Data Security

Updated May 25, 2018

Our Controls and Policies

We have in place, maintain and enforce a security program that addresses the management of our security and the security controls (“Controls”). The Controls include:

  • Our approved and documented processes and procedures which we publish internally, communicate to appropriate personnel within the Company, and review not less than once each year;
  • a clear written assignment of responsibility and authority for activities in respect of the Controls;
  • policies covering, amongst other things and as may be applicable from time to time, acceptable computer use, data classification, cryptographic controls, access control, removable media, and remote access;
  • applying encryption to all data when it is at rest and applying encryption to data in transit when reasonable; and
  • regular testing of the key controls, systems and procedures.

We have in place, maintain and enforce the Controls and related policies that address how Personal Data is collected, used and shared by us.

Management Of Risks

We perform and undertake from time to time appropriate risk assessments and implement and maintain in place controls for risk identification, analysis, monitoring, reporting, and corrective action identified as being required as a result of such risk assessments.

Management Of Assets

We maintain and enforce an asset management program that appropriately classifies and controls hardware and software assets throughout their life cycle.

Team Member Education And Awareness

We require that all team members, employees, agents, and contractors (“Team Members”) acknowledge, confirm and agree to adhere to their data security and privacy responsibilities under our policies and procedures as are in place and amended from time to time.

In relation to Team Members who, in the course of undertaking their employment or engagement with the Company, process Personal Data, we shall, in respect of such Team Members:

  • implement a procedure for, and undertake, pre-employment background checks and screening;
  • conduct and require Team Members to undertake security and privacy training;
  • implement and enforce disciplinary processes for violations of data security or privacy requirements; and
  • upon termination or applicable role change, promptly remove and/or update Team Member access rights and require the return or destruction of Personal Data in the possession, custody or control of such Team Member.

Vulnerability Assessments

We perform periodic vulnerability assessments and network penetration testing on any and all systems, platforms, networks and applications that process Personal Data.

Physical Access Control Systems

We implement and maintain appropriate and robust access control systems designed specifically to maintain the confidentiality of Personal Data. These controls are reviewed and upgraded as we sees fit from time to time and include:

  • authorisation processes for physical, privileged, and logical access to facilities, systems, networks, wireless networks, operating systems, mobile devices, system utilities, and other locations containing Personal Data; and
  • granting access only if it is logged, strictly controlled, and needed for a Team Member or third party to perform their job function.

We authenticate each Team Member’s identity through appropriate authentication credentials such as strong passwords, token devices, or biometrics.