Below is a description of the technical and organizational measures implemented by OpenPayd to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
The protection of natural persons should be technologically neutral and should not depend on the techniques used. In this regard, the technical and organizational measures listed below do not enter into detailed technical specifics.
Some measures may serve more than one purpose and their repetition in each relevant section is avoided.
All measures are subject to regular audits and strong disciplinary procedures are in place to monitor and enforce compliance.
Technical Access Controls
For the purposes of ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, OpenPayd adheres to comprehensive technical access control measures, which may include the following:
Data Access Controls
OpenPayd shall treat all personal data in accordance with its information asset classification and shall apply the necessary controls to uphold the security of information assets. OpenPayd ensures that all personal data are appropriately protected against unauthorized access, corruption, loss or disclosure. OpenPayd maintains strict data access controls, including:
OpenPayd maintains strict transmission controls, including:
OpenPayd maintains network intrusion detection measures. OpenPayd uses all commercially reasonable efforts to ensure that its operating systems and applications are secured to mitigate the risk of security vulnerabilities in accordance with industry standard practices.
OpenPayd ensures equipment security by implementing appropriate measures, which may include:
Data Center Security
The data centers used by OpenPayd are equipped with physical access mechanisms to ensure that only authorized individuals can access the respective facilities. Access to the facilities is granted only to individuals who have passed a security check. Access lists are kept up to date to ensure that access is limited to authorized personnel only. The facilities are secured, as appropriate, by personnel, CCTV surveillance and locked cabinets or vaults.
OpenPayd maintains business continuity and disaster recovery capabilities designed to minimize disruption of providing its services to the Customer in the event of a disaster or similar event. OpenPayd performs an annual review of its business continuity and disaster recovery plans and capabilities and updates such plans as needed or otherwise in accordance with generally accepted industry standards.
OpenPayd has a process for regularly testing the effectiveness of technical and organizational measures. The testing frequency is based on objective criteria. OpenPayd undergoes at least an annual penetration test.
OpenPayd conducts at least an annual assessment of the effectiveness of the technical and organizational measures employed. OpenPayd can provide an executive summary to Customer in relation to the Processed Data upon Customer’s reasonable written request.
OpenPayd has implemented appropriate measures to prevent its data processing systems from being used by unauthorized individuals, as well as to prevent unauthorized access, multiplication, alteration, deletion or removal of personal data. In addition to the technical access controls, OpenPayd has also implemented:
OpenPayd has implemented the following measures for the purposes of protection of personal data during transmission:
OpenPayd has developed and implemented a vulnerability and patch management strategy supported by management controls, procedures and operational documentation.
OpenPayd implements vulnerability mitigation, information security patches and other relevant security vulnerability updates when available and approved to ensure secure storage of personal data or other classified information, including:
OpenPayd maintains security standards and policies for protection of Customer’s assets, data or property. OpenPayd reviews its physical security environment at least annually. OpenPayd ensures that all its personnel comply with the physical security requirements and have appropriate training in order to do so.
OpenPayd maintains access controls to ensure that only authorized personnel may enter any premises controlled by OpenPayd from which services are delivered. The access controls include at a minimum:
OpenPayd enables events logging on its systems that contain personal data to capture the following events:
OpenPayd captures event logs that include information for the following events:
OpenPayd shall retain event logs for so long as necessary for providing its services, to comply with the applicable regulatory framework, or for a longer period as it may be reasonably requested by the Customer. OpenPayd shall aim to maintain industry standard protection of audit logs to support the prevention of accidental or intentional modification or destruction.
OpenPayd maintains a system configuration based on industry standards. OpenPayd applies security patches in accordance with its policies for vulnerability management.
OpenPayd shall perform all system development activities in specialized development environments, e.g., test environment, isolated from the live environment and protected against disruption and disclosure of information. OpenPayd shall ensure that systems are developed considering relevant laws and regulations as well as mitigating possible security risks. OpenPayd shall perform quality assurance of key security activities during the development lifecycle.
OpenPayd shall monitor and test its systems and shall implement fixes and developments when available and approved.
Internal Organization Management
OpenPayd maintains an internal organization that meets industry standards, including by:
Information Security Policies
OpenPayd maintains information security policies providing for continual assessment and re-assessment of the risks to the security of its services, including:
OpenPayd’s information security policies address appropriate and detailed protection measures, including:
OpenPayd has a program for assurance of processes and products undergoing periodic surveillance and audits to ensure that OpenPayd’s information security management system meets industry standards and best practices with due regard to the state of the art, in accordance with the risk of the categories of data processed.
OpenPayd confirms that its services are designed in a manner ensuring that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
OpenPayd strictly follows the data minimization principle during the entire personal data lifecycle in order to limit the exposure of personal data to unauthorized access.
OpenPayd maintains policies and procedures ensuring data quality, including any type of adjustments, erasure, or revisions to personal data.
OpenPayd shall retain personal data to fulfill the purposes outlined in the Terms and the DPA in order to provide its services. OpenPayd will retain personal data in accordance with the Terms and the DPA regarding such data.
OpenPayd may provide the Customer with controls to enable the Customer to retrieve, rectify, delete or block personal data.
OpenPayd shall, in accordance with its security policies and processes, destroy, delete, or otherwise make irrecoverable personal data:
The data importer maintains appropriate measures and internal policies to ensure accountability with regard to processing personal data, including but not limited to:
OpenPayd shall provide the Customer options for erasure in accordance with the applicable statutory and industry standards requirements.
OpenPayd has ensured the following: