Below is a description of the technical and organizational measures implemented by OpenPayd to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The protection of natural persons should be technologically neutral and should not depend on the techniques used. In this regard, the technical and organizational measures listed below do not enter into detailed technical specifics.

Some measures may serve more than one purpose and their repetition in each relevant section is avoided.

All measures are subject to regular audits and strong disciplinary procedures are in place to monitor and enforce compliance.

MEASURES OF PSEUDONYMIZATION AND ENCRYPTION OF PERSONAL DATA

Pseudonymization

OpenPayd supports pseudonymization capabilities following industry standards and best practices.

Encryption

OpenPayd maintains an encryption policy including encryption at rest and encryption in transit that adheres to industry recommended algorithms and methods.

MEASURES FOR ENSURING ONGOING CONFIDENTIALITY, INTEGRITY, AVAILABILITY AND RESILIENCE OF PROCESSING SYSTEMS AND SERVICES

Technical Access Controls

For the purposes of ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, OpenPayd adheres to comprehensive technical access control measures, which may include the following:

  • access authorization requirements;
  • identification of workstations and individuals accessing OpenPayd’s systems;
  • automatic disablement of accounts after multiple unsuccessful password entry attempts;
  • logging of events and activities;
  • issuance and safeguarding of identification codes;
  • dedicated workstations for individuals;
  • authentication of authorized personnel;
  • separation of production and non-production environments;
  • automatic session log-off of individuals that have been inactive for a specific period;
  • designation of areas in which data media may and must be located;
  • designation of individuals for authorized handling and removal of data media;
  • control over removal of data media;
  • securing the areas in which data media is located;
  • controlled and documented destruction of data media;
  • use of encryption where appropriate.

Data Access Controls

OpenPayd shall treat all personal data in accordance with its information asset classification and shall apply the necessary controls to uphold the security of information assets. OpenPayd ensures that all personal data are appropriately protected against unauthorized access, corruption, loss or disclosure. OpenPayd maintains strict data access controls, including:

  • securing workstations;
  • requirements for user authorization on a need-to-know basis;
  • appropriate confidentiality obligations;
  • role-based access policies based on function and scope;
  • control over destruction of data media;
  • deletion of data before changing data media;
  • policies controlling the production of backup copies.

Transmission Controls 

OpenPayd maintains strict transmission controls, including:

  • authentication of authorized personnel;
  • encryption during transmission;
  • documentation of transfer, retrieval, and transmission;
  • malware detection and protection against malware.

Network Security

OpenPayd maintains network intrusion detection measures. OpenPayd uses all commercially reasonable efforts to ensure that its operating systems and applications are secured to mitigate the risk of security vulnerabilities in accordance with industry standard practices.

Equipment Security

OpenPayd ensures equipment security by implementing appropriate measures, which may include:

  • systems and other equipment protection to reduce the risk from environmental threats and hazards and opportunities for unauthorized access;
  • maintenance of systems and other equipment to ensure their continued availability and integrity;
  • protection of equipment that is power-dependent from power failures, surges and other electrical anomalies;
  • implementation of exit procedures to control unauthorized removal of systems and other equipment;
  • protection of all power, telecommunication and network cabling from unauthorized access and damage.

Data Center Security

The data centers used by OpenPayd are equipped with physical access mechanisms to ensure that only authorized individuals can access the respective facilities. Access to the facilities is granted only to individuals who have passed a security check. Access lists are properly updated to ensure that access is limited to authorized personnel only. The facilities are secured, as appropriate, by personnel, CCTV surveillance and locked cabinets or vaults.

MEASURES FOR ENSURING THE ABILITY TO RESTORE THE AVAILABILITY AND ACCESS TO PERSONAL DATA IN A TIMELY MANNER IN THE EVENT OF A PHYSICAL OR TECHNICAL INCIDENT

OpenPayd maintains business continuity and disaster recovery capabilities designed to minimize disruption to the provision of its services to the Customer in the event of a disaster or similar event. OpenPayd performs an annual review of its business continuity and disaster recovery plans and capabilities and updates such plans as needed or otherwise in accordance with generally accepted industry standards.

PROCESSES FOR REGULARLY TESTING, ASSESSING AND EVALUATING THE EFFECTIVENESS OF TECHNICAL AND ORGANIZATIONAL MEASURES IN ORDER TO ENSURE THE SECURITY OF THE PROCESSING

Testing

OpenPayd has a process for regularly testing the effectiveness of technical and organizational measures. The testing frequency is based on objective criteria. OpenPayd undergoes at least an annual penetration test.

Assessments

OpenPayd conducts at least an annual assessment of the effectiveness of the technical and organizational measures employed. OpenPayd can provide an executive summary to Customer in relation to the Processed Data upon Customer’s reasonable written request.

MEASURES FOR USER IDENTIFICATION AND AUTHORISATION

OpenPayd has implemented appropriate measures to prevent its data processing systems from being used by unauthorized individuals, as well as to prevent unauthorized access, multiplication, alteration, deletion or removal of personal data. In addition to the technical access controls, OpenPayd has also implemented:

  • maintenance of communications via secured protocols and use of multi-factor authentication;
  • identification, verification, recording and risk assessment of external connections to networks and applications;
  • maintenance of password management and strong password confidentiality.

MEASURES FOR THE PROTECTION OF DATA DURING TRANSMISSION

OpenPayd has implemented the following measures for the purposes of protection of personal data during transmission:

  • use of secure channels of communications;
  • firewall routing;
  • documentation of transmissions;
  • authentication of authorized personnel;
  • control over data media;
  • data erasure before changing data media;
  • use of encryption where appropriate.

MEASURES FOR THE PROTECTION OF DATA DURING STORAGE

OpenPayd has developed and implemented a vulnerability and patch management strategy supported by management controls, procedures and operational documentation.

OpenPayd implements vulnerability mitigation, information security patches and other relevant security vulnerability updates when available and approved to ensure secure storage of personal data or other classified information, including:

  • creation of backup copies;
  • software updates automation;
  • maintenance of backup copies access management;
  • wireless networks security as per industry standards;
  • maintenance of retention policies;
  • personal data residency separation;
  • malware detection and protection against malware;
  • operating system updates;
  • use of encryption where appropriate.

MEASURES FOR ENSURING PHYSICAL SECURITY OF LOCATIONS AT WHICH PERSONAL DATA ARE PROCESSED

OpenPayd maintains security standards and policies for protection of Customer’s assets, data or property. OpenPayd reviews its physical security environment at least annually. OpenPayd ensures that all its personnel comply with the physical security requirements and have appropriate training in order to do so.

OpenPayd maintains access controls to ensure that only authorized personnel may enter any premises controlled by OpenPayd from which services are delivered. The access controls include at a minimum:

  • a robust, documented, and auditable process for issuance and removal of access credentials for personnel and third parties;
  • protection and restriction of exits;
  • personnel entry points controls, such as keycards and passes;
  • establishment of security areas;
  • third parties’ entry points control, such as individual temporary keycards;
  • restrictions on keys;
  • physical security of premises.

MEASURES FOR ENSURING EVENTS LOGGING

OpenPayd enables events logging on its systems that contain personal data to capture the following events:

  • account logon and logoff;
  • creation, modification and deletion of accounts or logon identifiers, access privileges for accounts and groups, individual rights and permissions;
  • unsuccessful access attempts;
  • changes in account or logon identifier status;
  • account lockouts;
  • modifications to, or unauthorized attempts to modify, the security configuration, security function or authorization policy.

OpenPayd captures event logs that include information for the following events:

  • individual, system or process identifier that triggered the event;
  • identifier of the system generating the event, which may be an IP address;
  • description of the event;
  • date and time the event occurred;
  • authorization information associated with the event.

OpenPayd shall retain event logs for so long as necessary for providing its services, to comply with the applicable regulatory framework, or for a longer period as it may be reasonably requested by the Customer. OpenPayd shall aim to maintain industry standard protection of audit logs to support the prevention of accidental or intentional modification or destruction.

MEASURES FOR ENSURING SYSTEM CONFIGURATION, INCLUDING DEFAULT CONFIGURATION

OpenPayd maintains a system configuration based on industry standards. OpenPayd applies security patches in accordance with its policies for vulnerability management.

OpenPayd shall perform all system development activities in specialized development environments, e.g., test environment, isolated from the live environment and protected against disruption and disclosure of information. OpenPayd shall ensure that systems are developed considering relevant laws and regulations as well as mitigating possible security risks. OpenPayd shall perform quality assurance of key security activities during the development lifecycle.

OpenPayd shall monitor and test its systems and shall implement fixes and developments when available and approved.

MEASURES FOR INTERNAL IT AND IT SECURITY GOVERNANCE AND MANAGEMENT

Internal Organization Management

OpenPayd maintains an internal organization that meets industry standards, including by:

  • maintenance of a clear system for the allocation of responsibilities;
  • maintenance of business continuity and disaster recovery plans;
  • maintenance of internal policies and procedures, guidelines, instructions, and processes covering data processing operations;
  • maintenance of privacy by design program;
  • maintenance of emergency plans;
  • performance of privacy impact assessments.

Information Security Policies

OpenPayd maintains information security policies providing for continual assessment and re-assessment of the risks to the security of its services, including:

  • identification of internal threats that could result in a security breach;
  • assessment of the likelihood and potential damage of internal and external threats;
  • identification of external threats that could result in a security breach;
  • assessment of the sufficiency of the policies, procedures, information systems and other arrangements in place, to control risks.

OpenPayd’s information security policies address appropriate and detailed protection measures, including:

  • asset management;
  • access control;
  • personnel security;
  • information systems acquisition;
  • physical and environmental security;
  • information security incident management;
  • communications and operations management.

MEASURES FOR CERTIFICATION/ASSURANCE OF PROCESSES AND PRODUCTS

OpenPayd has a program for assurance of processes and products undergoing periodic surveillance and audits to ensure that OpenPayd’s information security management system meets industry standards and best practices with due regard to the state of the art, in accordance with the risk of the categories of data processed.

MEASURES FOR ENSURING DATA MINIMISATION

OpenPayd confirms that its services are designed in a manner ensuring that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

OpenPayd strictly follows the data minimization principle during the entire personal data lifecycle in order to limit the exposure of personal data to unauthorized access.

MEASURES FOR ENSURING DATA QUALITY

OpenPayd maintains policies and procedures ensuring data quality, including any type of adjustments, erasure, or revisions to personal data.

MEASURES FOR ENSURING LIMITED DATA RETENTION

OpenPayd shall retain personal data to fulfill the purposes outlined in the Terms and the DPA in order to provide its services. OpenPayd will retain personal data in accordance with the Terms and the DPA regarding such data.

OpenPayd may provide the Customer with controls to enable the Customer to retrieve, rectify, delete or block personal data.

OpenPayd shall, in accordance with its security policies and processes, destroy, delete, or otherwise make irrecoverable personal data:

  • following the termination or expiration of the Terms or a part thereof;
  • upon the disposal or repurposing of storage media containing personal data.

MEASURES FOR ENSURING ACCOUNTABILITY

The data importer maintains appropriate measures and internal policies to ensure accountability with regard to processing personal data, including but not limited to:

  • maintenance of a record of all categories of processing activities carried out on behalf of the Customer;
  • maintenance of confidentiality policies and best practices based on a strict need-to-know principle;
  • maintenance of an internal privacy program detailing the collection, processing and protection of personal data;
  • maintenance of best practices to appropriately and in a timely manner involve, and provide access to information to, the relevant experts on matters related to international transfers of personal data;
  • maintenance of an internal information security program and policy;
  • maintenance of an external facing up-to-date privacy notice.

MEASURES FOR ENSURING ERASURE

OpenPayd shall provide the Customer options for erasure in accordance with the applicable statutory and industry standards requirements.

SPECIFIC TECHNICAL AND ORGANISATIONAL MEASURES TO BE TAKEN BY OPENPAYD TO BE ABLE TO PROVIDE ASSISTANCE TO THE CUSTOMER

OpenPayd has ensured the following:

  • availability of trained personnel to respond to enquiries for assistance;
  • effective communication channels;
  • proactive approach to enquiries for assistance until their final closure;
  • internal organization eliminating backlogs in a timely manner.