INFORMATION SECURITY POLICY

[Last Modified: May 15, 2019]

 

Erika Carmel Ltd. (“Company” or “we”) is committed to providing transparency regarding the security measures it has implemented to secure and protect your Personal Data (as defined under applicable data protection law, including, without limitation, the EU General Data Protection Regulation (“GDPR”)) processed by the Company for the purpose of providing its Services.

 

This information security policy (“Policy”) outlines the Company’s current security practices as of the “Last Modified” date indicated above.

 

We have implemented technical, organizational and monitoring protection measures, and have also established an extensive information and cybersecurity program, all with respect to Personal Data processed by us. We make best efforts to ensure that our employees and contractors comply with this Policy at all times.

 

Physical Access Control

The Company ensures the protection of any physical access to its data servers which store the Personal Data processed by the Company, and stores its data solely with third-party hosting providers which are bound to provide sufficient security measures. Furthermore, entrance to the Company’s offices is protected by electronic means. An alarm system as well as monitoring and protective measures are implemented outside of working hours. In addition, our offices are secured by advanced physical and electronic means, including CCTV operating 24/7.

 

System Control

Access to all Personal Data processing systems is secured through user authentication. Access to the Company’s database is highly restricted through protection measures aimed at ensuring that only appropriate, previously approved personnel can access the database. Safeguards related to remote access and wireless computing capabilities are implemented therein. All databases are protected, and only authorized personnel may access such databases through a designated password. The Company’s personnel are provided with a private password that allows strict access or use related to Personal Data, all in accordance with the relevant role, and solely to the extent such access or use is required. The Company carries out regular and random security tests on the system. In addition, the Company implements adequate safeguards on its hardware and software, including firewalls and anti-virus programs on applicable Company hardware and software, in order to protect them against malicious applications.

 

Data Access Control

Restrictions are in place to ensure that any access to the Personal Data is limited to employees with a legitimate need-to-know, so that Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. Any access to Personal Data, as well as any action performed involving the use of Personal Data, requires a password and username, which is routinely changed and which is blocked after 3 failed attempts. Each employee is able to perform actions solely according to the permissions determined by the Company. Furthermore, the Company regularly reviews employees’ authorizations to assess whether their access is still required. The Company revokes access immediately upon termination of employment.

 

Organizational and Operational Security

The Company invests considerable effort and resources to ensure compliance with the Company’s security practices, and it also provides employees with appropriate training. The Company strives to raise awareness of the risks involved in the processing of Personal Data.

 

Transfer Control

All transfers of Personal Data are protected using adequate safeguards. Company’s databases are protected by industry best standards and the Company is ISO 9001 certified. All data transfers are secured and encrypted.

 

Availability Control

The Company runs a daily automated backup procedure on its servers.

 

Data Retention

Personal Data and raw data are all deleted as soon as such data and Personal Data are no longer required in order for the Company to provide its services, all in accordance with applicable laws.

 

Job Control

All of the Company’s personnel are required to execute an agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of obligation or non-compliance with the Company’s policies, the Company may apply disciplinary actions aimed at ensuring continuous compliance with the Company’s policies. Furthermore, the contract between the Company and each employee includes specific provisions for the destruction of Personal Data following termination of the employment.