Data Protection Measures
Last Amended: May 2022
These Data Protection Measures outline the Company’s security, technical and organizational practices with respect to Personal Data.
PHYSICAL ACCESS CONTROL
The Company ensures the protection of the data servers which store the Personal Data for the Company from unwanted physical access.
The Personal Data that is processed by the Company and which the Company is the Controller of (as such term is defined under the GDPR) is stored on Amazon Web Services.
The data processed by the Company as a Processor (as such term is defined under the GDPR) may be stored on any cloud of its customers’ choosing, including, but not limited to, Amazon Web Services (AWS), Google Cloud Platform and Microsoft Azure. Please see AWS’s security measures here, Google Cloud Platform’s security measures here and Microsoft Azure’s security measures here. The Company also secures physical access to its offices by ensuring that only authorized individuals, such as employees and authorized external parties (maintenance staff, visitors, etc.), can enter the Company’s offices, using security locks and an alarm system, amongst other measures.
Access to the Company’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. The Company has also implemented appropriate safeguards for remote access and wireless computing. Employees are assigned private passwords that permit access to or use of Personal Data only in accordance with the employee’s position, and solely to the extent such access or use is required. Access to Personal Data, and the passwords used to gain such access, are continuously monitored. The Company uses automated tools to identify non-human login attempts and rate-limits login attempts to minimize the risk of a brute-force attack.
DATA ACCESS CONTROL
User authentication measures have been put in place to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it, and to ensure that Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions. Any access to Personal Data, as well as any action involving the use of Personal Data, requires a user name and password; passwords are routinely changed and blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to them by the Company. Furthermore, the Company conducts ongoing reviews of the employees who have been authorized to access Personal Data, in order to assess whether such access is still required. The Company revokes all access to Personal Data immediately upon an employee’s termination of employment. Authorized individuals can only access Personal Data that is located in their individual profiles.
ORGANIZATIONAL AND OPERATIONAL SECURITY
The Company invests significant effort and resources in ensuring that its security policies and practices are complied with, including by continuously training employees on those policies and practices. The Company strives to raise awareness of the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including installing firewalls and anti-virus software on applicable Company hardware and software, in order to protect against malicious software.
The Company ensures the transparency of input controls, including the modification and deletion of data.
The Company maintains backup policies and associated measures. Such backup policies include the constant monitoring of operational parameters relevant to backup operations. Furthermore, the Company’s servers include an automated backup procedure. The Company also conducts regular checks of the condition and labelling of data storage devices. The Company ensures that regular tests are carried out to determine whether data can be restored from the backup, as required and applicable.
On July 16, 2020, Europe’s highest court (“CJEU”) invalidated the EU-US Privacy Shield. Additionally, on September 8, 2020, the Swiss Data Protection Authority announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transferring Personal Data from Switzerland to the U.S.
We ensure that any transfer of Personal Data is done in a secure manner, in compliance with the latest EDPB recommendations concerning data transfers. We ensure the security of any data transfer by, amongst other measures, signing Data Processing Agreements which incorporate the Standard Contractual Clauses (“SCCs”), which are still considered to be a valid data export mechanism.
In order to keep your data safe when it is transferred cross-border, we have conducted a transfer impact assessment which may be found here.
SCHREMS II Additional Safeguards
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented in response to the EU Court of Justice decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian SCHREMS (“SCHREMS II”). These measures include the following:
- Encryption both in transit and at rest, with the customer holding the keys;
- As of the date included in the “Last Amended” header above, Akeyless has not received any national security orders of the type described in Paragraphs 150-202 of the SCHREMS II decision.
- No court has found Akeyless to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
- Akeyless will not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand in which the targeted account is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of the communications subject to the surveillance).
- Akeyless will use all available legal mechanisms to challenge any demand for data access through any national security process that it receives, as well as any non-disclosure provisions attached thereto.
- Akeyless will notify its customers (if required and as applicable) if it can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
Personal Data is retained for as long as needed for us to provide our Services or as required under applicable laws.
JOB CONTROL AND THIRD PARTY CONTRACTORS AND SERVICE PROVIDERS
All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligations or non-compliance with the Company’s policies, the Company will impose appropriate consequences in order to ensure compliance with its policies. In addition, prior to engaging third-party contractors, the Company undertakes due-diligence reviews of such contractors. The Company agrees with third-party contractors on effective rights of control with respect to any Personal Data processed on behalf of the Company. The Company ensures that it enters into data protection agreements with all of its clients and service providers.
The Company’s operations, policies and procedures are audited regularly to ensure that they meet all standards expected of a cloud system provider. Compliance certifications and attestations are assessed by an independent third-party auditor and result in a certification, audit report, or attestation of compliance. The Company’s systems and Services have been audited and verified under the ISO 27001 and ISO 27701 certifications and the System and Organization Controls (SOC). If you wish to be provided with such certifications and reports, please contact us at: [email protected]
In addition to our own compliance with privacy and security regulations, our customers remain responsible for their own compliance with applicable laws, regulations and privacy programs.
REPORTING A SECURITY ISSUE
The Company allocates considerable resources to ensuring secure code and infrastructure for all of its products. If you believe that you have found a vulnerability in any of our products or in our security practices, please report it to us immediately via e-mail at: [email protected]. Please be sure to include a brief description, detailed steps that we can take to reproduce the issue, and an explanation of what the impact of the issue might be.
RESPONSIBLE DISCLOSURE POLICY
We encourage responsible disclosure of security issues, and we promise to investigate all legitimate reports and fix any issues as soon as we can. We ask that during your research you make every effort to maintain the integrity of any data you come across and avoid violating the privacy of any person. Please provide us with a reasonable amount of time to fix any vulnerability you find before you make it public. In return, we promise to investigate reports promptly and not to take any legal action against you with respect to such reports.