NAMOGOO INFORMATION SECURITY POLICY
[Last Updated: February 2021]
Namogoo Technologies Ltd. (“Namogoo” ,“Company” or “we”) is fully committed to provide its customers (“Customer(s)”) and their end users transparency regarding the security measures which the Company has implemented in order to secure and protect information, including Personal Data or Personal Information (collectively “Information”), as defined under applicable law, including the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); (iii) California Consumer Privacy Act (“CCPA”); and (iv) any national laws made under or pursuant to the foregoing (collectively, “Data Protection Law”), processed by the Company for the purpose of providing the services.
This information security policy (“Security Policy”) outlines the Company’s current security measures deployed by the Company as of the “Last Updated” date indicated above. We will keep updating this Security Policy from time to time, as required by applicable Data Protection Laws and our internal policies.
The Company has implemented, technical and organizational safeguards, and established a comprehensive information and cyber security program.
Physical Access Control
Namogoo ensures the protection of unwanted and unauthorized physical access to its servers and facilities where it stores the Information. Namogoo has chosen the reputable SnowFlake as its main cloud data lake provider. The Information collected by Namogoo is stored in SnowFlake’s data servers, which are protected by industry best standards including PCI DCS and ISO 27001, for more information regarding the data security provided by Snow Flake please here. Further, Namogoo secures the physical access to its offices using a passcode to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access Namogoo’s offices. Namogoo’s offices include fire and smoke alarms in place. All data backups are stored in data safes protected from fire and water.
System Access Control
The access to Namogoo’s databases is highly restricted, based on protections implemented in order to ensure that only authorized personnel can access the database. The Company implemented appropriate safeguards related to remote access and wireless computing capabilities. The systems are protected and solely authorized employees may access the systems by using a designated password. Employees are assigned private passwords that allow strict access or use of Information, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of the access to the Information, the passwords used to gain access and as well as real-time authentication protocols. The Company is using automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack
Data Access Control
User authentication measures have been put in place in order to ensure that access to the Information is restricted solely to those the employees who have been given permission to access it and to ensure that the Information is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Employees are educated and tested with regards to security of the Information. Any access to Information, as well as any action performed involving the use of Information requires a valid password and username, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by the Company. Furthermore, the Company conducts ongoing reviews of the employees who have been given authorization to access the Information, in order to assess whether such access is still required. The Company revokes access immediately upon termination of the employment or for any other reason for which the Company believes such access authorizations are redundant.
Organizational and Operational Security
Namogoo invested resources in order to ensure that the Company’s security policies and practices are being complied with, including continuously providing employees with training in connection with such security policies and practices. The Company strives to raise awareness regarding the risks involved in the processing of Information. In addition, Namogoo implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable Company property in order to protect against malicious software as well as any intrusions to the Company’s systems.
All transfers of Information between the Customer’s side and the Company’s servers are protected by the use of encryption safeguards prior to the transfer of any Information. Backup files are checked with checksums daily and stored on a local disk. In order to minimize the risk of Personal Data being accessed by unauthorized third parties during an electronic transmission, Namogoo has implemented applicable safeguards such as L2TP, IPsec (or equivalent protection), as well as encryption of the Personal Data prior to the transfer of any Personal Data.
On July 16, 2020, Europe’s highest court (“CJEU”) invalidated the EU-US Privacy Shield. Additionally, on September 8, 2020, the Swiss Data Protection Authority announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S. We ensure any data transfer is done in a secure manner, in compliance with the latest EDPB recommendations concerning data transfer as well as contractually sign a Data Processing Agreement which incorporate the Standard Contractual Clauses which remain a valid data export mechanism and which automatically apply in accordance with our Data Processing Agreement.
Over the coming months, we anticipate that EU data protection regulators will issue additional guidance on the CJEU decision, including what the supplementary measures could consist of for those transferring data in reliance on the SCCs. In addition, the current form of the SCC was written before the GDPR went into effect and will be updated at some point in time. We will continue to keep a close eye on forthcoming guidance to stay up to date and assess whether we need to make any changes to our existing practices.
Personal Data is retained for as long as needed for us to provide our services or as required under applicable laws.
Employees: All of Namogoo’s employees and consultants are required to execute an agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In addition, employees undergo a screening process applicable per regional law. In the event of a breach of an employee’s obligation or non-compliance with Namogoo’s policies, the Company implements certain repercussions in order to order to ensure compliance with the Company’s policies.
Third Parties: In addition, prior to Namogoo’s engagement with third party contractors, Namogoo undertakes diligence reviews of such third party contractors, including by conducting a risk assessment with respect to their security policies and practices. Third party contractors may solely access the Information as explicitly instructed by Namogoo. Furthermore, the Company ensures that all of its engagements with third party contractors include effective rights of control with respect to any Personal Data processed on behalf of the Company and the destruction of Personal Data following termination of an engagement with third parties. In addition, to the extent applicable, Namogoo’s partners are required to execute an applicable Data Processing Agreement (to the extent they are processing any Personal Data on behalf of Namogoo).
The Company maintains backup policies and associated measures which include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, the Company’s servers include an automated backup procedure. Periodical checks are performed to determine that the backup has occurred. The Company also conducts regular controls of the condition and labelling of data storage devices for data security. The Company ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable.
Reporting Security Issue
Namogoo is exerting considerable resources to ensure a secure code and infrastructure for all of its products. If you believe that you have found a security vulnerability in any of our products, please report it to us straight away via e-mail to email@example.com. Please be sure to include a brief description, detailed steps to reproduce and what might be the impact.
Responsible Disclosure Policy
We encourage responsible disclosure, and we promise to investigate all legitimate reports and fix any issues as soon as we can. We ask that during your research you make every effort to maintain the integrity of our any data you come across, avoiding violating the privacy of any person or degrading our offerings. Please provide Namogoo reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.
THE INFORMATION SECURITY, LEGAL, PRIVACY AND COMPLIANCE DEPARTMENTS WORK TO IDENTIFY REGIONAL LAWS, REGULATIONS APPLICABLE TO COMPANY’S COMPLIANCE. THEREFORE, THIS SECURITY POLICY MAY BE UPDATED FROM TIME TO TIME, ACCORDING TO ANY APPLICABLE LEGISLATION OR INTERNAL POLICIES.