Security Policy

 (Last Modified: July 23, 2019)

Editor Choice Inc. (“Company” or “we”) is committed to provide transparency regarding the security measures which it has implemented in order to secure and protect Personal Data (as defined under applicable data protection law, including without limitations, the EU General Data Protection Regulation (“GDPR”) and the soon to be going into effect California Consumer Privacy Act (“CCPA”) (collectively “Data Protection Regulation”) processed by the Company for the purpose of providing its services.

This information security policy outlines the Company’s security, technical and organizational practices.

As part of our data protection compliance process we have implemented technical, physical and administrative security measures to protect our users’ Personal Data as explained below.

Physical Access Control

The Company ensures the protection of the data servers which store the Personal Data for the Company from unwanted physical access. The data processed by the Company is stored in the Washington WDC-1 Data Center, US hosted by LeaseWeb. You can find LeaseWeb’s security measures for its Washington D.C. Data Center here. The Company also secures physical access to its offices by ensuring that only authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access the Company’s offices by using security locks and an alarm system, amongst other measures as well. 

System Control

Access to the Company’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. The Company has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow strict access or use to Personal Data, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and the passwords used to gain access. 

Data Access Control

User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it and to ensure that the Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Any access to Personal Data, as well as any action performed involving the use of Personal Data requires a password and user name, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by the Company. Furthermore, the Company conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. The Company revokes access to Personal Data immediately upon termination of employment. Authorized individuals can only access Personal Data that are located in their individual profiles. 

Organizational and Operational Security

The Company puts a lot of effort and invests a lot of resources into ensuring that the Company’s security policies and practices are being complied with, including by continuously providing employees with training with respect to such security policies and practices. The Company strives to raise awareness regarding the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable Company hardware and software, in order to protect against malicious software. 

Transfer Control

All transfers of Personal Data between the client side and the Company’s servers are protected by the use of encryption safeguards, including the encryption of the Personal Data prior to the transfer of any Personal Data. The Company’s servers are protected by industry best standards including the EU-US privacy shield framework. In addition, to the extent applicable, the Company’s business partners execute an applicable Data Processing Agreement, all in accordance with applicable laws. 

Input Control

The Company ensures the transparency of input controls, including changing and the deletion of data. 

Availability Control

The Company maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, the Company’s servers include an automated backup procedure. The Company also conducts regular controls of the condition and labelling of data storage devices for data security. The Company ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable.

Data Retention

Personal Data is retained for as long as needed for us to provide our services or as required under applicable laws.

Job Control

All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligation or non-compliance with the Company’s policies, the Company implements certain repercussions in order to ensure compliance with the Company’s policies. In addition, prior to the Company’s engagement with third party contractors, the Company undertakes diligence reviews of such third party contractors. The Company agrees with third party contractors on effective rights of control with respect to any Personal Data processed on behalf of the Company.