Information Security Policy
Lobster Apps Inc. (“Company”, “we” or “us”) takes information security seriously and has created this Security Policy (“Security Policy”) to disclose its practices in safeguarding Personal Data processed through our Services. We have implemented the technical and organizational measures below to protect the Personal Data we process against loss, unlawful acts, destruction, alteration, and unauthorized disclosure or access.
As part of our compliance process with privacy legislation, including the GDPR, we have prepared this Security Policy to provide a summary of the security measures and policies we have in place. We require our personnel and service providers to comply with these standards and implement the same security measures when working with us.
THIS SECURITY POLICY OUTLINES THE COMPANY’S CURRENT SECURITY PRACTICES AS OF THE “LAST REVISED” DATE INDICATED BELOW. WE WILL KEEP UPDATING THIS POLICY FROM TIME TO TIME, AS REQUIRED BY APPLICABLE LAWS AND OUR INTERNAL POLICIES.
SYSTEM ACCESS CONTROL
The Company’s database is accessible only by the Company’s management and solely from within the Company’s office. The Personal Data processed and stored by the Company is stored on Amazon US servers, and access is granted through personal user authentication. Access to systems is restricted and is based on procedures that ensure appropriate approvals are provided solely to the extent required. In addition, remote access and wireless computing capabilities are restricted and require both user and system safeguards, including VPN protection or a similar level of security. The systems are also protected, and only authorized employees may access them, using a designated password and user name.
PHYSICAL ACCESS CONTROL
The Company secures physical access to its offices and ensures that only authorized individuals have access. The Company works with an Amazon Web Services datacenter as its main storage processor; we therefore recommend reviewing Amazon’s security policy, available HERE. The transfer of Personal Data is secured and encrypted. Further, the Company has entered into applicable and binding data processing agreements with its vendors.
DATA ACCESS CONTROL
All access to a database, system or storage is subject to an authorization hierarchy and password protection. Further, access to the Personal Data is restricted solely to the employees who “need to know” and is protected by passwords and user names. The Company audits any and all access to the database and any authorized access is immediately reported and handled. Each access is logged and monitored, and any unauthorized access is automatically reported. The Company revokes access immediately upon termination of employment.
ORGANIZATIONAL AND OPERATIONAL SECURITY
The Company educates its employees and service providers, and raises awareness of risk and risk assessment with regard to any processing of Personal Data. Internal security testing is done on a regular basis. The Company’s IT team ensures the security of all hardware and software by installing anti-malware software, including firewalls, on computers to protect against malicious use and malicious software, as well as virus detection on endpoints, etc.
We have implemented applicable measures in order to prevent Personal Data from being read, copied, modified or removed by unauthorized parties while in transfer. Further, transfer of Personal Data (either between the servers or from client side to server side) is secured. The servers used by the Company (AWS) are Privacy Shield certified, as detailed HERE.
The Company’s servers include an automated backup procedure. The Company has ensured that all systems are protected by industry best standards of security systems and measures, as well as encryption of the Personal Data prior to its transfer. Our legal team has ensured our legal documentation is updated to reflect any changes and to include the mandatory provisions required by the GDPR.
Personal Data and raw data are all deleted as soon as possible or legally applicable.
Employees and applicable processors have all signed binding data security and protection obligations. Noncompliance will result in disciplinary action.
[Last Revised: January 27, 2019]