Information Security Policy

[Last Updated: September 17, 2018]

Vitalerter LTD (“Company” or “we”) is committed to providing transparency regarding the security measures which it has implemented in order to secure and protect Personal Data (as defined under the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”)) processed by us for the purpose of providing our services.

This information security policy (“Security Policy”) outlines the security measures deployed by the Company as of the “Last Updated” date indicated above. We will keep updating this Security Policy from time to time, as required by applicable laws and our internal policies. Definitions herein shall have the meaning set forth under the GDPR or in our Privacy Policy.

As part of our GDPR compliance process, we have implemented technical, organizational and monitoring protections, and established an extensive information and cyber security program, all with regard to Personal Data processed by Company.

System Access Control
Access to all data processing systems is solely via Company’s user authentication systems. Only a limited number of specific personnel have access to the systems. All access to Company’s systems admin network is available solely from the office, through a private dark-fibre link to the data centre. Authentication to each system is through a user password, unique to each employee or member of personnel, and from a different domain controller dedicated to such environment. Password control and manual, ongoing monitoring apply to all system access.

Data Access Control
Access to the Personal Data is restricted solely to the employees who are required to have access. Employees are educated with regard to the security of the Personal Data.

Physical Access Control
Vitalerter ensures the protection of the physical access to the data servers which store the Personal Data and works exclusively with Microsoft Azure, as its main cloud storage to host the Personal Data (for additional information regarding Microsoft Azure Security see here). 

Transfer Control
The goal of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of data or while in transit to the applicable data center (i.e., HTTPS). Transmission of data during backups is encrypted.

Availability Control and Purpose Control
The Company’s servers include an automated backup procedure. The Company has a backup concept which includes automated weekly backups. Periodic checks are performed to determine that the backups have occurred.

Data Retention
Personal Data as well as raw data are deleted as soon as possible or as soon as legally required.

Job Control 
Employees and data processors, including our applicable partners, are all signatories to applicable and binding agreements, all of which include applicable data provisions and data security obligations. Employees are bound to comply with the Company’s policies and procedures, and violations shall result in disciplinary actions up to and including termination of employment. An employee will not gain access to the Personal Data until the Company trusts that the employee is well educated and can responsibly handle the Personal Data in a secure manner. Company has ensured all documents, including, without limitation, agreements, privacy policies, online terms, etc., are compliant with the GDPR. Our Legal team is busy ensuring our legal documentation is updated to reflect any changes and to include the mandatory provisions required by the GDPR. The security, legal, privacy and compliance departments work to identify regional laws and regulations applicable to Company’s compliance. Therefore, this Security Policy may be updated from time to time, according to any applicable legislation or internal policies.

Data Subject Rights Policy

[Last Updated: September 31, 2018]

Vitalerter LTD (“Company” or “we”) values the privacy rights of our customers, partners, vendors and others, and has set forth this Data Subject Rights Policy (“Policy”) to provide you with a summary of your rights (as an EEA resident), as required by the EU General Data Protection Regulation (“GDPR”).

The right to basic information
Data subjects have the right to understand who the Company and its affiliates are, and why and how it or they process personal data. This information is also available to you through our privacy policy: www.vitalerter.com/privacy.

The right of access (“Subject Access”)
Data subjects have a right to obtain confirmation from the Company that it processes certain personal data related to a data subject and a right to obtain a copy of that information, along with other details about how and why the Company uses the data subject’s information. Once the veracity and appropriateness of an access request is affirmatively determined by the Company, we will, within the period required by the law, provide you with confirmation of processing, a copy of the personal data or a description of the personal data and categories of data processed, the purpose for which such data is being held and processed, and details about the source of the personal data if not provided by the data subject.

The right of rectification
The Company must ensure that all personal data that it holds and uses about a data subject is correct. If such data is not accurate, a data subject has the right to require that the Company updates such data so it is accurate.

The right of erasure (“right to be forgotten”)
Data subjects have a right to require the Company to erase certain personal data if particular conditions are satisfied. The Company is legally obligated to comply with a request to delete personal data if:
• The data is no longer needed for the original purpose and no new lawful purpose exists for continued processing.
• The lawful basis for processing is consent of the data subject and such consent is withdrawn.
• The data subject exercises his or her right to object to the Company’s processing of his or her personal data, and the Company has no overriding grounds for processing the data.
• The personal data is processed unlawfully; or
• Erasure of the data is necessary to comply with applicable laws.

The right to erasure is not absolute. Even if a data subject falls into one of the categories described above, the Company is entitled to reject the data subject’s request and continue processing data if such processing is:
• Necessary to comply with legal obligations.
• Necessary to establish, exercise or defend legal claims.
• Necessary for scientific, etc.
All subject to applicable laws.

The right to object
In the event the Company processes personal data on the basis that it is in its legitimate interests to do so (i.e., direct marketing), a data subject has the right to object to our processing on such grounds.

The right of restriction
A data subject may limit the purposes for which the Company may process its personal data.

The right of data portability
A data subject can request that the Company send or “port” its personal data to another entity.

The right to object to direct marketing
If the Company sends you marketing communications by email or other electronic methods, a data subject has the right to require the Company to stop sending such communications.

If you have any further questions, please contact us at info@vitalerter.com. If you wish to exercise your rights, please fill in this form. Note that you can request your rights in any form or manner; however, to validate your identity and your request, we will require completion of the online form.

GDPR

The General Data Protection Regulation (“GDPR”), which is in effect as of May 25, 2018, is an iteration of the existing data protection law defined and enforced by the European Union. 

Vitalerter LTD (“Company” or “we”) is committed to ensuring that its services comply with the GDPR, and that its clients can continue to use its services. For months, Company has designated an internal team, accompanied by the Company’s legal consultants and other professional and expert consultants, for the sole purpose of ensuring all required actions are taken in order to achieve GDPR compliance.

Please see below a general overview which details the Company’s compliance with the GDPR. For additional information, please contact us at info@vitalerter.com.

Data Processing
Company only processes personal data to the extent necessary and in accordance with applicable privacy laws including the GDPR. Company has ensured that there is an applicable lawful basis for any and all processing of EEA data subjects’ Personal Data and has entered into applicable Data Processing Agreements with its vendors. In addition, Company has ensured all legal documents, including, without limitation, agreements and the privacy policy, are compliant with the GDPR.

Technological Organizational and Security Standards
The Company has completed an in-depth audit mapping out all of the Personal Data and data sets which it processes, as well as the technical and organizational security measures used in order to safeguard and protect such data. For additional information, please see Vitalerter’s privacy policy.

Education
Company has ongoing training for its personnel and employees with regard to the GDPR, Company’s data practices and the importance of data security.

Transparency to Regulators
Company maintains accurate and accessible written records, to the extent legally required, to provide to supervisory authorities in a timely manner, as required under applicable laws including the GDPR.

User Rights
In accordance with GDPR, data subjects may exercise the following rights:
• Request to access Personal Data.
• Request the rectification of Personal Data.
• Request the erasure of Personal Data.
• Request to restrict processing of Personal Data.
• Object to processing of Personal Data.
• Request to exercise right of data portability.
• Right to file a complaint to a supervisory authority.
• Right to withdraw consent (to the extent applicable).
In order to exercise any of the above rights, please fill in this form.

Incident Responsiveness
Company has implemented a process for the event of a data breach and will provide the data controllers, the regulators and the end users with immediate notification to the extent required under applicable law.

Legal Documentation
Our Legal team is busy ensuring our legal documentation is updated to reflect any changes and to include the mandatory Processor provisions required by Article 28 of the GDPR.