Data Processing Agreement (DPA)

ANNEX II: TECHNICAL AND OPERATIONAL SECURITY MEASURES

Nelio implements and maintains appropriate technical and organizational Security Measures for the Processing of Personal Data, including the measures set out in this Annex II to the Data Processing Agreement.

Nelio may update or modify these Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services. 

The technical and organizational security measures implemented by Nelio are in accordance with the SCCs. 

Physical Access Controls

Measures, where Nelio reasonably can, to prevent unauthorised persons from gaining access to Nelio’s Services processing data.

  • Services Infrastructure. Nelio hosts its Service infrastructure with the multi-tenant data centre provider AWS, which is compliant with Cloud Security Alliance STAR Level 2, ISO 9001, 27001, 27017, 27018, 27701, 22301, PCI DSS Level 1, and SOC 1, 2, and 3 standards.
  • Services providers. Additionally, we maintain contractual relationships with other providers in order to provide the Services. Nelio relies on contractual agreements, privacy policies, and compliance programs in order to protect data processed or stored by those providers.

Logical Access Controls

Measures, where Nelio reasonably can, to prevent Services processing data being used without authorisation.

  • Personnel and confidentiality: Nelio personnel are required to conduct themselves in a manner consistent with Nelio’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
  • Least access privileges: Nelio adopts a least access privileges principle for providing access to the code. Commits to production code are strictly reviewed, and approval is restricted to just the Chief Product & Quality Officer and/or the Chief Technology Officer, after passing Unit Testing and QA in Test and Staging.
  • Limited access: The data stored on production servers is accessible only to the Chief Product & Quality Officer, the Chief Technology Officer and CEO.

Data Access Controls

Measures, where Nelio reasonably can, to ensure that persons entitled to use the Services processing Personal Data gain access only to such Personal Data as they are entitled to access in accordance with their access rights and Controller’s instructions, and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorisation (data access control).

  • Authentication: Access to Nelio systems is subject to password standards in conjunction with multi-factor authentication. Customers who interact with the Plugins within their websites must authenticate into their Customer websites before accessing non-public customer data.
  • Authorization: Customer Data is stored in the multi-tenant storage system AWS accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
  • Application Programming Interface (API) access: Public product APIs may be accessed using an API key.

Data Transfer Controls

Measures, where Nelio reasonably can, to ensure that Personal Data cannot be read, copied, modified or deleted without authorisation during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified.

  • In-transit: Nelio utilizes HTTPS (Hypertext Transfer Protocol Secure), HSTS (HTTP Strict Transport Security), and TLS (Transport Layer Security) protocols to establish a secure connection between your device and our servers. This ensures that all data transmitted between your browser and our Services is encrypted and protected from unauthorized access.
  • At-rest: Nelio stores user passwords following policies that follow industry standard practices for security. Nelio has implemented technologies to ensure that stored data is encrypted at rest.

Entry Controls

Measures, where Nelio reasonably can, to ensure the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems.

  • Detection: Nelio’s infrastructure logs extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Nelio personnel are responsive to known incidents.
  • Response and tracking: Nelio maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by Nelio, and appropriate resolution steps are identified and documented. For any confirmed incidents, Nelio will take appropriate steps to minimize product and Customer damage or unauthorised disclosure.
  • Communication: If Nelio becomes aware of unlawful access to Customer data stored within its products, Nelio will: 1) notify the affected Customers of the incident; 2) provide a description of the steps Nelio is taking to resolve the incident; and 3) provide status updates to the Customer contact, as Nelio deems necessary.

Control of Instructions

Measures to ensure that, where Nelio is processing Personal Data, it is done solely in accordance with the Customer’s instructions.

  • Services solutions. Nelio provides solutions (plugins) to Customers to conduct their marketing and experimenting activities, subject to the DPA. Customers control the data types collected by and stored within their websites. Nelio never sells personal data to any third party.
  • Terminating customers. Nelio maintains a data retention policy setting out the retention periods for various types of data based on legal requirements, justified interests and the purposes of collection as described in the DPA. Marketing aggregated information stored in backups, replicas, and snapshots is not automatically purged, but instead ages out of the system as part of the data lifecycle. Nelio reserves the right to alter the data purging period in order to address technical, compliance, or statutory requirements.

Availability Controls

Measures, where Nelio reasonably can, to ensure that Personal Data are protected against accidental destruction or loss (availability control).

  • Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation and air conditioning (HVAC) services.
  • Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
  • Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
  • Redundancy and failover: Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

Separation Controls

Measures, where Nelio reasonably can, to ensure that Personal Data collected for different purposes can be processed separately, based on Customer’s instructions (separation control), using, where applicable and reasonably practicable, industry standard encryption and/or pseudonymization.

  • Product Improvement. Nelio’s collection of personal data from its Customers is to provide and improve our Services and shall be done in an aggregate and anonymous manner. Nelio does not use that data for other purposes that would require separate processing.

Organizational Controls

Security Policy and Counsellor, Supervision, Inspection and Maintenance

  • Organizational Structure: The Nelio team consisting of the Chief Product & Quality Officer, Chief Technology Officer and CEO is responsible for facilitating security, privacy and compliance procedures and guidelines at Nelio.
  • Centralized Documentation: Nelio has completed centralised documentation relating to security, which is complete and formalized, proportional to security needs, up-to-date at any time and accompanied by a directory at the disposal of properly authorized persons whenever necessary.
  • Organizational Security: Nelio has made available sufficient and adequate organizational, technical and financial resources to organize security. All employees participating in the Processing of Personal Data are sufficiently informed about their duties and responsibilities during Processing operations and conduct themselves in accordance with established company guidelines and policies.
