Last Modified: 06 May, 2018
Iron Mountain Technology limited (“Company”) takes information security seriously. This information security overview and policy (“Security Policy”) applies to the safeguarding of users’ Personal Data (as defined by applicable legislation, including the EU General Data Protection Regulation, “GDPR”) processed or collected in connection with the delivery of the Company’s various service platforms (“Service(s)”).
The Company has implemented the technical and organizational measures described below to protect the Personal Data it processes against loss, unlawful acts, destruction, alteration, and unauthorized disclosure or access. The Company has established a comprehensive information and cyber security program with which all employees and personnel, including the Company’s customers and business partners, must comply.
The Company has prepared this Security Policy to provide you with a summary of the security measures and policies it applies when providing the Services and thereafter.
System Access Control
Access to corporate systems is restricted and is based on procedures that ensure appropriate approvals are granted only when needed. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place. The systems are also protected so that only authorized employees may access them, using a designated password.
Physical Access Control
The Company secures all physical access to facilities that contain Personal Data, such as the Company’s offices and server centers. The Company secures access to its offices and ensures that only authorized persons have access. Further, an alarm system is installed on the premises and is activated at all times during non-working hours. The Company’s servers are located in protected facilities in which physical access is controlled by professional security staff. Further, the Company has entered into applicable and binding processing agreements with each server service provider. In addition, when Personal Data is transferred to the applicable servers, it is always done in a secure and encrypted manner. The Company’s servers are protected by security systems and measures that meet industry best standards. The Company balances its approach to physical security by considering elements of control that include architecture, operations, systems, performance, compatibility and interoperability.
Data Access Control
Access to the Personal Data is restricted solely to employees with a “need to know” and is protected by user names and passwords. Access to the Personal Data is secured by VPN and is tightly managed by access control policies. The Company uses high-level security measures to ensure that the Personal Data will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company audits any and all access to the database, and any unauthorized access is immediately reported and handled.
Organizational and Operational Security
It is the responsibility of individuals across the Company to comply with these practices and standards. The Company educates its employees, service providers, consultants and contractors, and raises awareness of the risks associated with any processing of Personal Data. Internal security testing is performed on a regular basis. Further, the Company’s IT team ensures the security of all hardware and software in use within the Company, for example by installing anti-malware software on computers to protect against malicious use and malicious software (additional controls may be implemented based on risk), virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, system and application vulnerability scanning, and the use of secured email transfer.
The goal of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data, or during their transport or storage in the applicable data center. The Company prevents any unneeded creation of copies and has incorporated prevention of non-digital output transmission of the data sets (including the Personal Data). Further, any access to the Personal Data from outside the Company network is possible solely by means of a secured VPN connection. Last, any and all transfers of the data (whether between servers, from client side to server side, or between the Company’s designated partners) are secured and encrypted (HTTPS).
Personal Data and raw data are all deleted as soon as possible or as legally applicable.
Employees and data processors have all signed applicable and binding agreements, all of which include applicable data provisions and data security obligations. Further, as part of the employment process, employees undergo a screening process as applicable under regional law. Employees are bound to follow the Company’s policies and procedures, and breaking or not following these will result in disciplinary action up to and including termination, in accordance with local law. An employee will not gain access to the data until the Company is confident that the employee is well educated and responsible enough to handle the Personal Data, if needed, in a secure manner. In addition, the Company holds annual compliance training, which includes data security education.
THE INFORMATION SECURITY, LEGAL, PRIVACY AND COMPLIANCE DEPARTMENTS WORK TO IDENTIFY REGIONAL LAWS AND REGULATIONS APPLICABLE TO THE COMPANY’S COMPLIANCE. HENCE, THIS SECURITY POLICY MAY BE UPDATED FROM TIME TO TIME IN ACCORDANCE WITH ANY APPLICABLE LEGISLATION OR INTERNAL POLICIES.