Security

DISPLAY.IO INFORMATION SECURITY POLICY

[Last Updated: May 6, 2018]

Display.io (“Display.io” “Company” or “we”) is committed to provide transparency regarding the security measures which it has implemented in order to secure and protect Personal Data (as defined under applicable law, including the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”)) processed by the Company for the purpose of providing its services as detailed in Company’s Privacy Policy.

This information security policy (“Policy”) outlines the Company’s current security practices as of the “Last Updated” date indicated above. We will keep updating this Policy from time to time, as required by applicable laws and our internal policies.

As part of our GDOR compliance process (available at: www.display.io/gdpr) we have implemented, technical organizational monitoring protections, and established an extensive information and cyber security program, all with respect to data processed by us. We take best efforts to ensure our employees, contractors, as well clients, comply with this Policy.

Physical Access Control

Display.io ensures the protection of the physical access to the data servers which store the Personal Data for Display.io.  Display.io works exclusively with Amazon, as its main cloud storage to host the Display.io Personal Data (for additional information regarding Amazon’s Security see here). Further, Display.io secures the physical access to its offices to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitor, etc.) can access Display.io’s offices.

System Control

Access protection for all Personal Data processing systems through user authentication. Access to Display.io’s database is highly restricted, the restrictions are through protections implemented therein in order to ensure that solely the appropriate prior approved personnel, can access Display.io’s database. Safeguards related to remote access and wireless computing capabilities are in implemented therein. The databases are protected and solely authorized personnel may access such database by using a designated password. Employee are assigned private passwords that allows strict access or use related to Personal Data all in accordance with position, and solely to the extent such access or use is required. There is constant monitoring of the access to the data and the passwords used to gain login access.

Data Access Control

There are restrictions in place in order to ensure that the access to the Personal Data is restricted to employees which have a requirement to access it, all in order to ensure that Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. The access to the Personal Data, as well as any action performed involving the use of the Personal Data requires a password and user name, which is routinely changed, as well as blocked when applicable. The user password is fully encrypted. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, Display.io has ongoing review of which employees’ have authorizations, to assess whether access is still required. Company revokes access immediately upon termination of employment. Authorized individuals can solely access Personal Data that is established in their individual profiles.

Organizational and Operational Security

Display.io invests a multitude of efforts and resources in order to ensure compliance with the Company’s security practices, as well as continuously provides employees training. The Company strives to raise awareness to the risk involved in the processing of Personal Data. In addition, Display.io implemented applicable safeguards for its hardware and software, including firewalls and anti-virus software on applicable Company hardware and software, in order to protect against malicious software.

Transfer Control

The Company does not transfer any Personal Data outside of the Company’s cloud servers. All transfer of Personal Data between the client side and the Company’s servers is protected using encryption safeguards such as L2TP, IPsec (or equivalent protection), as well as encryption of the Personal Data prior to the transfer of any Personal Data. Display.io’s servers are protected by industry best standards.

Availability Control

The Company’s servers include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodical checks are preformed to determine that the backup have occurred.

Data Retention

Personal Data and raw data are all deleted automatically as soon as such data and Personal Data is no longer required in order for Display.io to provide its Services, all in accordance with applicable laws.

Job Control

All of Display.io’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In addition, employees undergo a screening process applicable per regional law. In the event of a breach of an employee’s obligation or non-compliance with Display.io’s policies, the Company includes repercussions to ensure compliance with the Company’s policies. In addition, prior to Display.io’s engagement with third party contractors, Display.io reviews such third party’s security policies, specifically their information data security policies to ensure it complies with the Display.io standard for data security protection. Third party contractors may solely access the Personal Data as explicitly instructed by the Display.io. Furthermore, the destruction of Personal Data following termination of the engagement is included within the contract between the parties. In addition, to the extent applicable, Display.io’s business partners execute an applicable Data Processing Agreement, all in accordance with applicable laws.