Statement of Technical and Organizational Measures
Our Policies Re: Data Encryption and Control
For any personal data or electronic transmission over which PolicyPak has any measure of control, the company promises to take whichever steps it deems necessary to ensure that such material cannot be used in any substantial way by anyone who lacks the proper authority to do so. To accomplish that, PolicyPak will implement the latest and most effective market-based encryption practices available at the time of the transmission. Currently, these include Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Internet Protocol Security (IPSec), but those measures are constantly reviewed for efficacy and safety, with an eye to protocol replacement should that become necessary.
When it comes to securing information and data owned by customers, such as that stored on PolicyPak Cloud, we take specific precautions to keep everyone's data safe.
The details of those precautions can be found here: https://kb.policypak.com/kb/article/205-what-data-is-stored-in-policypak-cloud-andhow-is-that-data-safely-communicated-and-stored/
In addition, we reserve the right to implement and make use of a Web Application Firewall (WAF) to add an extra layer of protection to all data under our control, especially data stored on the PolicyPak Cloud. We will configure said WAF to address and mitigate any and all potential weaknesses we suspect and/or identify on our network, systems and servers, including, but not limited to, common attack methods.
The range of possible attack methods includes publicly released third-party vulnerabilities, all of which we review for their relevance to the PolicyPak system and environment. Whenever we discover a potential risk to PolicyPak's business or its customers, we will always predetermine a timeframe for remediation, regardless of the level of that risk. Whenever we deem such measures necessary, we will make use of scanners and code reviews as we develop new systems and software, as a way to proactively detect weaknesses in code and address any possible risk, no matter how small, and to monitor compliance with local and regional laws and regulations, as well as all contracts and other agreements we enter into in the course of business.
This information security overview applies to PolicyPak's corporate controls for safeguarding Personal Data that is processed by PolicyPak, its affiliates, or its corporate customers. Applicable compliance requirements include areas such as intellectual property, software licensing, privacy protection, financial and operational procedures, export regulations, and data security, for both PolicyPak and our customers.
Efforts to Maintain Safety and Security for Employees
PolicyPak has policies in place to screen employees as part of the recruitment and intake process, so that its employees are as honest and responsible as possible. That includes an employee background check wherever it is appropriate and practical and permitted by local regulations. The same screening applies to customers and vendors who may have access to any PolicyPak networks, servers or systems.
PolicyPak also requires all prospective employees to provide proof of identification, in line with the laws and regulations of the country of hire. The same requirement applies to those who work in other company divisions and to those who work for customers whose use of our services requires them to access PolicyPak servers, systems and facilities as part of their regular job and under standard agreements.
In addition, PolicyPak employees are required to complete a training program designed to increase their awareness of online data protection and information security, and they are legally bound to maintain data confidentiality through standard agreements and contracts.
Other Security Measures Taken by PolicyPak
In addition to vetting our employees to the extent necessary and possible, PolicyPak also restricts access to its systems. Our policy is to limit use to authorized users. Even those who are granted access are limited to the specific level of access to personal data that is needed to perform their job duties and nothing more. Their access is further restricted by formal procedures and controls that grant only the access appropriate to those specific job duties. Beyond those restrictions, PolicyPak personnel must agree to use only the minimum amount of personal data needed to do their job effectively. They are also subject to policies intended to prevent them from reading, copying, modifying, or removing personal data beyond what those duties require.
All personal data is retained by PolicyPak in accordance with the standard customer contract or, if that does not apply, PolicyPak's policies and practices for records management. Under those policies, hardcopy personal data is disposed of by a vendor with a disposal bin system or by secure shredding, while electronic data is disposed of according to procedures developed by the company's IT Asset Management team for proper and secure disposal. PolicyPak also has measures in place to restrict who can input personal data, what types of personal data can be input, and who can access those inputs; such access is recorded and archived.
The Importance of Information Security Organization-Wide
Our commitment to information security has led PolicyPak to develop a set of corporate security policies that serve a number of important purposes, both internally and for our corporate customers. Most importantly, our corporate security policies extend responsibility for data safety and security to all employees, especially those whose job it is to process personal data for customers.
Likewise, the PolicyPak IS Department is ultimately responsible for setting the security strategy for the entire company and its customers. It works to ensure that security policies and procedures comply with all applicable statutory and regulatory requirements, and it conducts risk management assessments so that company standards and practices address all security requirements that fall under the various contracts we enter into with customers.
The IS Department at PolicyPak is expected to adopt safety, security, and privacy controls that monitor and maintain the overall security of PolicyPak's internal and external technological environments. The IS Department works with every PolicyPak department, including Legal, Compliance and Human Resources, and all have been equipped with what they need to carry out investigations and respond to information and data security incidents.
The Importance of Protecting All Assets, Regardless of Type
In addition to handling data breaches and violations of laws and regulations covering data handling, the PolicyPak IS Department is charged with developing security policies and best practices. To that end, it also consults with developers on software architecture and tests all products for safety and security.
Under its overarching security policies, and to the extent possible, PolicyPak tracks and manages all key assets of all types, including the physical and software assets at the heart of our business model, such as computers, servers, and backup and archival media (including those maintained to serve business continuity and disaster recovery plans), as well as data classifications.
In addition, our plan is to protect and preserve informational assets, such as identified databases and their classifications, as well as all other assets determined to be critical to the business of PolicyPak and the businesses of our customers and clients. We follow all available industry guidance for these assets, including data encryption and management, monitoring and assessment and, eventually, destruction of data at the appropriate time. We do this because the proper handling of company and personal data is a key element of a secure environment that benefits all aspects of the business.
Our Practices Reflect Our Position on Information Security
As a matter of policy, PolicyPak maintains a data privacy and security program that covers a wide variety of policies and procedures designed to govern access rights and restrictions, record retention and management, and the safe preservation and protection of sensitive data, including personal data where necessary.
Over time, PolicyPak has implemented information security policies and procedures carefully designed to maintain an appropriate security regimen, and it reviews and updates them on a regular basis as a way to safeguard data security and privacy. All information security policies developed by PolicyPak, including those regarding credentialing programs and data privacy, are reviewed at least once a year and updated as necessary, based on changes found to be necessary and effective.
How We Respond to Security Incidents
PolicyPak has put in place controls and systems intended to detect and remediate fraudulent or malicious use of our assets, as well as the placement of malicious software. In addition, we have taken measures to identify and report potential incidents to PolicyPak's IS Department so that appropriate action may be taken. The strictest controls include, but are not limited to, restricted access; information security policies and standards; virus detection; and the scanning of all email attachments. PolicyPak also scans files to check system compliance, scans designated development and test environments, and implements intrusion prevention monitoring and response. We also implement specific firewall rules, as well as logging and alerts for key events. In addition, we review all policies and procedures at least annually, and we implement additional controls based on the risks we identify.
Just as important as recognizing the need for data safety and security protocols is the need to recognize when they have been breached and to act appropriately in response. PolicyPak has always maintained and regularly updated a policy for responding to data security incidents, along with related policies and procedures that direct the response PolicyPak will probably take should an incident occur, such as theft or any other loss of control over data that is important to the company or its customers. Potential measures to regain control of and security over these assets include incident analysis and containment and isolation of the data; we will implement virtually any measure that can lead to an eventual return to normal operations.