Privacy Policy
The term “Confidential Information” means all information shared by one party with another, whether verbally or in writing, that is marked as confidential or should reasonably be considered confidential given the nature of the information and the context of disclosure. It excludes any information that has become publicly available without the receiving party’s involvement. EmpMonitor’s Confidential Information includes, but is not limited to, the features, functionality, and performance of the Service, as well as your interactions with the Service. Your Confidential Information includes, but is not limited to, the Content you provide.
Each party shall hold the other party’s Confidential Information in strict confidence. This means using it only in accordance with the terms of the Agreement, and permitting its use only on a need-to-know basis by employees and consultants of the receiving party who have signed a confidentiality agreement containing terms similar to those of this Agreement. Each party agrees not to disclose the other party’s Confidential Information to any third party except as required by applicable law, to implement appropriate security measures to prevent unauthorized access, use, or copying of the other party’s Confidential Information, and to notify the other party in writing of any misuse or misappropriation of its Confidential Information of which the receiving party becomes aware, all without derogating from the terms of the EmpMonitor Privacy Policy.
1. Privacy & Cybersecurity Indemnification
You agree that the EmpMonitor Services and Platform are used to process information and Personal Data that you provide on an individual basis or by way of a transfer by a business entity under these Terms, and for purposes of these Terms you are designated the data Controller and EmpMonitor is designated as Processor, as those terms are defined in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”). You further agree and acknowledge your obligations as the data Controller under the Personal Data Processing Addendum set forth below. To the fullest extent permitted by law, for all Personal Data that you collect, process via the Services or maintain on the Platform, you shall indemnify and hold EmpMonitor and its officers, directors, trustees, shareholders, employees, and agents (each an “Indemnified Party”) harmless from and against any and all damages and liabilities or third-party claims against any Indemnified Party, for loss, cost, damage, or expense of every kind and nature (including, without limitation, penalties imposed by law, regulations, or rules of any regulatory authority, court costs, expenses, and reasonable attorneys’ fees) to the extent arising out of or relating to privacy and cybersecurity requirements, including without limitation failure to comply with Articles 5 to 21 and 32 to 37 of the GDPR, or resulting from, in whole or in part, the breach or non-compliance with this Agreement or the omission, negligence, gross negligence or willful misconduct by you or any of your representatives.
2. Data Processing Addendum
In addition to the terms agreed between EmpMonitor and the Customer for subscriptions to the EmpMonitor Services and Platform, this Personal Data Processing Addendum (“PDPA”) covers personal data processing, privacy, and cyber security duties. By agreeing to these Terms, Customer acknowledges that it and its Authorized Affiliates qualify as the “Controller” as defined under the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) to the extent that EmpMonitor processes Personal Data in connection with Customer’s subscription to the Platform. All capitalized terms not defined in this PDPA shall have the meaning set forth in the Terms. In the course of providing the Services to Customer pursuant to the Terms, EmpMonitor may Process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions with respect to any such Personal Data.
2.1 Integration
This PDPA shall not replace any equivalent or additional rights related to the processing of Customer Data that are set out in the Terms.
2.2 Processing Of Personal Data
Roles of the parties
The parties acknowledge and agree that, with regard to the Processing of Personal Data, Customer is the Controller, EmpMonitor is the Processor, and EmpMonitor or members of the EmpMonitor Group will engage Sub-processors in accordance with the conditions outlined in Section 10 “Subprocessors” below.
Customer’s processing of personal data
The Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, the Customer’s instructions for the Processing of Personal Data must comply with all applicable Data Protection Laws and Regulations. The Customer is solely responsible for the accuracy, quality, and legality of Personal Data and for the means by which the Customer obtained it.
EmpMonitor’s processing of personal data
EmpMonitor shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Terms and applicable order form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
Processing details
The provision of the Services in accordance with the Terms is the subject-matter of EmpMonitor’s processing of personal data. The length of the Processing, the nature and purpose of the Processing, the categories of Data Subjects Processed under this PDPA, and the kinds of Personal Data are further described above.
2.3 Rights Of Data Subjects
Data subject request
EmpMonitor is committed to protecting the privacy and rights of data subjects whose personal data we process on behalf of our clients. This policy outlines our procedures for managing data subject requests efficiently and in compliance with applicable data protection regulations.
2.3.1 Procedures:
Identification and Logging
EmpMonitor will promptly identify and log all data subject requests received from our clients. Requests may be submitted through various channels, including email, phone, or in-person interactions.
Verification of Identity
Before processing any request, EmpMonitor will verify the identity of the data subject to prevent unauthorized disclosure of personal data. Valid forms of identification may include government-issued IDs or any other means deemed appropriate.
Processing of Requests
EmpMonitor will process data subject requests within the time frames prescribed by relevant legislation (e.g., GDPR, CCPA). Requests will be handled in accordance with applicable data protection laws and regulations.
Collaboration with Client
If the request involves sharing personal data with the client, EmpMonitor will collaborate closely with the client’s designated contact person or data protection officer. Any necessary approvals and permissions will be obtained from the client before sharing personal data.
Documentation and Records
EmpMonitor will maintain comprehensive records of all data subject requests received and the actions taken in response. Records will include details such as the nature of the request, verification of identity, actions taken, and any communication with the data subject.
Training and Awareness
Employees involved in handling data subject requests will receive training on data protection laws, company policies, and procedures. Regular awareness sessions will be conducted to ensure all personnel understand their roles and responsibilities.
2.4 EmpMonitor Personnel
Confidentiality
EmpMonitor shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. EmpMonitor shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
Reliability
EmpMonitor shall take commercially reasonable steps to ensure the reliability of any EmpMonitor personnel engaged in the Processing of Personal Data.
Limitation of access
EmpMonitor shall ensure that EmpMonitor’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
3. Security
Customers shall be responsible for obtaining and maintaining any equipment and ancillary services needed to connect to, access or otherwise use the Services, including, without limitation, modems, hardware, servers, software, operating systems, networking, web servers and the like (collectively, “Equipment”).
Customer shall also be responsible for maintaining the security of the Equipment, Customer account, passwords (including but not limited to administrative and user passwords) and files, and for all uses of the Customer account or the Equipment with or without Customer’s knowledge or consent.
EmpMonitor will maintain reasonable physical and technical safeguards to prevent unauthorized disclosure of or access to Content, in accordance with industry standards. EmpMonitor will notify you if it becomes aware of unauthorized access to Content.
EmpMonitor will not access, view or process Content except (a) as provided for in this Agreement and in the EmpMonitor privacy policy (“Privacy Policy”); (b) as authorized or instructed by you; (c) as required to perform its obligations under this Agreement; or (d) as required by applicable law. EmpMonitor has no other obligations with respect to Content.
4. Customer Data Incident Management and Notification
EmpMonitor maintains security incident management policies and procedures specified in the Security, Privacy and Architecture Documentation and shall notify Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by EmpMonitor or its Sub-processors (a “Customer Data Incident”). EmpMonitor shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps EmpMonitor deems necessary and reasonable to remediate the cause, to the extent the remediation is within EmpMonitor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
5. Distribution of Roles and Responsibility
EmpMonitor has implemented an organizational model that defines roles and responsibilities concerning data protection. The following roles and responsibilities are established:
5.1 System Administrator Appointment
All employees who will have access to premises hosting EmpMonitor’s software solution are formally appointed as System Administrators. This appointment signifies their responsibility for ensuring the security and protection of personal data processed within the premises. As System Administrators, these employees are tasked with implementing appropriate technical and organizational measures to safeguard personal data, including access controls, encryption, and regular security assessments. They are also responsible for monitoring compliance with data protection policies and procedures, as well as responding to any data security incidents or breaches that may occur.
5.2 Data Protection Officer (DPO)
EmpMonitor appoints a Data Protection Officer (DPO) to oversee compliance with data protection laws and regulations, including the specific requirements of Italian regulations. The DPO is responsible for advising on data protection matters, monitoring compliance with data protection laws, conducting privacy impact assessments, and serving as the point of contact for data protection authorities and data subjects.
5.3 Management Responsibilities
EmpMonitor’s management team holds ultimate responsibility for data protection within the organization. Management is responsible for establishing a culture of data protection, providing resources and support for compliance efforts, and ensuring that data protection policies and procedures are effectively implemented and maintained throughout the organization.
5.4 Employee Training and Awareness
All employees receive training and awareness programs on their roles and responsibilities concerning data protection. This includes understanding the importance of protecting personal data, adhering to data protection policies and procedures, and reporting any potential data security risks or incidents to the appropriate channels.
5.5 Regular Review and Update
EmpMonitor regularly reviews and updates its organizational model for data protection roles and responsibilities to ensure alignment with evolving legal requirements and best practices in data protection. This includes assessing the effectiveness of existing roles and responsibilities, identifying areas for improvement, and implementing any necessary changes to enhance data protection practices.
6. DPO Appointment
EmpMonitor takes the protection of personal data seriously and recognizes the importance of compliance with the General Data Protection Regulation (GDPR). As such, we have appointed a Data Protection Officer (DPO) to oversee our data protection efforts and ensure compliance with applicable data protection laws and regulations.
6.1 Role of the DPO
The DPO serves as an independent person responsible for educating EmpMonitor and its employees about compliance with data protection laws, including the GDPR.
6.1.1 The DPO’s responsibilities include
Educating the Company: The DPO educates EmpMonitor and its employees about their obligations under data protection laws, including the GDPR. This includes raising awareness of privacy risks and best practices for protecting personal data.
Training Staff: The DPO provides training to staff involved in data processing activities to ensure they understand their responsibilities and adhere to data protection policies and procedures.
Conducting Security Audits: The DPO conducts regular security audits to assess EmpMonitor’s data protection measures and identify any vulnerabilities or areas for improvement.
6.1.2 Contacting the DPO
If you have any questions or concerns about data protection at EmpMonitor, or if you would like to contact our Data Protection Officer, you can reach them at [email protected]
7. Return And Deletion Of Customer Data
EmpMonitor shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and time frames specified in the Security and Privacy Documentation.
7.1 DATA RETENTION POLICY
EmpMonitor maintains a data retention policy to govern the storage and disposal of user data collected through its platform in compliance with applicable laws and regulations, as well as to optimize system performance and resource utilization.
Retention Period
User data collected by EmpMonitor will be retained for a period determined by the nature of the data and its relevance to the purposes for which it was collected. The retention periods are as follows:
Employee activity logs: Retained for a minimum of [X] months/years for performance evaluation and compliance purposes.
Personal identification information: Retained only for the duration of the user’s employment or contractual relationship with the organization and securely deleted thereafter, unless required for legal or regulatory compliance.
Data Anonymization
Where feasible and in accordance with privacy regulations, EmpMonitor will anonymize or pseudonymize user data once it is no longer necessary for the intended purpose. Anonymized data may be retained for analytical or statistical purposes without time limitation.
Communication with Data Subjects
EmpMonitor will communicate with data subjects (employees or users) regarding the retention, erasure, or anonymization of their data as required by applicable data protection laws. This communication may include providing clear information on data retention periods, rights to access and rectify personal data, and procedures for data erasure requests.
Deletion or Erasure Process
At the end of the retention period or upon receipt of a valid data erasure request from the data subject, EmpMonitor will promptly and securely delete or anonymize the relevant user data from its systems and databases. This process includes:
● Removal of data from primary storage systems.
● Secure deletion from backups and archives.
● Confirmation of data erasure through audit trails or logs.
Backup Retention
Backup copies of user data will be retained for a limited period consistent with the primary retention period. Backup retention periods will not exceed the time necessary to ensure data recoverability in the event of system failures or data loss incidents.
Compliance and Review
This policy will be reviewed periodically to ensure compliance with changes in legal requirements, industry standards, and organizational needs. Any updates or revisions to the policy will be communicated to all relevant stakeholders. By adhering to this data retention policy, EmpMonitor aims to strike a balance between preserving necessary data for operational and legal purposes while respecting individual privacy rights and minimizing data storage risks.
7.2 GDPR (EU)
With effect from May 25, 2018, EmpMonitor will process personal data in compliance with the provisions of the GDPR that are relevant to EmpMonitor’s provision of its Services.
7.3 Data Protection Impact Assessment (DPIA)
With effect from 25 May 2018, upon the Customer’s request, EmpMonitor shall provide the customer with reasonable cooperation and assistance necessary to fulfil the customer’s obligation under the GDPR to carry out a data protection impact assessment related to the customer’s use of the services, to the extent customer does not otherwise have access to the relevant information, and to the extent such information is made available to EmpMonitor.
8. Privacy Risk Management
EmpMonitor is committed to proactively identifying, assessing, and managing privacy risks to ensure the protection of personal data entrusted to us. Our Privacy Risk Management Policy outlines our approach to identifying and mitigating potential privacy risks.
8.1 Monitoring and Framework
We systematically identify privacy risks associated with our data processing activities, including data collection, storage, and processing. This includes assessing potential risks related to data breaches, unauthorized access, data loss, and non-compliance with data protection laws.
Risk Assessment
We evaluate the likelihood and potential impact of identified privacy risks to prioritize them for mitigation. This assessment takes into account factors such as the sensitivity of the data involved, the volume of data processed, and the potential harm to individuals in the event of a privacy incident.
Risk Mitigation
We implement measures to mitigate identified privacy risks to an acceptable level. This may include implementing technical and organizational controls, such as encryption, access controls, pseudonymization, and regular security assessments.
Monitoring and Review
We continuously monitor and review our privacy risk management processes to ensure their effectiveness and responsiveness to changing circumstances. This includes regularly updating risk assessments, evaluating the effectiveness of risk mitigation measures, and adjusting our approach as necessary.
9. Continuity Management Plan
At EmpMonitor, we understand the importance of ensuring continuity of operations, especially in the face of unexpected events or disruptions. To address this, we have developed a comprehensive Continuity Management Plan. This plan outlines our strategies and protocols for maintaining essential business functions and safeguarding the personal data entrusted to us in various scenarios.
9.1 Key Components
Risk Assessment and Identification: We regularly assess potential risks and vulnerabilities that could impact operations, including natural disasters, technological failures, and human errors.
Business Impact Analysis: We identify critical business functions and the resources required to maintain operations.
Business Continuity Planning: We develop and maintain comprehensive plans for responding to emergencies and ensuring the continuity of critical operations.
Data Backup and Recovery: We implement robust data backup and recovery procedures to ensure the integrity and availability of personal data.
Emergency Response and Communication: We establish clear protocols for responding to emergencies and communicating with stakeholders, including employees, clients, and regulatory authorities.
Testing and Training: We conduct regular drills and exercises to test the effectiveness of the Continuity Management Plan and provide training to employees on their roles and responsibilities during emergencies.
9.2 Responsibilities
Management: Oversees the implementation and maintenance of the Continuity Management Plan.
Employees: Follow the protocols outlined in the plan and participate in training and testing activities.
10. Subprocessors
EmpMonitor utilizes third-party assistance to deliver essential services required for the operation and enhancement of the services we provide to our customers. We establish GDPR-compliant data processing agreements with each vendor responsible for processing personal data.
Vulnerability Assessment and Penetration Testing (VAPT) is also crucial for identifying and addressing security weaknesses in systems and applications. By systematically assessing vulnerabilities, prioritizing risks, and implementing appropriate countermeasures, organizations can protect sensitive data, ensure compliance with regulations, and maintain trust with stakeholders. VAPT enables proactive security measures, reducing the likelihood of successful cyberattacks and enhancing the overall security posture of the organization.
Here’s a breakdown of the process:
10.1 Testing the Main Domain (app.empmonitor.com)
Our main domain, app.empmonitor.com, serves as the central hub for users to access their employee monitoring dashboard.
We conduct comprehensive testing to ensure that users can seamlessly navigate through the interface, access relevant features, and manage employee monitoring activities effectively. Testing encompasses user experience, performance under varying loads, security measures, and compatibility with different browsers and devices.
10.2 Testing API Services
EmpMonitor offers a range of API services accessible through dedicated subdomains such as ping.empmonitor.com, reports.empmonitor.com, storelogs.empmonitor.com, and track.empmonitor.com. Each API service undergoes meticulous testing to guarantee reliability, accuracy, and adherence to documented specifications.
Our testing protocols include validating response integrity, error handling, data security measures, and interoperability with third-party integrations.
10.3 Testing Agents
Agents play a crucial role in collecting data from monitored devices and transmitting it securely to our platform. We rigorously test EmpMonitor agents across diverse operating systems and environments to ensure seamless integration, minimal resource consumption, and data accuracy. Testing encompasses agent deployment, data collection efficiency, compatibility with different device configurations, and resilience to network fluctuations.
10.4 Third-Party Sub-Processors We Use
● Google Cloud Platform (GCP)
● Google Analytics – Analytics
● aMember – CRM
● Sendgrid – Mailing Service
● Freshchat – for chat support
● Freshsales – Contacting and Supporting
11. Employee Management
Awareness-Raising Controls for New Recruits and Departing Employees
EmpMonitor is committed to maintaining the highest standards of data privacy and security. As part of our ongoing efforts to safeguard personal data, we have implemented policies and procedures to ensure that awareness-raising controls are carried out with regard to both new recruits and departing employees.
11.1 New Recruits
Upon joining EmpMonitor, all new recruits undergo comprehensive training on our data privacy and security policies. This training covers key aspects of GDPR compliance, including the handling of personal data, data protection principles, and the importance of maintaining confidentiality. New employees are required to review and acknowledge our privacy policy and undergo specific training modules tailored to their roles and responsibilities involving personal data processing.
11.2 Departing Employees
When an employee who has been accessing data leaves their job, EmpMonitor follows strict procedures to ensure the protection of personal data. This includes revoking access to all systems and data repositories promptly upon termination or resignation. Additionally, exit interviews are conducted to remind departing employees of their ongoing obligations regarding confidentiality and data protection. Furthermore, we conduct a thorough review of access logs and permissions to identify and address any potential security risks associated with the departure of personnel who have had access to sensitive data.
Notes: Awareness-raising controls for new recruits involve comprehensive training sessions covering GDPR compliance, data handling procedures, and confidentiality obligations.
Controls for departing employees include immediate revocation of access, exit interviews to reiterate confidentiality obligations, and a review of access logs to mitigate security risks associated with employee departures.
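The access-log review described for departing employees (and the third-party access monitoring in Section 12) is easiest to make repeatable as a script. The following is an added example written for this page; it is not EmpMonitor's own tooling. It assumes a constructed termination register keyed by username, a JSON-per-line access log with `ts`, `user`, `system` and `action` fields, and a snapshot of which accounts are still enabled per system. All three inputs and their field names are assumptions for illustration, embedded inline so the script runs offline. It reports two things a reviewer wants after an offboarding: any access recorded after the person's last working day, and any departed user whose account is still enabled and must be revoked.

```python
"""Offboarding access review: post-termination access and stale accounts.

Added example, not EmpMonitor's own tooling. Inputs below are constructed
for illustration; the log format and field names are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed termination register: user -> last working day (end of day, UTC).
TERMINATIONS = {
    "alice": "2024-03-01T17:00:00Z",
    "bob": "2024-03-05T17:00:00Z",
}

# Constructed access-log lines in a hypothetical JSON-per-line format.
ACCESS_LOG = """\
{"ts": "2024-03-01T09:12:00Z", "user": "alice", "system": "reports-db", "action": "login"}
{"ts": "2024-03-02T08:03:00Z", "user": "alice", "system": "reports-db", "action": "login"}
{"ts": "2024-03-03T11:40:00Z", "user": "alice", "system": "vpn", "action": "connect"}
{"ts": "2024-03-04T10:00:00Z", "user": "bob", "system": "storelogs-api", "action": "read"}
{"ts": "2024-03-06T07:55:00Z", "user": "carol", "system": "reports-db", "action": "login"}
{"ts": "2024-03-07T12:00:00Z", "user": "bob", "system": "storelogs-api", "action": "read"}
"""

# Constructed snapshot of accounts still enabled on each system (hypothetical).
ACTIVE_ACCOUNTS = {
    "reports-db": {"alice", "carol"},
    "vpn": {"carol"},
    "storelogs-api": {"bob", "carol"},
}


def parse_ts(s: str) -> datetime:
    """Parse an RFC 3339 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def post_termination_access(log_text: str, terminations: dict) -> list:
    """Return (user, system, ts) for every event later than the user's cutoff.

    Events by users not in the register and events on or before the cutoff
    are ignored; blank lines are skipped so the log can be concatenated.
    """
    cutoffs = {user: parse_ts(ts) for user, ts in terminations.items()}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        cutoff = cutoffs.get(event["user"])
        if cutoff is not None and parse_ts(event["ts"]) > cutoff:
            hits.append((event["user"], event["system"], event["ts"]))
    return hits


def stale_accounts(active: dict, terminations: dict) -> dict:
    """Return {system: sorted departed users still enabled} needing revocation.

    Systems with no departed users enabled are omitted from the result.
    """
    return {
        system: sorted(user for user in users if user in terminations)
        for system, users in active.items()
        if any(user in terminations for user in users)
    }


if __name__ == "__main__":
    for user, system, ts in post_termination_access(ACCESS_LOG, TERMINATIONS):
        print(f"POST-TERMINATION ACCESS: {user} on {system} at {ts}")
    for system, users in stale_accounts(ACTIVE_ACCOUNTS, TERMINATIONS).items():
        print(f"REVOKE on {system}: {', '.join(users)}")
```

Run against the constructed data, the first check flags alice's two logins on 2 and 3 March and bob's read on 7 March, while bob's read on 4 March (before his cutoff) and carol's activity are not reported; the second check lists alice on reports-db and bob on storelogs-api as accounts that were never deprovisioned. A hit in the first list after the second list is empty indicates access by a path outside the account inventory (a shared credential, a token, or a cached session) and deserves a closer look.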
12. Relations with Third Parties
The objective of this policy is to establish guidelines and processes to reduce the risk associated with third-party access to personal data, ensuring the protection of data subjects’ civil liberties and privacy.
12.1 Third-Party Data Management
Third-Party Vetting
Conduct thorough due diligence before engaging with third-party entities. Assess data handling practices, security measures, and compliance with regulations.
Data Processing Agreements
Establish formal agreements outlining terms, data protection, confidentiality, and usage limitations.
Access Control and Monitoring
Strictly control third-party access. Implement robust access controls, authentication mechanisms, and regular monitoring.
Data Minimization
Provide access only to essential personal data for designated tasks.
Training and Awareness
Train employees and contractors on data protection principles and their roles. Inform third-party entities of data protection obligations.
Incident Response and Notification
Have procedures for prompt response to breaches or incidents. Notify data subjects of breaches or incidents as required.
Compliance
Compliance with this policy is mandatory for all involved in processing personal data. Non-compliance may result in disciplinary action or legal consequences.
Review and Revision
Review periodically to ensure effectiveness. Amend as necessary to address emerging threats or regulatory changes.
13. Project Management
Identification and Evaluation of New Data Processing Activities
The purpose of this policy is to establish guidelines for the identification and evaluation of all new data processing activities conducted by EmpMonitor. This policy aims to ensure that data processing activities are conducted in compliance with relevant laws, regulations, and industry standards and that potential risks are identified and mitigated effectively.
13.1 Identification Process
Employees are required to report any new data processing activities within their departments to the Data Protection Officer (DPO). The DPO oversees the identification process and maintains a centralized register of all data processing activities.
13.2 Evaluation Criteria
Before commencing any new data processing activity, the responsible personnel must conduct a thorough evaluation to assess its compliance implications and potential risks. Evaluation criteria should include but are not limited to:
● Purpose and necessity of data processing
● Legal basis for data processing (e.g., consent, legitimate interests)
● Data minimization and relevance
● Security measures and safeguards
● Data transfer mechanisms (if applicable)
● Impact on data subjects’ rights and freedoms
● Potential risks to data confidentiality, integrity, and availability
● Compliance with applicable laws, regulations, and industry standards
Documentation and Approval
A detailed assessment report, outlining findings and proposed risk mitigation measures, must be submitted to the DPO for review and approval before commencing any new data processing activity.
Ongoing Monitoring and Review
Approved data processing activities are subject to regular monitoring and periodic reviews to ensure continued compliance with established criteria and regulatory requirements.
Training and Awareness
Personnel involved in data processing activities receive training and guidance on their responsibilities. Regular awareness sessions ensure an understanding of evolving data protection requirements.
Policy Review
The policy is subject to periodic review and updates to reflect changes in legal requirements, organizational processes, and technology.
14. Social Engineering Awareness
The objective of this policy is to implement an employee education program aimed at increasing awareness and understanding of social engineering risks among EmpMonitor employees. Social engineering risks pose a significant threat to the security and integrity of our organization’s data and assets. By educating employees about these risks, we aim to empower them to recognize and mitigate potential threats effectively
14.1 Education Program Overview
EmpMonitor will implement an ongoing education program focused on social engineering risks. The program will include training sessions, workshops, informational materials, and regular updates to keep employees informed about evolving threats and best practices.
14.2 Content and Topics
The education program will cover various aspects of social engineering, including phishing attacks, pretexting, baiting, tailgating, and other tactics used by malicious actors to exploit human psychology and manipulate employees into divulging sensitive information or performing unauthorized actions.
Specific topics will include:
● Identifying phishing emails and other suspicious communications.
● Recognizing social engineering techniques in various forms, including emails, phone calls, and in-person interactions.
● Understanding the potential consequences of social engineering attacks for both individuals and the organization.
● Best practices for verifying the legitimacy of requests for information or actions.
● Reporting procedures for suspected social engineering attempts or security incidents.
14.3 Training Delivery
The education program will utilize a variety of delivery methods to accommodate different learning styles and preferences. These may include in-person training sessions, online courses, webinars, interactive modules, and written materials. Training sessions will be conducted periodically throughout the year to ensure that all employees have the opportunity to participate and stay up-to-date on emerging threats.
14.4 Employee Participation
Attendance and participation in social engineering awareness training sessions and activities will be mandatory for all EmpMonitor employees. They will be required to complete assigned training modules and demonstrate an understanding of key concepts and best practices. Managers and team leaders will be responsible for encouraging active participation and ensuring that employees prioritize their training obligations.
14.5 Evaluation and Feedback
EmpMonitor will regularly evaluate the effectiveness of the education program through surveys, quizzes, assessments, and feedback mechanisms. Feedback from employees will be used to continuously improve the content, delivery, and relevance of the training materials and activities.
Notes: The education program should be designed in collaboration with cybersecurity experts and tailored to address specific social engineering risks relevant to EmpMonitor’s operations and industry sector.
Regular updates and revisions to the education program should be made in response to emerging threats, changes in technology, and lessons learned from real-world incidents.
The success of the program will depend on the active engagement and commitment of employees at all levels of the organization.
By implementing this policy, EmpMonitor aims to foster a culture of security awareness and resilience, empowering employees to play an active role in safeguarding the organization against social engineering threats.
15. Register of Data Processors
EmpMonitor recognizes the importance of maintaining a register of data processors to ensure compliance with data protection laws and to safeguard the privacy and security of personal data processed by the organization.
15.1 Policy Implementation
The Data Protection Officer (DPO) or designated personnel shall identify all third-party data processors who process personal data on behalf of EmpMonitor. The DPO or designated personnel shall maintain a central register of data processors. This register shall include the following information:
● Name and contact details of the data processor.
● Purpose of processing personal data.
● Description of the type of personal data processed.
● Details of any international transfers of personal data.
● Data security measures implemented by the data processor.
● Any relevant contractual agreements or data processing agreements in place.
15.2 Updates and Maintenance
The register of data processors shall be regularly reviewed and updated to reflect any changes in the processing activities or data processors engaged by EmpMonitor. Any new data processor engaged by EmpMonitor shall be documented in the register before the commencement of processing activities.
Access Control
Access to the register of data processors shall be restricted to authorized personnel responsible for data protection and compliance within EmpMonitor.
Training and Awareness
Relevant employees and stakeholders shall receive training and awareness sessions on the importance of maintaining a register of data processors and their role in ensuring compliance.
16. Data Breaches Notifications
EmpMonitor prioritizes the confidentiality, integrity, and security of the data it holds, including employee and client information. Prompt and effective communication of data breaches to all affected parties is crucial. This policy outlines procedures for identifying, assessing, and reporting breaches to mitigate damages and ensure transparency.
16.1 Definition of Data Breach
A data breach refers to the unauthorized access, disclosure, alteration, or destruction of sensitive or confidential information stored or transmitted by EmpMonitor. This includes but is not limited to employee records, client data, financial information, and proprietary business data.
16.2 Identification and Reporting Procedures
Suspected breaches are reported through EmpMonitor's established incident reporting channels. Upon notification, an investigation team assesses the breach’s scope, severity, and cause, documenting relevant details for further action.
16.3 Assessment and Risk Analysis
EmpMonitor conducts a risk analysis to evaluate breach severity and potential impact, determining appropriate response measures.
16.4 Notification Process
Affected individuals and stakeholders receive timely notifications via email, written correspondence, or public announcements, detailing the breach, compromised data, mitigation steps, and protection instructions.
16.5 Regulatory Compliance
EmpMonitor complies with data protection laws such as the GDPR and the CCPA, adhering to the notification requirements and deadlines set by the relevant regulatory authorities (for example, the GDPR requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach).
16.6 Documentation and Review
Comprehensive breach records, including incident reports and remedial actions, are maintained. Regular policy reviews ensure alignment with evolving regulatory requirements and best practices. This policy applies to all employees, contractors, and third-party service providers with system and data access. Non-compliance may result in disciplinary action, including termination. EmpMonitor’s Data Breach Notification Policy underscores transparency, accountability, and swift response to data breaches, safeguarding trust and operational integrity.
17. Privacy Compliance Training for Appliances
Our organization implements employee monitoring measures to enhance productivity, ensure security, and maintain compliance with regulatory requirements. This applies to all employees, contractors, and third-party entities who access or utilize organizational resources, networks, and information systems.
17.1 Types of Monitoring
Employee monitoring may include but is not limited to network traffic analysis, email monitoring, software usage tracking, video surveillance, and internet browsing logs.
17.2 Legal Compliance
All monitoring activities shall comply with relevant local, national, and international laws, including but not limited to data protection and privacy regulations.
17.3 Notice and Consent
Employees shall be provided with clear notice regarding the types of monitoring conducted, the purposes thereof, and their rights related to privacy and data protection.
17.4 Data Protection
Any data collected through monitoring activities shall be handled and stored securely, in accordance with established data protection policies and procedures.
17.5 Access Restrictions
Access to monitoring data shall be restricted to authorized personnel on a need-to-know basis, and shall not be disclosed to unauthorized individuals or third parties.
17.6 Employee Privacy
Employees shall have a reasonable expectation of privacy in the workplace, and monitoring shall be conducted in a manner that respects individual privacy rights to the extent possible.
17.7 Prohibited Activities
Monitoring shall not be used for unlawful purposes, such as discrimination, harassment, or retaliation against employees.
17.8 Employee Awareness
Employees shall receive training and awareness programs regarding the organization’s employee monitoring policies and practices.
17.9 Review and Update
This policy shall be reviewed periodically to ensure its effectiveness, relevance, and compliance with changing legal and business requirements.
TECHNICAL MEASURES
1. Storage of Encryption Keys
EmpMonitor acknowledges its accountability obligations under EU data protection regulations and is committed to ensuring the secure storage of encryption keys used to protect sensitive data.
Encryption keys are essential components of our data security infrastructure, serving to safeguard the confidentiality and integrity of personal data processed by EmpMonitor. To uphold the highest standards of data protection, we have implemented the following measures regarding the storage of encryption keys.
1.1 Secure Key Management System
EmpMonitor employs a secure key management system designed to centrally manage and protect encryption keys. This system utilizes industry-standard cryptographic protocols and best practices to ensure the confidentiality and integrity of encryption keys.
1.2 Role-Based Access Controls
Access to encryption keys is strictly controlled and limited to authorized personnel with a legitimate need to access such keys for operational purposes. Role-based access controls are enforced to prevent unauthorized access or misuse of encryption keys.
1.3 Physical and Logical Security Measures
Physical and logical security measures are implemented to safeguard the infrastructure and environments where encryption keys are stored. This includes access controls, surveillance systems, and intrusion detection mechanisms to prevent unauthorized access or tampering.
1.4 Regular Audits and Compliance Checks
EmpMonitor conducts regular audits and compliance checks to assess the effectiveness of our encryption key storage practices and ensure compliance with EU data protection regulations. Any identified vulnerabilities or non-compliance issues are promptly addressed and remediated.
Notes: EmpMonitor employs a secure key management system to centrally manage encryption keys. Access to encryption keys is restricted to authorized personnel based on role-based access controls. Physical and logical security measures are in place to protect the infrastructure where encryption keys are stored. Regular audits and compliance checks are conducted to assess and maintain the effectiveness of encryption key storage practices.
2. Partitioning Data
The Logical Separation of Data policy outlines EmpMonitor’s commitment to maintaining the integrity, confidentiality, and security of customer data stored in our cloud infrastructure. This policy establishes guidelines and procedures to ensure that data belonging to different organizations are logically separated within our cloud environment.
The purpose of this policy is to safeguard customer data by implementing robust measures for logical separation within EmpMonitor’s cloud infrastructure. By logically segregating data, we aim to prevent unauthorized access, mitigate the risk of data breaches, and uphold the trust of our customers.
This policy applies to all employees, contractors, and third-party service providers who have access to EmpMonitor’s cloud infrastructure and handle customer data.
2.1 Definition of Logical Separation
Logical separation involves isolating data belonging to different organizations at the logical level within our cloud infrastructure. It encompasses access controls, encryption mechanisms, data segregation techniques, monitoring, and incident response procedures.
2.2 Implementation Guidelines
Access Controls: Strict access controls will be enforced based on the principle of least privilege.
Encryption: All data stored in EmpMonitor’s cloud will be encrypted both in transit and at rest using industry-standard encryption algorithms.
Data Segregation: Data belonging to different organizations will be logically segregated using virtualization or containerization techniques.
Monitoring and Auditing: Robust monitoring and auditing mechanisms will be implemented to track access to sensitive data and detect unauthorized activities.
Incident Response: Established incident response procedures will be followed in the event of a security incident or data breach.
Responsibilities
Management: Responsible for establishing and enforcing policies related to logical data separation.
Employees and Contractors: Obligated to adhere to security protocols and procedures.
Third-party service Providers: Required to comply with contractual obligations related to data security.
2.3 Policy Compliance and Enforcement
Non-compliance may result in disciplinary action, including termination of employment or contract, and legal consequences for data breaches or violations of regulations.
2.4 Review and Revision
The policy will be reviewed periodically to ensure effectiveness and compliance with evolving security standards and regulatory requirements. Amendments will be communicated to relevant stakeholders. By adhering to this policy, EmpMonitor reaffirms its commitment to protecting customer data and maintaining trust in our cloud services.
3. Backup Policies
Measures for Ensuring Data Availability and Access Restoration.
3.1 Data Backup and Redundancy
EmpMonitor maintains regular backups of all critical data, including personal data, stored in secure and redundant locations. Backup processes are automated and scheduled to ensure data integrity and consistency. Redundant storage systems are in place to minimize the risk of data loss and enable rapid recovery in the event of hardware failures or disasters.
3.2 Disaster Recovery Plan (DRP)
EmpMonitor has developed and documented a comprehensive Disaster Recovery Plan outlining procedures and protocols for responding to various physical or technical incidents. The DRP defines roles and responsibilities, escalation procedures, and communication channels to facilitate prompt incident response and data restoration efforts. Regular testing and exercises are conducted to validate the effectiveness of the DRP and ensure readiness to mitigate potential disruptions to data availability.
3.3 Incident Response Team
EmpMonitor has established an incident response team comprised of experienced professionals responsible for managing and coordinating the response to physical or technical incidents affecting data availability. The incident response team is trained to assess the severity of incidents, initiate appropriate response actions, and prioritize the restoration of access to personal data.
3.4 Monitoring and Alerting Systems
EmpMonitor employs monitoring and alerting systems to detect and promptly notify relevant personnel of any anomalies or disruptions to data availability. Automated alerts are configured to trigger in response to predefined thresholds or patterns indicative of potential incidents, enabling proactive intervention to minimize downtime and data loss.
3.5 Regular Review and Improvement
EmpMonitor conducts regular reviews and assessments of its data availability measures to identify areas for improvement and optimization. Feedback from incident response exercises, post-incident reviews, and audits is used to refine and enhance existing processes and procedures.
Notes: Data backup and redundancy measures ensure the availability and integrity of personal data in the event of hardware failures or disasters. The Disaster Recovery Plan outlines procedures for responding to incidents and restoring data availability.
An incident response team is responsible for coordinating the response to incidents affecting data availability. Monitoring and alerting systems detect and notify personnel of anomalies or disruptions to data availability. Regular reviews and improvements are conducted to enhance data availability measures and response capabilities.
4. IT Security Governance and Management Policy
EmpMonitor maintains a robust internal IT and IT security governance framework to ensure the effective management and protection of data assets, including personal data.
4.1 IT Governance Framework
EmpMonitor has established an IT governance framework that defines policies, procedures, and standards governing the acquisition, deployment, and management of IT resources. The framework includes mechanisms for prioritizing IT initiatives, allocating resources, and aligning IT activities with business objectives.
4.2 IT Security Governance
EmpMonitor prioritizes IT security through the implementation of a dedicated IT security governance structure. This structure includes the designation of responsible individuals or teams tasked with overseeing IT security policies, procedures, and controls. Regular assessments and audits are conducted to evaluate the effectiveness of IT security measures and ensure compliance with relevant standards and regulations.
4.3 Risk Management
EmpMonitor employs a risk-based approach to IT and IT security management, focusing on identifying, assessing, and mitigating potential risks to data assets. Risk assessments are conducted regularly to identify vulnerabilities and threats, prioritize mitigation efforts, and minimize the likelihood and impact of security incidents.
4.4 Compliance and Standards
EmpMonitor is committed to compliance with applicable laws, regulations, and industry standards governing IT and IT security. The IT governance framework includes provisions for monitoring changes in legal and regulatory requirements and implementing necessary adjustments to ensure ongoing compliance.
5. Clamping Down on Malicious Software
The purpose of this policy is to establish guidelines and procedures for preventing, detecting, and responding to malicious software threats within EmpMonitor’s systems and network infrastructure.
5.1 Policy Elements:
Definition of Malicious Software: Clearly define malicious software (malware) to include viruses, worms, Trojans, ransomware, spyware, adware, and any other software designed to compromise system integrity, confidentiality, or availability.
Risk Assessment: Regularly conduct risk assessments to identify potential vulnerabilities and entry points for malicious software. Evaluate the impact of potential malware infections on business operations and data security.
Employee Training: Implement ongoing employee training programs to educate staff about the risks of malicious software, including phishing attacks, downloading unauthorized software, and visiting untrusted websites. Train employees on safe browsing habits, recognizing suspicious emails, and reporting potential security threats promptly.
Access Controls: Enforce access controls to restrict user privileges based on the principle of least privilege. Regularly review and update user access permissions to ensure that employees only have access to resources necessary for their job roles.
Endpoint Protection: Deploy and maintain endpoint protection solutions such as antivirus software, intrusion detection systems (IDS), and intrusion prevention systems (IPS) across all devices connected to EmpMonitor’s network. Ensure that endpoint protection tools are regularly updated with the latest definitions and patches.
Network Security: Implement robust network security measures, including firewalls, network segmentation, and encryption protocols, to mitigate the risk of malware propagation across EmpMonitor’s network infrastructure. Monitor network traffic for suspicious activities and implement controls to block unauthorized access attempts.
Software Updates: Establish procedures for timely software updates and patch management to address known vulnerabilities and security flaws. Regularly apply patches to operating systems, applications, and firmware to reduce the risk of exploitation by malware threats.
Incident Response Plan: Develop an incident response plan outlining procedures for identifying, containing, and eradicating malware infections. Define roles and responsibilities for IT personnel in responding to security incidents and restoring affected systems and data. Conduct regular tabletop exercises to test the effectiveness of the incident response plan.
Regular Audits and Monitoring: Conduct regular audits and monitoring of systems and network infrastructure to detect signs of malware activity, such as unusual file modifications, unauthorized access attempts, and anomalous network traffic patterns. Implement logging and alerting mechanisms to notify IT administrators of potential security breaches promptly.
Reporting and Documentation: Establish clear reporting channels for employees to report suspected malware infections or security incidents to the IT department. Document all security incidents, including the nature of the threat, impact assessment, and remediation actions taken, for post-incident analysis and regulatory compliance purposes.
Third-Party Vendors: Ensure that third-party vendors and service providers adhere to similar security standards and controls to mitigate the risk of malware infiltration through external sources. Conduct regular security assessments and due diligence reviews of third-party vendors to evaluate their security posture and compliance with EmpMonitor’s security requirements.
Compliance and Review: Regularly review and update the Malicious Software Prevention and Detection Policy to reflect changes in technology, emerging threats, and regulatory requirements. Ensure compliance with industry standards and best practices for malware prevention and detection. Conduct periodic reviews and audits to assess the effectiveness of security controls and policy enforcement mechanisms.
6. Network Security
Network Security Measures:
EmpMonitor has implemented comprehensive measures to ensure the security of our network.
Firewall:
EmpMonitor utilizes enterprise-grade firewalls to monitor and control incoming and outgoing network traffic, preventing unauthorized access and blocking malicious activity.
Antimalware:
We deploy robust antimalware solutions across our network infrastructure to detect and mitigate malware threats, including viruses, spyware, and ransomware.
Intrusion Detection and Prevention Systems (IDS/IPS):
EmpMonitor employs IDS/IPS technology to identify and block suspicious network traffic and potential intrusions in real-time, enhancing our network security posture.
SSL/TLS Encryption:
We use Transport Layer Security (TLS), still commonly referred to as SSL, to secure data transmissions over the network, ensuring the confidentiality and integrity of sensitive information exchanged between users and our servers. The original SSL protocol versions are deprecated and are not to be enabled; only current TLS versions are used.
Network Access Control (NAC):
EmpMonitor implements NAC solutions to enforce access policies and authenticate devices connecting to our network, reducing the risk of unauthorized access and ensuring compliance with security requirements.
7. Anonymization
This policy outlines the measures implemented by EmpMonitor to anonymize personal data to ensure compliance with data protection regulations and safeguard user privacy.
7.1 Measures of Anonymization
EmpMonitor implements the following measures to anonymize personal data:
Data Aggregation
EmpMonitor aggregates personal data to remove individual identifiers. Data is grouped together to prevent identification of specific individuals.
Pseudonymization
Personal identifiers such as names, email addresses, and contact numbers are replaced with unique pseudonyms or tokens. This ensures that the data cannot be directly linked to an individual without the additional information, which is stored separately. Note that under the GDPR pseudonymized data remains personal data; only data that can no longer be attributed to an individual by any reasonably likely means is considered anonymous.
Data Masking
EmpMonitor masks sensitive information within datasets, rendering it unreadable or indistinguishable. This includes techniques such as replacing characters with placeholders or encrypting sensitive data fields.
Randomization
EmpMonitor employs randomization techniques to alter data values while preserving statistical integrity. This prevents the identification of individuals while still allowing for meaningful analysis.
Data Minimization
EmpMonitor only collects and retains the minimum amount of personal data necessary for its intended purpose. Unnecessary or redundant data is promptly deleted or anonymized to reduce privacy risks.
Notes:
Anonymization of personal data is a critical aspect of EmpMonitor’s commitment to user privacy and data protection. Regular audits and reviews are conducted to ensure the effectiveness and compliance of anonymization measures with evolving regulatory requirements.
Employees handling anonymized data are trained on the proper procedures to maintain anonymity and prevent re-identification of individuals. Any updates or revisions to this policy will be communicated to all relevant stakeholders and reflected in the documentation accordingly.
8. Pseudonymization
EmpMonitor has implemented robust pseudonymization measures in accordance with the requirements of the GDPR. Pseudonymization ensures that personal data can no longer be attributed to a specific individual without the use of additional information, thus enhancing data protection and privacy.
Our pseudonymization measures include the following key components:
Data Encryption: Personal data stored in our systems is encrypted to render it unreadable without the use of encryption keys. This ensures that even if the data is accessed by unauthorized parties, it remains incomprehensible and unusable.
Separation of Identifiers: Any additional information necessary to re-identify pseudonymized data is kept separately from the pseudonymized data itself. This ensures that even if one dataset is compromised, the re-identification process requires access to separate and securely stored information.
Access Controls: Access to both pseudonymized data and any associated re-identification information is strictly controlled and limited to authorized personnel with a legitimate need-to-know. Role-based access controls are enforced to prevent unauthorized access or misuse of data.
Audit Trails: We maintain comprehensive audit trails of all access and activities related to pseudonymized data. This enables traceability and accountability in the event of any unauthorized access or data breaches.
EmpMonitor is committed to continuously enhancing our pseudonymization measures to ensure the highest level of data protection and privacy for our users.
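The separation of identifiers described in this section, together with the masking and aggregation measures of section 7, as an added example that is not EmpMonitor's own code: identifiers are replaced by a keyed-hash token, the key and the token-to-identity map live only in a separate store (a stand-in for a KMS/HSM-backed vault with its own access controls), and the pseudonymized dataset can be aggregated without any direct identifiers. The sample records, the KeyVault class, the field names, and the 16-hex-character token length are assumptions made for illustration.

```python
"""Pseudonymization with separated re-identification data (added illustration, not EmpMonitor code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records; these are not real people or real data.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+1-555-0100", "hours": 41.5},
    {"name": "Bob Example", "email": "bob@example.com", "phone": "+1-555-0101", "hours": 38.0},
    {"name": "Alice Example", "email": "alice@example.com", "phone": "+1-555-0100", "hours": 39.0},
]
IDENTIFIER_FIELDS = ("name", "email", "phone")  # hypothetical schema


def mask_email(email: str) -> str:
    """Data masking: keep the first character of the local part and the domain."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "*" * len(email)
    return local[0] + "*" * (len(local) - 1) + "@" + domain


@dataclass
class KeyVault:
    """Hypothetical separate store. Holds the HMAC key and the token -> identity
    map; a real deployment would keep these in a KMS/HSM-backed service with
    role-based access and its own audit trail, never beside the pseudonymized data."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)


def pseudonym(key: bytes, *identifiers: str) -> str:
    """Keyed hash (HMAC-SHA256): the same person always gets the same token, but
    without the key nobody can recompute tokens from guessed names or emails.
    Truncated to 16 hex characters (64 bits) purely to keep the example readable."""
    canonical = "\x1f".join(s.strip().lower() for s in identifiers)
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, vault: KeyVault):
    """Replace identifier fields with a token; store the reverse map only in the vault."""
    out = []
    for rec in records:
        token = pseudonym(vault.key, *(rec[f] for f in IDENTIFIER_FIELDS))
        vault.lookup.setdefault(token, {f: rec[f] for f in IDENTIFIER_FIELDS})
        pseudo = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
        pseudo["subject"] = token
        out.append(pseudo)
    return out


def reidentify(token: str, vault: KeyVault):
    """Re-identification needs the separately held vault, not just the dataset."""
    return vault.lookup.get(token)


def aggregate_hours(pseudo_records):
    """Data aggregation: per-subject totals computed on the pseudonymized set."""
    totals = {}
    for rec in pseudo_records:
        totals[rec["subject"]] = totals.get(rec["subject"], 0.0) + rec["hours"]
    return totals


if __name__ == "__main__":
    vault = KeyVault()
    pseudo = pseudonymize(SAMPLE_RECORDS, vault)
    print(pseudo)
    print(aggregate_hours(pseudo))
    print(mask_email("alice@example.com"))
```

Two properties worth checking when reviewing a real implementation: an unkeyed hash (plain SHA-256 of an email address) is not a pseudonym, because anyone can hash a list of candidate addresses and match them; and the vault holding the key and lookup table must be governed by the same access controls and audit trail as the original identifiers, since whoever reads it can re-identify everything.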
9. Authentication
EmpMonitor implements a role-based authentication policy to ensure that access to its systems and resources is granted based on the roles and responsibilities of individual users within the organization.
User Roles
The policy defines various user roles within EmpMonitor, such as administrators, managers, employees, and guests, each with specific permissions and access levels tailored to their job functions.
Access Control
Access to EmpMonitor’s features, data, and functionalities is restricted based on the user’s assigned role. Users will only be able to access the information and perform actions relevant to their role.
Role Assignment
User roles are assigned by the system administrator or designated personnel upon user registration or as per organizational requirements. Role assignments are reviewed periodically to ensure alignment with current job responsibilities.
9.1 Authentication Standards
EmpMonitor employs a multi-factor authentication (MFA) standard to enhance the security of user accounts. This requires users to provide two or more authentication factors to verify their identity before gaining access to the system.
Authentication factors may include:
● Something the user knows (e.g., password or PIN).
● Something the user has (e.g., smartphone or security token).
● Something the user is (e.g., fingerprint or facial recognition).
9.2 Password Policy
EmpMonitor enforces a strong password policy to prevent unauthorized access and enhance security. Passwords must meet complexity requirements, including minimum length, combination of alphanumeric characters, and periodic password changes.
Account Lockout Mechanism
To mitigate the risk of brute-force attacks, EmpMonitor locks a user account after a number of consecutive failed login attempts. A locked account stays locked until an administrator manually unlocks it.
Audit Trails
EmpMonitor maintains detailed audit trails of user activities, including login attempts, access requests, and changes made to user roles or permissions. These audit logs are regularly reviewed for security compliance and investigation purposes.
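The account lockout mechanism and the audit trail described above, as an added example that is not part of EmpMonitor's platform: a minimal authentication service that stores salted PBKDF2 password hashes, compares them in constant time, locks an account after MAX_FAILED_ATTEMPTS consecutive failures, records every attempt, lockout and unlock in an audit log, and only releases a lock through an administrator call. The threshold, the iteration count, the in-memory stores, and all class and function names are assumptions made for illustration.

```python
"""Account lockout with audit trail (added illustration, not EmpMonitor code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5      # hypothetical lockout threshold
PBKDF2_ITERATIONS = 100_000  # hypothetical; tune to the deployment's hardware
DUMMY_SALT = b"\x00" * 16    # lets unknown usernames cost the same as known ones


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is generated if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AuthService:
    """In-memory stand-in for the user store and the audit log."""
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, event: str, username: str, outcome: str) -> None:
        # Audit trail: every login attempt, lockout and unlock is recorded.
        self.audit_log.append({"event": event, "user": username, "outcome": outcome})

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)
        self._audit("register", username, "ok")

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, DUMMY_SALT)  # equalise timing for unknown users
            self._audit("login", username, "unknown_user")
            return False
        if acct.locked:
            # A locked account is refused even when the password is correct.
            self._audit("login", username, "locked")
            return False
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0  # success resets the consecutive-failure counter
            self._audit("login", username, "success")
            return True
        acct.failed_attempts += 1
        self._audit("login", username, "bad_password")
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self._audit("lockout", username, f"after {acct.failed_attempts} consecutive failures")
        return False

    def admin_unlock(self, admin: str, username: str) -> None:
        """Manual intervention by an administrator is the only way out of a lock."""
        acct = self.accounts[username]
        acct.locked = False
        acct.failed_attempts = 0
        self._audit("unlock", username, f"by {admin}")


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    for _ in range(MAX_FAILED_ATTEMPTS):
        svc.login("alice", "wrong password")
    print(svc.accounts["alice"].locked, svc.audit_log[-1])
```

One caveat a practitioner should weigh: a lockout that only an administrator can clear turns a known username into a denial-of-service lever, since an attacker can lock out any user by sending a handful of bad passwords. Deployments commonly pair lockout with per-source rate limiting and MFA so that the counter rarely has to be reached by legitimate users.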
Training and Awareness
EmpMonitor provides regular training and awareness programs to educate users about the importance of security measures, such as safeguarding passwords, recognizing phishing attempts, and adhering to security policies.
Compliance and Review
This policy is subject to periodic review and updates to ensure compliance with evolving security standards and regulatory requirements. Any changes to the policy will be communicated to all users and stakeholders.