Cybertonica Ltd. is a company where data is at the core of its services. Whether it is customer data, end-user data or employee data, we work hard to provide for a secure and resilient data environment. 

This Security Policy provides a succinct overview of the technical and organisational security measures that Cybertonica Ltd. ("Cybertonica " or "We") has in place to secure our – and your – data. 

1. Documentation, Training, and Accountability

We have implemented accountability principles and documented our operations related to data processing and data security, This is ia. accomplished through: 

• Drafting, implementing and monitoring an extensive company-wide Security Policy and ongoing review in order to update any policy terms; 
• Information & security training and policies & procedures for staff; and
• Applying Confidentiality and Non-Disclosure Agreements and vendor assessments where appropriate. 

2. Access Control of Processing Areas

We apply suitable measures in order to prevent unauthorised persons from gaining access to the data processing equipment used to process data. This is accomplished through: 

• Keys and card key systems; 
• Receptionists and building security; and
• CCTV. 

3. Access Control to Data Processing Systems

We apply a number of measures to prevent data processing systems from being used by unauthorised persons. This is accomplished through: 

• Individual user ID's and strong passwords subject to minimum security requirements for staff members; 

• Multi factor authentication;
  - Acceptable use and security policies for IT assets such as PC's, mobile phones and applications;
  - Third party access control policies; 
• Strict on- and off-boarding policies for staff members;
  Lock out of user accounts after a limited number of failed log-in attempts; and 
• Advanced firewalls, PEN testing, anti-virus and spam scanning. 

4. Access Control to Use Specific Areas of Data Processing Systems

The individuals entitled to use our data processing systems are only able to access the data within scope and to the extent covered by their respective access permission (authorisation). We have implemented measures that ensure the data cannot be read, copied or modified or removed without authorisation. This shall be accomplished by:

• Access management on strict need-to-know principles, job duties, project responsibilities and actual business activities; and 
• Strict VPN corporate network requirements. 

5. Transmission Control

We apply suitable measures to prevent data from being read, copied, altered or deleted by unauthorised parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer data is envisaged. This is accomplished by: 

• Firewall and encryption technologies to protect gateways through which the data travels; and 
• Monitoring of encryption technologies. 

6. Access and Input Control

We apply suitable measures that help to check and establish whether, when, by whom and for what reason data have been input into data processing systems or otherwise processed. This is accomplished by: 

• Authentication of the authorised users via user ID and passwords; 
• Restricted physical access to processing areas; and
• System time-out after non-activity for a predetermined time period. 

7. Availability control 

We apply suitable measures to ensure that data are protected from accidental destruction or loss. This is accomplished by: 

• Robust and proofed policies for security incidents and data breaches; 
• Business continuity, backup and disaster recovery management; and 
• Offsite backup storage.

8. Separation of Processing for Different Purposes

We apply suitable measures to ensure that data that are intended for different purposes can be processed separately. This is accomplished by: 

• Access to data being restricted via user authorisation passwords; 
• Function separation of data of different customers; and
• Use of data being application specific.