(Last modified: January 9, 2022)
Wizer Feedback Ltd. (“Company”, “Wizer” or “we”) is committed to providing transparency regarding the security measures it has implemented in order to secure and protect Personal Data (as defined under applicable data protection law, including without limitation the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”), collectively the “Data Protection Regulation”) processed by the Company for the purpose of providing its services.
This security policy outlines the Company’s security, technical and organizational practices.
The security objectives of the Company are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):
- Availability – information and associated assets should be accessible to authorized users when required. The computer network must be resilient. The Company must detect and respond rapidly to incidents (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
- Confidentiality – ensuring that information is only accessible to those authorized to access it, on a need-to-know basis.
- Integrity – safeguarding the accuracy and completeness of information and processing methods, which therefore requires preventing the deliberate or accidental, partial or complete, destruction or unauthorized modification of electronic data.
The following policies are maintained by the Company in order to ensure the measures set forth above; the policies are updated on an ongoing basis and reviewed annually for gaps:
- Information Security
- Security Incident Response
- Vulnerability Management
- Policy Management and Maintenance
- Data Request
- System Access
- Business continuance and disaster recovery
As part of our data protection compliance process, we have implemented technical, physical and administrative security measures to protect our customers’ and our customers’ users’ Personal Data, as explained below.
Physical Access Control
The measures for ensuring the physical security of locations at which Personal Data are processed include the security measures implemented in the Company’s office (alarm system, code locks, etc.) and the physical security measures taken by the Company’s hosting providers. The Company secures physical access to its offices and maintains records of any physical access to the protected Personal Data in order to ensure that solely authorized individuals, such as employees and authorized external parties (maintenance staff, visitors, etc.), can access the Company’s offices.
The Personal Data processed by the Company is stored on AWS Cloud (please see the security measures published by AWS). When Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner: encryption by default, at rest and in transit. AWS undergoes various third-party independent audits regularly and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited to, SSAE 16-compliant SOC 2 certification and ISO 27001 certification.
Security Risk Analysis and Management
The Company conducts an accurate and thorough assessment of the potential risks and vulnerabilities of the Personal Data to ensure the confidentiality, integrity, and availability of electronic Personal Data processing. The Company performs annual penetration testing (as further detailed below), and periodic scout reports (e.g., NCC Scout and similar tools) are executed to identify potential security risks; major or critical issues are handled immediately. The Company abides by its Disaster Recovery plan in order to ensure that it can cope with any disaster or emergency that occurs. The Company’s servers include an automated back-up procedure. The Company’s office is equipped with fire detectors, fire extinguishers and other applicable measures for the event of a natural disaster.
An external penetration test is performed on an annual basis. The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. The penetration tests and security scans are performed by a reputable third-party vendor. In addition, Wizer conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment. Actions are taken to remediate identified deficiencies on a timely basis. Vulnerability scans are performed using external tools in order to detect potential security breaches.
Access to the Company’s systems is highly restricted in order to ensure that solely the appropriate, previously approved personnel can access or use the Company’s systems. Safeguards related to remote access and wireless computing capabilities are implemented. Employees are required to comply with the Company’s password policy when composing a password, in order to allow strictly controlled access to or use of Personal Data in accordance with their position, and solely to the extent such access or use is required. There is constant monitoring of access to the data and of the passwords used to gain login access. In addition, the Company implements an automatic CAPTCHA and a lock-out mechanism in order to prevent unauthorised login to the Company’s servers by means of password guessing. Electronic procedures that terminate inactive sessions are also in use by the Company. Only a very few employees have access to the database, which is protected by multiple passwords.
Data Access Control
There are restrictions in place to ensure that access to the Personal Data is restricted to employees and service providers who have permission to access it, and solely on a “need to know” basis. Any permission is granted by the Company’s data protection officer. The Company uses high-level security measures to ensure that Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. Access to the Personal Data, as well as any action performed involving the use of the Personal Data, requires a user name and password, which is routinely changed, as well as blocked when applicable. The user password is fully encrypted. Each employee is able to perform actions solely according to the permissions determined by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Further, the Company conducts ongoing reviews of which employees have access authorizations and whether that access is still required. The Company revokes access immediately upon termination of employment. Authorized individuals can solely access the Personal Data that is established in their individual profiles.
In addition, weekly security reports are reviewed by the Company’s security officer, the servers are monitored 24/7, and the AWS audit trail (CloudTrail) tracks any changes to resources and entities.
Organizational and Operational Security
The Company invests a multitude of efforts and resources in order to ensure compliance with the Company’s security practices, and continuously provides employees with ongoing training and periodic updates regarding the Company’s security procedures. The Company strives to raise awareness of the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including web content filtering, firewalls and anti-virus software (“Protection Measures”), on applicable Company hardware, software and employee computers, in order to protect against viruses, worms, Trojans and any other malicious software. The Protection Measures cannot be deactivated by any user other than the Company’s cyber security officer, and only in accordance with the Company’s policies.
The Company conducted a transfer impact assessment (“TIA”) identifying all transfers of Personal Data and is able to share the TIA upon the Customer’s request. The purpose of transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of these data or during their transport or storage in the applicable data center. All data is encrypted, both at rest and in transit. Any and all transfers of Personal Data (whether between the servers, from the Customer side to the server side, or between the Company’s designated partners) are protected using encryption safeguards such as L2TP or IPsec (or equivalent protection), as well as encryption of the Personal Data prior to any transfer. The Company’s servers are protected by industry best standards. Furthermore, the destruction of Personal Data following termination of the engagement is included within the contract between the parties. In addition, to the extent applicable, the Company’s business partners execute an applicable Data Processing Agreement and Standard Contractual Clauses, all in accordance with applicable laws. In addition, traffic and transfers are guarded by a WAF with IPS and IDS (Incapsula) and are encrypted by TLS.
The Company has ensured that all documents, including without limitation agreements, privacy policies, online terms, etc., are compliant with the Data Protection Regulations, including by implementing a Data Processing Agreement and, where needed, Standard Contractual Clauses (either pursuant to the GDPR and adopted by European Commission Decision 2021/914 of 4 June 2021, which is attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN, or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).
Measures for ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident have been implemented by the Company and include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodic checks are performed to confirm that the backups have occurred. The Company has also implemented Business Continuity plans and Disaster Recovery policies so that in the event of a disaster the Company will be able to continue to provide the services.
Personal Data is retained for as long as needed to provide the services or as required under applicable laws.
All builds are executed on a remote and secured server in a sterile environment (CI/CD). Deployments are checked with anti-virus and vulnerability tests before being shipped for deployment, and code is tested at the unit, integration and end-to-end levels before being shipped via CI.
All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable data protection provisions binding them to comply with the Company’s policies, in particular the computer security policy. In addition, employees undergo a screening process applicable per regional law. In the event of a breach of an employee’s obligations or non-compliance with the Company’s policies, the Company applies repercussions to ensure compliance with the policies, all according to the Company’s Employee Manual. In addition, prior to the Company’s engagement with third-party contractors, the Company reviews such third parties’ security policies, specifically their information and data security policies, to ensure they comply with the Company’s standard for data security protection. Third-party contractors may solely access the Personal Data as explicitly instructed by the Company.
Data Subject Request
The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”); further, the Company has implemented internal policies to handle DSRs subject to applicable data protection laws and contractual obligations.
Measures and assurances regarding U.S. government surveillance (“Additional Safeguards”) have been implemented due to the EU Court of Justice decision in Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (“Schrems II”); these measures include the following:
- Encryption both in transit and at rest;
- As of the date of this policy, the Company has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision;
- No court has found the Company to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition. The Company shall not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance);
- The Company shall use all available legal mechanisms to challenge any demands for data access through national security process that Company receives, as well as any non-disclosure provisions attached thereto.
- The Company will notify the Customer if the Company can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.
Reporting a Security Issue
Wizer devotes considerable resources to ensuring secure code and infrastructure for all of its products. If you believe that you have found a security vulnerability in any of our products, please report it to us straight away via e-mail to firstname.lastname@example.org. Please be sure to include a brief description, detailed steps to reproduce, and what the impact might be.
Responsible Disclosure Policy
We encourage responsible disclosure, and we promise to investigate all legitimate reports and fix any issues as soon as we can. We ask that during your research you make every effort to maintain the integrity of any data you come across, avoiding violating the privacy of any person or degrading our offerings. Please give us reasonable time to fix any vulnerability you find before you make it public. In return we promise to investigate reports promptly and not to take any legal action against you.