SECURITY POLICY


This Security Statement is aimed at providing you with more information about Affogata's security infrastructure and practices. The Affogata privacy policy contains more information on how collected information is handled.

The normal and successful functioning of Affogata depends on the confidentiality, integrity, reliability, availability and survivability of its information. The information and its supporting systems represent the main assets of Affogata and, therefore, must be protected by all means.
 

The information that is stored in Affogata systems consists mainly of sensitive and confidential business and personal information of employees, clients and suppliers. Any damage to the information, or its exposure to an unauthorized person, could damage Affogata’s business activity and reputation and, on the other hand, could also be a violation of laws and regulations regarding the right of privacy.
 

The information security plan at Affogata will be implemented subject to state and other relevant laws regarding information security, as well as laws concerning privacy, intellectual property and copyright, and in accord with the management forum's decision on the matter of information security. This policy encompasses principles and guidelines decided upon and adopted by Affogata management, comprises the firm's infrastructure and is the source of instructions concerning information security.

 

Organizational Security
 

Information security roles and responsibilities are defined within the organization. The security team focuses on information security, global security auditing and compliance, as well as defining the security controls for protection of Affogata hardware infrastructure. The security team receives information system security notifications on a regular basis and distributes security alert and advisory information to the organization on a routine basis after assessing the risk and impact as appropriate.

Affogata follows the NIST Cybersecurity Framework with layered security controls to help identify, prevent, detect, and respond to security incidents. The information security manager is also responsible for tracking incidents, vulnerability assessments, threat mitigation, and risk management.

Security and privacy risks are addressed through the application of appropriate security controls and associated risk treatment plans and the acceptance and management of residual risks.

 

Access Control
 

Access to Affogata’s systems and information is controlled to protect their confidentiality, integrity and availability. Accordingly, access is restricted to those with a ‘need to know’ and is reviewed periodically to ensure appropriate access is maintained. Role-based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis.

Audit logs on systems are maintained. These logs provide an account of which personnel have accessed which systems. Organizational responsibilities for responding to events are defined. Security events record critical system configuration changes, and administrators are alerted at the time of change. Affogata also implements retention schedules for the various logs.

Employees are granted a limited set of default permissions to access company resources, such as their email. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines. Approvals are managed by workflow tools that maintain audit records of changes.

Physical Security
 

Affogata maintains a physical security policy in order to prevent any unauthorised access to sites or specific technical areas. Nominative access processes and devices are in place and logged. Sites are secured with anti-intrusion systems, video surveillance and 24/7 security service. All visitors and contractors are required to present identification, to log in, and to be escorted by authorized staff through the data center.
 

Security Incident Management

Affogata is formalizing an incident response plan and associated procedures in case of an information security incident, which includes responsibilities and identifies required processes and procedures regarding notification. Our employees are aware of the need to identify and report an information security incident and of the incident management process.

Affogata will notify you in the event of an information security incident via email or other means that Affogata deems appropriate. Affogata will also periodically update you on corrective measures taken in connection therewith.

Business Continuity & Disaster Recovery Plan 

To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, we implement a disaster recovery program. This program includes multiple components to minimize the risk of any single point of failure. Application data is replicated to multiple systems within the data center and, in some cases, replicated to secondary or backup data centers that are geographically dispersed to provide adequate redundancy and high availability. 
 

Data Privacy
 

Affogata applies a common set of personal data management principles to customer data that may be processed, handled, and stored. Affogata gives additional attention and care to sensitive personal data and respects local laws and customs, where applicable. Affogata processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorized in accordance with our privacy policy and takes reasonable steps to protect information from loss, misuse or unauthorized access. For more information, please contact: privacy@affogata.com


Changes to this Policy
 

We may revise this Security Policy from time to time. The most recent version of the policy will govern our use of your information and will always be available at www.affogata.com/security.


Effective: November 20 2020.