GemSeek’s Client Data Safeguards was last reviewed and updated in June 2024.
GemSeek maintains and manages a comprehensive written security program designed to comply with all applicable laws, regulations and best practices.
These terms outline the measures GemSeek uses to protect client data in its environments against unauthorized access, disclosure, alteration, loss, or destruction. For personal data, these measures ensure appropriate security. GemSeek may update these measures periodically without notice, provided the protection level is not reduced.
STANDARD DATA SAFEGUARDS:
Organization of Information Security
- Security Ownership: GemSeek will appoint a Security Officer to oversee and monitor security rules and procedures.
- Security Roles and Responsibilities: GemSeek personnel with access to Client Data will adhere to confidentiality obligations.
- Risk Management: GemSeek will implement a risk management program to identify, assess, and address risks related to processing Client Data under the agreement.
Asset Management Policy and Procedures
- Asset Management: GemSeek will maintain an inventory of its assets, including infrastructure, network and applications, as well as media where Client assets might be stored. Access to the inventory is restricted to personnel authorized in writing to have such access.
- Data Handling: GemSeek will:
  - Classify Client Data to help identify such data and allow access to it to be appropriately restricted.
  - Require its personnel to obtain appropriate authorization prior to accessing, processing, and storing Client Data outside of contractually approved locations and systems.
  - Restrict the use of personal (BYOD) devices.
Human Resource
- Security Measures: GemSeek will maintain Information Security Policy documentation, describing its security measures and procedures available to all personnel at any time.
- Security Training: GemSeek will inform its personnel of relevant security procedures and the consequences of violating them.
- GDPR Training: GemSeek will train its personnel on working with Personal and Sensitive Data, the Code of Conduct for working with such data, and all related technical measures and processes within GemSeek.
- Data Usage: GemSeek will minimize the use of Client Data in training environments, prioritizing anonymized data.
- Confidentiality: GemSeek will require all personnel to sign confidentiality agreements and adhere to the Client’s contractual obligations.
Physical Security
- Physical Access to Facilities: GemSeek will implement and maintain procedures to limit access to its facilities where information systems that process Client Data are located to authorized personnel.
Risk Management
- Annual Risk Assessment: GemSeek will conduct an annual risk assessment designed to identify threats and vulnerabilities in its administrative, physical, legal, regulatory, and technical safeguards.
- Risk Remediation Process: GemSeek will maintain a documented risk remediation process to assign ownership of identified risks and establish remediation plans and timeframes.
Operational Management
- Data Recovery Procedures: GemSeek will:
  - Implement data recovery procedures for Client Data in its systems.
  - Review data recovery procedures annually.
  - Log data restoration efforts, including the responsible personnel and the data restored.
- Malicious Software: GemSeek will implement anti-malware controls to prevent unauthorized access to Client Data.
- Event Logging: GemSeek will log events for the systems containing Client Data, consistent with its policies and procedures.
Access Control
- Access Policy: GemSeek will maintain a record of security privileges of individuals having access to Client Data via its systems.
- Access Authorization: GemSeek will:
  - Maintain and update a record of personnel authorized to access Client Data.
  - Promptly provision authentication credentials where GemSeek is responsible for granting access.
  - Deactivate credentials within 24 hours of notification that access is no longer required.
  - Identify the personnel who can grant, alter or cancel access.
  - Ensure everyone accessing systems containing Client Data has a unique identifier.
- Least Privilege: GemSeek will:
  - Only permit its authorized personnel to access Client Data when needed.
  - Restrict access to Client Data in its systems to only those individuals who require such access to perform their job function.
  - Limit access to Client Data in its systems to only the data minimally necessary to perform the services.
- Authentication: GemSeek will:
  - Where authentication mechanisms are based on passwords, require that the passwords are renewed regularly.
  - Require a minimum password length of 8 characters, with at least one uppercase letter, one lowercase letter, one special character and one number. All passwords must be changed every 75 days.
  - Monitor repeated attempts to gain access to its information systems using an invalid password.
  - Use industry standard (e.g., ISO 27001 as applicable) password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, as well as during storage.
  - Implement Multi-Factor Authentication (MFA) for internal access and for remote access over virtual private network (VPN) to its systems.
Penetration Test and Certificates
- Penetration Test: Once per year, GemSeek will perform a penetration test and vulnerability assessment of GemSeek’s infrastructure and IT environment in accordance with GemSeek’s internal policies and procedures. GemSeek agrees to share with the Client the summary information from such a test to the extent applicable to the Services and with the prior agreement of the Client.
- ISO 27001: GemSeek will ensure data safeguard compliance by maintaining an ISO 27001 certificate, readily available as proof of GemSeek’s commitment to data security.
Patch Management
- Patch Management Procedure: GemSeek will implement a patch management procedure to deploy security patches on servers, laptops, and desktops, ensuring all patches are applied within 60 days. GemSeek will ensure an established process of handling emergency and critical patches as soon as practicable.
Network and Network Access
- GemSeek will:
  - Have controls in place to prevent personnel from gaining unauthorized access to Client Data in its systems.
  - Perform daily monitoring, during working hours, of its information systems and security to proactively detect potential security incidents, including network intrusions, malware, phishing, hardware and software vulnerabilities, inappropriate use of resources, etc.
  - Use network-based web filtering to prevent access to unauthorized sites.
  - Check for the latest software versions of network devices and update them in a timely manner.
  - Maintain up-to-date server, network, infrastructure and application security configuration standards.
  - Keep up-to-date technical documentation, including network topology, device locations, connections, etc.
Workstations
- Controls: GemSeek will implement controls for all workstations that it provides and that are used in connection with service delivery, including but not limited to: encrypted hard drives, an established patching process for workstations, a software agent that manages the overall compliance of workstations, the ability to prevent blacklisted software from being installed, and installed antivirus and firewalls.
Information Security Management
- Security Breach Response Process: GemSeek will maintain an up-to-date policy and procedure for Security and GDPR breach management, shared with all personnel, together with a record of any such events. Each incident shall be investigated, including its cause, the data involved, its impact and the response actions taken. A comprehensive review of the incident and implementation of preventive measures against future incidents is to be undertaken.
Supplier Relationship Management
- Third-party Vendors/Suppliers: When utilizing third-party suppliers for service provision, GemSeek will ensure thorough evaluation of these parties. GemSeek will maintain a comprehensive Supplier Management Program to mitigate risks associated with any third party that hosts or processes Client Data.
Business Continuity Management
- Program and Recovery of Data: GemSeek will implement a process and program to enable the recovery of Client Data in case of accidental loss, security incidents, or data breaches, ensuring compliance with the Client Agreement.
Organizational supplementary measures
- Internal policies: All Client Data will be treated in accordance with GemSeek’s internal policies and procedures, including internal data access, confidentiality policies and procedures, internal data minimization policies, and internal security and data protection procedures.
- Record: GemSeek shall maintain a documented record of requests for access to personal data received from public authorities and the responses provided.
- Compliance: GemSeek shall comply with public and regulatory authority requests for personal data, if any.