Our security policy

Data protection and information security are our priority. All of our products and services implement technical and organizational measures to ensure the secure processing of information. Our practices are based on the legal framework of the European General Data Protection Regulation (GDPR).

General Information on Data Protection

Please send an email to security@martechrevolution.com with the most detailed information available, such as: the URL where the problem was detected, your company name and the affected user name, the type of data affected, information about the mobile device/operating system, and information about how the problem can be reproduced.

Who is the data protection officer?

For data protection we have appointed a person in charge, Adriano Gazzerro.
For any questions regarding this topic, please contact us at the email address privacy@martechrevolution.com.

First, all employees and contractors of our company are bound to data secrecy and data protection in general and are informed of the consequences of any breach.
In addition, we regularly run training and awareness programs regarding the processing of personal data as well as data protection. These programs also include new regulations such as the EU General Data Protection Regulation (EU GDPR).

We are committed to the continuous improvement of the processes and structures that ensure data protection and information security. In addition to appointing a data protection officer and training staff on a regular basis, we employ an internal information security officer in order to ensure that security is a top priority in all processing operations and internal processes.

In the unlikely event of a data breach, if a customer’s personal data is affected and the breach may pose a risk to the rights and freedoms of the customer’s personnel, we immediately notify the affected customer so that they can fulfill their legal obligation to inform the regulator and affected persons.

Data protection is an integral element of our product strategy. Therefore, even in the development phase of our features we carefully respect principles such as data minimization and use state-of-the-art measures to ensure an adequate level of protection. In addition, while preparing for the EU GDPR, we reviewed the default settings of all applications and adjusted them to provide the highest possible level of data protection while ensuring ease of use.

The configurations can generally all be adapted to the needs of each individual customer. In order to ensure this consistently, we have also established procedures to feed legal requirements into the product development process on an ongoing basis and to review demand at set intervals.

Encryption and pseudonymization

All personal data that the application transmits to a client or to other platforms must be encrypted using Transport Layer Security (TLS), in particular HTTPS. This requires that a secure connection be established between the two communication partners (client and server) before any data can be transmitted.

Confidentiality and integrity

We use Aruba Cloud services for hosting our software solutions (https://www.arubacloud.com/gdpr-data-protection-eu-regulation.aspx). The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers’ data.

As a general rule, neither data center personnel nor Aruba personnel have access to your data. As for our staff, only our server manager and product manager can access the data when necessary. Access rights are granted on a need-to-know basis and documented. In addition, access to clients’ systems is recorded.

On the server side, we use an intrusion detection system to monitor parameters such as suspicious registry entries, known rootkit and Trojan signatures, anomalies in the device file system, and classic brute-force attacks. These parameters are scanned for anomalies on a regular basis. If an anomaly is detected, the operations and development personnel in charge are informed immediately so that they can take action. In addition, on the application side, all essential activities (especially modification, deletion, and update operations) are logged so that unauthorized access to and changes of data can be demonstrated upon request.

Access is allowed only through personalized user accounts, each of which is clearly assigned to an individual. Authentication uses a user name and password, the latter of which must be changed during the initial login in accordance with the secure password guidelines implemented in the application. In addition, we advise our customers to use two-factor authentication to achieve a higher level of protection.

Access rights are generally designed to meet the requirements of Art. 24 of the EU GDPR on data protection by default. This means that newly created user accounts have no default rights beyond editing their own profile. You as the client, however, can manage the granting of access rights according to your own authorization policy.

Availability and resilience

We focus in particular on the geo-redundant design of the server infrastructure for production data and backups, as well as on the physical security of the data centers (e.g., continuous capacity management for monitoring the resources in use and distributing free ones as needed).

Restorability

We have implemented a state-of-the-art backup concept for the customer data and documents stored in the data centers used, in order to ensure adequate availability. Database system backups are stored only in encrypted form. This means that it is not necessary for the client to perform its own backups. Regular restore tests are performed to ensure that backups have been stored properly and can be restored if necessary.

In the unlikely event of a total system failure, the redundant data center structure (production and backup data) ensures that your data will not be lost. In this case, we will ensure the fastest possible recovery in accordance with our disaster recovery concept.

Purpose limitation

The customer is and remains the owner and controller of the data in accordance with Art. 24 EU GDPR. In particular, this means that the client is responsible for respecting the rights of data subjects (Chapter 3 of the EU GDPR). Our software is a data processing tool and, in that capacity, processes your data solely on your instruction and for the purposes set forth in the data processing agreement.

At the end of the business relationship, persons authorized by the customer can request delivery of the data in a machine-readable format. 30 days after the termination of the contract, the data is irretrievably deleted. In the unlikely event that Whappy ceases operations, this procedure remains in principle unchanged, as the client is the owner of the data.

Security verification procedure

First, we audit our procedures and product at regular intervals, generally once a year, in line with the legal requirements on data protection. The results of these audits are then used to take specific actions to further develop our documentation, processes, structures and/or functions, as well as our technical and organizational measures.

We perform internal vulnerability scans at regular intervals to test our application and infrastructure. We also regularly hire an outside service provider to perform penetration testing to examine our systems and applications for errors and weaknesses.