Security policy

Publication date: June 29, 2022

The Security Policy regulates the procedure and methods of protecting the Personal Data of the Data Subject.

The Security Policy describes how Plerdy trains its Employees to protect the Data Subject's Personal Data, including how the level of security is measured and how the effectiveness of the Security Policy is evaluated so that the necessary changes can be made.

The Security Policy describes special data processing methods, such as encryption, pseudonymization, and methods of protection against distributed denial of service (DDoS) attacks.

This Security Policy is created so that the Data Subject can understand how their Personal Data is stored, how Plerdy Employees are given access to Personal Data, and what procedures Plerdy follows in case of loss of Personal Data.

Please read the Security Policy for a better understanding of the security of Personal Data.

1. DEFINITIONS

1.1. Account - a functional part of the Site through which the Client can pay for the use of the Platform Tools and manage the receipt of the Tools.

1.2. Client - a legal entity or an individual entrepreneur who registers on the Site, integrates Plerdy on its website, and receives the Tools.

1.3. Data Subject - a common name for the Client and the User.

1.4. Employee - an individual who works under an employment contract or any other contract with Plerdy and receives a salary for it.

1.5. Personal Data - any information directly or indirectly allowing identification of the Client and/or the User. For example, name, surname, phone number, and IP address.

1.6. Plerdy Platform Site (hereinafter “Site”) - a web page or group of web pages on the Internet, located at https://www.plerdy.com/, through which the Client receives Tools from the Platform.

1.7. Plerdy Platform (hereinafter referred to as the “Platform” or “Plerdy”) - a tool that allows the Client to achieve its business goals in the field of marketing research by optimizing sales, analyzing User behavior, and using Tools, which increases site conversion rates.

1.8. Products - the common names of the Client's goods, services, and products.

1.9. Third-Party - a natural or legal person, government agency, institution, or body other than the Client or User.

1.10. Tools - algorithms consisting of actions performed by the Platform for the Client in digital marketing to improve the conversion of the Client's site and the sales of the Client's Products.

1.11. User - a natural person or legal entity that interacts with the Client (through its website) and receives products from the Client.

2. APPLICATION OF SECURITY POLICY

2.1. The Security Policy applies exclusively to Personal Data processed by Plerdy when granting access to Tools and paying for such access by the Client.

2.2. The Security Policy does not apply to Personal Data not processed by Plerdy, including, but not limited to, Personal Data processed when accepting payment from the Client for access to the Tools.

2.3. The Security Policy does not apply to User Personal Data processed exclusively by the Client, but not processed by Plerdy.

3. EMPLOYEE ACCESS

3.1. Plerdy Employee access is strictly controlled by our access control rules and technical controls.

3.2. Only a limited number of Plerdy employees can access the Personal Data of Data Subjects.

3.3. Only Plerdy employees who need Personal Data to provide access to the Tools have access to such data.

3.4. Plerdy Employee authentication provides an additional layer of Personal Data security.

3.5. Only a limited number of qualified Plerdy Employees tasked with providing technical support and access to the Tools are allowed access to Personal Data.

3.6. Pre-approved physical access to the systems processing Personal Data is only provided to Employees with a valid business case for such physical access.

3.7. Each Employee is responsible for safeguarding their access to Personal Data, and is responsible for any loss of data resulting from that Employee's violation of the terms of the Security Policy, Plerdy's instructions, and internal regulations regarding the use of Personal Data.

3.8. Plerdy trains its Employees on the rules of handling Personal Data, and each Employee signs a non-disclosure agreement (“NDA”) to protect Personal Data.

4. PROTECTION OF PERSONAL DATA

4.1. Personal Data may be transferred and stored outside the European Economic Area ("EEA") in order to provide our Tools to Clients or Users. Please note that Personal Data may be transferred to Third Parties outside the EEA. When Personal Data is transferred to a Third Party, that Third Party is responsible for its storage and processing.

4.2. We may use the following methods to protect Personal Data in accordance with Article 32 ("Security of processing") of the GDPR:

4.2.1. pseudonymization and encryption of Personal Data;

4.2.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data processing systems;

4.2.3. regular testing, evaluation and measurement of the effectiveness of the technical and organizational measures that ensure the security of Personal Data processing.

4.3. The Plerdy server is located in the Federal Republic of Germany, in a Hetzner data center (DIN ISO/IEC 27001), and the Client's Personal Data may be transferred to this country.

4.4. Plerdy does not store Personal Data related to payment for access to the Platform Tools. Payment for access to the Platform Tools is made using the Paddle service, which stores the Personal Data related to such payment. Plerdy does not have access to Personal Data related to payment for access to the Platform Tools. The Paddle service holds the appropriate SOC and ISO certificates to ensure the security of Personal Data. Plerdy is not responsible for the storage of Personal Data processed by the Paddle service.

4.5. Plerdy uses email-based two-factor authentication (2FA) to protect access to the Client's Personal Data. That is, to gain access to the Tools, the Client must confirm the right of access to the Account as follows: (i) receive an email containing a code at his/her email address; (ii) enter the received code in the appropriate field of the Platform Site during the authorization process. Plerdy uses the SMTP mail protocol to deliver the 2FA code. Due to 2FA, the Platform has additional confirmation that it is the Client who owns the Account, and not a third party, who is accessing the Account.
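The email-code step described in 4.5, as an added illustration that is not Plerdy's own code: the server stores only a salted hash of the code it emailed, enforces an expiry, a single use and a bounded number of attempts, and compares the submitted code in constant time so that a wrong guess leaks nothing about the right one. The `send_email` callable stands in for whatever mail transport delivers the code (the policy names SMTP); the class, function and constant names and the account/email values are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy parameters (not taken from the page): a code is valid for
# ten minutes and may be guessed at most five times before it is discarded.
CODE_TTL_SECONDS = 600
MAX_ATTEMPTS = 5


@dataclass
class PendingCode:
    code_hash: bytes       # salted SHA-256 of the emailed code; the code itself is never stored
    salt: bytes
    expires_at: float
    attempts: int = 0


class EmailSecondFactor:
    """Issues and verifies one-time codes sent by email as a second factor."""

    def __init__(self, send_email: Callable[[str, str], None], clock: Callable[[], float] = time.time):
        self._send_email = send_email      # hypothetical transport: (address, code) -> None
        self._clock = clock                # injectable so expiry can be tested
        self._pending: Dict[str, PendingCode] = {}

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        return hashlib.sha256(salt + code.encode("ascii")).digest()

    def issue(self, account_id: str, email: str) -> None:
        """Generate a fresh 6-digit code, remember its hash, and email it to the account owner."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, never random.randint
        salt = secrets.token_bytes(16)
        # Re-issuing replaces any earlier code, so only one code is ever live per account.
        self._pending[account_id] = PendingCode(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._send_email(email, code)

    def verify(self, account_id: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        pending: Optional[PendingCode] = self._pending.get(account_id)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[account_id]          # expired codes are discarded, not retried
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[account_id]          # too many guesses: force a fresh code
            return False
        ok = hmac.compare_digest(self._hash(submitted, pending.salt), pending.code_hash)
        if ok:
            del self._pending[account_id]          # single use: the same code can't be replayed
        return ok


if __name__ == "__main__":
    # Stand-alone demo with a constructed outbox in place of a real mail server.
    outbox = []
    second_factor = EmailSecondFactor(lambda addr, code: outbox.append((addr, code)))
    second_factor.issue("acct-1", "client@example.com")
    _, delivered = outbox[-1]
    print("first use:", second_factor.verify("acct-1", delivered))    # True
    print("replay:", second_factor.verify("acct-1", delivered))       # False
```

The verifier never learns which digits were wrong, a successful code cannot be reused, and an expired or over-tried code is removed outright, so the only path forward for the Client is to request a new email; those three properties are what make the email code a meaningful second factor rather than a formality.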

5. DDoS PROTECTION

5.1. A Distributed Denial of Service (DDoS) attack floods a service with traffic from many sources so that it can no longer serve legitimate requests. During such an attack, Clients may not have access to the Platform Tools.

5.2. The Platform uses up-to-date means of protection against DDoS attacks, which minimizes the likelihood of loss of Personal Data and of loss of access to the Tools.

5.3. Plerdy uses the following types of protection against DDoS attacks:

5.3.1. protection against all types of DDoS attacks (SYN flood, UDP/ICMP flood, HTTP/HTTPS flood);

5.3.2. a secured IP address;

5.3.3. traffic filtering using specialized equipment and software methods;

5.3.4. use of Intrusion Prevention Systems (IPS);

5.3.5. protection of the Platform server.

5.4. For additional protection against DDoS attacks, the Platform uses Cloudflare, which provides content delivery, Internet security, and distributed domain name server (DNS) services. Cloudflare acts as a reverse proxy, sitting as an intermediary between the website visitor (the "Client") and the Platform's hosting provider.

6. SSL/TLS PROTECTION

6.1. SSL/TLS is a cryptographic protocol that provides an encrypted connection between the Data Subject's browser and the Platform server.

6.2. The Plerdy Site has an SSL certificate that allows all information on the Site, including Personal Data, to be transmitted and processed over a secure protocol.

6.3. The Cloudflare service provides the SSL certificate, which includes the following security features:

6.3.1. complete end-to-end encryption using a self-signed certificate on the server;

6.3.2. TLS 1.3: use of the latest version of the TLS protocol to improve security and performance;

6.3.3. certificate validity: ECDSA SHA256, 2023-03-02 (managed by Cloudflare) and RSA SHA256, 2023-03-02 (managed by Cloudflare).

7. PROCEDURE IN CASE OF BREACH OF PERSONAL DATA SECURITY

7.1. In case of unauthorized disclosure and/or loss of Personal Data, the Platform takes the following steps:

7.1.1. immediately notifies the Data Subject of such violations;

7.1.2. takes all necessary measures to stop further disclosure;

7.1.3. audits security systems to prevent further leakage of Personal Data;

7.1.4. takes action to minimize losses from such leakage of Personal Data;

7.1.5. takes action to recover damages from the Data Subject.

7.2. The Platform trains its Employees on the steps to follow in case of a Personal Data security breach.

7.3. The Platform evaluates and monitors the reduction of losses from Personal Data breaches, ensures cooperation between Employees and the Data Subject, and regularly reviews the Personal Data breach response plan.

8. CHANGING SECURITY POLICY

8.1. The Platform has the right to change the provisions of the Security Policy if a change is made to the methods and means of ensuring the security of Personal Data.

8.2. In the event of changes to the Security Policy, the Platform trains its Employees and adds new provisions to this Security Policy.

8.3. The Client is obliged to read the new terms of the Security Policy, and the Platform is not responsible if the Client has not read the new terms of the Security Policy.

8.4. Electronic or otherwise stored copies of the Security Policy are considered genuine, complete, valid and enforceable versions of this Security Policy in effect at the time of the Client's visit to the Site. If the Client uses the Tools after the Security Policy has been updated, he/she agrees to the new rules of Personal Data retention.

9. CONTACTS

9.1. The Client has the right to contact the support service of the Platform at: [email protected], to ensure their rights, in accordance with the terms of this Security Policy, or in case of violation of their rights, to leave a response or to ask a question.
