Kinner Lake Ltd (“Company”) is committed to providing transparency regarding the security measures which it has implemented in order to secure and protect Personal Information (as defined under applicable law, including the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”)) processed by the Company for the purpose of providing its services.
This information security policy (“Security Policy”) outlines the Company’s current security practices as of the “Last Updated” date indicated below. We will keep updating this Security Policy from time to time, as required by applicable laws and our internal policies.
As part of our GDPR compliance process (available here) we have implemented technical, organizational and monitoring protections, and established an extensive information and cyber security program, all with regard to the Personal Information processed by the Company. The Company ensures that its employees, contractors, as well as clients, comply with this Security Policy.
The Company secures access to its offices and ensures that solely authorized personnel have access. Further, an alarm system is installed within the Company’s premises which is activated at all times during non-working hours. The Company secures any physical access to facilities that contain Personal Information, such as the Company’s offices and data servers. The Company’s servers are located in protected facilities where physical access is controlled by professional security staff. Further, the Company has entered into applicable and binding processing agreements with each provider of a data server. In addition, when the Personal Information is transferred to the applicable servers it is always transferred using secured methods of encryption. The Company balances its approach towards physical security by considering elements of control that include architecture, operations, systems, performance, compatibility and interoperability.
Access to all data processing systems is solely via the Company’s user authentication systems. The Company uses authentication and has the ability to block access in any case of failed attempts or inactivity for a prolonged period of time. The aforementioned is carried out automatically by the system. There is clear identification of which employees are entitled to access the data and monitoring of such access at all times. In addition, remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place. The systems are also protected and solely authorized employees may access the systems by using a password. All passwords are changed regularly in accordance with the Company’s password guidelines.
The goal of transfer control is to ensure that Personal Information cannot be read, copied, modified or removed by unauthorized parties when such Personal Information is in motion, including during its transport or storage in the applicable data center. The Company prevents any creation of copies and has incorporated prevention of non-digital output transmission of the data sets (including the Personal Information). Further, any access to the Personal Information from beyond the Company network is solely accessible by means of a secured VPN. Lastly, any and all transfers of the Personal Information (either between the servers, from client side to server side and between Company’s designated partners) are secured (HTTPS) and encrypted.
It is the responsibility of the individuals across the Company to comply with these practices and standards. The Company educates its employees and service providers, consultants and contractors and raises awareness, risk and assessment with regards to any processing of Personal Information through training sessions and applicable employee manuals. Internal security testing is carried out on a regular basis. Further, the Company’s IT and DevOps team ensures security of all hardware and software available within the Company, such as: installation of anti-malware software on devices to protect against malicious use and malicious software (additional controls may be implemented based on risk), virus detection on endpoints, email attachment scanning, system compliance scans, information handling options for the data exporter based on data type, network security, system and application vulnerability scanning, use of secured email transfer, etc.
Access to the Personal Information is restricted solely to the employees that require access thereto and is protected by passwords and user names. Access to the Personal Information is secured by VPN and is highly managed by access control policies. The Company uses high level security measures to ensure that the Personal Information will not be accessed, modified, copied, used, transferred or deleted without specific authorization. The Company performs ongoing audits of any and all access to the database and any authorized access is immediately reported and handled. The Company revokes access to Personal Information immediately upon termination of employment of an employee.
Personal Information and raw data are all deleted automatically as soon as such data and Personal Information is no longer required in order for the Company to provide its services, all in accordance with applicable laws.
Employees are bound to follow the Company’s policies and procedures and breaking or not following these will result in disciplinary actions up to and including termination based on local law. Employees and data processors are all signed on applicable and binding agreements all of which include applicable data provisions and data security obligations. Further, as part of the employment process, employees undergo a screening process applicable per regional law. An employee will not gain access to the data until the Company has ascertained trust that the employee is well educated and responsible to handle the Personal Information, in a secure manner, to the extent required. In addition, the Company holds annual compliance training which includes education for employees in data security.
THIS SECURITY POLICY IS AN OVERVIEW OF COMPANY SECURITY PRACTICES AND MIGHT BE UPDATED FROM TIME TO TIME, ACCORDING TO ANY APPLICABLE LEGISLATION OR INTERNAL POLICIES.
Last Updated: March 30th, 2020