At Smilecloud, protecting and securing your personal data is our top priority. Below is a comprehensive outline of our technical and organizational measures that aim to:
– protect the confidentiality, integrity, and availability of your data;
– protect the systems that provide our Services and related support;
– protect our source code and other proprietary data against theft or attempts at unauthorized alteration.
Information security
We have implemented several security-related policies and procedures designed to ensure the confidentiality, integrity, and availability of stored data. We apply these policies in our day-to-day operations and review them regularly. These policies include the following measures:
Employee onboarding and access
We have implemented control measures regarding our staff's access to your data. The normal operation of our Services involves, in certain circumstances, access by our staff to the systems that store and process Customer Data (for example, to respond to your support request or to fix a problem regarding the Services). Our internal policies prohibit staff access to Customer Data except when it is essential and require logging of any such access. At the time of employment, we carry out appropriate background checks, sign confidentiality agreements, and conduct awareness and training regarding our security policies and procedures.
Pseudonymization
We prioritize the privacy of Customer Data. Where appropriate, we use pseudonymization techniques to transform personal data so that the data cannot be attributed to a specific data subject without additional information.
Data encryption in transit and at-rest
For data in transit, we employ the TLS (Transport Layer Security) standard to ensure secure data transfer. This security measure encrypts the data before transmission. It involves endpoint authentication, ensuring your data remains protected even if communications are intercepted during transmission between the user and our Services.
Amazon, our chosen cloud service provider, also upholds the highest standards for data encryption, both in transit and at rest. Communicating data between servers takes place via a secure channel, and the data is always encrypted during this process. For data at rest, Amazon ensures that all stored data is encrypted. Data-at-rest encryption is vital as it protects your data from potential threats, such as system compromises or data exfiltration.
For a deeper understanding, you can refer to Amazon's specific resources that elaborate on encryption methods in transit and at rest here.
Restoration and Business Continuity
As part of our commitment to data security and to ensure the ongoing availability of our Services, Smilecloud has a robust business continuity plan in place. This plan ensures timely restoration and access to personal data in the event of any physical or technical incident. Key features of our business continuity plan include:
Data recovery
In the event of a physical or technical incident, we have protocols and backup mechanisms in place to ensure the timely restoration of personal data.
Regular security evaluations
Our teams conduct regular testing, assessments, and evaluations of our technical and organizational measures. This proactive approach ensures the ongoing security and effectiveness of our data processing operations.
Third-party security
We have implemented third-party vendor evaluation procedures to analyze the operational and security impact of new tools and services used to provide or improve our Services or the capabilities of our staff. We consider and assess the risk associated with introducing new services against criteria such as the future contractual relationship, the security practices implemented by the provider, and the technical characteristics of the evaluated service. The assessment considers the impact on the personal data processed and establishes whether the provider has implemented adequate personal data protection measures.
User identification and authorization
Smilecloud employs Auth0, a leading identity platform, to manage user identification and authorization, providing enhanced security, a streamlined experience, and a scalable infrastructure. Users have the flexibility to authenticate via popular platforms, including Google and Apple, offering a seamless and secure sign-in experience.
Access management
Inside Smilecloud, advanced user identification methods are implemented, requiring multifactor authentication and stringent authorization processes to grant access to personal data.
Recognizing the significance of security in the digital age, we've opted for AWS S3, specifically hosted in Amazon’s Ireland availability zones, to cater to our data storage needs. Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud platform, boasts a security framework that often surpasses the rigors of traditional in-house systems.
Our choice of AWS S3 isn't arbitrary; it's anchored in AWS's reputation for scalability, robustness, and commitment to the highest security standards. AWS is subjected to recurrent external security, privacy, and compliance evaluations supporting 143 security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171.
To delve deeper into the expansive security measures AWS offers or to view a comprehensive and continually updated list of certifications, you're encouraged to visit the AWS Compliance resource center.
Physical security
The physical locations where personal data is processed are safeguarded with comprehensive security measures, including surveillance, access controls, and security personnel.
Event logging
Access, processing, and transmission events related to personal data are logged and monitored to detect and swiftly respond to anomalies.
System configuration
We maintain a secure system configuration, which includes strict default configurations, regular patches, and updates.
According to our Data Retention Policy, we retain personal data only for as long as is necessary for its intended purpose, following which it is securely deleted.
You may download Customer Data for portability as described in our Contract. In addition, upon valid requests, we ensure the permanent erasure of Customer Data from our systems.
Last updated: 18.12.2023