Common use of Information Security Policy Clause in Contracts

Information Security Policy. An information security policy governing how data processing, protection and privacy of personal data is ensured in compliance with relevant legislation, regulations and as required in the processor Information Security Policy, and to ensure assistance to the controller with compliance for exercising the data subjects’ rights, assistance to the controller in relation to audits and inspections, and assistance to the controller in relation to ensuring compliance with the obligations pursuant to Articles 32 – 36, are implemented. The processor’s personnel with access to personal data are subject to confidentiality obligations. The processor performs a risk assessment on processing activities before processing the personal data or launching new modules, components and features as part of Zensai’s Services and Platforms The processor retains its security documents pursuant to its retention requirements after they are no longer in effect. The processor’s Information Security Policy may be sent to the controller on request. All critical assets required for running the business are identified, have an owner and are documented in a register that is kept up-to-date by the pointed-out employer. The processor classifies personal data to help identify it and to allow for access to it to be appropriately restricted. The processor’s personnel must obtain authorisation prior to storing personal data on portable devices or remotely accessing personal data. The processor informs its personnel about relevant security procedures and their respective roles. The processor also informs its personnel of possible consequences of breaching the security rules and procedures. The processor will only use anonymous data in training. The processor’s personnel and authorised and approved third party users protect assets from unauthorised access, disclosure, modification, destruction or interference. The processor’s personnel have no physical access to physical components nor data centres for processing activities since the processor’s Services and Platforms is hosted on a cloud platform. The processor controls that vendors use industry standard processes to delete personal data when it is no longer needed.