DATA PROTECTION AND SECURITY POLICY

Last Modified: 23.02.2021

Hoopla Digital Ltd. (“Company”, “we” or “us”) takes data security seriously and has created this data security overview and policy (“Security Policy”) to disclose our practices in safeguarding Personal data processed through our services (“Service(s)”). We have implemented the below technical and organisational measures to protect the personal data processed by us against loss, unlawful acts and destruction, alteration, unauthorised disclosure or access, etc.

As part of our UK-GDPR and EU GDPR compliance process, we have prepared this Security Policy to provide you with a summary of the security measures and policies. Further, we require our partners and employees to comply with these standards and implement the same security measures when working with us.

THIS SECURITY POLICY OUTLINES THE COMPANY’S CURRENT SECURITY PRACTICES AS OF THE “LAST UPDATED” DATE INDICATED ABOVE. WE WILL KEEP UPDATING THIS POLICY FROM TIME TO TIME, AS REQUIRED BY APPLICABLE LAWS AND OUR INTERNAL POLICIES.

 

System Access Control

Access to corporate systems is restricted and is based on procedures to ensure appropriate approvals are provided solely if needed. In addition, remote access and wireless computing capabilities are restricted and require both user and system safeguards. The systems are also protected, and solely authorised employees may access the systems by using designated password and user name protections. As an example, the AWS RDS database has restricted access in a VPC network.

 

Physical Access Control

The Company secures physical access to its offices and ensures that solely authorised persons, such as employees and visitors, have access. The offices are protected by an alarm system and CCTV. We work with Google and Amazon AWS as our main data processors; therefore, if you need more information, we recommend you also review Google’s Security Policy and Data Processing Terms and/or Amazon’s Security Policy, Overview of Security Processes and Data Processing Addendum. When Personal data is transferred to the applicable servers it is always done in a secure and encrypted manner. Further, the Company has entered into applicable processing agreements with all service providers.

 

Data Access Control

Access to Personal data is restricted to solely the employees that “need to know” and is protected by passwords and user names. Access to Personal data is secured, anonymised, and aggregated by our service providers ensuring no raw personal data is accessible. Therefore, personal data cannot be accessed, modified, copied, used, transferred or deleted by any employees. Each employee is able to perform actions solely according to the permissions determined by the Company. Further, the Company has ongoing reviews of which employees have authorisations to assess whether access is still required. The Company revokes access immediately upon termination of employment. Authorised individuals can solely access Personal data that is established in their individual profiles.

 

Organisational and Operational Security

The Company educates its employees and service providers, consultants and contractors and raises awareness, risk and assessment with regard to any processing of Personal data. Our IT team ensures security of all hardware and software by installing anti-malware software on computers to protect against malicious use and malicious software as well as virus detection on endpoints and system and application vulnerability scanning. It is the responsibility of the individuals across the Company to comply with these practices and standards.

 

Transfer Control

Both Google’s and Amazon’s Data Centres are connected via high-speed private links to provide secure and fast transfer between data centres. This is designed to prevent personal data from being read, copied, modified or removed without authorisation during electronic transfer or transport or while being recorded onto data storage media. Google and Amazon transfer data via Internet standard protocols.

 

Data Retention

Personal data is deleted as soon as is legally applicable.

 

Job Control

Employees, partners and applicable processors are all subject to agreements which include data security obligations. As part of the employee training process, employees are provided with access to corporate systems to ensure they are well educated and able to handle the Personal data in compliance with all Company policies. Employees are bound to comply with this Security Policy in addition to internal security policies and procedures. Non-compliance with any such policies or procedures shall result in disciplinary actions. 

 

Availability Control

The Company’s servers include an automated backup procedure. The Company has a backup concept which includes automated daily backups. Periodical checks are performed to determine that the backups have occurred.