Personal Data Security
Last updated: 01.11.2020
Voluum pays great attention to protecting personal data and complying with the law when it collects, processes and uses such data. We want you to feel safe when you visit our site and use our services. Here you can find out about how we secure our customers’ and users’ data.
Voluum uses various security technologies and procedures that help to protect data from unauthorized access, use, disclosure, alteration or destruction, for example:
- Only qualified and authorized employees are permitted to access your Data, and they may do so only for permitted business functions;
- We use encryption in the transmission of your Data between your system and ours, and we use firewalls to help prevent unauthorized persons from gaining access to your Data;
- We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your Data;
- We rely only on vendors who ensure an appropriate level of security of your Data.
You can find more information about our approach to privacy and compliance in our Privacy Policies, Cookies Policies and End-user Privacy Policies, available on our website. You can find more information about the security measures we use here.
II. DATA CENTER & INFRASTRUCTURE SECURITY
- All employees authenticate to Voluum Infrastructure using individual certificates. Where passwords are allowed, we leverage multi-factor authentication, or the passwords are protected by single sign-on solutions that enforce multi-factor authentication;
- We have a security incident handling procedure designed to respond promptly and systematically to security and availability incidents that may arise. This process includes incident investigations, prompt communication with customers, third parties and authorities, and impact assessments and improvements. The incident response plan is tested and refined on a regular basis.
III. PRODUCT SECURITY
- Security measures are designed to protect all of the Voluum products. Each product takes advantage of common application development security best practices as well as infrastructure security and high availability configurations. Whether our products are free or paid, feature-rich or lightweight, we work hard to maintain the security of the Data you entrust to us;
- By default all communications from your end users and your visitors with the Voluum systems are encrypted using industry-standard communication encryption technology. Voluum currently uses Transport Layer Security (TLS), with regular updates to ciphersuites and configurations;
- Sensitive payment and credit information that you supply is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway providers’ database, where it is accessible only to those authorized with special access rights to such systems, who are required to keep the information confidential. After a transaction, your private information (credit cards, social security numbers, financials, etc.) is not stored on our servers;
- Access to Voluum systems is only possible after logging in. User passwords are encrypted and can be changed at any time. We use advanced methods of user authorization, such as two-factor authentication, access keys and a list of authenticated devices;
- Users are automatically logged out after a set period of inactivity;
- We continuously monitor whether your Data is secure and available for use at all times. Our security department observes security alert sources for the latest information on new system vulnerabilities and proactively assesses each of them against our environment. We also actively watch for updates from the providers of the technologies we use for security information;
- To help ensure availability of our systems in the event of a disaster, we replicate data across multiple data centers. We perform daily backups of your Data, which are tested regularly. We have implemented a business continuity plan to provide the services in the event of an emergency;
- To protect your Data, we adopt privacy by design and privacy by default policies. Privacy in the design phase means that at the stage of planning new activities or modifications to already implemented actions (e.g. implementation of a new IT system, organization of a new type of marketing activity, provision of a new service for clients) under which processing of your Data will occur, legal and internal requirements together with good practices for security will be considered. Data protection by default means processing only such Data of yours as is necessary to achieve a specific service goal;
- We are constantly testing and improving existing and new products for the highest level of security.
- When developing our products, we use extensive safety verification standards. We regularly perform technical audits and penetration tests to ensure the highest level of security;
- Risk assessment is carried out on an ongoing basis. Top risks are selected and risk treatment plans are prepared. The risk assessment, top risk selection, and risk treatment plans are reviewed and monitored;
- The risk assessment includes not only technical and organizational safeguards, but also the degree to which the privacy of your data is ensured. Therefore, we also conduct periodic Data Protection Impact Analysis (DPIA);
- To help keep all our engineering, support, and other employees on the same page with regard to protecting your Data, Voluum developed and maintains a Personal Data Protection Policy. The policy covers data handling requirements, privacy considerations, and responses to violations, among many other topics. With this policy and the myriad protections and standards in place, we also ensure our employees are well-trained for their roles. General security awareness training is offered to all new employees and covers Voluum security requirements. After initial training, different training tracks are available based on an employee’s role. Recurring training is provided through regular updates, notices, and internal communications;
- We have appointed a Data Protection Officer who in particular watches over the security of your Data, monitors our compliance with GDPR, and is a point of contact for you in all matters regarding Data protection; you can contact our Data Protection Officer at: [email protected]
- Each day, confidentiality policies are implemented at Voluum and adhered to by employees and associates;
- We are committed to maintaining the confidentiality of any person who has access to your Data and systems containing Data;
- We regularly train employees in security awareness and how to respond to any incident that may adversely affect your Data;
- Access to your Data and systems storing it is possible only by Trusted Partners – under the authority of Voluum and after verification of the entity.
VI. PHYSICAL SECURITY
- Within our headquarters, we employ a number of industry-standard physical security controls. Physical security measures include: on-premise security guards, video monitoring, guest ID verification, electronic access cards and additional intrusion protection measures;
- Access to the data centre infrastructure and any company locations is only available to authorised personnel and trusted partners.
VII. TRUSTED PARTNERS
- We rely only on providers who ensure an appropriate level of security of your Data. We take care of your Data; therefore we periodically verify our suppliers with regard to compliance, safeguards and the existence of security measures;
- We may transfer Data to a country outside of the European Economic Area (EEA), i.e. to the territory of the United States of America, in order to protect storage and processing of data, using IT services, as well as operating the Site and providing our services, in accordance with applicable laws, with appropriate safeguards in place, only by using standard contractual clauses adopted by the European Commission (EU Commission Decision on standard contractual clauses for the transfer of Personal Data to processors established in third countries under Directive 95/46/EC, the “Model Contract Clauses”), or based on other applicable transborder data transfer mechanisms;
- If you are located in the EEA and want to check the safeguards which we have put in place to protect your Data transferred outside of the EEA and your privacy rights in these circumstances you can find these here.
If you have any questions regarding how we secure our customers’ and users’ data, you may contact us using the information below:
CentralNic Poland sp. z o.o., with a registered office at ul. Lubicz 17G, 31-503 Kraków, Poland incorporated under the laws of Poland and registered in the companies register of the National Court Register held by District Court Krakow – Srodmiescie in Cracow XI Commercial Division (Sąd Rejonowy dla Krakowa – Śródmieścia w Krakowie XI Wydział Gospodarczy) under (KRS) no. 0000830352, having EU VAT ID: PL5272922087 and the share capital in the amount of 5 000 PLN