App Growth Network (‘AGN’, agency) provides a SaaS product (referred to as ‘Appollo’) to its clients. A big part of Appollo is data collection: from multiple online platforms to a single dashboard. Because most of this data comes from our clients, AGN wants to ensure that it is secure, so as to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. Thus, we outline data practices that ensure clients and internal resources have access as required by their work responsibilities.
It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios, so it outlines the requirements for data breach prevention.
2.1 In Scope
This data security policy applies to information gathered on behalf of AGN clients from marketing platforms, as well as any sensitive information shared between the client and the agency. Therefore, it applies to every server, database and IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. Every user who interacts with company IT services is also subject to this policy.
2.2 Out of Scope
Information that is classified as Public is not subject to this policy. Other data can be excluded from the policy by company management based on specific business needs, such as when protecting the data would be too costly or too complex.
The company shall provide all employees and contracted third parties with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.
a. Each user shall be identified by their unique company email, so as to track potential data breaches and account for their causes.
b. The use of shared identities is permitted only where they are suitable, such as training accounts or tools that are used internally, and do not pertain to client data.
c. Each user shall read this data security policy. By reading this document, you agree to its contents; otherwise, you can raise any concerns with an executive at the company for further clarification.
d. Records of user access may be used to provide evidence for security incident investigations.
e. Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.
f. Any data used by Appollo is stored on outsourced servers, access to which is given in accordance with the following sub-section.
3.3 Access Control Authorization
Access to company IT resources and services will be given to employees through a password management tool to avoid password theft. Permission to share said passwords has to come either from Fouad Saeidi, AGN CEO, an executive in charge of a certain project, or a senior member of the IT/Analytics team.
A client has to agree (verbally or otherwise) to sharing their information with AGN.
3.4 Network Access
a. All employees and contractors shall be given network access in accordance with business access control procedures and the least-privilege principle.
b. Any information on the network is subject to this data policy and is deemed private, unless otherwise confirmed by an executive or a client themselves.
3.5 User Responsibilities
a. All users must lock their screens whenever they leave their desks to reduce the risk of unauthorized access.
b. All users must keep their workplace clear of any sensitive or confidential information when they leave.
c. All users must keep their passwords confidential and not share them.
3.6 Application and Information Access
a. All company staff and contractors shall be granted access to the data and applications required for their job roles.
b. All company staff and contractors shall access sensitive data and systems only if there is a business need to do so and they have approval from higher management.
c. Sensitive systems shall be physically or logically isolated in order to restrict access to authorized personnel only.
3.7 Access to Confidential, Restricted information
a. Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it, as determined by the Data Security Policy or higher management.
b. The responsibility to implement access restrictions lies with the IT/Analytics department.
4. Technical Guidelines
Access control methods to be used shall include:
- Role-based access model
- Server access rights
- Web authentication rights
- Database access rights
Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications and websites, cloud storage, and services.
5. Incident Reporting Requirements
a. High-priority incidents discovered by the IT Security department shall be immediately escalated; the IT manager should be contacted as soon as possible.
b. The IT Security department shall also produce a monthly report showing the number of IT security incidents and the percentage that were resolved.
6. Ownership and Responsibilities
- Data owners are employees who have primary responsibility for maintaining information that they own, such as an executive, department manager or team leader.
- The Information Security Administrator is an employee designated by the IT management who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources.
- Users include everyone who has access to information resources, such as employees, trustees, contractors, consultants, temporary employees and volunteers.
- The Incident Response Team shall be chaired by an executive and include employees from departments such as IT Infrastructure, IT Application Security, Legal, Financial Services and Human Resources.
Any user found in violation of this policy is subject to disciplinary action, up to and including termination of employment. Any third-party partner or contractor found in violation may have their network connection terminated.
8. General Data Protection Regulation (GDPR) Provision
• App Growth Network needs to perform a contract with you
• You have given App Growth Network permission to do so
• Processing your personal information is in App Growth Network’s legitimate interests
• App Growth Network needs to comply with the law
If you are a resident of the European Economic Area (EEA), you have certain data protection rights. If you wish to be informed what Personal Information we hold about you and if you want it to be removed from our systems, please contact us.
In certain circumstances, you have the following data protection rights:
• The right to access, update or to delete the information we have on you.
• The right of rectification.
• The right to object.
• The right of restriction.
• The right to data portability.
• The right to withdraw consent.
App Growth Network follows a standard procedure of using log files. These files log visitors when they visit websites. All hosting companies do this as part of hosting services’ analytics. The information collected by log files includes internet protocol (IP) addresses, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks. These are not linked to any information that is personally identifiable. The purpose of the information is to analyze trends, administer the site, track users’ movement on the website, and gather demographic information.
Note that App Growth Network has no access to or control over these cookies that are used by third-party advertisers.
Further policies are followed as outlined in section 3 of this document.
Third Party Privacy Policies
You can choose to disable cookies through your individual browser options. More detailed information about cookie management for specific web browsers can be found on the browsers’ respective websites.
Another priority of ours is protecting children while they use the internet. We encourage parents and guardians to observe, participate in, and/or monitor and guide their online activity.
App Growth Network does not knowingly collect any Personally Identifiable Information from children under the age of 13. If you think that your child provided this kind of information on our website, we strongly encourage you to contact us immediately and we will make our best efforts to promptly remove such information from our records.