Last Updated: July 19, 2023

Nipendo Ltd. (“Company” or “we”) is committed to providing transparency regarding the security measures we have implemented to secure and protect Personal Data as defined under applicable data protection law, including without limitation, Israel’s Protection of Privacy Law, 1981 and the regulations enacted thereunder.

This information security policy outlines the Company’s security, technical, and organizational practices.

As part of our data protection compliance process, we have implemented technical, physical and administrative security measures to protect Personal Data, including upholding standards of ISO 27001 and SOC 2 Type II.

Physical Access Control

The Company ensures the protection of the physical access to the data servers that store Personal Data. The data processed by the Company is stored in Company’s private server farm. Further, the Company secures physical access to its offices to ensure that solely authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access the Company’s offices.

System Control

Access to the Company’s database is restricted to approved personnel, including by ensuring safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow access or use related to Personal Data in accordance with role and solely to the extent such access or use is required. The Company monitors user access to the data and the passwords used to gain login access.

Data Access Control

The Company ensures that access to Personal Data is restricted to permissioned employees, ensuring that Personal Data shall not be accessed, modified, copied, used, transferred or deleted without specific authorization. Access to the Personal Data, as well as any action involving the use of the Personal Data, requires a username and password, which is routinely changed and fully encrypted. Each employee is able to perform actions according to the permissions determined by the Company. Individual access is logged, and any unauthorized access is automatically reported. Further, the Company conducts ongoing reviews of employee authorizations to assess whether access is still required. Authorized individuals can access only the Personal Data established in their individual profiles, and the Company revokes access upon termination of employment.

Organizational and Operational Security

The Company invests in a multitude of efforts and resources to ensure compliance with the Company’s security practices, including via ongoing employee training. In addition, the Company implements applicable safeguards for its hardware and software, including firewalls and anti-virus software in order to protect against malicious software.

Transfer Control

All transfers of Personal Data between the client and the Company’s servers are protected using encryption safeguards, including encryption of the Personal Data prior to transfer. In addition, where applicable, the Company enters into data processing agreements, in accordance with applicable laws.

Availability Control

The Company’s servers include an automated backup procedure on a daily basis.

Data Retention

Personal Data is retained for as long as needed to provide the services or as required under applicable laws. Individuals may request data deletion, subject to certain limitations as detailed in the Company’s Data Subject Rights Notice. 

Job Control

All of the Company’s employees are required to execute an employment agreement which includes, where applicable, confidentiality provisions as well as provisions binding the employees to comply with applicable data security practices. In addition, employees undergo a screening process subject to applicable requirements. In the event of a breach of an employee’s obligation or noncompliance with the Company’s policies, the Company will take appropriate remediation actions.

Updates to this procedure

We will assess, once per year, the necessity of updating this procedure, including by assessing whether any material changes have been made to the database systems, to our information processing practices, or if there are new technological risks with respect to the database systems.