Staytus
Privacy Policy Privacy Statement DPA MTSA TOM

Technical and Organisational Measures to Protect Personal Data

Staytus, Inc. respects the rights and privacy of its customers and guests for which we process personal data in connection with the offering of our products and services.

Staytus has implemented and maintains a comprehensive written information security program ("Information Security Program") that includes technical and organizational measures to ensure a level of security appropriate to the risk, including measures to protect the confidentiality, security, integrity, and availability of Personal Data and to protect against unauthorized access, use, disclosure, alteration or destruction of Personal Data. Staytus has developed this Information Security Program taking into account (1) the state of the art; (2) the costs of implementation; (3) the nature, scope, context and purposes of processing; and (4) the risk of varying likelihood and severity for the rights and freedoms of natural persons.

In particular, the Information Security Program includes the following measures to ensure the protection of Personal Data:

  • Encryption – technical security measures to guard against unauthorized access to Personal Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Personal Data in electronic form while in transit and in storage on networks or systems to which unauthorized individuals may have access, consistent with industry standards.
  • Access Controls – policies, procedures, and physical and technical controls: (i) to limit physical access to its information systems and the facility or facilities in which they are housed to properly authorized persons; (ii) to ensure that all members of its workforce who require access to Personal Data have appropriately controlled access, and to prevent those workforce members and others who should not have access from obtaining access; (iii) to authenticate and permit access only to authorized individuals and to prevent members of its workforce from providing Personal Data or information relating thereto to unauthorized individuals; and (iv) upon termination of an employee or contractor, to revoke access to the employee or contractor's access to any Personal Data.
  • Asset Management and Audit Controls – appropriate controls to address (i) critical asset identification and asset management, (ii) third-party risk management, (iii) configuration and change management for software systems, and (iv) hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate maintenance, monitoring and analysis of audit logs.
  • Security Awareness and Training – a security awareness and training program for all members of Staytus' workforce (including management), which includes training on how to implement and comply with its Information Security Program.
  • Security Incident Procedures – policies and procedures to detect, respond to, and otherwise address security incidents, including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into Personal Data or information systems relating thereto, and procedures to identify and respond to suspected or known security incidents, mitigate harmful effects of security incidents, and document security incidents and their outcomes.
  • Assigned Security Responsibility – designated security official responsible for the development, implementation, and maintenance of its Information Security Program. Staytus shall, upon the request of any customer, provide the name and contact details of the person responsible for security.
  • Contingency Planning – policies and procedures for responding to an emergency or other occurrence that damages Personal Data or systems that contain Personal Data, including policies and procedures that are designed to ensure products and services are uninterrupted, a data backup plan and a disaster recovery plan (including regular testing on the effectiveness of such plans).
  • Data Integrity – policies and procedures to ensure the confidentiality, integrity, and availability of Personal Data and protect it from disclosure, improper alteration, or destruction.
  • System Configurations – policies and procedures for managing changes to production systems, applications and databases, including without limitation, processes for documenting testing and approval of changes into production, security patching, and authentication.
  • Secure Development – policies and procedures to ensure that development environments are protected from malicious or accidental development or code updates that may create vulnerabilities or compromise the confidentiality, integrity, and availability of Personal Data.
  • Testing – processes to regularly test the key controls, systems and procedures of the Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified.
  • Risk Assessment Program – a risk assessment program to help identify foreseeable internal and external risks to the confidentiality, integrity, and availability of Personal Data and to determine if existing controls, policies, and procedures are adequate.
Staytus
Privacy Policy Terms DPA TOM