Data Security Policy

Definition

World Options and subsidiaries companies will hereafter be referred to as “World Options”

1. Purpose

This policy establishes an effective, accountable and transparent framework for ensuring high standards of data security at World Options.

2. Scope

This policy applies across all entities or subsidiaries owned, controlled, or operated by World Options and to all employees, including part-time, temporary, or contract employees.

3. Policy Statement

Physical security

The World Options office is under 24x7 security protection, at both premises level and floor level to ensure only authorised individuals have access to the building and the World Options office. At the floor level, smartcard readers are present to authorise individuals before entry. Employees are granted access to the office only after authorisation using smart cards. Critical locations in the office are accessible only to authorized individuals.

Important documents are stored in cabinets that can only be accessed by pre-authorised individuals. Fire alarms are in place to detect and mitigate damage in the unlikely event of a fire. Regular fire drills are also conducted by the premises management team to educate employees about emergency evacuation procedures. A policy has been implemented to approve and regulate visitor access to the building.

World Options hosts its application and data in industry-leading AWS Cloud Services, whose data centres have been thoroughly tested for security, availability and business continuity.

Application security

All of World Options applications are hosted in AWS Cloud Services. The infrastructure for databases and application servers is managed and maintained by AWS Cloud Services.

At World Options, we take a multifaceted approach to application security, to ensure everything from engineering to deployment, including architecture and quality assurance processes complies with our highest standards of security.

Application Architecture

The application is initially protected by Amazons Web Services’ firewall which is equipped to counter regular DDoS attacks and other network related intrusions. The second layer of protection is World Options own application firewall which monitors against offending IPs, users and spam. While the application can be accessed only by users with valid credentials, it should be noted that security in cloud-based products is a shared responsibility between the company and the businesses who own those accounts on the cloud. In addition to making it easy for administrators to enforce industry-standard password policies on users, our applications also incorporate features aimed at securing business data on the cloud:

World Options uses a multi-tenant data model to host all its applications. Each application is serviced from an individual virtual private cloud and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in tenant. Per this design, no customer has access to another customer’s data. Access to the application by the World Options development team is also controlled, managed and audited. Access to the application and the infrastructure are logged for subsequent audits.

The in-line email attachment URLs for the product are public by design, to enable us to embed links within the email for end-user ease. This can be made private on customer request.

Application Engineering and Development

Our engineers are trained in industry-leading secure coding standards and guidelines to ensure our products are developed with security considerations from the ground-up. A security review is a mandatory part of application engineering process at World Options. The security review leverages static code analysis tools, in addition to manual reviews, to ensure adherence to our highest standards.

Quality Assurance

Besides functional validation and verification, the quality assurance process at World Options also subjects application updates to a thorough security validation. The validation process is performed by a dedicated testers who attempt to ethically hack the application to discover and demonstrate vulnerabilities in the application. An update to the application does not get the stamp of approval from the quality assurance team if vulnerabilities (that can compromise either the application or data) are identified.

Data Security

World Options takes the protection and security of its customers’ data very seriously. World Options manages the security of its application and customers’ data. However, provisioning and access management of individual accounts is at the discretion of individual business owners.

The World Options development team have limited access to data on production servers. Changes to the application, infrastructure, web content and deployment processes are documented extensively as part of an internal change control process.

Our products collect limited information about customers - name, email address and phone - which are retained for account creation. Postal address is requested and retained by World Options PCI compliant payment processor for billing, along with the date of expiry of credit card and CVV when wallet accounts are used.

World Options takes the integrity and protection of customers’ data very seriously. We maintain history of two kinds of data: application logs from the system, and application and customers’ data. All data is stored in Cloud Services’ state of the art cloud computing platform. Data is stored in multiple locations on mirrored cloud databases.

Application logs are maintained for a duration of 90 days. Customers’ data is backed up in two ways:

• A continuous backup is maintained in different datacenters to support a system failover if it were to occur in the primary datacenter. Should an unlikely catastrophe occur in one of the datacenters, businesses would lose only five minutes of data.

• Databases are synced.

Different environments are in use for development and testing purposes, access to systems are strictly managed, based on the principles of need to do/know basis appropriate to the information classification, with Segregation of Duties built in, and reviewed on a quarterly basis.

Data Deletion

When an account is requested to be to deleted, all personal data associated with the account will be deleted within 30 business days. Personal data cannot be deleted from an account that has an outstanding balance. World Options products also offer data export options which businesses can use if they want a backup of their data before deletion.

Operational Security

World Options understands that formal procedures, controls and well-defined responsibilities need to be in place to ensure continued data security and integrity. The company has clear change management processes, logging and monitoring procedures, and fall back mechanisms which have been set up as part of its operational security directives.

Operational security starts right from recruiting an engineer to training and auditing their work products. The recruitment process includes standard background verification checks (including verification of academic records) on all new recruits. All employees are provided with adequate training about the information security policies of the company and are required to sign that they have read and understood the company’s security-related policies. Confidential information about the company is available for access only to select authorised World Options employees.

Employees are required to report any observed suspicious activities or threats. The human resources team takes appropriate disciplinary action against employees who violate organizational security policies. Security incidents (breaches and potential vulnerabilities) can be reported by customers through our portal at worldoptions.com or via email: gdpr@worldoptions.co.uk

World Options maintains an inventory of all information systems used by employees for development purpose. Only authorized and licensed software products are installed by employees. All employee information systems are authorized by the management before they are installed or put to use.

The company has a Data Protection Policy, approved by the Board of Directors.

Network Security

Network security is discussed in detail in this section from the perspective of the development centre, and the network where the application is hosted.

The World Options office network where updates are tested, monitored and managed is secured by industry-grade firewalls and antivirus software, to protect internal information systems from intrusion and to provide active alerts in the event of a threat or an incident. Firewall logs are stored and reviewed periodically. Access to the production environment is via SSH and remote access is possible only via the office network.

All World Options products are hosted in AWS, with security managed by Zen Internet. Our team monitors the infrastructure 24x7 for stability, intrusions and spam using a dedicated alert system. The World Options application has an in-built spam protection system for businesses that use it, while our team monitors and blocks individual accounts and IP addresses which attempt to access the World Options applications.

4. Responsibilities

Regulatory Compliance

All formal processes and security standards at World Options are designed to meet regulations at the industry, state and European Union levels.

Use of our service by customers in the European Economic Area (“EEA”), will include the processing of information relating to their customers. In providing our service, we do not own, control or direct the use of the information stored or processed on our platform at the direction of our customers, and in fact we are largely unaware of what information is being stored on our platform and only access such information as reasonably necessary to provide the service (including to respond to support requests), as otherwise authorised by our customers or as required by law. We are Data Processors for our end customers, but Data Controllers for the customers from whom we collect data on our platform for purposes of the European Union (“EU”) on our platform for purposes of the European Union (“EU”) General Data Protection Regulation (GDPR). Our EEA based customers, who control their customer data and send it to World Options for processing, are the “Controllers” of that data and are responsible for compliance with the GDPR. In particular, World Options customers are responsible for complying with the GDPR and relevant data protection legislation in the relevant EEA member state before sending personal information to World Options for processing.

As the processors of personal information on behalf of our customers, we follow their instructions with respect to the information they control to the extent consistent with the functionality of our service. In doing so, we implement industry standard security, technical, physical and administrative measures against unauthorized processing of such information and against loss, destruction of, or damage to, personal information as more fully described in World Options Data Protection Policy.

We work with our customers to help them provide notice to their customers concerning the purpose for which personal information is collected and sign Standard Data Processor Agreement (for data processors) with them to legitimize transfers of personal data from EU to processors established in third countries as may be required under the GDPR.

Reporting issues and threats

If you have found any issues or flaws impacting the data security or privacy of World Options users, please write to gdpr@worldoptions.co.uk with the relevant information so we can get working on it right away.

Your request will be looked into immediately. We might ask for your guidance in identifying or replicating the issue and understanding any means to resolving the threat right away. Please be clear and specific about any information you give us. We deeply appreciate your help in detecting and fixing flaws in World Options and will acknowledge your contribution to the world once the threat is resolved.

Records management

Staff must maintain all records relevant to administering this policy and procedure in electronic form in a recognised World Options recordkeeping system.

All records relevant to administering this policy and procedure will be maintained for a period of 5 years.

5. Terms and definitions

General Data Protection Regulation (GDPR): the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data

Data Processor: the entity that processes data on behalf of the Data Controller

Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union

Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR

Data Subject: a natural person whose personal data is processed by a controller or processor

Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person

Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data

Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour

Regulation: a binding legislative act that must be applied in its entirety across the Union

Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them

6. Related legislation and documents

• Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

• World Options Data Protection Policy

7. for more information

Contact our Data Protection Officers who are the World Options Board of Directors by emailing: gdpr@worldoptions.co.uk