Polar Cape Security Practices and Policies

Our customers can trust that Polar Cape has made GDPR a priority and has devoted significant and strategic resources toward our efforts to comply with GDPR.

Physical Security

Customer data is never to be replicated outside of the production environment and is never to be replicated onto employee workstations. Employee devices are required to time out and lock after a maximum of ten minutes of inactivity.

Key internal policies at Polar Cape include:

  • No customer data to be stored on Polar Cape premises or in cloud services owned
    by Polar Cape.
  • No production data is to be used in test or development environments.

Access Control

All customer data is considered highly sensitive and protected, and access follows the principle of least privilege.
Only authorized and trained members of the Polar Cape support team have access to customer systems and user data.

Polar Cape's handling of customer systems and user data is fit for the General Data Protection Regulation (GDPR).
Those who do have access to data are only permitted to view it for troubleshooting purposes.

We maintain a list of members of the Polar Cape support teams with access to customer environments.
These members are approved by the customer account manager. A separate list grants all relevant roles access to code, as well as to the development and test environments.
These lists are reviewed quarterly and on role change. When an employee changes role or leaves the company, their credentials are deactivated
and their sessions are forcibly logged out. All of their accounts are then removed or changed.

Key internal policies at Polar Cape include:

  • Customer account team onboarding must ensure that new team members read and understand the customer processing instructions defined in the relevant Data Processing Agreement.

Network

Polar Cape Macedonia uses Deutsche Telekom as its network service provider. See Telekom’s commitment to GDPR and network security here.

Email encryption

Office 365 secure communication is used with Transport Layer Security (TLS).
Emails containing personal information are labelled accordingly and deleted as per the retention policy for that label.

Security Awareness and Confidentiality

Data protection awareness and customer data access policies are covered during employee onboarding as appropriate to the role,
and employees are updated as relevant policies or practices change. Employees also sign a confidentiality and non-disclosure agreement. In the event that a security policy is breached by an employee, Polar Cape reserves the right to determine the appropriate response, which may include termination.

Information Security Governance

We have conducted an information audit to map data flows and have documented what personal data we hold,
where it came from, who we share it with and what we do with it. We have nominated a data protection lead, and security governance has been added as a standard reporting area on our steering board, where we manage information risks in a structured way so that management understands the business impact of risks related to personal data and manages them effectively.