Data Breach Policy

Introduction

Airtame makes continuous efforts to protect the confidentiality, integrity and availability of the confidential information and personal data of employees, customers and vendors. As part of these efforts, Airtame will respond promptly to investigate, contain and mitigate any security incident that could lead to a data breach, following the internal procedures intended for that purpose. If a data breach occurs, a notification will be provided to all affected individuals and/or data authorities in accordance with applicable contractual and legal requirements.

To clarify the scope of the policy, Airtame offers the following definitions:

  • Confidential information includes all information of Airtame’s employees and customers (both existing and potential), not generally known to the public.
  • Personal data includes any information related to an identifiable natural person. Personal Data includes, but is not limited to, names, addresses, email addresses, and phone numbers.
  • Data breach is defined as the unauthorized access of unencrypted data that compromises the confidentiality, integrity or availability of that information.

By definition, a data breach could occur not only virtually but also physically through unauthorized access into Airtame offices or devices. A data breach potentially includes any breaches that might affect third-party vendors that provide services to Airtame.

Incident response procedure

Airtame maintains a Security Incident Response Plan based on guidelines from the National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide.

As part of every employee's responsibilities, any actual or suspected data breach must be reported immediately and without undue delay to the Information Security team. This will trigger the different processes described in the Incident Response Plan in order to determine if the reported incident actually involves a potential data breach. In case of a data breach, the plan defines the measures required to manage the incident and prevent further damage.

A data breach can take various forms, so each case and the measures to be taken will be assessed on an ad hoc basis.

Notification procedure

Following the Security Incident Response Plan, the Breach Notification Team (BNT) is responsible for handling the internal and external communication if a data breach has been discovered. In the meantime, the Information Security team will work on containing and mitigating the incident as defined by the process, while the CFO, as legal advisor, and the rest of the team follow the Data Breach Notification Process in order to determine if a notification of supervisory authorities and affected data subjects is required.

Notification commitment as data processor

Airtame, in its role as data processor, commits to notifying affected data controllers (customers and/or partners) via email, specifically the primary business contact registered upon contract signing, as soon as possible and no later than 72 hours after reasonable suspicion of a Data Breach, following GDPR guidelines. If there is an operational impact, an update can also be seen on https://status.airtame.com/.

Notification commitment as data controller

Airtame, in its role as data controller, commits to notifying affected Airtame employees and customers/vendors/partners via email, when acting as data controller with regard to their employees’ personal data, as required by applicable law and following the Data Breach Notification Process.
