Airtame makes continuous efforts to protect the confidentiality, integrity and availability of the confidential information and personal data of employees, customers and vendors. As part of these efforts, Airtame will respond promptly to investigate, contain and mitigate any security incident that could lead to a data breach, following the internal procedures intended for that purpose. If a data breach occurs, a notification will be provided to all the affected individuals and/or data authorities in accordance with applicable contractual and legal requirements.
To clarify the scope of the policy, Airtame offers the following definitions:
Airtame maintains a Security Incident Response Plan based on guidelines from the National Institute of Standards and Technology’s (NIST) Computer Security Incident Handling Guide.
As part of every employee's responsibilities, any actual or suspected data breach must be reported without undue delay to the Information Security team. This will trigger the different processes described in the Incident Response Plan in order to determine whether the reported incident actually involves a potential data breach. In case of a data breach, the plan defines the measures required to manage the incident and prevent further damage.
In this regard, a data breach can take various forms, so each case and the measures to be taken will be assessed on an ad hoc basis.
Following the Security Incident Response Plan, the Breach Notification Team (BNT) is responsible for handling the internal and external communication if a data breach has been discovered. In the meantime, the Information Security team will work on containing and mitigating the incident as defined by the process, while the CFO, as legal advisor, and the rest of the team follow the Data Breach Notification Process in order to determine whether a notification of supervisory authorities and affected data subjects is required.
Airtame, in its role of data processor, commits to a notification via email to affected data controllers (customers and/or partners), specifically to the primary business contact registered upon contract signing, as soon as possible but no later than 72 hours after reasonable suspicion of a Data Breach, following GDPR guidelines. If there is an operational impact, an update can also be seen on https://status.airtame.com/.
Airtame, in its role of data controller, commits to a notification via email to affected Airtame employees and customers/vendors/partners, when acting as data controller with regard to their employees’ personal data, as required by applicable law and following the Data Breach Notification Process.