GDPR WHITEPAPER

OTORIO Ltd. welcomes the positive changes GDPR brings. GDPR is both an obligation and an opportunity to build privacy-friendly products while further fostering customer trust. This document provides a summary of OTORIO’s efforts to align and comply with the GDPR, in the context of our platforms and services.

OTORIO’S TECHNOLOGY AND SERVICES

OTORIO’s platform (including its software, algorithms and/or code) does not access, use, store or otherwise process personal data on behalf of its customers. The only information we process is the basic log-in details of users within our platform. Accordingly, OTORIO’s position is that we are not a Data Processor with respect to the GDPR. However, OTORIO does act as a Data Controller of certain basic personal information, as set out in our privacy policy.

GDPR

  • GDPR Strategy.
    • OTORIO has created internal processes to map and understand GDPR to our solution set and create a privacy compliance strategy suitable to the size and scope of our business.
    • OTORIO has created an internal taskforce with members of different disciplines (Engineering, Security, Product Development, and Customer Success) to implement our ongoing privacy compliance strategy.
    • C-Level Executives are personally involved in the oversight of our strategy implementation.
    • OTORIO provides training and awareness for our employees regarding key privacy and data security requirements. We also deliver annual lectures on privacy awareness.
    • During the new employee onboarding process, OTORIO provides an overview of information security and privacy and its importance in our company's operations. We also cover our company's policies and procedures regarding the handling of personal data.
    • As part of ongoing training, OTORIO provides refresher courses on information security and privacy. We also update employees on any changes in the regulation. We conduct continuing education events on specific topics, such as data breaches and how to identify and mitigate risks related to personal data.
    • We believe that ongoing education and training are essential to maintaining compliance and protecting personal data.
  • Privacy Policy. OTORIO has prepared a privacy policy, which is available here: https://www.OTORIO.com/privacy-policy.
  • Data Processing Agreement. Given OTORIO’s position that we are not a Data Processor, we have not signed any data processing agreements (“DPA”) with our customers.
  • Vendors and Service Providers. Most of OTORIO’s vendors and service providers are large, established companies, like Amazon (Web Services) or Microsoft (Azure). These companies have stated their compliance with the GDPR. OTORIO is currently in the process of ensuring we have appropriate DPAs in place with all of our business partners, vendors and service providers where access to personal information is provided.
  • Security.
    • Our products are developed according to industry-accepted best practices for a Secure Software Development Life Cycle (SSDLC). In this regard, our processes were audited and OTORIO obtained IEC 62443-4-1 certification.
    • Although OTORIO is not a data processor with respect to the GDPR, we still maintain industry- and enterprise-ready safeguards, including processes and tooling, with respect to the data we process. To solidify these efforts, OTORIO is currently pursuing SOC 2 (Type 2) certification and ISO 27001.
    • In support of our certifications and pursuit of ISO27001, below is a high-level summary of the safeguards we’ve implemented:
      • Encryption of all sensitive data in transit.
      • All personal data is secured and accessed on a need-to-know basis.
      • We log all changes to access policies and permissions.
      • Permissions are reviewed periodically.
      • User accounts are managed under defined policies and procedures.
      • Endpoints are protected.
      • An external MSSP monitors our security software.
    • The following measures for ensuring the ongoing confidentiality, integrity and availability of the Services’ processing systems are continuously maintained:
      • Full data encryption in transit.
      • An audit trail of user permissions, active monitoring of security threats, and code vulnerability scanning.
      • OTORIO implements processes for regularly testing, checking and assessing technical and organizational measures in order to ensure the security of data processing: our services undergo annual penetration tests. Audits are performed on a regular basis.
      • OTORIO has processes in place to identify and handle security incidents.
  • Response to data requests. To date, we have not received any data subject requests. Should the need arise, we have the internal capability to respond to requests to grant access, correct or review data created by our customers.
  • Data transfers.
    • Incorporated Entity. OTORIO is incorporated in the State of Israel and does not have additional subsidiaries located in the United States or other countries that do not offer an adequate level of data protection (see: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32011D0061). Accordingly, at this stage, there is no need for OTORIO to implement an intercompany agreement for data transfer purposes.
  • Ongoing compliance.
    We do not consider GDPR compliance a one-time exercise. Therefore, we are committed to periodically reviewing our roadmap and ensuring ongoing compliance.

  • If you have any additional questions about the GDPR, please contact us at [email protected].

  • Disclaimer: The information in this document may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline. Independent legal counsel should be obtained in order to understand the applicability of any law or regulation to your processing of personal data.

  • Last updated: May 18, 2023