IT Data Protection and Retention Policies

1 Introduction
2 Scope
3 Data Description
4 Data Access
5 Information Security Management System
6 Timetables
7 Data Rationale
8 Data Retention
9 Data Removal
10 VOTIX Data Privacy
11 Data Security
12 Service Organization Controls (SOC)


This document defines the Data Handling and Storage (DHS) Policy for VOTIX.
VOTIX LLC, as a global vendor, has developed the current data protection and retention policy for its solutions.
The information held by VOTIX represents one of its most valuable assets. It is therefore essential that all information for which it has responsibility is used, communicated, transferred, stored, and disposed of in a manner that complies with legal and regulatory requirements, and within the broader information management and security framework.
VOTIX is committed to protecting the information that it retains. This policy and its associated practices and procedures have been agreed to by VOTIX Leadership and the IT department.


The policy relates to VOTIX information systems, and covers all information within the VOTIX Databases that is or may be:
• Stored on computers and/or servers
• Transmitted across networks
• Stored on removable and other electronic media


VOTIX solutions may capture the following data from customers:
• Customer basic information (Company name, Industry, Contact name, Email address, Contact phone)
• Drone Devices inventory (Fleet)
• Drone Operational Logs, images and footage
• Pilot certifications, licenses, skills, and contact information such as email and phone
VOTIX solutions separate customer data from system data. Customers have complete access and governance over their data. VOTIX may retain anonymized


The following security roles enable access to the VOTIX databases:
• Application Administrator: Read/write access to system production databases.
• Developer: Read/write access to development and testing databases. VOTIX has decentralized databases and developers have limited access to their development database as required for their job.
• Data/AI Specialists: Read access to summarized databases.
Only the team members listed above are granted access to the VOTIX databases. Access is authenticated against the VOTIX active directory.


As a global framework, VOTIX bases its policies and best practices on two main industry standards:
– ISO 27001: International standard that specifies a management system that is intended to bring information security under management control.
– GDPR: The General Data Protection Regulation is a regulation in EU law on data protection and privacy for all individual citizens of the European Union, but it can also be used as a basis in other regions of the world.
All processes and controls at VOTIX aim to meet the requirements outlined in these frameworks.


All data stored on the VOTIX databases is preserved for business intelligence and system capabilities enhancement, including operational safety. Therefore, there is no elimination process in place unless a customer explicitly requests removal or anonymization from the databases.


To proceed with Business Intelligence, operational enhancement and safety processes, retained data needs to be anonymized by the IT department. This data is never shared with any third party.


VOTIX has implemented retention policies and processes that require deletion or anonymization of all essential and personal information at the end of the 18th month (or before), as per customer request. This means we will remove or anonymize information such as contact name and last name, personal telephone number, personal email address, and any other information that the law or customers demand to be deleted or anonymized. As a result, only the product usage information will be retained, so that VOTIX can generate statistics about products used by company size or industry.


All customer digital records are deleted or transferred from the VOTIX database only when a customer explicitly requests VOTIX to do so, or as required by local data protection legislation.


Data Privacy is defined as the relationship between technology and the legal right to, or public expectation of, privacy in the collection and sharing of data.
The following levels of data access are defined by the governance team:
• Highly Confidential: Tenants, Providers, User records, legal information, Personal Data, all other.
• Restricted: Specific GPS-identifiable drone missions and zones, video streaming, captured media, email aliases & passwords.
• Internal Only: Day-to-day email, Billing, Operational Reports, all other Administrative Information.
• Public: Services, Value Proposition, Marketing Material, Website Contents, Approved Media Release.
Any breach of information will be analyzed, and the corresponding actions will be reviewed by the legal and HR teams based on the level of data explained above.


All systems must be protected through human control, physical security and administrative measures, to mitigate the risks associated with threats of malicious software and hacking techniques.
• Workstations are protected by system imaging and antivirus software with automatic virus-signature updates. Users are not allowed to disable them.
• Virtual Private Network (VPN) tunnels are implemented to provide secure connections with external networks.
• Software installation on a device can only be done with the proper authorization of the IT department.
• Role-based access to data is enforced and monitored.
• Software development is segmented and distributed to avoid having full access to the VOTIX platform source code.
• Enterprise-grade development tools (such as Microsoft DevOps) govern development and safeguard source code.


SOC 1, 2, and 3 Reports:
• AWS:
• Microsoft: