Privacy

Privacy and Security Policy

A. Privacy Policy

As the provider of the website IATA.cortex-service.airside.cloud (hereinafter “ Supplier’s Website”), software, hardware and services (hereafter ”Services”) we at ADB Safegate (hereinafter “Supplier”) are Controller as defined in applicable data protection law, more specifically the General Data Protection Regulation (EU) 2016/679 (hereinafter “GDPR”), and are therefore responsible for the Personal Data of the Supplier’s Website user. As a user of Supplier’s Website and Services you consent to the Supplier use of your Personal Data and Customer Data under this privacy policy and you acknowledge, accept and consent that the Supplier uses your Personal Data and Customer Data as necessary for the Supplier to provide the Services to you. Your privacy is important to the Supplier and the Supplier is committed to protecting your privacy. This privacy policy explains how the Supplier collects and uses Personal Data, what Personal Data the Supplier uses and for what purposes such data is used.

Personal Data means personal information about you as defined in the GDPR.

Customer Data means all information provided by you to the Supplier which is not Personal Data.

1. Date Controller vs. Data Processor?

Per default, the Supplier is considered to be a “Data Controller” in accordance with the GDPR. The Supplier is not a “Data Processor” as its Services do not involve activities which make the Supplier “processing Personal Data on behalf of you” as defined in the GDPR. In case that you or the Supplier become a Data Processor, we may enter into a separate data processing agreement. The Supplier shall ensure that (a) in its role as Data Controller, it only uses the Personal Data and Customer Data for the purpose of providing its Services and in accordance with the GDPR; (b) its personnel and subcontractors that are involved for the fulfilment of the Services have committed themselves to confidentiality and comply with the GDPR, (c) it takes appropriate technical and organizational measures, insofar as this is possible and required for the fulfilment of the GDPR, (d) upon reasonable request, it makes available to the other Party all information necessary to demonstrate compliance with the obligations under GDPR.

2. What Personal Data and other Customer Data does the Supplier collect?

Website visit – Customer Data only: When you access Supplier’s Website, the Supplier collects Customer Data information that includes the type and version of browser that you are using, the browser language, the operating system and platform, the date and time of access, the time zone setting, your access status/http status code and the data volume  transferred, cookies, how you used Supplier’s Website, the registrations and actions performed, page response times, download errors, length of visits, page interaction information.

Website forms – Personal Data as provide by you: When using the Supplier’s webforms and the Supplier platform, the Personal Data the Supplier collects may include names, surnames, e-mail addresses, postal addresses, phone numbers, payment details, user specific settings, your preferences in receiving marketing information from us, your communication preferences and other Personal Data provided by you when you sign up for the Services and when you use the Services. The Supplier will only use your Personal Data to the extent necessary to fulfil the Services and for purposes which are compatible with providing the Services, such as directing advertisement regarding the Services to you.

Business contacts: When you engage with the Supplier through emails, negotiations, telephone calls, contractual documents, the Supplier will maintain a copy of your contact details in order to be able to contact you and as such provide the Services as required.

Supplier software products: The Supplier uses Customer Data and Personal Data in accordance with “Product Data Sheets” that can be requested by you from the Supplier. In case, such a Product Data Sheet does not exist, this Privacy and Security Policy shall solely apply.

When using Personal Data, the Supplier complies with all applicable data protection laws and regulations, in particular (but not limited to) GDPR.

3. Cookies

Supplier also uses cookie files to improve and personalize your use of the Services. When you use the Supplier Services, the Supplier saves cookie files on your computer. Cookies are small text files that, unless you have adjusted your browser setting to refuse cookies, our system will send your device when you visit Supplier’s Website. Cookies collect standard internet log information and visitor behavior information. The cookie files help with the functionality of Supplier’s Website and allow Supplier’s Website to identify your browser and to recognize what preferences you have and what settings you have made. Users of Supplier’ Services and visitors of Supplier’s Website may always choose to accept or decline the Supplier use of cookies. If you block cookies, this may affect your ability to use Supplier’s Website. You can access more information about cookies at http://www.allaboutcookies.org .

Supplier uses the following Cookies:

●      Functional and Required Cookies. We use necessary cookies which allow visitors to navigate the key features on Supplier’s Website.

●      Analytics and Performance Cookies. We use analytics and performance cookies to collect information about how visitors interact with Supplier’s Website.

●      Session Cookies. We use session cookies to operate our Services.

●      Preference Cookies. We use preference cookies to remember your preferences and various settings.

●      Security Cookies. We use security cookies for security purposes.

4. How do we collect Personal Data and Customer Data?

Supplier may use information from you when you use our Services or register on Supplier’s Website, respond to a survey, fill out a form, use live chat, open a support ticket or enter information on Supplier’s Website and when you provide feedback to us on our site.

Supplier may also use Personal Data and Customer Data you provide directly to the Supplier via Websites, e-mail, EDI, and other interactions such as your registration on Supplier’ systems and platforms as a customer, partner or supplier, your purchase orders, and participation in Supplier events.

5. How does the Supplier use your Personal Data and Customer Data?

The Supplier only uses Personal Data and Customer Data to the extent necessary to provide the Services and for purposes which are compatible with providing the Services, such as directing periodic emails to you regarding your order and advertisement regarding Services and/or other products offered by the Supplier. Customer Data is only used in order to provide the Services to you.

Unless otherwise provided, the Supplier stores Personal Data and Customer Data collected directly by the Supplier in a secured database within Microsoft Azure Servers preferably of your region/continent. Personal Data and Customer Data is used to contact you and to manage your account. The Supplier may also follow up after you have had contact with the Supplier through live chat, email of phone enquiries.

Supplier may use automated decision making in using your information when providing its Services.

When the Supplier uses Personal Data and Customer Data, the Supplier complies with all applicable data protection laws as well as any laws and regulations applicable to the Services provided to you.

When Personal Data and Customer Data is collected or used directly by the Supplier it will be stored on servers or cloud service platforms within the EU.  Should Personal Data be submitted to or stored by any third party in so called Third Countries, countries outside the EU, then you acknowledge that the Supplier cannot guarantee that the same level of protection can be offered as that provided for by the GDPR.

6. How long does the Supplier store Personal Data and Customer Data?

Supplier will only store Personal Data and Customer Data for a limited period. The Supplier ensures that Personal Data and Customer Data will be deleted when it is no longer necessary to retain it to provide the Services, or for purposes which are compatible with providing the Services.

Personal Data and Customer Data provided by you to the Supplier is retained for the duration of your subscription of the Services and for a longer period if it is required by applicable laws, for example for any legal, accounting, backup or reporting requirements or similar purposes.  

7. Direct marketing and the right to opt-out

The Supplier may use your Personal Data to provide information regarding the Supplier Services to you as Supplier’s Website user, including regular electronic newsletters that you can subscribe to. You have the right to object to the use of your Personal Data for direct marketing under applicable data protection laws. If you wish to object to direct marketing, please contact the Supplier by sending an e-mail to  privacy@adbsafegate.com or click or the unsubscribe link provided with the respective communication.

8. Subject Access Requests

You are entitled to additional information regarding the use of your Personal Data. In case you want to know what Personal Data the Supplier stores about you and how your Personal Data is used, please contact the Supplier by sending an e-mail to privacy@adbsafegate.com (“Subject Access Request”). If you make a Subject Access Request by electronic means, the Supplier will provide information regarding the use of your Personal Data in a commonly used electronic form. The information provided by the Supplier shall include the following:

(1) the purposes of the use;

(2) the categories of Personal Data concerned;

(3) the recipients or categories of recipients to whom your Personal Data has been or will be disclosed, in particular recipients in third countries or international organizations;

(4) where possible, the envisaged period for which your Personal Data will be stored;

(5) whether you are entitled to request rectification or erasure of Personal Data or restriction of Personal Data or to object to the use or to lodge a complaint with a supervisory authority;

(6) where Personal Data is not collected from you, available information as to the source of the Personal Data;

(7) the existence of automated decision-making, including profiling;

(8) where Personal Data is transferred to a third country or to an international organization, information regarding the appropriate safeguards relating to the transfer;

(9) a copy of the Personal Data undergoing usage.

9. Rights relating to Personal Data

You are entitled to request rectification or erasure of your Personal Data and to object to the use of your Personal Data. You may also request restriction of the use of your Personal Data. The Supplier is required to update or rectify your Personal Data if the Personal Data the Supplier holds on you is inaccurate. The Supplier may also be required to delete your Personal Data, in example if you withdraw your consent to its use or if the Personal Data the Supplier stores about you is incorrect or irrelevant. Deletion may not be required for data that must be retain as required by applicable laws.

Supplier undertakes to respond to requests regarding rectification, erasure or restriction of Personal Data, as well as to objections to the use of Personal Data, in a timely manner. When the Supplier receives a request, which is justified according to applicable data protection laws, the Supplier shall comply with the request and delete or rectify the Personal Data or restrict or cease the use of such data.

You have the right to receive the Personal Data, which has been provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit such data to another controller without hindrance from the controller to which the Personal Data have been provided. You also have the right to lodge a complaint with a supervisory authority.

Requests under this paragraph shall be sent to the Supplier by e-mail to privacy@adbsafegate.com.

10. User responsibility

As Supplier’s Website and Service user it is important that you are aware of your responsibility for the related risks. You are responsible for protecting and updating your account information to prevent unauthorized access to your account.

You are also responsible to abide by all applicable laws and regulations. Where you process your own Customer and Personal Data you act as the Data Controller, hence you are responsible for compliance with applicable data protection laws. This entails ensuring the rights of the data subjects and in particular to erase your Customer Data and Personal Data when you no longer need it for the purposes specified by you. If you use free text fields, you are responsible for ensuring that free text fields do not generate processing of excessive or irrelevant Personal Data. You are further responsible for your sharing of your Customer Data and Personal Data, for example when providing access to third parties.

11. Is the Supplier using Customer Data and Personal Data with Third Party Tools, Subcontractors and Authorities?

Supplier uses your Personal Data and Customer Data confidentially, unless otherwise agreed with you. The Supplier does not sell or trade your data. The Supplier does not, without your consent, transfer or share it with third parties.

The Supplier may use subcontractors for the purpose of performing its Services to you. The Supplier has subcontractors such as infrastructure providers, content delivery networks, customer service, email delivery, banking operation, credit card networks, website hosting, and consultants including for IT-support and accounting. The Supplier ensures that its subcontractors are liable to keep your Personal Data and Customer Data confidential by signing confidentiality agreements or data privacy agreements with such subcontractors.

In order to be able to provide Services and products to you, the Supplier uses the following third-party programs and tools of subcontractors including, but not limited to, those as listed below. A link is provided to each of the tool´s own privacy statement (“Third Party Tools”).

Jira: https://www.atlassian.com/trust

MS AppCenter : https://docs.microsoft.com/en-us/legal/termsofuse

Outlook (Office 365): https://privacy.microsoft.com/en-gb/privacystatement

Chargebee: https://www.chargebee.com/privacy/

While using such Third-Party Tools be advised that your access and use of such Third Party Tools are governed solely by the terms and conditions of their providers, and that the Supplier is not liable for, and makes no representations as to such other services and products provided by the Third Party Tools, including, without limitation, their content or the manner in which they handle data (including your data) or any interaction between you and the Third Party Tools provider(s).

The supplier may further reveal your Personal Data and Customer Data to third parties, including the competent supervisory authority, if it is required by applicable data protection laws or other applicable laws and regulations.

The Supplier ensures that access to your Personal Data and Customer Data is limited to the personnel and subcontractors who require such access to perform the Services and other activities which are compatible with providing the Services subject to confidentiality not less restrictive than defined herein.

B. Security Policy

1. General

Your security is important to the Supplier and the Supplier is committed to protecting your Personal Data and your Customer Data. The Supplier ensures that the Supplier will take all reasonable measures to protect your Personal Data and Customer Data and to prevent unauthorized access to such data.

The Supplier wants to make you aware of the risks which are inherent in data transmissions over the Internet since such transmissions are never completely secure. When you provide your Personal Data and Customer Data to the Supplier over the Internet you are responsible for the risks of unauthorized access and loss of data which the transmission entails.

The Supplier has implemented and maintains several technical and organizational security measures to keep your Personal Data and Customer Data safe when stored by the Supplier. Such security measures include encryption, firewalls, antivirus, and security monitoring which can reasonably be expected in accordance with applicable market standards.

If the security of Supplier’s Website, Services and the Personal Data and Customer Data be compromised, the Supplier reserves the right to take any appropriate action as set out in the relevant data protection laws, including notifying you and the appropriate regulator of such a breach where required by law.

Supplier’s Website may carry links to other websites that are not affiliated to nor controlled by the Supplier. Should you access these sites from Supplier’s Website, the Supplier accepts no liability or responsibility over the content, privacy policies, data handling or practices of these sites.

2. What are the security measures and means?

Agreements:  With its employees, subcontractors and partners who have access to the Customer Data and Personal Data on a “need to know” basis, the Supplier shall put appropriate agreements in place to safeguard applicable confidentiality and data privacy obligations. 

Firewall: All servers and software are protected by secured connection and firewalls provided by Microsoft Azure cloud services.

Office access: the Supplier’s office is only accessible via registered badge and not open to the public.

Endpoint security: The Supplier uses a permission-based authorization, network-based authorization and geographical based authorization. If a user fails to authenticate in any way or uses services outside of the correct networks or devices, or if he is outside of the approved geographical areas, access will be denied.

Network security: All network traffic is separated and segregated based on user access level. Network access rules are enforced by firewalls and are in place to stop users from using services they are not privileged to. We tend to use Active Directory integration as much as possible

Data integrity: Regular backups are performed and stored. These backups ensure the integrity of Supplier’s data and the continuity of Supplier’s Services.

Information security: Personnel is made aware of their responsibility of keeping the Supplier’s company data secure. They are made aware of the dangers of data loss or leaks. Use of external storage devices (USB keys, drives, etc.) is discouraged .

Application Security

ADB Safegate team uses multiple methods to enforce application security: a dedicated user management system, encrypted traffic, code reviews that check that new features do not open the application to security risks, encryption at iOS application.

Service Security

ADB Safegate offers CORTEX SERVICE platform as a service (deployed as true multi-tenant SaaS solution running on Microsoft Azure). In addition, ADB Safegate has DevOps teams are responsible for high-quality applications, performance, and security. ADB Safegate has procedures and tools/technology that enable these teams to be effective in their management of the platform and to ultimately minimize downtime, security threats, and any other disruptions to our clients’ operations.  

The Service Business Line has the responsibility to manage the ADB Safegate CORTEX SERVICE SaaS platform. It is responsible for developing and implementing comprehensive including procedures and policies designed to maintain our service level agreements and protect communications, systems, and assets from both internal and external threats for CORTEX SERVICE service and all supporting infrastructures. 

ADB Safegate CORTEX SERVICE runs in the Microsoft Azure environment which provides the required load-balancers, fault-tolerance,backupsand auto-failover. Our SaaS solution is constantly monitored and scaled to ensure maximum uptime and performance. 

Also, for further security - ADB Safegate CORTEX SERVICE relies on Microsoft Azure for hosting the various environments used by our clients. Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, NIST SP800 - 53/171, FedRAMP, HIPAA, SOC 1, and SOC 2, as well as many country-specific standards. Rigorous third-party audits, such as by the British Standards Institute verify Azure’s adherence to the strict security controls these standards mandate. These certifications are represented at Microsoft Azure’s Trust Center (https://azure.com/trustcenter).

General ADB Safegate Security

ADB Safegate adheres to Live cycle management of Administrator accounts. Microsoft Privileged Identity Management (PIM) is used for all infrastructure elevated access rights in IT, including IT Admin access.  Use of Azure Active Directory as identity stack and access management with Single Sign On (SSO) to all core systems.

We minimize the occurrence of known technical vulnerabilities on operator PCs by ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the assessed risk. ADB Safegate maintains the following malware defenses: antivirus, anti-spyware, host-based intrusion prevention system. It covers the detection of ransomware, spyware or keyloggers, malware using known backdoors, detection of data being exported or communication with unknown data websites, detection of malware within email or embedded in email attachments, detection of malware propagations, detection with known malicious websites. 

ADB Safegate also analyses email transactions (including attachments or embedded links) and unusual user behavior patterns. We secure end user systems (and data that resides on them) by blocking access to known file transfer and email exfiltration websites. 

Our workstations follow Microsoft Windows Update policies from the Microsoft website.  

System hardening methods are used to reduce the cyber-attack surface by performing system hardening. Acceptable Use policy covers the cleandesk rules, the usage of computers for personal use. ADB Safegate has additional procedures for employees to report lost or stolen assets and a ticketing system that records all incidents of lost or stolen assets. 

ADB Safegate respects the default Windows update from Microsoft. Services are managed via Windows update server. We are using the Office 365 Defender for vulnerability scanning and management to the endpoints and network.

ADB Safegate prevents unauthorized physical access to sensitive equipment, workplace environments, hosting sites, and storage. Security of the workplace environment. Operator PCs are in a secure workplace environment where access is controlled and granted only to employees and other authorized workers and visitors. Only employees who have ADB Safegate badge can enter our building. There are Internal procedures covering the access of visitors.

We prevent the compromise of credentials by reinforcing a Password policy and by implementing a multi-factor authentication.

ADB Safegate has controls in place against malware: CATO, Microsoft ATP Defender, Advanced Threat protection (ATA)& others. Microsoft Defender managed by Intune. The company uses network scan tools (SSCM, SNOW, Lansweeper).

ADB Safegate is developing and updating annually a cyber incident response plan. A formal backup and recovery plan is being created for all critical business lines to support incident response activities. ADB Safegate also has Cyber Insurance for security and privacy liability, network interruption, event response, electronic data, cyber extortion, cybercrime.

Information Security Management System exists at company level, number of entities already work with ISO-27001 label Policies are available on internal document management platform, onboarding via learning management system module Information Security requirements communicated with external partners on as need basis (e.g., risk assessment process, acceptable use policy). Nowadays the Acceptable use policy is a mandatory employee training, and all contractors have to confirm their awareness via an addendum to their ongoing contracts. Security awareness training is provided to employees as part of onboarding and annually for all employees and contingent workers. 

C. Changes, Contact and Complaints

1. Changes to our Privacy and Security Policy

Supplier continues to develop Supplier’s Website and Services. The Supplier keeps its Privacy and Security Policy under regular review and places any updates on this page. This Privacy and Security Policy was last updated: March 2022.

2. Contact

If you have any questions about the Supplier’s Privacy and Security Policy, the data we hold on you, or would like to exercise one of your data protection rights, please do not hesitate to contact the Supplier.

E-mail: privacy@adbsafegate.com

3. Complaints

Should you wish to report a complaint or if you feel that the Supplier has not addressed your data privacy concerns in a satisfactory manner, you may contact the Supplier at privacy@adbsafegate.com. .