Data Protection Policy

1. Introduction: This policy outlines the data protection practices of Everbee, developed in accordance with our commitment to ensure that personal data is securely and responsibly managed.

2. Scope: This policy applies to all personal and sensitive data processed, stored, or transmitted by our application, encompassing both user data and data accessed from third-party services.

3. Policy Statements:

3.1 Network Protection:

  • We deploy advanced firewalls and access control lists to deny unauthorized IP addresses.
  • Our systems are segmented, and all end-user devices have anti-virus and anti-malware protection.
  • Only approved users can access our system, and we consistently train our team on data protection and IT security.

3.2 Access Management:

  • We employ a stringent user access registration mechanism, ensuring a unique ID for each individual.
  • Shared or default login credentials are strictly prohibited.
  • Regular audits of access rights ensure that only necessary accounts access data. Terminated employees lose access within 24 hours.

3.3 Least Privilege Principle:

  • We adopt the principle of least privilege, ensuring that rights are granted strictly on a need-to-know basis.

3.4 Credential Management:

  • Our password requirements are robust, mandating a mix of letters, numbers, and symbols.
  • Multi-Factor Authentication (MFA) is mandatory for all user accounts.
  • All API keys are encrypted and accessible only by authorized personnel.

3.5 Encryption:

  • Data in transit is encrypted using secure protocols such as TLS 1.2+, SFTP, and SSH-2.
  • PII at rest is encrypted using at least AES-128 or RSA with a 2048-bit key size.

3.6 Risk Management and Incident Response:

  • We have established risk assessment procedures, reviewed annually.
  • An Incident Response Plan is in place, detailing response roles, procedures, and escalation paths. Any security incident is reported within 24 to 48 hours.

3.7 Data Retention and Deletion:

  • Data is deleted securely in alignment with industry standards such as NIST 800-88 when no longer necessary.

3.8 Data Attribution:

  • All data stored is either in a separate database or tagged distinctly to identify its origin.

3.9 PII Specific Measures:

  • PII is retained for a maximum of 30 days after order delivery unless mandated by law.
  • A dedicated privacy and data handling policy is in place for our application.
  • An inventory of assets with access to PII is maintained and updated quarterly.

3.10 Vulnerability Management:

  • Our application undergoes regular vulnerability scanning and penetration testing.

3.11 Logging and Monitoring:

  • Logs are monitored in real time or bi-weekly, and are retained for a minimum of 90 days.

3.12 Audit and Assessment:

  • We will retain all relevant records and cooperate fully with relevant third-party service and assessment procedures.

4. Review: This policy will be reviewed annually to ensure that it remains relevant and effective.