Information security

I. General Information

Alice Biometrics, S.L. (“Alice” or “us”) has deployed an Information Security Policy (the “Policy”) under the supervision of Alice’s Information Security Officer in order to protect your information. The main features of the Policy are explained below.

Inspired by the ISO 27001 international standard on information security management, this Policy’s pillars are information confidentiality, availability, and integrity:

  • Confidentiality: only those authorized can access the information.
  • Availability: authorized users have access to the information and its associated assets when required.
  • Integrity: information remains unchanged and traceable. 

To guarantee the correct implementation of the Policy, Alice implemented controls and reviews in the Policy’s development and maintenance. These are complemented by an internal disciplinary process for cases of non-compliance by Alice employees.

Alice aims for a secure-by-design infrastructure. To this end, it has independent development and production systems, data encryption protocols, data deletion processes, procedures governing information access and availability, and a team committed to confidentiality.

II. Encryption

Alice encrypts information in transit and at rest.

  • Transit: when information is in transit from the end service provider to us, or from one of our providers to us, it is at risk of being intercepted by a third party. To reduce this risk, the information is encrypted before being communicated. Then, the connection points between the authorized parties (e.g. our provider and us) are authenticated. Once data is transmitted, it is decrypted and verified at the destination. 
  • Rest: data is stored and kept in Google Cloud Platform (“GCP”). This is a secure environment, where data is encrypted according to the Advanced Encryption Standard (AES) to protect against system intrusions and leaks.

More information on data encryption at GCP can be found on GCP’s website: https://cloud.google.com/security?hl=es

III. Data Erasure

Along with data encryption, data erasure is an integral part of secure information storage. 

At Alice, data is erased following the erasure deadlines set out in our Data Storage Policy, without limiting users’ exercise of their right to data deletion. Data deletion is a procedure that recognizes users as data subjects and allows them to exercise control over their data. In both cases, information is deleted in accordance with a deletion protocol.

IV. Availability

Access to information when it is needed is essential to information security. For this reason, Alice has a permissions system in place that records who is authorized to access the information, as well as a secure password management program. To maintain the level of service offered in case of system failures, Alice has a continuity management system in place.

V. Permissions

It is important that only authorized persons have access to information. Therefore, at Alice a strict least-privilege system of authorizations controls who has access and to what information. This control includes a procedure for registration and withdrawal of authorizations, which identifies the persons responsible for handling the information.

We also have a protocol that controls access to information by third parties, such as our lawyers.

VI. Team

All Alice employees, regardless of their position, are committed to the Information Security Policy and have agreed to maintain the confidentiality of the information they handle.

The team is also committed to classifying information according to its sensitivity and confidentiality, using the information for strictly professional purposes, and reporting any security problems encountered.

In particular, the Information Security Officer is in charge of both day-to-day compliance with the Policy and its periodic review, the certification of our security system by independent bodies (for example, ISO 27001), the coordination of internal and external audits, and periodic security tests, including penetration tests (pentests).

We have implemented a disciplinary process to deal with any breach of the commitments made by our team under the Policy.