TECHNICAL AND ORGANISATIONAL MEASURES
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
-
Measures of pseudonymisation and encryption of personal data
Data in transit is transferred by a secured protocol (HTTPS encryption),
Data in transit from device to server and vice versa is encrypted AES 128.
Data at rest is encrypted AES 256.
-
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Nayax is implementing strong authentication, multiple replicated sites for full redundancy, all security tools that are implemented are reviewed\updated regularly and the Information security is continuously improving\updating the security settings\policy.
-
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Nayax has 3 on-premise data centers over the world that are fully replicated.
-
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Nayax’s production environment is undergoing an external penetration testing once a year and all vulnerabilities that are found are fixed urgently, in addition Nayax is performing regular quarter internal vulnerability scans and all vulnerabilities that are found fixed according to the severity of the findings.
-
Measures for user identification and authorization
Access to DB is limited to small group of employees, that are identified by strong authentication (Complex password, certificate on the laptop and 2FA).
Every access to the DB is logged and alert is sent to the DBA manager.
Access to DB in non-working hours is verified by phone call to the employee.
Access to DCS is authenticated by MFA and strong complex password.
-
Measures for the protection of data during transmission
Data is transferred by encrypted range (HTTPS encryption)
-
Measures for the protection of data during storage
Data in storage is encrypted (AES 256) and the encryption keys are kept separately.
Access to the DB is limited to small group of employees.
Every entry and action on the DB is logged and monitored.
-
Measures for ensuring physical security of locations at which personal data are processed
All Nayax data centers are located in secured facilities that are PCI DSS certified.
The office is located in a secure building (watchman 24/7), access to the building is limited only for employees from the building, access to the office is only by personal RFID of the employee (every access is logged) there are CCTV 24/7 and an alarm system.
-
Measures for ensuring events logging
All security logs are monitored by SIEM/SOC service 24/7.
Security logs are stored for 2 years.
-
Measures for ensuring system configuration, including default configuration
Nayax is performing a review of all system’s configuration every quarter and updating the settings if needed.
-
Measures for internal IT and IT security governance and management
There is a formal information security policy that is updated and approved by the board annually.
The policy is implemented and all security stuff are reporting to the company CISO.
-
Measures for certification/assurance of processes and products
Nayax has 2 certifications:
- ISO 27001
- PCI-DSS Level 1
-
Measures for ensuring limited data retention
All data and information is stored and kept according to the regional law.
-
Measures for allowing data portability and ensuring erasure
The organization is aligned with the privacy laws (GDPR and Israeli privacy Law) every request of data erasure is reviewed DPO and taken care according to the relevant privacy law.