Security
Trust Center
Organisation Security
Information Security Organization of Olive Group:
Our organization has a dedicated Information Security team. This team is tasked with ensuring the confidentiality, integrity, and availability of our data and IT systems. The team is responsible for developing, implementing, and maintaining our comprehensive information security program, which includes policies, procedures, and controls to mitigate cybersecurity risks.
Data Privacy Organization of Olive Group:
Our organization maintains a dedicated data privacy team. This specialized unit focuses on ensuring compliance with data privacy laws and regulations, safeguarding personal and sensitive information, and implementing best practices in data handling and processing. The team’s responsibilities include overseeing data privacy policies, conducting privacy impact assessments, and ensuring that our privacy practices align with legal requirements and industry standards.
Governance structure of Olive Group’s information security function:
The structure of our organization’s information security function is as follows:
- Chief Information Security Officer
- Chief Data Protection Officer
- Information Security and Data Privacy Team
- IT Service Manager
- Incident response and business continuity Team
Identifying, tracking, and managing cybersecurity risk:
We manage cybersecurity risk through a structured and continuous process:
- Risk Identification: We use tools such as AWS Inspector, New Relic and Airbrake to identify potential risks and security loopholes.
- Risk Analysis and Prioritization: Each identified risk is evaluated for its potential impact and likelihood, allowing us to prioritize them based on severity. This helps in focusing resources on the most critical risks.
- Risk Mitigation: We implement appropriate security controls – including technical, administrative, and physical measures – to mitigate identified risks. This includes deploying firewalls, antivirus software, access controls, and conducting regular security training for employees.
- Monitoring and Reporting: Continuous monitoring of our IT infrastructure helps in detecting any deviations or threats. Regular reports are generated for management review, ensuring they are informed of the current risk landscape.
- Review and Improvement: Our cybersecurity risk management strategy is regularly reviewed and updated in response to new threats, vulnerabilities, or changes in the business environment.
- Incident Response: In case of a security breach, our incident response team is equipped to quickly contain, investigate, and remediate the issue, minimizing impact.
Security awareness training we provide to employees:
All new employees are required to complete the following training:
- GDPR Staff Awareness
- Cybersecurity Awareness at home
- Cybersecurity Awareness at office
Compliance
Compliance with an industry or regulatory standard:
Olive Group is GDPR and ISO 27001 compliant. We also use Stripe, which is PCI compliant, for payment processing, and we are in the process of becoming SOC 2 compliant.
Technical Information Security
Type(s) of data we will store, process, transmit, or access:
We collect personal data of a non-sensitive nature: a user’s full name, email address and phone number. These data are collected only for user authentication, communication from the product, reporting, and providing the required services to users. Of all the data collected, only the email address and phone number fall under Personally Identifiable Information (PII). We do not collect or store Protected Health Information (PHI) or Controlled Unclassified Information (CUI).
Necessity for collecting the above data and its usage:
The PII data is needed for the following purposes:
- User identification and authentication
- To provide services and features to users, such as project creation, asset management, reporting and profile management
- Communication from the system, such as email communication related to features and services, SMS notifications, etc.
NOTE: We never use PII to provide features and services outside of our applications, and the data is not used for marketing-related communications.
Encryption of customer or customer-related data at rest or in transit:
We encrypt customer data at rest in two layers:
- We use encrypted databases in AWS (Amazon RDS). Amazon RDS encrypts our databases using keys we manage with the AWS Key Management Service (KMS).
- Inside the data tables, email addresses and phone numbers are stored in encrypted form. Passwords are hashed before they are stored in the data tables.
Customer data in transit is encrypted using TLS 1.2 (with an SSL/TLS certificate).
Data Retention Policy:
We maintain two distinct data retention policies:
- General Data Retention Policy: This serves as our standard practice for data retention. Under this policy, we keep a data backup for deleted client information for a duration of 90 days. During this period, all client information is soft deleted, meaning it remains in our backups but is inaccessible to clients and users through our products and services. However, clients have the option to request that Olive either reinstates the services using the stored data or provides them with a backup copy. Once the 90-day period elapses, the data undergoes a hard deletion process, where it is permanently erased along with all backups. Beyond this point, the data is irretrievable, neither by the client nor by Olive.
- Custom Data Retention Policy: This policy is tailored according to the specific contractual agreements made with individual clients. The primary distinction between the general and custom data retention policies lies in the duration of data retention. Other than this, the procedures for data provisioning, backup, retrieval, and destruction remain consistent with those outlined in the general policy.
Customer Data deletion upon leaving:
When customers discontinue the service, we delete customer data containing confidential and non-confidential information from the application environment, in line with our data retention policy and best practices.
Data Classification Policy:
We have a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.
Governing access to customer or customer-related data:
We implement the following measures collectively to govern access to customer data:
- Access Control Policies: We implement Role-Based Access Control (RBAC) to ensure employees have access only to the customer data necessary for their roles, adhering to the least privilege principle.
- Authentication Measures: Strong authentication methods, including multi-factor authentication (MFA), are mandatory for all personnel accessing the AWS portal.
- Regular Access Reviews: Access rights are subject to periodic reviews and audits, aligning with job responsibilities and changes, to prevent unnecessary data exposure.
- Compliance with Regulations: Our practices comply with data protection laws and standards such as GDPR and ISO 27001, and we conduct regular audits to maintain this compliance.
- Employee Training: All staff members undergo training on data handling and privacy policies, reinforcing the importance of responsible data access.
- Incident Response Protocol: A robust incident response plan is in place for any unauthorized access, ensuring prompt action and adherence to regulatory reporting requirements.
- Advanced Security Technologies: We employ encryption, data masking, and advanced security tools like intrusion detection systems to safeguard customer data effectively.
Vulnerability management and SLA for vulnerability remediation:
Olive’s vulnerability management program involves routine scanning, risk assessment, and prompt remediation of identified vulnerabilities. Key components include:
- Regular Scanning: Automated tools scan systems and applications for vulnerabilities.
- Risk Assessment: Each vulnerability is assessed for severity and potential impact.
- Remediation Strategy: Remediation actions are prioritized based on vulnerability severity.
The SLA is outlined in the following document:
Business Continuity
Securing physical access to your data processing facilities:
Since we use AWS and Azure cloud infrastructure to deploy our database servers, physical access security is provided by AWS and Azure.
Maintaining continuity of service for customers (e.g. Disaster Recovery, High Availability, Uptime etc.):
We have a well-defined procedure for disaster recovery, backup and restoration, and business continuity. The policy and procedure for business continuity, disaster recovery, and backup and restoration are attached.
Business Continuity and Disaster Recovery
Product and Infrastructure Security