You entrust us with your data by using our services. We understand that this is a great responsibility, and we do everything in our power to ensure data safety and allow you to control it.
§1 WHO HAS ACCESS TO YOUR DATA
- The data administrator is YetiForce S.A. [al. Jana Pawła II, 00-133 Warsaw, TAX ID: 118-000-24-25].
- In exceptional cases, our trusted partners can also be granted access to data, including:
- Server room and equipment: Atman sp. z o.o. (www.atman.pl)
- Accounting/HR: Credos Accounting Services sp. z o.o. [ul. Domaniewska 47, 02-672 Warszawa, NIP: 5272672650].
- The data may be made available to competent authorities or third parties who submit a request for such information, based on an appropriate legal basis and in accordance with applicable law.
If you have questions about the data we process that concern you, send us an e-mail or send a letter to the headquarters of YetiForce S.A.; we will happily answer all your questions.
§2 OBJECTIVES AND LEGAL BASIS FOR DATA PROCESSING IN YETIFORCE S.A.
- We collect only the minimum data that is necessary or relevant to us under the conditions described below.
- Websites - we collect only minimal information about the user visiting our website, i.e. session ID, IP address, browser information, and in the case of logged in users also name, surname and e-mail address. The data are collected for analytical and statistical purposes and for the purpose of providing electronic services in the scope of making the content collected on the Website available to Users.
- The legal basis for processing is the necessity of processing to perform the service contract (Article 6 (1) (f) of the GDPR).
- The data processing period depends on the legitimate interest of the controller. The data processing period lasts until the Administrator loses the legitimate interest - but no more than 5 years. After the processing period, the data is irreversibly deleted or anonymized.
- Webforms - in the case of contacting us using electronic contact forms, it is required to provide data, i.e. name, surname, e-mail address, telephone number, content of the inquiry, and additionally we collect data, i.e. the IP address from which the inquiry came, date and time, unique session identifier and basic information about the browser. The User may also provide other data in order to facilitate contact or handling the inquiry.
- The legal basis for processing is the necessity of processing to perform the service contract (Article 6 (1) (b) of the GDPR).
- In addition, in the scope of data that are not necessary to make contact or handle the inquiry - the legal basis for processing is the User's consent (Article 6 (1) (a) of the GDPR), which can be withdrawn at any time, in accordance with § 4.
- The data processing period lasts for the period of performance of the contract, and after its completion until the limitation period for the mutual claims of the Parties, and in the case of personal data processing on the basis of consent - until its revocation. The data processing period may be extended if processing is necessary to establish and pursue any claims or defend against them, and after that time only if and to the extent required by law. After the processing period, the data is irreversibly deleted or anonymized.
- Email - in case of contacting us via email, it is required to provide data, i.e. email address and message. Other data we collect: the IP address where the query originated, the date and time, a unique session identifier and a full header and content of the email along with attachments. The User may also provide other data in order to facilitate contact or handling the inquiry.
- The legal basis for processing is the necessity of processing to take action at the request of the contacting person or in order to perform a contract for the provision of a service. (Article 6 (1) (b) of the GDPR).
- In addition, in the case of data that are not necessary to make contact or handle the inquiry - the legal basis for processing is the User's consent (Article 6 (1) (a) of the GDPR).
- The data processing period lasts for the period necessary to establish and maintain contact or for the period of performance of the contract, and after its completion until the limitation period for the mutual claims of the Parties. In the case of processing personal data on the basis of consent - until its withdrawal. The data processing period may be extended if the processing is necessary to establish and pursue possible claims or defend against them, and after that time only in the case and to the extent that legal provisions require it. After the above-mentioned processing period, the data is irreversibly deleted or anonymized.
- Newsletter - the user can subscribe to the newsletter on their own, directly via the website or directly from the CRM system. In both cases, we collect data, i.e. name, surname, e-mail address, IP address where the inquiries originated, date and time, unique session ID and basic information about the browser.
- The legal basis for processing is the User's consent (Article 6(1)(a) of the GDPR), which may be withdrawn by the User at any time, in accordance with § 4.
- The data is processed until the consent is withdrawn or after a period of 24 months of inactivity for the newsletter. The period of data processing may be extended if the processing is necessary to establish and assert any claims or defend against them, and after that time only if and to the extent that it will be required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.
- Social media portals - the Administrator processes the personal data of Users visiting the Administrator's profiles in social media (LinkedIn, Facebook, Twitter, GitHub). This data is processed only in connection with maintaining the profile and on the privacy principles specified in the relevant documents regarding these social media.
- The legal basis for processing personal data by the Administrator for this purpose is the Administrator’s legitimate interest (Article 6 (1) (f) of the GDPR) to promote their own brand.
- In addition, in the scope of data that are not necessary to make contact or handle the inquiry - the legal basis for processing is the User's consent (Article 6 (1) (a) of the GDPR).
- The data processing period depends on the legitimate interest of the controller. The data processing period lasts until the Administrator loses the legitimate interest - but no more than 5 years, and in the case of consent - until it is withdrawn. The data processing period may be extended if processing is necessary to establish and pursue any claims or defend against them, and after that time only if and to the extent required by law. After the above-mentioned processing period, the data is irreversibly deleted or anonymized. Please remember that in the case of social networking sites, the owners of these sites are also data administrators and have their own regulations regarding data processing, which you should read. YetiForce is not responsible for the manner of data processing by the above-mentioned entities.
- YetiForce system registration and product registration - the administrator processes data from CRM systems, which are sent automatically from the user's system to the Administrator's system using the API. In the case of offline systems [without internet access], the Administrator processes the data provided below on the basis of e-mail correspondence between the user and the administrator. Below is a list of processed data:
- System registration: system version, app id, crm id, default language, time zone, company size, supplier, company / person name, tax id, address data, company website, links to social media.
- Product registration: system version, app id, crm id, supplier, company size, registration date, registration time, registration status, system key, last error date, last error message, list of purchased products.
- The legal basis for processing personal data by the Administrator for this purpose is the agreement concluded with the User when installing the system. In addition, in the scope of data that are not necessary and do not result directly from the agreement, the legal basis for processing is the User's consent (Article 6 (1) (a) of the GDPR).
- The data processing period is 6 years. The period of data processing may be extended if the processing is necessary to establish and assert any claims or defend against them, and after that time only if and to the extent that it will be required by law. After the expiry of the processing period, the data is irreversibly deleted or anonymized.
- Server and application logs - [incoming and outgoing queries] as well as server and application logs are stored for the purpose of possible determination and pursuit of claims or defense against them. The data collected in the logs include: IP address, date and time, requested URL, browser information and a unique identifier.
- The legal basis for processing is the legitimate interest of the Administrator (Article 6 (1) (f) of the GDPR) to protect their rights.
- The data processing period depends on the legitimate interest of the controller. The data processing period lasts until the Administrator loses his legitimate interest - but no longer than 5 years. The data processing period may be extended if processing is necessary to establish and pursue any claims or defend against them, and after that time only if and to the extent required by law. After the above-mentioned processing period, the data is irreversibly deleted or anonymized.
§3 COOKIES
- Cookie files
- The YetiForce website, like almost all other websites, uses cookies, which are small pieces of text information stored on the User's end device (e.g. computer, tablet, smartphone) that can be read by the Administrator's IT system (own cookies) or the ICT systems of third parties (third-party cookies).
- Cookies are used to ensure the proper display of the website, as well as to adapt the content to the User's choices that are technically important for the operation of the website, e.g. the selected language, and to remember whether consent has been given to display certain content.
- Basic cookies are installed if the User consents via the software settings installed on his or her electronic device. Basic cookies include technical and analytical cookies.
- Technical cookies ensure proper functioning of the website.
- Analytical cookies are used to measure the effectiveness of marketing activities without identifying personal data and to improve the functioning of the website. Thanks to analytical cookies, it is possible to examine website traffic statistics and check the source of traffic, as well as detect abuses, such as the operation of bots. Session cookies remain on the User's device until they leave the website or turn off the software (web browser).
- Persistent cookies remain on the User's device for the time specified in the file parameters or until they are manually deleted by the User.
- Cookie consent.
- During the first visit to the website, the User is shown information about the use of cookies and asked for consent to the use of these files. Thanks to a special tool, the User can manage cookies from the website, disabling individual cookies.
- Moreover, the User can always change cookie settings from his browser or delete cookies altogether. Browsers manage cookie settings in different ways. In the auxiliary menu of the web browser, the User can find explanations about changing cookie settings.
- Please remember that disabling or limiting the use of cookies may cause difficulties in using the YetiForce website, as well as many other websites that use cookies.
§4 RIGHTS OF THE DATA OWNER
- The User has the right to: access the data and request rectification, deletion, processing restrictions, the right to transfer data and the right to object to data processing, as well as the right to lodge a complaint to the supervisory body dealing with the protection of personal data (President of the Personal Data Protection Office).
- To the extent that the User's data is processed on the basis of consent, it can be withdrawn at any time by contacting the Administrator, which does not affect the lawfulness of data processing before its withdrawal.
- The User has the right to object to the processing of data for marketing purposes, if the processing takes place in connection with the legitimate interest of the Administrator, and - for reasons related to the particular situation of the User - in other cases where the legal basis for data processing is the legitimate interest of the Administrator (e.g. in connection with the implementation of analytical and statistical purposes).
If you want to exercise your rights, send us an e-mail or send us a letter to the headquarters of YetiForce S.A.; we will happily answer all your questions.
§5 SECURITY OF PERSONAL DATA
- The administrator conducts a risk analysis on an ongoing basis to ensure that personal data is processed in a safe manner - ensuring, above all, that only authorized individuals have access to the data and only to the extent that it is necessary due to the tasks they perform. The administrator makes sure that all operations on personal data are recorded and performed only by authorized employees and associates.
- The administrator takes all necessary steps to ensure that its subcontractors and other cooperating entities guarantee the application of appropriate security measures in each case when they process personal data at the request of the Administrator.
§6 LIST OF TECHNICAL AND ORGANIZATIONAL MEASURES
The following list of technical and organizational measures may apply to either part of the organization or the whole, depending on the needs and the data that are processed and protected. For example: "Risk management procedures [ISO 27005] have been implemented" refers only to the server room where data is processed. Below is the full list:
- Implemented a safety management system
- Implemented regular security audits
- External audits (certificates, attestations, customer audits)
- Internal audits, carried out by internal or external auditors
- Technical audits (penetration tests, vulnerability scans, code reviews) conducted by internal or external auditors
- Audits of third party activities, carried out by the person responsible for managing third parties
- Data center audits carried out by internal auditors
- Security audits to verify the infrastructure and network performed by the Data Administrator
- Implemented risk management procedures [ISO 27005]
- Implemented change management procedures
- Roles and responsibilities are clearly defined;
- Classification criteria have been defined to identify the stages that should be followed when introducing a change;
- Principles of priority management are applied; risk analysis related to changes is carried out (if the risk is identified, the Security Manager and Risk Manager are involved in approving the change);
- Penetration tests are optionally performed (if applicable); the change is planned and programmed with clients (if applicable);
- The implementation is carried out gradually (1/10/100/1000) and, in case of risk, a procedure for returning to the previous state is provided;
- An a posteriori review of the individual resources affected by the change is carried out;
- All stages are documented in the change management tool.
- Implemented internal procedures for developers: appropriate, documented procedures have been introduced. They describe the principles of secure development, "privacy by design" measures and the code review policy (vulnerability detection, error handling, access and records management, storage and communication security).
- Monitoring services and infrastructure;
- Detection of failures related to production and safety;
- Control of critical functions and sending warning messages to the supervisory system;
- Notification of responsible persons and initiation of appropriate procedures;
- Guaranteeing the continuity of service operation in relation to automated activities;
- Ensuring the integrity of monitored resources.
- Implemented a failure management process to prevent, detect and deal with failures occurring in the service management infrastructures and within the service itself.
- Documentation of the qualification of security events;
- Handling security events;
- Simulation exercises for the crisis unit;
- Emergency response plan tests;
- Communication with customers carried out by the crisis unit.
- Implemented a vulnerability management process:
- Information websites;
- Warnings from creators and producers of implemented solutions;
- Incidents and observations reported by operational teams, third parties or customers;
- Regularly performed internal and external vulnerability scans;
- Technical audits, as well as code and configuration reviews.
- Implemented a process and procedures to ensure continuity of infrastructure operation (availability of equipment, applications and operational processes):
- Introduced measures to counteract natural and environmental threats:
- Installation of lightning rods to limit the effects of electromagnetic waves;
- Location of rooms in zones not at risk of flooding and without seismic risk;
- Installation of uninterruptible power supplies (UPS) with appropriate capacity and backup transformers with automatic power switch;
- Automatic load switching to generators with 24-hour endurance;
- Installation of a liquid server cooling system (98% of server rooms do not have AC);
- Installation of heating, ventilation and air conditioning units (HVAC system) to maintain constant temperature and humidity levels;
- Fire detection system management (fire drills are conducted in data centers every 6 months).
- Physical access to the facilities is based on strict perimeter protection, active from the area entrance zone. Each room is classified accordingly:
- Private areas;
- Offices available to all employees and registered visitors;
- Offices under strict supervision, with access limited to specific people;
- Zones that house data center equipment;
- Strictly supervised areas in data centers;
- Data center zones where critical services are located.
- Implemented measures to control access to physical facilities
- Access Rights Policy;
- Walls (or their functional equivalent) between individual zones;
- Cameras installed at entry and exit points of the facility, as well as in server rooms;
- Protected entrances, controlled with access card readers;
- Barriers with laser beams in parking lots;
- Motion sensors;
- Anti-theft mechanisms installed at entry and exit points of data centers;
- Presence detection mechanisms (24/7 physical protection and monitoring);
- A permanent surveillance center controlling the opening and closing of doors.
- Physical access control is based on an access card system. Each card is linked to a specific account, which in turn is linked to a given person. This way you can identify every person in the premises and authenticate the control mechanisms:
- Each person entering the facilities must have an access card with identification data encoded on it;
- The identity of the person must be verified each time before an access card is issued;
- In facilities, each person must carry the card in such a way that it is visible;
- Access cards cannot contain the holder's name or company name;
- The access card must enable immediate identification of the category of person staying on the premises (employee, third party, temporary access, guest);
- The access card is deactivated immediately after its holder loses the right to access the facilities;
- The employee's access card is activated for the duration of the employment contract; for other categories it is automatically deactivated after a certain period of time;
- An access card that is not used for a period of three weeks is automatically deactivated.
- Managing access to individual zones
- The doors are connected to the central access rights management system;
- The card needs to be presented to the reader to unlock the door;
- Each person's right of access is verified when the card is read by the reader;
- In the event of a failure of the central access rights management system, the permissions configured at the time of the incident are valid for the duration of the incident;
- The door locks are protected against power outages and remain closed in such situations.
- Keys are stored in centralized places with limited access, separate for each facility, equipped with a depository;
- Each key is identified by a label; an inventory of keys is kept;
- The use of each key is tracked and traced using a special mechanism or paper log;
- The key depository is checked daily according to the inventory.
- Each lock is equipped with two doors and a limited area between checkpoints, which ensures that only one person can pass through at a time;
- One door opens only when the other is closed (mantrap);
- The locks use the same access card system as the other doors and operate on the same principles;
- Presence detection mechanisms check whether there is only one person inside the lock (anti-piggybacking);
- The system is configured to prevent the card from being used for multiple entries or exits (anti-passback);
- A camera placed near the lock monitors people entering.
- Goods may be entered into data centers only using zones designated for this purpose:
- The delivery area is configured in the same way as the passenger lock, differing only in its larger surface area, lack of volume and weight control and the fact that access card readers are only installed outside;
- Only goods pass through the delivery area, people must pass through the passenger lock;
- A camera with no dead angles is placed in the delivery area.
- Third party physical access management
- Each visit must be registered in advance;
- The employee who always accompanies third parties is responsible for them;
- The identity of each person is checked before entering the facility;
- Each third party is assigned a personal access card for one day, which they must return before leaving the facility;
- All persons must carry their access cards in a visible manner;
- Access cards are automatically deactivated at the end of the visit.
- Raising awareness and training employees
- Employee teams affected by these issues receive appropriate training every year;
- Every year, training is held for specific employee teams on how to conduct audits;
- Training courses for specific employee teams regarding technical services are held every year;
- When new employees are hired, training is organized to raise awareness of issues related to information system (IS) security;
- Safety-related messages are regularly addressed to all employees;
- Test campaigns are organized to ensure that all employees respond appropriately in a threat situation.
- Control of logical access to information systems
- Permissions are granted and monitored by managers in accordance with the principle of least privilege and the principle of gradually gaining trust;
- All permissions are, whenever possible, assigned to roles, not individual persons;
- Management of access rights and authorizations assigned to a user or system is based on the registration, modification and cancellation procedure, which applies to managers, the internal IT department and the HR department;
- All employees use personal accounts;
- Connection sessions always have a specific expiration time that depends on each application;
- User identities are verified before any change to authentication methods;
- If an employee loses their password, only their supervisor and the Security Manager are authorized to reset the password;
- User accounts are automatically deactivated if the password is not renewed after 90 days;
- The use of default, general, and anonymous accounts is prohibited;
- A strict password policy is implemented;
- The user does not choose his own password; a password generator is used for this purpose;
- The minimum password length is 10 alphanumeric characters;
- The password must be renewed every 3 months;
- Storing passwords in unencrypted files, web browsers or writing them down on paper is prohibited;
- It is mandatory to use a local password management program approved by security teams;
- Each remote access to the information system is carried out via VPN, requiring the entry of a password known only to the user and a shared key configured in the workstation.
- Managing access of administrative staff to production platforms
- Any access by administrative staff to the production system is done via bastion;
- Administrators connect to bastions via SSH using a pair of individual and named public and private keys;
- Connection to the target system is made either through a shared service account or through a named account via bastions;
- The use of default accounts on systems and devices is prohibited;
- Two-step verification, along with full monitoring, is mandatory in the case of remote access by administrative staff and employee access to sensitive circuits;
- Administrators, in addition to the standard user account, have an account dedicated exclusively to administrative tasks;
- Permissions are granted and monitored by managers in accordance with the principle of least privilege and the principle of gradually gaining trust;
- SSH keys are protected by a password that meets security policy requirements;
- In cooperation with the relevant services, a regular review of authorizations and access is carried out.
- Access control to the Panel
- The password selected by the customer must meet the complexity criteria specified in the user interface;
- Only password hashes are stored on the servers;
- The server room offers the option of activating two-step verification in the Customer Panel using a one-time password (OTP) system sent in SMS messages, a mobile application or a compatible U2F key.
- The Customer may limit access to his Customer Panel only to previously specified IP addresses;
- API access tokens can be used for their validity period without the need to subject them to additional controls;
- All customer activities in the Customer Panel or API are recorded;
- The customer can separate technical and administrative tasks related to service management.
- Workplace safety and mobile equipment safety
- Securing standard workstations
- Automatic update management;
- Installing and updating antivirus program and regular scanning;
- Installation of applications from the approved directory only;
- Systematic encryption of hard drives;
- No administrative rights for employees in relation to their workstations;
- Procedure for dealing with a potentially endangered workstation;
- Standardization of equipment;
- Procedure for deleting sessions and resetting workstations after an employee leaves the company.
- Securing mobile devices
- Mandatory registration of devices in the central management system before connecting to internal resources (WiFi, e-mail, calendars, address books, etc.);
- Verification of the security policy used in the device (unlocking code, blocking time, encryption of stored content);
- Procedure for remotely wiping devices in case of theft or loss.
- Network security
- Maintaining inventory within the configuration management database;
- The process of securing a system, called hardening, with guides describing the parameters that need to be modified to ensure a secure configuration;
- Access to Hardware Administrator features is restricted based on checklists;
- All devices are administered through Bastion, according to the principle of least privilege;
- All network hardware settings are retained in backups;
- Logs are continuously collected, centralized and monitored by the network operations team;
- Configuration implementation is automated based on approved templates.
- Business continuity management
- All systems and data necessary to ensure continuity of services, to reconstruct the information system or to conduct analysis after a failure are saved (technical and administrative database files, activity logs, source codes of internally developed applications, server, application and hardware settings, etc.);
- The frequency, time and storage methods of backups are defined according to the needs of each saved resource;
- The backup process is monitored and covered by a warning and error management system.
- Recommendations for the client responsible for data processing
- Backup and centralized log storage;
- Viewing logs and analyzing them by a limited number of authorized persons in accordance with the policy of granting permissions and managing access;
- Division of tasks between teams responsible for operations performed on the monitoring infrastructure and teams responsible for operating the service. Below is a list of activities covered by the obligation to keep records:
- Logs of backup servers where customer data is hosted;
- Logs of machines managing the client's infrastructure;
- Machine logs for monitoring infrastructures;
- Logs of antivirus programs installed on all machines;
- Log and system integrity checks, if applicable;
- Tasks and events performed by the client in its infrastructure;
- Network intrusion detection logs and alerts, if applicable;
- Network device logs;
- Logs of surveillance camera infrastructure;
- Administrator machine logs;
- Time server logs;
- Access card reader logs;
- Bastion logs.
§7 CHANGES TO THE PRIVACY POLICY
Questions and concerns regarding this Privacy Policy can be submitted by e-mail.
- The privacy policy is constantly verified and updated, if necessary. The current version has been adopted and is valid from March 1, 2024.