1. Overview of Security Assurance Plan
This Security Assurance Plan (SAP) provides an overview of the security processes, controls, and solutions Fydelia will use to ensure the integrity, confidentiality, and availability of data collected and processed in providing guest WiFi data capture services. As a data processor, Fydelia is committed to implementing security best practices and meeting the compliance requirements outlined by the customer.
2. Security Governance and Compliance
- Information Security Governance: Fydelia’s security policies are reviewed and approved by senior management and enforced across all departments. Security responsibilities are clearly assigned to appropriate personnel, including Fydelia’s CISO, IT, and compliance teams.
- Compliance with Regulations: Fydelia adheres to data protection laws, including GDPR for EU-based customers. We also comply with any applicable industry-specific security standards as required by the customer.
- Audits and Assessments: We perform regular internal audits to evaluate our security posture and compliance. Additionally, we will facilitate external audits or customer reviews upon request.
3. Risk Management
- Risk Assessment: Fydelia conducts periodic risk assessments to identify and evaluate potential security threats to our systems and data. Risk levels are categorized and prioritized for remediation.
- Mitigation Strategies: We implement mitigation strategies for identified risks, focusing on the most critical risks to reduce potential impact and likelihood.
4. Data Protection and Privacy
- Data Encryption: All data is encrypted in transit and at rest using industry-standard encryption protocols. This includes guest WiFi login data and any associated metadata collected during service provision.
- Data Access Control: Access to customer data is restricted to authorized personnel only. We enforce multi-factor authentication (MFA) for critical systems, and access permissions are reviewed regularly.
- Data Retention and Deletion Policy: Fydelia retains data for a standard period of one year unless otherwise specified by the customer in writing. At the end of the retention period, data is securely deleted or anonymized.
5. Incident Response and Management
- Incident Response Plan (IRP): Fydelia maintains an IRP that outlines procedures for identifying, investigating, and mitigating security incidents. This plan includes roles and responsibilities, escalation paths, and communication protocols.
- Incident Notification: In the event of a data breach impacting customer data, Fydelia will notify the customer within 24 hours of detection, providing details on the scope, impact, and mitigation steps taken.
6. Technical Security Controls
- Network Security: Fydelia employs firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to secure our network. Regular penetration testing is conducted to identify and address vulnerabilities.
- Endpoint Security: Anti-virus and anti-malware software and endpoint detection and response (EDR) tools are deployed on all devices accessing customer data. Devices are regularly updated and monitored.
- Vulnerability Management: We conduct regular vulnerability scans on our systems and apply security patches promptly as part of our patch management process.
7. Physical Security
- Data Center Security: Fydelia’s servers are hosted in data centers with robust physical security measures, including surveillance, access controls, and environmental monitoring. Data centers comply with recognized certifications (e.g., ISO 27001, SOC 2).
- Workplace Security: Physical access to Fydelia’s offices is restricted to authorized personnel, with keycard access and visitor logs maintained to prevent unauthorized access.
8. Employee Security Awareness and Training
- Security Training: All Fydelia employees complete mandatory security training that covers data protection, secure data handling, and recognizing security threats.
- Ongoing Awareness: Fydelia maintains ongoing security awareness programs to keep employees informed of new security threats and best practices.
9. Customer Responsibilities and Coordination
- Shared Security Responsibilities: Fydelia requests that the customer communicate any specific security requirements and coordinate security protocols as needed for integrated systems.
- Security Meetings and Reporting: Fydelia will participate in periodic security review meetings with the customer and provide regular security reports or audit findings as requested.
10. Plan Review and Updates
This Security Assurance Plan is reviewed annually and updated as necessary to reflect changes in security requirements, emerging threats, and evolving customer needs. Significant changes will be communicated to the customer, and their approval may be sought as required.