INFORMATION SECURITY POLICY

[Last Updated: November 11, 2021]

Pic-Time Ltd. (“Company,” “Pic-Time,” “ our” or “we”) is committed to transparency regarding the security measures that it has implemented in order to secure and protect Personal Data (as defined under applicable data protection law, including, without limitation, the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) (collectively, “ Data Protection Regulation”) processed by the Company for the purpose of providing its Service (as such term is defined in the Privacy Policy and Terms Of Service).

This Information Security Policy outlines the Company’s security, technical and organizational measures and forms an integral part of our Privacy Policy . Capitalized terms used herein but not defined herein shall have the meaning ascribed to them in the Privacy Policy .

As part of our data protection compliance process, we have implemented technical, physical and administrative security measures to protect our Visitors', Photographers' and the Customers' (as such terms are defined in our Privacy Policy ) Personal Data as further explained below.

The security objectives of the Company are identified and managed to maintain a high level of security and consist of the following (concerning all data assets and systems):

• Availability - information and associated assets should be accessible to authorized users when required. The computer network must be resilient. The Company must detect and respond rapidly to incidences (such as viruses and other malware) that threaten the continued availability of assets, systems, and information.
• Confidentiality - ensuring that information is only accessible to those authorized to access it, on a need-to-know-basis.
• Integrity - safeguarding the accuracy and completeness of information and processing methods and therefore requires preventing deliberate or accidental, partial or complete, destruction, or unauthorized modification, of electronic data.

Physical Access Control

The Company ensures the protection of the data servers which store the Personal Data for the Company from unwanted physical access.

The data processed by the Company is stored on Microsoft Azure's servers which are located in the EU, the US and Australia. Please see Azure’s security measures here. When the Personal Data is transferred to the applicable servers it is always done in a secure and encrypted manner, encryption by default, at rest and in transit. The Company also secures physical access to its offices by ensuring that only authorized individuals such as employees and authorized external parties (maintenance staff, visitors, etc.) can access the Company’s offices by using security locks and an alarm system, amongst other measures as well.

System Control

Access to the Company’s database is highly restricted in order to ensure that only the relevant personnel who have received prior approval can access the database. The Company has also implemented appropriate safeguards related to remote access and wireless computing capabilities. Employees are assigned private passwords that allow strict access or use to Personal Data, all in accordance with such employee’s position, and solely to the extent such access or use is required. There is constant monitoring of access to the Personal Data and the passwords used to gain access. The Company uses automated tools to identify non-human login attempts and rate-limiting login attempts to minimize the risk of a brute force attack.

Data Access Control

User authentication measures have been put in place in order to ensure that access to Personal Data is restricted solely to those employees who have been given permission to access it and to ensure that the Personal Data is not accessed, modified, copied, used, transferred or deleted without specific authorization for such actions to be done. Any access to Personal Data, as well as any action performed involving the use of Personal Data requires a password and user name, which is routinely changed, as well as blocked when applicable. Each employee is able to perform actions solely in accordance with the permissions granted to him by the Company. Each access is logged and monitored, and any unauthorized access is automatically reported. Furthermore, the Company conducts ongoing reviews of the employees who have been given authorization to access Personal Data, in order to assess whether such access is still required. The Company revokes access to Personal Data immediately upon termination of employment. Authorized individuals can only access Personal Data that are located in their individual profiles.

Organizational and Operational Security

The Company puts a lot of effort and invests a lot of its resources into ensuring that the Company’s security policies and practices are being complied with, including by continuously providing employees with training with respect to such security policies and practices. The Company strives to raise awareness regarding the risks involved in the processing of Personal Data. In addition, the Company has implemented applicable safeguards for its hardware and software, including by installing firewalls and anti-virus software on applicable Company hardware and software, in order to protect against malicious software.

Transfer Control

The Company will conduct transfer impact assessments (“TIA ”) if required by applicable law with respect all transfers of Personal Data and is able to share the TIA upon a Photographer’s or Customer’s request. The purpose of a transfer control is to ensure that Personal Data cannot be read, copied, modified or removed by unauthorized parties during the electronic transmission of such Personal Data or during its transportation or storage in the applicable data center. Furthermore, any and all transfers of the Personal Data (either between the Visitors, the Photographers, the Customers, the Company’s service providers and the Company’s servers) is secured and encrypted. Default encryption is implemented in transit and at rest.

Input Control

The Company ensures the transparency of input controls, including changing and the deletion of data.

Availability Control

The Company maintains backup policies and associated measures. Such backup policies include permanent monitoring of operational parameters as relevant to the backup operations. Furthermore, the Company’s servers include an automated backup procedure. The Company also conducts regular controls of the condition and labelling of data storage devices for data security. The Company ensures that regular checks are carried out to determine whether it is possible to undo the backup, as required and applicable.

Data Retention

Personal Data is retained for as long as needed for us to provide our Service or as required under applicable laws.

Job Control and Third-Party Contractors and Service Providers

All of the Company’s employees are required to execute an employment agreement which includes confidentiality provisions as well as applicable provisions binding them to comply with applicable data security practices. In the event of a breach of an employee’s obligation or non-compliance with the Company’s policies, the Company implements certain repercussions in order to ensure compliance with the Company’s policies. In addition, prior to the Company’s engagement with third party contractors, the Company undertakes diligence reviews of such third-party contractors. The Company agrees with third party contractors on effective rights of control with respect to any Personal Data processed on behalf of the Company. The Company ensures that it enters into data protection agreements with all of its clients and service providers.

Data Subject Request

The Company has an online mechanism to enable individuals to submit a data subject request (“DSR”), furthermore, the Company has implemented internal policies to handle DSRs, subject to applicable data protection laws and contractual obligations.

Contractual Obligations

The Company has ensured all documents, including without limitations, agreements (including online agreements) and privacy policies are compliant with applicable Data Protection Regulation, including, by implementing Data Processing Agreements and where needed Standard Contractual Clauses (either pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021 which is attached herein by linked reference: https://eur-lex.europa.eu/legal content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN or pursuant to the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK).

Additional Safeguards

Measures and assurances regarding U.S. government surveillance (“ Additional Safeguards”) have been implemented due to the EU Court of Justice Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems decision (“ Schrems II”), these measures include the following:

• encryption both in transit and at rest;
• As of the date included in the “Last Updated” header above, the Company has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II decision.
• No court has found the Company to be the type of entity eligible to receive process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C § 1881(b)(4) or (ii) a member of any of the categories of entities described within that definition.
• The Company will not comply with any request under FISA for bulk surveillance, i.e., a surveillance demand whereby a targeted account identifier is not identified via a specific “targeted selector” (an identifier that is unique to the targeted endpoint of communications subject to the surveillance).
• The Company will use all available legal mechanisms to challenge any demands for data access through any national security process that it receives, as well as any non-disclosure provisions attached thereto.
• The Company will notify you (if required and as applicable) if it can no longer comply with the Standard Contractual Clauses or these Additional Safeguards, without being required to identify the specific provision with which it can no longer comply.

Reporting a Security Issue

The Company has invested considerable resources in order to ensure a secure infrastructure for its Service. If you believe that you have found a security vulnerability in our Service, please report it to us via e-mail at: dpo@pic-time.com. Please be sure to include a brief description, detailed steps to reproduce and what the impact may be.