Privacy Policy

Our Commitment

Payatu BV and Hardwear Inc are committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognise our obligations in updating and expanding this program to meet the demands of the GDPR.

Payatu BV and Hardwear Inc are dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for the new Regulation. Our preparation and objectives for GDPR compliance have been summarised in this statement and include the development and implementation of new data protection roles, policies, procedures, controls and measures to ensure maximum and ongoing compliance.

Hardwear.io – Hardware Security Training and Conference, Netherlands and Hardwear.io – Hardware Security Training and Conference, USA are organized and managed by Payatu BV (based in The Netherlands) and Hardwear Inc (based in the United States).

Our preparation includes:

  • Data Protection – our main policy and procedure document for data protection has been overhauled to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand and adequately disseminate and evidence our obligations and responsibilities, with a dedicated focus on privacy by design and the rights of individuals.
  • Data Retention & Erasure – we have updated our retention policy and schedule to ensure that we meet the 'data minimization' and 'storage limitation' principles and that personal information is stored, archived and destroyed compliantly and ethically. We have dedicated erasure procedures in place to meet the new 'Right to Erasure' obligation and are aware of when this and other data subjects' rights apply, along with any exemptions, response timeframes and notification responsibilities.
  • Data Breaches – our breach procedures ensure that we have safeguards and measures in place to identify, assess, investigate and report any personal data breach at the earliest possible time. Our procedures are robust and have been disseminated to all employees, making them aware of the reporting lines and steps to follow.
  • International Data Transfers & Third-Party Disclosures – where Payatu BV and Hardwear Inc store or transfer personal information outside the EU, we have robust procedures and safeguarding measures in place to secure, encrypt and maintain the integrity of the data. Our procedures include a continual review of the countries with sufficient adequacy decisions, as well as provisions for binding corporate rules, standard data protection clauses or approved codes of conduct for those countries. We carry out strict due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information, ensure enforceable data subject rights and have effective legal remedies for data subjects where applicable.
  • Privacy Notice / Policy – we have revised our Privacy Notice(s) to comply with the GDPR, ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.
  • Obtaining Consent – we have revised our consent mechanisms for obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information. We have developed stringent processes for recording consent, making sure that we can evidence an affirmative opt-in along with time and date records, and an easy-to-find, easy-to-use way to withdraw consent at any time.
  • Direct Marketing – we have revised the wording and processes for direct marketing, including clear opt-in mechanisms for marketing subscriptions, a clear notice and method for opting out, and unsubscribe features on all subsequent marketing materials.
  • Data Protection Impact Assessments (DPIA) – where we process personal information that is considered high risk, involves large scale processing or includes special category / criminal conviction data, we have developed stringent procedures and assessment templates for carrying out impact assessments that comply fully with the GDPR requirements. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subject(s).
  • Special Categories Data – where we obtain and process any special category information, we do so in complete compliance with the GDPR requirements and have high-level encryption and protections on all such data. Special category data is only processed where necessary.

Data Subject Rights

In addition to the policies and procedures mentioned above that ensure individuals can enforce their data protection rights, we provide easily accessible information via our website on an individual's right to access any personal information that Payatu BV and Hardwear Inc process about them and to request information about:

  • What personal data we hold about them
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients to whom the personal data has / will be disclosed
  • How long we intend to store their personal data for
  • If we did not collect the data directly from them, information about the source
  • The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
  • The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
  • The right to lodge a complaint or seek judicial remedy and who to contact in such instances

We may use the information that identifies you in the following ways:
  • to provide the services and information you request to fulfill our obligations as an event organizer.
  • to provide the content that matches your professional and personal interests.
  • to contact you with information about and invitations for products and services related to your professional and personal interests.
  • for any other purpose that relates to your professional and personal interests.

You may update, withdraw or erase your personal information at any time.

Information Security & Technical and Organizational Measures

Payatu BV and Hardwear Inc take the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction, and we have several layers of security measures in place, including those set out in our Information Systems Access Policy and Password Policy below.

GDPR Roles and Employees

Payatu BV has designated Mr. Antriksh Shah as our appointed person; he is responsible for promoting awareness of the GDPR across the organization, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.

Payatu BV and Hardwear Inc understand that continuous employee awareness and understanding is vital to the continued compliance of the GDPR and have involved our employees in our preparation plans.

If you have any questions about our preparation for the GDPR, please contact Mr. Antriksh Shah at [email protected]

Information Systems Access Policy

I. PURPOSE

The purpose of this policy is to maintain an adequate level of security to protect Payatu BV & Hardwear Inc data and information systems from unauthorized access. This policy defines the rules necessary to achieve this protection and to ensure a secure and reliable operation of Payatu BV information systems.

II. POLICY

Only authorized users are granted access to information systems, and users are limited to specific defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide individual accountability.

Who is Affected: This policy affects all employees of Payatu BV and its subsidiaries, and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.

Affected Systems: This policy applies to all computer and communication systems owned or operated by Payatu BV and its subsidiaries. Similarly, this policy applies to all operating systems and all application systems.

Entity Authentication: Any User (remote or internal), accessing Payatu BV networks and systems, must be authenticated. The level of authentication must be appropriate to the data classification and transport medium. Entity authentication includes but is not limited to:

  • Automatic logoff
  • A unique user identifier
  • At least one of the following:
    • Biometric identification
    • Password
    • Personal identification number
    • A telephone call back procedure
    • Token

Workstation Access Control System: All workstations used for Payatu BV business activity, no matter where they are located, must use an access control system approved by Payatu BV. Active workstations are not to be left unattended for prolonged periods of time. When a user leaves a workstation, that user is expected to properly log out of all applications and networks. Users will be held responsible for all actions taken under their sign-on. Where appropriate, inactive workstations will be reset after a period of inactivity (typically 30 minutes), and users will then be required to log on again to continue usage. This minimizes the opportunity for unauthorized users to assume the privileges of the intended user during the authorized user's absence.

Disclosure Notice: A notice warning that only those with proper authority should access the system will be displayed before sign-on. The warning message will make it clear that the system is a private network or application and that unauthorized users should disconnect or log off immediately.

System Access Controls: Access controls will be applied to all computer-resident information based on its Data Classification to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.

Access Approval: System access will not be granted to any user without appropriate approval. Management is to immediately notify the Security Administrator and report all significant changes in end-user duties or employment status. User access is to be immediately revoked if the individual has been terminated. In addition, user privileges are to be appropriately changed if the user is transferred to a different job.

Limiting User Access: Payatu BV approved access controls, such as user logon scripts, menus, session managers and other access controls will be used to limit user access to only those network applications and functions for which they have been authorized.

Need-to-Know: Users will be granted access to information on a "need-to-know" basis. That is, users will only receive access to the minimum applications and privileges required to perform their jobs.

Compliance Statements: Users who have access to Payatu BV information systems must sign a compliance statement prior to issuance of a user-ID. A signature on this compliance statement indicates the user understands and agrees to abide by Payatu BV policies and procedures related to computers and information systems. Annual confirmation will be required of all system users.

Audit Trails and Logging: Logging and audit trails are based on the Data Classification of the systems.

Confidential Systems: Access to confidential systems will be logged and audited in a manner that allows the following information to be deduced:

  • Access time
  • User account
  • Method of access
  • Each privileged command, traceable to a specific user account

In addition, logs of all inbound access into Payatu BV's internal network by systems outside of its defined network perimeter must be maintained.

Audit trails for confidential systems should be backed up and stored in accordance with Payatu BV back-up and disaster recovery plans. All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs must be audited on a periodic basis. Audit results should be included in periodic management reports.

Access for Non-Employees: Individuals who are not employees, contractors, consultants, or business partners must not be granted a user-ID or otherwise be given privileges to use the Payatu BV computers or information systems unless the written approval of the Department Head has first been obtained. Before any third party or business partner is given access to Payatu BV computers or information systems, a chain of trust agreement defining the terms and conditions of such access must have been signed by a responsible manager at the third party organization.

Unauthorized Access: Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. System privileges allowing the modification of 'production data' must be restricted to 'production' applications.

Password Policy

I. PURPOSE

The purpose of this policy is to ensure that only authorized users gain access to Payatu BV's information systems.

II. POLICY

To gain access to Payatu BV information systems, authorized users, as a means of authentication, must supply individual user passwords. These passwords must conform to certain rules contained in this document.

Who is Affected: This policy affects all employees of Payatu BV and its subsidiaries, and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.

Affected Systems: This policy applies to all computer and communication systems owned or operated by Payatu BV and its subsidiaries. Similarly, this policy applies to all platforms and all application systems.

User Authentication: All systems will require a valid user ID and password. All unnecessary operating system or application user IDs not assigned to an individual user will be deleted or disabled.

Password Storage: Passwords will not be stored in readable form without access control or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls.

Application Passwords Required: All programs, including third party purchased software and applications developed internally by Payatu BV must be password protected.

Choosing Passwords: All user-chosen passwords must contain at least one alphabetic and one non-alphabetic character. The use of control characters and other non-printing characters is prohibited. All users must be automatically forced to change their passwords at intervals appropriate to the classification level of the information. To obtain a new password, a user must present suitable identification.

Changing Passwords: All passwords must be promptly changed if they are suspected of being disclosed, or known to have been disclosed, to unauthorized parties. All users must be forced to change their passwords at least once every sixty (60) days.

Password Constraints: The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After three unsuccessful attempts to enter a password, the involved user-ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or (c) if dial-up or other external network connections are involved, disconnected.
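The following is an added example, not code from Payatu BV or Hardwear Inc, showing how the rules in the Choosing Passwords, Changing Passwords and Password Constraints sections above (one alphabetic and one non-alphabetic character, no non-printing characters, 60-day rotation, and option (b) of the three-attempt rule: a lockout of at least three minutes) could be enforced in an authentication front end. The user ID, timestamps and lockout tracker class are constructed for illustration.

```python
from datetime import datetime, timedelta

ROTATION_DAYS = 60                # "at least once every sixty (60) days"
MAX_FAILED_ATTEMPTS = 3           # "after three unsuccessful attempts"
LOCKOUT = timedelta(minutes=3)    # option (b): disabled for no less than three minutes


def password_meets_policy(pw: str) -> bool:
    """At least one alphabetic and one non-alphabetic character; no control/non-printing chars."""
    if not pw or any(not c.isprintable() for c in pw):
        return False
    has_alpha = any(c.isalpha() for c in pw)
    has_non_alpha = any(not c.isalpha() for c in pw)
    return has_alpha and has_non_alpha


def password_expired(days_since_change: int) -> bool:
    """True once the password is older than the rotation period."""
    return days_since_change >= ROTATION_DAYS


class LockoutTracker:
    """Counts failed logins per user ID and temporarily disables the ID after the limit (hypothetical class)."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.disabled_until: dict[str, datetime] = {}

    def is_disabled(self, user_id: str, now: datetime) -> bool:
        until = self.disabled_until.get(user_id)
        return until is not None and now < until

    def record_attempt(self, user_id: str, success: bool, now: datetime) -> str:
        """Returns 'locked', 'ok' or 'failed'; a correct password during lockout is still refused."""
        if self.is_disabled(user_id, now):
            return "locked"
        if success:
            self.failures.pop(user_id, None)   # a successful login resets the counter
            return "ok"
        count = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self.disabled_until[user_id] = now + LOCKOUT
            self.failures.pop(user_id, None)
            return "locked"
        return "failed"


def simulate_lockout() -> list[str]:
    """Constructed scenario: three bad attempts, a correct attempt during lockout, one after it."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed timestamp
    tracker = LockoutTracker()
    results = [tracker.record_attempt("user01", False, t0 + timedelta(seconds=i)) for i in range(3)]
    results.append(tracker.record_attempt("user01", True, t0 + timedelta(minutes=1)))   # still locked
    results.append(tracker.record_attempt("user01", True, t0 + timedelta(minutes=4)))   # lockout over
    return results
```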