Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons:
Data in transit is transferred by a secured protocol (HTTPS encryption).
Data in transit from device to server and vice versa is encrypted with AES 128.
Data at rest is encrypted with AES 256.
Nayax implements strong authentication and multiple replicated sites for full redundancy. All implemented security tools are reviewed and updated regularly, and Information Security continuously improves and updates the security settings and policy.
Nayax has 3 on-premises data centers around the world that are fully replicated.
Nayax's production environment undergoes external penetration testing once a year, and all vulnerabilities that are found are fixed urgently. In addition, Nayax performs regular quarterly internal vulnerability scans, and all vulnerabilities that are found are fixed according to the severity of the findings.
Access to the DB is limited to a small group of employees who are identified by strong authentication (complex password, certificate on the laptop and 2FA).
Every access to the DB is logged and an alert is sent to the DBA manager.
Access to the DB during non-working hours is verified by a phone call to the employee.
Access to DCS is authenticated by MFA and a strong, complex password.
Data is transferred over an encrypted channel (HTTPS encryption).
Data in storage is encrypted (AES 256) and the encryption keys are kept separately.
Access to the DB is limited to a small group of employees.
Every entry and action on the DB is logged and monitored.
All Nayax data centers are located in secured facilities that are PCI DSS certified.
The office is located in a secure building (watchman 24/7). Access to the building is limited to employees from the building, and access to the office is only by the employee's personal RFID (every access is logged). There are CCTV 24/7 and an alarm system.
All security logs are monitored by a SIEM/SOC service 24/7.
Security logs are stored for 2 years.
Nayax performs a review of all systems' configuration every quarter and updates the settings if needed.
There is a formal information security policy that is updated and approved by the board annually.
The policy is implemented and all security staff report to the company CISO.
Nayax has 2 certifications:
All data and information is stored and kept according to the regional law.
The organization is aligned with the privacy laws (GDPR and Israeli Privacy Law). Every request for data erasure is reviewed by the DPO and handled according to the relevant privacy law.