GDPR Compliance Statement

MOCA System (hereinafter “we”) is committed to ensuring the security and protection of the personal data we process and to a data protection approach that is consistent and compliant with regulations.

 

The purpose of this GDPR Compliance Statement is to describe how we approach our GDPR compliance program. It will explain how we implement roles, policies, procedures, controls, and measures for data protection in order to ensure continued compliance with the GDPR.

What is the GDPR?

The EU General Data Protection Regulation (Regulation 2016/679) (GDPR) was put into effect on May 25th, 2018 to strengthen individuals' rights to personal data and harmonize local data protection laws across Europe. The GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU.

The GDPR Principles

We consider the privacy and security of individuals and their data as vitally important.

Our principles for processing personal data are as follows:

● We process personal data lawfully, fairly and in a transparent manner.

● We collect personal data only for specified, explicit and legitimate purposes.

● We collect and keep personal data only to the extent necessary in relation to the purposes for which it is processed.

● We ensure that the personal data we store is up-to-date and accurate.

● We comply with the GDPR as a controller that processes the data of users who sign up for Airfob Portal, our mobile access control system. We also do so as a processor that stores personal data on behalf of our users who directly register and manage the data. In addition, Airfob Portal users must also comply with the GDPR as controllers themselves.

● We ensure that the aforementioned principles can be applied to our services, and help our users to comply with the GDPR as well.

Rights of the data subject under the GDPR

With regard to the personal data we store and manage, Airfob Portal users may request the following information from us.

● Personal data we hold about individuals

● The categories of personal data we collect from individuals

● The purpose of collecting and processing personal data

● Data retention periods

● Procedures for the rectification or completion of inaccurate or incomplete personal data

● Where applicable, procedures for requesting the erasure of personal data, or for restricting the processing of personal data and objecting to direct marketing in accordance with data protection laws

● Information concerning all our automated decision-making processes

The above applies only to Airfob Portal users, not to individuals who are registered and managed by these Airfob Portal users. Cases such as these shall be dealt with in accordance with users' own policies.

Plans for GDPR compliance

We have taken, and will take, the following steps to comply with GDPR:

● We have analyzed the personal data collected through our service.

● We have established procedures and policies to restrict the processing of personal data.

● We have updated our response procedures to personal data breaches and incidents.

● We have updated our policies on data protection, data retention, information security, cookies, and privacy.

● We have reviewed all processing activities to identify legal grounds for the processing of personal data and to determine whether each ground is appropriate for the activities concerned.

Protection measures under the GDPR

We take the privacy and security of individuals and their data very seriously and take all reasonable precautionary measures in order to protect the personal data we process.

To protect personal data from unauthorized access, alteration, disclosure or destruction, we have the following information security policies and procedures in place along with multiple levels of security measures:

• Risk management: We evaluate and manage service-related risks as part of our risk management process. Our risk management process is set out in our regulations.

• Information security management: We have information security management systems (ISMS) in place that are aligned with model industry standards, such as ISO 27001 and ISO 27701. They cover the security policies, organizations, processes, and controls that are needed to meet compliance standards and security requirements we have identified.

• Personnel security: We have security processes for the employment, retention, and contract termination of individual employees. We carry out background investigations, ensure continued awareness of security standards, and implement physical and logical access controls. In conjunction with legal requirements and restrictions, we also identify and resolve risks, and carry out other security measures according to roles and positions.

• Asset management: We process customer data in accordance with contracts, terms and conditions, privacy policies, or other relevant service documents. We manage the IT resources used in our services in accordance with our in-house standards and processes.

Where data or assets are set to be erased and destroyed, we follow the processes we’ve established to remove equipment and storage media properly prior to physical destruction.

• Access control: Our Airfob Portal service is protected by means of networks and logical security systems. Based on industry standard cloud services, we provide web-based processing for any personal data that has been registered and managed by our users after they sign up for the service, make inquiries, and create their website. Only authorized personnel can access this data processing system.

• Encryption: All network traffic from our Airfob Portal service is encrypted before transmission, and all personal data is encrypted before being stored. In addition, the hardware-based encryption used in our cloud service follows the cloud service provider's policy. For more information on the provider, please see the Privacy Policy on our website.

• Development security: Our Airfob Portal service is developed according to our R&D proceedings. Each step of the development process, including analysis, development, implementation, testing, and distribution, is covered by security requirements and procedures.

• Physical security: Our Airfob Portal service uses industry standard cloud services.

Our cloud service provider defines and maintains physical and environmental controls over production environments. The provider has warranty reports and security certifications that cover these controls. For more information on the provider, please see the Privacy Policy on our website.

• Operations security: We follow industry standards and best practices, such as automation whenever possible and recommendations offered by our cloud service provider, in order to securely configure the cloud environment used in our Airfob Portal service. In addition, we keep the software we use up to date and resolve reported vulnerabilities through automated and manual measures.

• Vulnerability management: We identify potential vulnerabilities through multiple methods, including scanning, security tests, source code diagnosis, and cyber threat intelligence. Reported vulnerabilities are evaluated and resolved via established processes and measures. We offer a responsible public channel for our security manager to report any issues found.

• Security testing and inspection: We cooperate with a third-party security service provider to carry out regular penetration tests. We manage test results, which are kept confidential, through our processes and measures for managing vulnerabilities.

• Security event management: We monitor the conditions of our data processing system to identify events and incidents that may influence our services and data. Events that may be a security risk are managed through the operational processes of our management and security departments.

• Business continuity and backup: We back up and regularly test customer data to ensure that the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO) can be met under our in-house regulations.

• Endpoint security: We examine and monitor malware to detect malicious programs and files in our employees' work environments. We also have features that filter and block spam and scam emails.

International data transfer

Through our website, we may collect personal data that is necessary for conducting various business activities, such as sales, technical support, and partnerships. The collected personal data is then stored in industry standard cloud services before use. Information on our cloud service provider can be found in our Privacy Policy. When collecting users' personal data, we ensure that we notify and obtain consent from the data subjects.

In addition, as we store the personal data registered and managed directly by our users on their behalf, we ensure that we inform them of the relevant details, scope and obligations through our Data Processing Agreement and receive their consent before doing so.

For more questions about GDPR, please contact us.

For more questions about this Compliance Statement or our data protection policies, please contact us: support@mocainc.com

GDPR Compliance - Questions & Answers

1. What is the GDPR?

The EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) was put into effect on May 25, 2018 to strengthen individuals' rights to personal data and harmonize local data protection laws across Europe. The GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU.

2. Does MOCA System comply with the GDPR?

Yes, MOCA System complies with Regulation (EU) 2016/679 ("GDPR").

3. What role does MOCA System play according to the GDPR?

MOCA System acts as a controller that processes the data of users who sign up for Airfob Portal, a mobile access control system.

In addition, MOCA System serves as a processor that stores personal data on behalf of its users, who directly register and manage the data.

As a controller and processor according to the GDPR, MOCA System ensures the secure management of personal data through informed consent, lawful contracts, and appropriate protective measures.

4. What is the role of MOCA System's Airfob Portal users?

Those who use our Airfob Portal service act as controllers for the data subjects they directly register and manage.

The users have authority and responsibility over all the data they directly process, and they are also responsible for carrying out necessary safety measures accordingly.

The users, who directly register and manage data subjects, shall not only evaluate carefully and satisfy themselves that they have a lawful basis under the GDPR for processing the data subjects’ personal data in light of the purposes they are seeking to achieve, but must also prove that they are implementing appropriate measures for data security. This relates to the GDPR principles, such as lawfulness, fairness and transparency, accuracy, purpose limitation, data minimization, storage limitation, integrity and confidentiality. It also relates to individual rights over personal data.

Users must determine whether the Airfob Portal service can securely process personal data (such as through privacy impact assessments etc.) and utilize the services we provide in a safe manner.

5. Does MOCA System access or manage the data of Airfob Portal users?

MOCA System does not access personal data that has been directly registered and managed by Airfob Portal users themselves. We are not responsible for any information, including personal data, processed by the users. The users are responsible for complying with relevant laws and for handling and processing data appropriately.

6. What personal data is processed by MOCA System's Airfob Portal?

MOCA System's Airfob Portal can store emails, nicknames, passwords, company names, names, phone numbers, nationality, and more. The storage of personal data may differ depending on the information directly registered by users.

For more information on the relevant privacy policy, please see our Privacy Policy on our website.

https://www.airfob.com/legal-documents/privacy-policy-en

7. What sensitive information is processed by MOCA System's Airfob Portal?

MOCA System's Airfob Portal utilizes mobile credentials. Sensitive information related to faces and fingerprints is not used.

8. What personal data is processed by MOCA System's Airfob Pass?

MOCA System's Airfob Pass is a mobile application that enables your smartphone to be used as an access card. It stores your name and mobile card information, and allows you to register additional information, such as your department or company name.

For more information on the relevant privacy policy, please see our Privacy Policy on our website.

https://www.airfob.com/legal-documents/privacy-policy-en

9. What measures does MOCA System have in place for protecting personal data?

MOCA System's Airfob Portal encrypts all personal data before storage and provides encrypted communications (HTTPS) when transferring data. We utilize verified encryption algorithms (one-way and two-way encryption functions: SHA-256 and AES-256, and TCP communication: TLS 1.2).

In addition, we implement other protective measures, such as inspection logs, data backup, and systems for detecting and blocking web-based attacks.