Personal Data Security Provisions
In ensuring the safety of personal data, Tritty inc. employees are guided by the provisions established by the basic laws of the United States.
The Personal Data Security Provisions for processing in information systems
1 These Provisions establish requirements for personal data security during processing in information systems, which are a collection of personal data contained in databases together with the information technologies and technical means used to process that personal data with the use of automation (hereinafter, the Information Systems).
The technical means for personal data processing are computer equipment, information and computer systems and networks, tools and means for the transmission, reception and processing of personal data (recording, sound reinforcement and sound reproduction means and systems, intercoms and television devices, means for document production and replication, and other technical means for processing speech, graphics, video and alphanumeric information), software (operating systems, database management systems, etc.), and the information protection tools used in the Information Systems.
2 Personal data security is achieved by eliminating unauthorized, as well as accidental, access to personal data that may result in the destruction, modification, blocking, copying or distribution of personal data, or in other unauthorized activities.
When personal data is processed in the Information Systems, its security is provided by the personal data protection system, which includes institutional arrangements and information protection means (including encryption (cryptographic) means and means to prevent unauthorized access, information leakage via technical channels, and software and hardware effects on the technical means of personal data processing), as well as the information technologies used in the Information System. The hardware and software shall meet the established data protection requirements in accordance with the laws of the United States of America.
To ensure personal data security during processing in the Information Systems, speech information is protected, as well as information that is processed by technical means and presented in the form of informative electrical signals, physical fields, or on paper, magnetic, magneto-optical and other media.
3 In the Information Systems, the information security methods and techniques are established by the Technical and Export Control Federal Service and the Federal Security Service of the United States within their powers. The sufficiency of the personal data security measures taken during processing in the Information Systems is assessed during government monitoring and supervision.
4 When processing in the Information Systems, the personal data security measures are an integral part of the work on the creation of the Information Systems.
5 The information security tools used in the Information Systems are subject to conformity assessment in the prescribed manner.
6 The Information Systems are classified by the government authorities, municipalities, legal entities or individuals that organize and / or carry out the personal data processing and define the purpose and content of the personal data processing (hereinafter, the Operator), according to the volume of personal data processed and the security threats to the vital interests of the individual, society and the state.
The Information Systems classification procedure is established jointly by the Technical and Export Control Federal Service, the Federal Security Service of the United States of America and the Ministry of Information Technologies and Communications of the United States of America.
7 When processing in the Information Systems, the personal data exchange is carried out via the communication channels, the protection of which is ensured by the implementation of appropriate organizational measures and / or by the application of technical means.
8 The placement of the Information Systems, the special equipment and protection of the premises where procedures with personal data are carried out, and the organization of the security regime in such premises shall ensure the safety of the personal data media and the information protection tools, and shall exclude the possibility of unauthorized persons entering or staying in these premises uncontrolled.
9 When processing in the Information Systems, possible channels of information leakage are established by the Technical and Export Control Federal Service and the Federal Security Service of the United States within their powers.
10 When personal data is processed in the Information Systems, its security shall be provided by the Operator or by the person engaged by the Operator under a contract to process the personal data (hereinafter, the Authorized Person). The obligation of the Authorized Person to ensure the confidentiality of the personal data and its security during processing is an essential condition of the contract.
11 When personal data is processed in the Information Systems, the following shall be provided:
- a) measures to prevent unauthorized access to the personal data and / or its transfer to persons not entitled to access such information;
- b) timely detection of the unauthorized access to personal data;
- c) avoidance of impacts on the automated personal data processing means that result in their malfunctioning;
- d) the possibility of immediately restoring personal data that has been modified or destroyed as a result of unauthorized access;
- e) constant supervision to ensure the proper level of the personal data protection.
12 When personal data is processed in the Information Systems, the personal data security measures shall include:
- a) definition of the personal data security threats during processing and formation of a threat model on that basis;
- b) development of the personal data protection system based on the threat model, to neutralize the perceived threats using the personal data protection techniques and methods provided for that information system class;
- c) checking the readiness of the information security tools for use and drawing conclusions about the possibility of their use;
- d) installation and commissioning of the information security tools in accordance with the operational and technical documentation;
- e) operational training of persons using the information security devices applied in the information systems;
- f) consideration of the information protection means, their operational and technical documentation, and the personal data media devices;
- g) registration of persons who have access to the personal data in the information system;
- h) monitoring compliance with the conditions of use of the information security tools set out in the operational and technical documentation;
- i) conducting proceedings and drawing conclusions on instances of improper storage of personal data media devices or improper use of information security tools that may lead to a breach of personal data confidentiality or to other violations that lower the level of personal data protection, and developing and adopting measures to prevent the possible harmful effects of such violations;
- j) description of the personal data protection system.
13 To develop and implement measures to ensure personal data security during processing in the information system, the operator or the authorized person may appoint a structural department or an official (employee) responsible for ensuring personal data security.
14 Persons who need access to personal data processed in the information system in order to perform their official (employment) duties are granted access to the relevant personal data on the basis of a list approved by the operator or by the authorized person.
15 Requests by information system users to obtain personal data, including requests by the persons referred to in Section 14 hereof, as well as the facts of personal data being provided in response to these requests, are recorded by the automated means of the information system in the electronic request log. The content of the electronic log is periodically checked by the relevant officials (employees) of the operator or the authorized person.
16 Upon detection of violations of the procedure for providing personal data, the operator or the authorized person shall immediately suspend the provision of personal data to the information system users until the causes of the violations are identified and eliminated.
17 The implementation of the information security requirements using the information protection tools is entrusted to the developers of those tools. For personal data processing in the information systems, the encryption (cryptographic) information protection means developed to ensure personal data security are subject to case studies and control case studies in order to verify compliance with the information security requirements. The case studies are cryptographic, engineering and special studies of the information security means, as well as special information system procedures; the control case studies are case studies conducted periodically. Specific dates for the control case studies are determined by the Federal Security Service of the United States of America.
18 The results of conformity assessment and / or information security case studies are evaluated during the supervision carried out by the Technical and Export Control Federal Service and the Federal Security Service of the United States within their powers.
19 The information security means designed to ensure personal data security during processing in the information systems are accompanied by regulations for the use of these means, approved by the Technical and Export Control Federal Service and the Federal Security Service of the United States within their powers. Any change in the application conditions for the information security means provided by the above rules is agreed with these federal executive authorities within their powers.
20 The information security means designed to ensure personal data security during processing in the information systems shall be registered using indexes, or conventional names and registration numbers. The summary of the indexes, conventional names and registration numbers is established by the Technical and Export Control Federal Service and the Federal Security Service of the United States within their powers.
21 The procedures for development, production, implementation and operation of encryption (cryptographic) information security means and the personal data encryption services are established by the Federal Security Service of the United States of America.