Access Control

All of our servers have access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.

Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing data. Processes are in place to ensure that authorized users have the appropriate authorization to access any data.

Customers have access only to their own data.

Access to customer data is limited to authorized employees who require it for their job. We follow access management and restrictions based on the need-to-know principle. All our employees and contractors are bound by non-disclosure agreements.

Nanonets has procedures in place to ensure that requested authorization changes are implemented only in accordance with the guidelines.

Data processing systems used to provide the Nanonets Services must be prevented from being used without authorization. Measures:

  • Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Processes are in place to ensure that authorized users have the appropriate authorization to add, delete, or modify users.

  • All users access Nanonets systems with a unique identifier (user ID).

  • Nanonets has procedures in place to ensure that requested authorization changes are implemented only in accordance with the guidelines (for example, no rights are granted without authorization).

    If a user leaves the company, his or her access rights are revoked.

  • Nanonets has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered.

  • Personalized user IDs are assigned for authentication. All passwords must fulfil defined minimum requirements and are stored in encrypted form. In the case of domain passwords, the system forces a password change every 3 months in compliance with the requirements for complex passwords.

  • Each computer has a password-protected screensaver.

  • The company network is protected from the public network by firewalls.

  • Nanonets uses up-to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations.

  • Security patch management is implemented to ensure regular and periodic deployment of relevant security updates.

  • Full remote access to Nanonets’ corporate network and critical infrastructure is protected by strong authentication.

Physical Access Controls

Unauthorized persons are prevented from gaining physical access to premises, buildings or rooms where data processing systems that process and/or use Personal Data are located. Measures:

  • Nanonets protects its assets and facilities using the appropriate means based on a security classification.

  • In general, buildings are secured through access control systems (e.g., smart card access system).

  • As a minimum requirement, the outermost entrance points of the building must be fitted with a certified key system including modern, active key management.

  • Depending on the security classification, buildings, individual areas and surrounding premises may be further protected by additional measures. These include specific access profiles, video surveillance, intruder alarm systems and biometric access control systems.

  • Access rights are granted to authorized persons on an individual basis according to the System and Data Access Control measures. This also applies to visitor access.

  • Guests and visitors to Nanonets buildings must register their names at reception and must be accompanied by authorized Nanonets personnel.