Introduction
The company ACTIEFHOST LTD (hereinafter referred to as "Company", "We", "Our"), registered in Bulgaria with UIC 208112896, located at ul. Aleya Alen Mak No. 9, entrance 1, floor 3, apt. 5, Ruse, Bulgaria, is committed to ensuring high standards for information protection, as well as maintaining the security of our clients' data. This security policy aims to define the basic principles, measures and procedures for data and information protection that are applied in the company, including compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data (General Data Protection Regulation - GDPR).
Security Policy Objectives
- Protection of confidentiality, integrity and availability of client data.
- Compliance with all applicable regulatory requirements and data protection standards, including GDPR.
- Minimization of risk from unauthorized access, loss or damage of data.
- Training of employees on good practices for security and personal data protection.
Scope
This policy covers all processes and systems used for storage, processing and transmission of data, as well as all employees who have access to this data.
1. Personal Data Protection
1.1 Principle of lawfulness, fairness and transparency
The Company collects and processes personal data only in compliance with legislation and in accordance with established purposes. All data processing activities are carried out transparently, with clients being informed about the purposes and methods of processing their personal data.
1.2 Purpose limitation principle
Personal data is collected only for specific, explicitly stated and legitimate purposes, and is not processed in a manner that is incompatible with these purposes.
1.3 Data minimization principle
We collect and process only the personal data that is necessary for fulfilling the purposes of processing.
1.4 Accuracy principle
The Company takes reasonable steps to ensure the accuracy and currency of the personal data it processes.
1.5 Storage limitation principle
Personal data is stored only for the period necessary to achieve the purposes of processing or to fulfill legal obligations.
1.6 Integrity and confidentiality principle
The Company takes measures to ensure the security of personal data, including protection from unauthorized access, use, disclosure, alteration or destruction of data.
2. Information Systems Protection
2.1 Physical security measures
Client data is stored on physically protected servers located in certified data processing centers. Access to the premises is restricted and controlled, with only authorized persons having the right to enter these zones.
2.2 Logical security measures
We use modern cryptographic technologies to protect data in transit (e.g., TLS/SSL for encryption of internet communications). We implement firewalls, intrusion detection systems and other measures to protect our servers and networks. Each employee has individual access credentials to information and systems, and access is granted only where required by the employee's work duties.
2.3 Password management
Passwords for system access are created in accordance with strong password policies and are changed regularly. Access to critical systems and data is restricted to authorized persons.
2.4 Regular audits and monitoring
We conduct regular audits of information systems and network security to identify and correct potential vulnerabilities. Systems are monitored 24/7 for unauthorized access or suspicious activities.
3. Incident Management
3.1 Incident management procedure
Upon detection of an incident that may threaten data security or personal data, we will take the following steps:
1. Immediate notification of responsible persons.
2. Assessment of the scale and impact of the incident.
3. Notification of affected clients in accordance with GDPR requirements (within 72 hours).
4. Conducting investigation and taking corrective actions.
3.2 Incident reporting
All incidents affecting personal data security will be reported to competent authorities and, if necessary, to relevant clients.
4. Data Subject Rights
4.1 Right of access
Every client has the right to request a copy of their personal data that is stored and processed by the company.
4.2 Right of rectification
Every client may request correction of inaccurate or incomplete personal data.
4.3 Right of erasure
Clients have the right to request deletion of their personal data if it is no longer necessary for the purposes for which it was collected, or if its processing is unlawful.
4.4 Right to restriction of processing
Clients may request restriction of processing of their personal data in certain cases, for example when disputing the accuracy of the data.
4.5 Right to data portability
Clients have the right to receive their personal data in a structured, commonly used and machine-readable format, as well as to transfer it to another data controller.
4.6 Right to object
Clients may object to the processing of their personal data for direct marketing purposes or in cases where processing is based on legitimate interest.
5. Staff Training
The Company regularly conducts training for its employees on information security and personal data protection. All employees are familiar with the security policy and procedures for personal data processing.
6. Policy Review and Updates
This security policy is subject to regular review and updates to ensure it continues to meet legal requirements and industry best practices.
Date of last update: April 9, 2025