AdFixus is committed to security and privacy. We ensure we maintain an information security and privacy posture that is consistent with our risk appetite and aligns with our vision and mission, specifically in relation to consumer privacy.
While we aim to ensure that our solutions do not capture or store any consumer Personally Identifiable Data (PII), we do need to capture customer information as part of normal business practices. In addition, as an innovative technology company, we hold information, much of which needs to be secured to protect our business and enable us to operate effectively within a competitive marketplace.
To this end, we ensure that all staff and contractors have a clear understanding of their information security obligations (in line with our Acceptable Use Policy), and if they are involved in the development of software, they adhere to secure development practices (in line with our Secure Development Policy).
To maintain our information security practices, we operate an information security management system (ISMS) that is implemented and continually improved in line with ISO27001:2022. Given our commitment to information privacy and security, our ISMS was developed at the executive level: it was developed by our CTO and COO, and accepted by our CEO.
AdFixus is committed to ensuring that our ISMS meets our stakeholders' needs and our legal requirements for information security.
Our ISMS, and this policy, aim to achieve the following objectives:
- No consumer PII will ever be collected, apart from IP Addresses, which will be hashed with a different hash per customer.
- No data that relates to a consumer will be transmitted to a third-party.
- No consumer data will be compromised, that is, stolen or lost.
- All consumer identifiers will be anonymous, and able to be decrypted by the first-party only.
- Our solutions will achieve 99.5% uptime, with no loss of data.
- All known security vulnerabilities will be addressed within 24 hours.
To achieve this, we focus on four key pillars:
1. Privacy and Confidentiality
AdFixus puts consumer privacy first – this is key to our market proposition – we are a privacy-focused provider that ensures its customers will conform to any foreseeable privacy laws. We believe that consumer data should never be shared with or sold to a third-party; it must only be shared between the customer and the sites that they visit, being the zero-party and first-party respectively.
For this reason, we ensure that the AdFixus Platform does not store any Personally Identifiable Information (PII). We also extend the definition of PII to include any data that relates to an individual, so we see IP Addresses (or any device identifier) as being included within this definition.
Where AdFixus creates an identifier, it is two-way encrypted with the customer and AdFixus holding the keys, so that any identifiers are only able to be decrypted by our customers, being the owner of this data.
When our customers ask us to log consumer behaviour, this will be linked to this encrypted identifier, preventing AdFixus or any other third-party from linking the logged activities to a consumer.
We practice security by design, ensuring that solutions do not gather and hold unnecessary PII, and in our case we see no need to store unencrypted PII at all. Given this, if our systems are breached and the data that we have stored is published on the web, there is no feasible way to decrypt identifiers and link actions to a consumer, effectively nullifying the impact of a breach.
We see integrity as ensuring that consumer identifiers that we create are not able to be inappropriately changed or modified. As such, all our consumer identifiers are encrypted, so that any identifier that is changed will not be able to be decrypted.
We achieve this by ensuring that:
- No third-party can access customer PII data without the first-party providing their asymmetric encryption keys.
- We do not store any PII, with all processing of PII happening in volatile memory.
- Where we are required by the customer to capture logs, logs are held securely and reliably, linked to an identifier that only the customer is able to decrypt.
Our solution is mission-critical for our customers: it can directly impact the accessibility of their websites. It can also impact customer partnerships, where two or more partners are matching consumers (i.e. first-party to first-party matching).
We also store web logs for our customers on request; this information is used by customers to understand their web traffic. For this reason, we have designed our solution to achieve 99.5% uptime (per month), with no loss of data.
We will implement and maintain an Information Security Management System that complies with the ISO27001:2022 standard. All critical processes are documented and continually improved, being reviewed quarterly. The operation of the system is governed at the highest level within our organisation, with the Information Governance Committee consisting of the CEO, COO and CTO.
Through the controlled delivery of our solution and operation of our ISMS, as well as the commitment of our leaders, employees and contractors to this end and the policies that we have in place, we continually ensure that our objectives are met and our four key pillars are upheld.
If you have any questions related to our Information Security Management System, feel free to contact us by emailing email@example.com.
Last updated on 31 May 2023