1. Introduction and Scope
This document outlines the policies and procedures established by INI.GE Group (hereinafter “the Company”) for the protection of its information assets, systems, and personal data. The purpose of this policy is to ensure the confidentiality, integrity, and availability of data, maintain business continuity, and achieve full compliance with the General Data Protection Regulation (GDPR) of the European Union.
This policy applies to all employees, contractors, and any third parties who have access to the Company's information systems.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person ('data subject').
- Processing: Any operation performed on personal data, such as collection, recording, organization, storage, alteration, use, disclosure, or erasure.
- Data Controller: The entity that determines the purposes and means of the processing of personal data.
- Data Processor: The entity that processes personal data on behalf of the controller.
3. Core Principles of Data Protection
The Company adheres to the following fundamental principles of data processing:
- Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimisation: Processing is limited to data that is adequate, relevant, and necessary for the purposes for which it is processed.
- Accuracy: Personal data is accurate and, where necessary, kept up to date.
- Storage Limitation: Data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and Confidentiality: Data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
4. Information Security Infrastructure and Technical Measures
4.1. Hosting and Data Residency
Our system architecture is built upon a high-availability, certified, and geographically diversified infrastructure, located entirely within the European Union:
- Primary Infrastructure: Core servers and databases are hosted on the Google Cloud Platform (GCP) in the Belgium region (europe-west1).
- Backup Infrastructure: For disaster recovery and geo-redundancy, data backups are stored in Google EU Multiregional data centers.
- Dedicated Servers: File storage and long-term database archives are located on dedicated servers within an OVH Cloud data center in the France region.
4.2. Access Control
Access to systems and data is strictly governed by the principle of least privilege:
- Administrative Access: Access to the Google Cloud management console is restricted to authorized personnel and is protected by mandatory Two-Factor Authentication (2FA).
- Server Access (SSH): Direct access to server operating systems using passwords is fully disabled. Authorization is performed exclusively via pre-verified cryptographic SSH Keys.
4.3. Network Security
Our virtual network perimeter is secured by the Google Cloud Firewall, configured with a Default-Deny policy. This means all incoming traffic is blocked by default, except for specific ports and services essential for application functionality.
4.4. Encryption
To ensure data confidentiality, we employ modern encryption standards:
- Encryption in Transit: All data transmitted between clients and our servers is encrypted using the Transport Layer Security (TLS) protocol.
- Encryption at Rest: All data stored on Google Cloud Platform and OVH, including databases, files, and backups, is encrypted at the disk level.
5. Data Backup, Retention, and Disaster Recovery
5.1. Backup Strategy
To protect against data loss and ensure business continuity, we employ a multi-layered backup strategy. Backups are performed automatically on a daily basis. Additionally, under specific Service Level Agreements (SLAs), the backup frequency can be increased to up to three times per day upon request.
| Data Type | Frequency | Retention Period | Location |
|---|---|---|---|
| Full Server Snapshot | Daily | 14 Days | Google EU Multiregional |
| Database Archive (SQL) | Monthly (for archive) | 10 Years | OVH (France) & Google Cloud |
| User Files | Real-time (Synchronous) | Persistent (while active) | Google Storage & Google Drive |
5.2. Data Retention Policy
Data retention periods are determined based on the type of data and legal requirements. Server snapshots are retained for 14 days for operational recovery purposes, while SQL database archives are retained for 10 years to comply with regulatory and legal obligations.
6. Monitoring, Logging, and Auditing
To ensure system security and GDPR compliance, we maintain detailed event logs:
- GDPR Audit Logging: The system automatically records all critical actions related to personal data (create, view, edit, delete).
- Centralized Logging: All system and application logs are collected and indexed in a centralized Elasticsearch (Elastic Stack) system. This enables real-time analysis of security events and rapid detection of anomalies.
7. Lawful Basis for Processing
Personal data is processed only when there is a lawful basis to do so under the GDPR, such as the data subject's consent, the performance of a contract, compliance with a legal obligation, or the legitimate interests of the Company.
8. Data Subject Rights under GDPR
In accordance with the GDPR, data subjects have the following rights:
- The right to access: To request information about the personal data we process about them.
- The right to rectification: To request the correction of inaccurate or incomplete personal data.
- The right to erasure ('right to be forgotten'): To request the deletion of their personal data under certain conditions.
- The right to restrict processing: To request the limitation of how their data is processed.
- The right to data portability: To receive their data in a structured, commonly used, and machine-readable format.
- The right to object: To object to the processing of their data for direct marketing or when processing is based on legitimate interests.
To exercise these rights, please contact us using the email address provided in Section 15.
9. International Data Transfers
The Company does not transfer personal data outside the European Economic Area (EEA). All our data centers and sub-processors are located within the European Union (Belgium, France), which ensures an adequate level of data protection as mandated by the GDPR.
10. Sub-processors
In the course of providing our services, we utilize trusted and vetted partners who act as data processors. Our primary sub-processors include:
- Google Cloud Platform (GCP): For infrastructure hosting and data storage.
- OVH Cloud: For dedicated servers, file storage, and archives.
11. Personal Data Breach Management
In the event of a personal data breach, the Company is committed to following the procedures mandated by the GDPR. This includes notifying the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it.
12. Service Level Agreement (SLA)
We guarantee high availability of our infrastructure and rapid recovery times.
| Parameter | Metric |
|---|---|
| Guaranteed System Uptime | 99.5% |
| Server Recovery Time (RTO) from Snapshot | 5 - 10 minutes |
| Database Recovery Time (RTO) from Archive | 1 - 5 hours |
| File System Recovery Time (RTO) | 1 - 5 days |
13. Roles and Responsibilities
The Company's management is responsible for implementing and enforcing this policy. All employees are required to understand and adhere to the rules and procedures outlined in this document as part of their daily activities.
14. Policy Review and Updates
This policy is subject to regular review and updates, at least annually, to reflect changes in technology, regulations, and the business environment.
15. Contact Information
For any questions regarding data protection, your rights, or this policy, please contact us at the following email address: support@ini.ge