Privacy Policy

Data Protection & Information Security Management

I DATA PROTECTION

Introduction

Purpose: This policy outlines SAMAConnect SAL's commitment to protecting personal data and ensuring compliance with applicable data protection laws.

Scope: This policy applies to all employees, contractors, and third parties who process personal data on behalf of SAMAConnect SAL.

I. DEFINITIONS
I Personal Data:
Any information relating to an identified or identifiable natural person.

I Data Subject:
The identified or identifiable natural person to whom the personal data relates.

I Data Controller:
The entity that determines the purposes and means of processing personal data.

I Data Processor:
The entity that processes personal data on behalf of the data controller.

I Processing:
Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.

I Data Breach:
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.

I Data Protection Officer (DPO):
The person appointed to oversee data protection strategy and compliance within the organization.




II. Compliance with Data Protection Laws
I Legal Framework:
Ensure compliance with relevant data protection laws and regulations, including the General Data Protection Regulation (GDPR) and other applicable laws.

I Data Protection Officer (DPO):
The DPO is responsible for overseeing data protection strategy and implementation to ensure compliance with legal requirements.

I Policy Review:
Regularly review and update the data protection policy to reflect changes in laws and regulations.




III. Data Processing Principles
I Lawfulness, Fairness, and Transparency:
Process personal data lawfully, fairly, and transparently.

I Purpose Limitation:
Collect personal data for specified, explicit, and legitimate purposes and not process it further in a manner that is incompatible with those purposes.

I Data Minimization:
Ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

I Accuracy:
Keep personal data accurate and, where necessary, up to date.

I Storage Limitation:
Retain personal data no longer than is necessary for the purposes for which the personal data is processed.

I Integrity and Confidentiality:
Process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.




IV. Data Subject Rights
I Access and Rectification:
Ensure data subjects can access their personal data and request corrections if inaccurate.

I Erasure and Restriction:
Allow data subjects to request the erasure of their personal data or restriction of its processing under certain conditions.

I Data Portability:
Provide data subjects with the right to receive their personal data in a structured, commonly used, and machine-readable format.

I Objection:
Respect the right of data subjects to object to the processing of their personal data in certain circumstances.

I Automated Decision-Making:
Ensure data subjects are not subject to decisions based solely on automated processing, including profiling, unless certain conditions are met.




V. Data Security
I Security Measures:
Implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction.

I Access Controls:
Restrict access to personal data to authorized personnel only.

I Encryption:
Use encryption to protect personal data during transmission and storage.

I Regular Audits:
Conduct regular audits and assessments of data security practices to identify and mitigate risks.




VI. Data Retention and Disposal
I Retention Policy:
Define retention periods for different types of personal data, ensuring data is not kept longer than necessary for the purposes for which it is processed. Establish clear guidelines for data retention based on regulatory requirements and business needs.

I Secure Disposal:
Implement secure disposal methods for personal data that is no longer needed, such as:
- Shredding physical documents
- Securely deleting electronic files
- Using certified data destruction services for hardware

I Archiving:
Properly archive personal data that must be retained for legal or business reasons.




VII. Appropriate Use of Information Technology Systems
I Acceptable Use Policy (AUP):
Establish and enforce an Acceptable Use Policy for information technology systems, outlining acceptable and unacceptable uses of company IT resources. Include provisions on email use, internet access, software installation, and data storage. Require employees to acknowledge and adhere to the AUP.

I Monitoring:
Implement monitoring mechanisms to ensure compliance with the AUP.

I Mobile and Remote Work:
Define policies for secure mobile and remote work, including the use of secure connections (VPN) and guidelines for handling personal data outside the office.




VIII. Business Continuity and Disaster Recovery
I BC/DR Plan:
Develop and maintain a Business Continuity and Disaster Recovery (BC/DR) plan to ensure the resilience and availability of critical business functions.

- Identify Critical Systems and Data:
Identify and document all critical systems essential for business operations, including IT infrastructure, communication systems, and key business applications. Identify and classify critical data necessary for business operations, such as customer data, financial records, and operational documents.

- Establish Backup and Recovery Procedures:
Implement regular data backup procedures to ensure all critical data is backed up securely and consistently. Develop detailed recovery procedures for all critical systems, including step-by-step instructions for restoring systems and data.

- Regularly Test and Update the BC/DR Plan:
Conduct regular tests of the BC/DR plan, including simulated disaster scenarios and actual recovery exercises. Regularly review and update the BC/DR plan to reflect changes in business operations, technology, and regulatory requirements.

I Incident Response Integration:
- Integrate incident response procedures into the BC/DR plan to address data breaches and other security incidents.
- Develop a detailed incident response plan that includes:
1. Identification and classification of incidents.
2. Initial response and containment measures.
3. Investigation and analysis of incidents.
4. Communication and notification protocols.
5. Recovery and remediation actions.

I Post-Incident Review:
Conduct a post-incident review after each significant incident to assess the effectiveness of the response and identify areas for improvement.




IX. Information Security Practices and Access Controls
I Security Policies:
Develop and implement comprehensive information security policies that address access control, data encryption, network security, and incident response.

I Access Control Measures:
Use role-based access controls (RBAC) to ensure that employees only have access to the data necessary for their job functions.

I Employee Training:
Provide regular training to employees on information security best practices, phishing awareness, and secure data handling.

I Incident Management:
Establish procedures for reporting and responding to information security incidents, including unauthorized access, data breaches, and malware infections.




X. Disclosure to Governmental and Law Enforcement Authorities
I Legal Requirements:
Disclose personal data to governmental or law enforcement authorities only when required by law.

I Minimization:
Limit the scope of data disclosed to what is strictly necessary to comply with the legal request.

I Transparency:
Inform data subjects about data disclosures to governmental or law enforcement authorities, unless prohibited by law.




XI. Data Incidents/Breaches
I Definition and Scope:
A data incident or breach refers to any unauthorized access, disclosure, alteration, or destruction of personal data that compromises the confidentiality, integrity, or availability of the data. This policy applies to all data incidents and breaches involving personal data processed by SAMAConnect SAL, including those affecting employees, clients, and partners.

I Incident Identification and Reporting:
- Implement systems and tools for detecting potential data incidents and breaches, such as intrusion detection systems, monitoring software, and user activity logs.
- Establish clear procedures for reporting data incidents and breaches, including a dedicated email address, phone number, and online incident reporting form. Require employees, contractors, and partners to report any suspected data incidents or breaches immediately to the IT department or Data Protection Officer (DPO).

I Incident Response Team (IRT):
- Form an Incident Response Team (IRT) comprising key personnel from various departments. Assign specific roles and responsibilities, such as incident commander, technical lead, legal advisor, communications coordinator, and HR representative.
- Provide specialized training for IRT members on incident response procedures, forensic analysis, and communication protocols.

I Incident Response Procedures:
- Conduct an initial assessment, implement containment measures, and conduct a thorough investigation to determine the root cause of the incident.
- Develop detailed recovery procedures and verify the integrity and functionality of restored systems and data before resuming normal operations.
- Conduct a post-incident review to evaluate the effectiveness of the response, identify lessons learned, and implement improvements.

I Notification and Communication:
- Notify senior management and relevant stakeholders about the incident, providing regular updates on the response and recovery efforts.
- Notify affected individuals promptly, providing clear and concise information about the breach, the potential impact, and steps they can take to protect themselves. Report the incident to relevant data protection authorities within the required timeframes if mandated by law.
- Prepare and execute a communication plan for addressing media inquiries and public concerns.

I Documentation and Record-Keeping:
Maintain a detailed incident log and create comprehensive incident reports for each significant incident. Store incident reports securely and ensure they are accessible to authorized personnel for future reference and audits.

I Continuous Improvement:
Conduct regular audits of incident response practices and use the results to continuously improve incident response procedures. Provide ongoing training and awareness programs for employees on identifying, reporting, and responding to data incidents and breaches.

I INFORMATION SECURITY MANAGEMENT SYSTEM

INTRODUCTION
Information is considered one of the most critical assets of SAMACONNECT SAL and is comparable with other company assets in that there is a cost in obtaining it and value in using it. Its loss, misuse or breach can be costly and illegal. The intent of this policy is to maintain and protect the information assets of the company.

In addition, the main objective followed by SAMACONNECT SAL, in a world that is getting more connected through technology developments with ever increasing dependencies on information, is to establish and maintain adequate and effective security measures for clients and users to ensure that the confidentiality, integrity and availability of information is not compromised.

It is fundamentally important that the information systems where this information resides are fit for purpose, in order to consistently build and maintain trust with customers, partners, stakeholders and employees and to safeguard the SAMACONNECT brand and reputation. This document describes the policy and procedures for protecting information and preventing any unauthorized disclosure, breach, modification, non-privileged access, misuse, and illegal destruction.




I. COMPLIANCE WITH ISO 27001/27002
SAMACONNECT addresses the requirements of the ISO/IEC 27001:2013 standard which is an internationally recognized standard that sets out requirements for information security.

It also aligns with ISO/IEC 27002:2013, which accompanies the standard and sets out the code of practice for information security controls that enable the requirements to be achieved.

The decision to use an established standard for the baseline is to:
- Enable SAMACONNECT to benchmark the controls operating and have a structured approach to achieve ‘best in class’ status.
- Enable SAMACONNECT to quickly assess and incorporate 3rd party providers’ operating controls into those of SAMACONNECT.




II. INFRASTRUCTURE SECURITY
- The infrastructure must at all times preserve the confidentiality, integrity, and availability (CIA) of information.
- Components are set up to protect the data being stored, accessed, or transmitted.
- Create accountability within the network and other computing resources to which individuals have access.
- Ensure that all critical functions of the infrastructure are documented and have operational processes and disaster recovery plans to provide continuity of operation.
- Follow established standards for all infrastructure components (physical or virtual) containing SAMACONNECT information.
- In addition to the IT Security team, each individual user is responsible for the information technology equipment and resources under their control.
- Physical and electronic access to our buildings and data centers is monitored.




III. NETWORK SECURITY
On our end and with our network security partners, we commit to maintain the confidentiality, integrity, and availability of information and information systems, and to ensure that they are managed effectively and lawfully.

- Network devices and components are inventoried
- Communications within the system and between interconnected systems are mapped
- Data flows between interconnected systems are mapped
- Network integrity is protected
- Communications and control networks are protected
- A baseline of network operations and expected data flows for users and systems is established and managed
- Incidents on Network are communicated to appropriate parties




IV. ENDPOINT SECURITY
The practice of endpoint security consists of securing a user's computer or device against both internal and external threats from the internet. The goal of endpoint security controls is to reduce the attack surface and minimize the risk of network infiltration and compromise.

- By supporting industry leading practices, security policy dictates the type of endpoint configuration required
- Apply best security practices as per this policy for Endpoint devices
- Apply security updates as per this policy for Endpoint devices
- Application whitelisting is applied on endpoints
- Asset inventory is reported and updated on a regular basis, including details of hardware, operating systems, applications, and configuration changes
- All endpoint updates, patches, and configurations will go through the change management procedure.
- Security applications are installed to ensure the right protection for endpoints
- Detection of unprotected endpoints is performed by the IT Security Team.
- Identify, track, and detect abnormal behaviors or malicious activities
- Apply any required security or encryption standards necessary to protect endpoints that are identified as storing sensitive or confidential institutional data.
- Manage reuse or final disposition of expired, obsolete devices, and unwanted endpoints in a secure manner and appropriately treat the stored information on these endpoints.




V.SECURITY MONITORING AND OPERATIONS
With the constant change in technology and cyber threats, monitoring is an ongoing activity to protect the company from data breaches and ensure compliance with regulations.

- Security logs are determined, documented and reviewed
- Cyber threat information and Event data are collected from multiple sources
- Correlation rules are updated continuously to keep up with the changing threat landscape
- Latest operating systems, applications, and device information are checked
- Accurate list of hosts and components is defined
- Vulnerability assessment is performed
- Continuous vulnerability monitoring of devices on the network is performed
- Network access and user authorization is reviewed
- User and device behavior is monitored for anomalies
- The Network is monitored to detect potential cybersecurity events
- The physical environment is monitored to detect potential cybersecurity events
- Personnel activity is monitored to detect potential cybersecurity events
- External service provider activity is monitored to detect potential cybersecurity events
- Event detection information is communicated to appropriate parties
- In case of an alert, the IT Security Team will execute response actions
- In case of an incident/breach, the Incident Response Team will execute response actions
- Detection processes are continuously improved and tested.




VI. INCIDENT HANDLING AND RESPONSE
I PREPARATION:
- List of assets is compiled
- Assets are classified and ones that hold critical and sensitive data are identified
- Security events that should be investigated are determined
- Response plans are prepared and managed
- Roles and responsibilities of personnel in case of an incident are defined.
- An incident emergency contact list is prepared with phone numbers, mobile numbers, emergency contact numbers, email addresses, public keys, etc.

I DETECTION AND ANALYSIS
- Events data is collected from systems, security tools, and publicly available resources
- Notifications from identification precursors and indicators are investigated
- Determine whether an incident has occurred
- The investigation and gathered evidence are documented
- The impact of the incident is understood
- Prioritize handling the incident based on the relevant factors
- Report the incident to the appropriate internal personnel and external organizations

I CONTAINMENT, ERADICATION, AND RECOVERY
- Evidence is acquired, secured and documented.
- Incident is contained
- Vulnerabilities that were exploited are identified and mitigated
- Malware and inappropriate material are removed
- Affected systems are returned to operation state
- Normal functionality of affected systems is confirmed
- Additional monitoring to look for future related activity is implemented

I POST-INCIDENT ACTIVITY
- Follow up report is created
- Lessons learned are recorded and, if necessary, a lessons-learned meeting is held
- Recovery plan is updated
- Recovery strategies are updated
- Reputation is repaired




VII. DATA SECURITY
All data storage, processing, transfers, and disclosures comply with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

- Access to data is limited to business need-to-know and segregation of duties
- Disclosures/transfers of data to third parties are managed in line with data protection legislation
- Data processing logs are kept
- Periodic audits and performance reviews are performed
- Privacy and security controls are implemented and reviewed
- Privacy awareness is an ongoing education at the company




VIII. DATABASE SECURITY
Database security doesn’t mean only the roles and responsibilities of the DBA, or database administrator, but also user access, provisioning, auditing, and policy enforcement.

- Sensitive data is encrypted in all states.
- Updates are installed once available.
- Access is limited by IP access list and User access control.
- Backups are encrypted and stored on a separate network storage device.
- Critical data is available for recovery
- For audit purposes, access is logged.




IX. APPLICATION SECURITY
We work on our end, with our development partners and solution providers, to prevent, detect and correct security weaknesses during the development and acquisition of applications and while using existing applications and APIs.

- Development, testing and production environments are separated
- Security measures in the software development life cycle are ensured
- Applications and APIs must pass the application security assessment before being released into production
- Routine checks for data leakage are performed
- Security assessment of applications and APIs is periodically performed




IMPROVEMENT CONTINUITY
SAMACONNECT is committed to continuously improving its ISMS effectiveness and compliance with ISO 27001/2 requirements. SAMACONNECT accomplishes this through regular management reviews and addressing risks that may adversely affect the ISMS.

Last edited 17/11/2025