INFORMATION SECURITY POLICY

Purpose

This Information Security Policy provides an overview of the security controls developed by EGG to ensure that all staff, tools and services comply with rules and guidelines related to security and confidentiality.

The language of notification, alert, use and others regarding the treatment of data expressed in this document on the rights of users, are automatically displayed in the language of origin of the user in question.

Organization

EGG has defined an organizational structure with reporting lines, authorities, and responsibilities for the development, implementation, operation, maintenance, and monitoring of the systems related to security and confidentiality.

EGG Compliance Director acts as the primary responsible of EGG's system controls.

This policy will be reviewed at least once a year and when there are changes that may affect corporate management with respect to Information Security.

All staff are responsible for information security and therefore must understand and comply with this policy and associated documents. Failure to do so may result in disciplinary action.

This policy was established and approved by EGG’s Leadership team on 01/2022.

Policies

New employees and contractors

The People & Culture Area acts as responsible for developing, implementing, maintaining, and monitoring the process affecting security and confidentiality, according to the new Employees/contractors.

Before new employees or contractors are granted access to any resource of the company, they must sign copies of all the documents listed in the On boarding checklist as a part of the hire onboarding process.

Privacy and conditions

EGG privacy policy and conditions to external users are available on our Private Policy website

Because of changes in business and technology, EGG may need to modify the Privacy Policy on its Public Website.

Access control

EGG applies logical access controls to ensure that data and equipment are secure and can only be accessed by authorized personnel.

All network and system access requires a unique network user ID and password for identification and authorization purposes.

Shared accounts are prohibited. Single sign-on method and two factor authentication are implemented to access EGG systems.

EGG conducts access reviews quarterly to ensure that each role has adequate access to data and information systems.

All accesses are disabled according to what is indicated in the off boarding policy.

Access to the production environment and data are controlled and limited only for the EGG Technology area. The accesses are managed with the Google authentication system.

EGG enforces 2-factor authentication for EMPLOYEES and CONTRACTORS using Google 2FA with either SMS notifications or Google Authenticator.

Software development

EGG has a development process based on the agile methodology Scrum that uses Git to manage code and work items through sprints with objectives defined.

Software changes are tracked in Git, code reviewed and tested in a test environment before release to production. These test environments and production are physically and logically separate environments. System enforced segregation of duties exists between developers generating the code and developers releasing changes into the production environment.

EGG software development team are following OWASP Top10 guidelines for secure code development.

Production systems

EGG platform is hosted on Amazon Web Services. Network and operational security controls are implemented as part of the security standards requirements. Notifications for the third party providers are evaluated for potential risk.

Penetration testing is performed at least once per year. Results are reviewed by management and tracked through resolution as part of its Risk assessment procedure.

Logging and analysis

EGG platform logs every transaction using Segment.io which persists every event sent in a Data Warehouse which is managed by AWS and backed up every hour with monthly snapshots. EGG platforms also keep a special log entry for detecting unsuccessful logging access attempts.

Log reviews are conducted quarterly to determine if a particular event has been previously logged in the different reviews. If during this initial investigation there's an event that does not fit the normal profile, it should be flagged and a more detailed investigation is required. During an investigation, it might be necessary to gather information from other sources such as change management systems, anti-malware, and IDS, among others.

Data in transit

EGG uses Grade A+ transport-level security (as measured by ssllabs.com) to encrypt data in transit with TLS1.3.

External user passwords for the customers signing up directly with EGG are stored hashed and salted within the database and these cannot be decrypted.

Data retention

All user data is retained as long as it exists as a user and is encrypted at rest with AES-256.

Backups

Users Data backup process consists of a full database backup every 24 hours, we keep 20 days of those. These backups are stored in S3. Client data only resides in the production environment encrypted at rest with AES-256. Backup Data is encrypted using AES-256 with automatic key management and provisioning as it's allowed by S3 Storage Encryption at rest mechanism. Encryption is enforced at the Storage level.

Subprocessors security

EGG uses certain SubProcessors to assist in providing the services; these service providers may store and process personal data.

The list of SubProcessors and their functions within EGG are available to anyone who requests it. EGG reserves the right to remove, amend, change or add SubProcessors.

Data removal

User agreements state that students might request total or partial data removal at any time. This request can be executed by authorized personnel only and the sender must be a valid user account with administrative rights on the team the user is trying to delete.

The student is notified, through the same ticket used for data removal requests, immediately that her request for data deletion has been completed.

Antivirus

EGG installs the antivirus software ESET on all Technology computers; the IT area performs monitoring to ensure that all Antivirus clients are updated.

The information stored on local disks is secured by encryption with ESET FDE.

Training and awareness

EGG Security Awareness Training is a formal process for educating employees and contractors about computer security and the correct use of information.

Third party

Where there is a business need to disclose any sensitive information of EGG to third parties (such as business partners and contractors), or grant third parties access to sensitive information, the Area Director executes a confidentiality agreement or an agreement that incorporates confidentiality provisions.

Information classification

EGG implements appropriate information classification controls, based upon the results of formal risk assessment.

Reporting incidents

Reporting information security incidents related to: breaches, failures, concerns, and other complaints are described in the incident management policy including guidance on escalation and resolution.

Risks management

Risk assessments are performed periodically to identify threats and vulnerabilities for the in-scope systems. Mitigation strategies are discussed based on the results of the risk assessment. The Risks management policy mandates an annual review of the risk assessment and update to the implementation plan, policies, and procedures to address changes that could affect the system.

Monitoring

Compliance with the policies and processes descripted in this document are monitored with independent reviews by both Internal and External Audit on a periodic basis.