CLOUD SERVICE POLICY

1. INTRODUCTION

This document outlines the Information Security agreements for contracted Cloud services and the information to be provided by Lascaux srl (hereinafter referred to as the “Provider”).

2. SHARED RESPONSIBILITY FOR INFORMATION SECURITY

With regard to the assumption of responsibility for the roles that ensure information security, and in particular for the following activities (where applicable):

  • System and device hardening;
  • Backup;
  • Cryptographic controls;
  • Management of technical vulnerabilities;
  • Incident management;
  • Environment segregation;
  • Service monitoring and log collection;
  • Protection of information upon contract termination;
  • Authentication and access control.

It is agreed that both the Client and the Provider are responsible, each for their own areas of competence, as contractually defined. As a general principle, the responsibility for carrying out the activities that ensure Information Security lies with the party holding the passwords of the accounts with administrative privileges over the environments to be secured.

3. PROTECTION OF INFORMATION

The object of the Agreement is the provision of the AskMe.It Service, in the type, with the methods, technical characteristics, limitations, and at the economic conditions in force at the time of its conclusion and published on the website www.askme.it.

3.1 GUARANTEES

The Provider guarantees to its Clients, in addition to the implementation of appropriate measures for the protection of personal and special data required by the EU Regulation 679/2016, the adoption of a set of suitable measures for the protection of all data, including the adoption, application, and certification of compliance with the voluntary security standard ISO/IEC 27001:2013 “Information technology – Security techniques – Code of practice for information security management” and compliance with the following guidelines:

  • ISO/IEC 27017:2015 “Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services”;
  • ISO/IEC 27018:2019 “Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors”.

Further information is provided with particular reference to the following controls:

  1. Authentication and Access Control

    Access to the Service provided by the Provider is guaranteed through the personal credentials of the Users. The chosen credentials must comply with the security criteria enforced by the system and are stored in the Provider’s database through appropriate encryption mechanisms that guarantee their confidentiality. The user account associated with these credentials is granted permissions strictly necessary for viewing and modifying the data within the User’s competence.

  2. Cryptographic Controls

    Data transmitted from the user’s browser to the Provider’s server delivering the Service is protected by the HTTPS protocol. If, during the provision of the service, fields containing sensitive or special data are explicitly identified, appropriate at-rest encryption mechanisms may be defined. All criteria mentioned herein are valid for Production environments where the service is installed. Consequently, test environments should not be used to store real personal data.

  3. Technical Vulnerability Management

    Technical vulnerabilities are managed on a cyclical basis through an instrumental vulnerability detection process on assets (with a frequency proportional to the exposure level of the assets), input from vendors and interest groups in contact with the technical competence centers, as well as possible triggers from monitoring tools or user reports.

    The communication and remediation of technical vulnerabilities always follow a procedure agreed between the parties and defined during the transition phase (change management) and in any case are determined by the severity of the vulnerabilities.

  4. Virtual Machine Hardening

    Hardening activities on virtual machines are performed by the Cloud Service Provider (Provider) in accordance with its internal Policies.

  5. Sharing of Roles and Responsibilities

    The roles and responsibilities regarding the provision of services offered by the Provider are described in the document “General Terms and Conditions of Sale,” which constitutes an integral part of the Contractual Documentation.

  6. Environment Segregation

    Data segregation among the different tenants managed by the Service and the access allowed to the users of the Service is guaranteed through appropriate control mechanisms, defined according to the Provider’s development Policies.

  7. Service Monitoring

    To ensure the proper functioning of the service, the application and all the resources allocated to it are constantly monitored to verify compliance with the agreed SLAs and to allow timely intervention in the event of Service interruptions.

  8. Data Retention

    The Provider guarantees the secure retention of user data and, as required by the GDPR, deletes such data once the purposes for which it was collected have been fulfilled. Unless otherwise agreed with the Service Client, the Provider deletes the personal and special data of Service users after four years of inactivity.

3.2 INFORMATION PROCESSING

The information entrusted to the Provider is processed by the Provider on behalf of the Client according to the applicable jurisdiction, which is European and Italian. The processing is carried out solely and exclusively for the contractual purposes, unless otherwise specified in explicit agreements with the Client. In particular, the Provider undertakes not to use the information for commercial purposes other than those provided for in the Privacy Notice without the Client’s explicit authorization, and declares that such authorization shall never constitute a prerequisite for the provision of its services.  

The information is hosted in Italy, within one or more of the Aruba Datacenters (unless otherwise explicitly agreed with the Client). Processing activities are carried out exclusively by qualified personnel, formally appointed in accordance with Privacy regulations and duly instructed for that purpose.

3.3 INFORMATION DISSEMINATION

In the event of a request from Judicial or Administrative Authorities (e.g., Police, Carabinieri, Guardia di Finanza, Judiciary) for the delivery of information entrusted to the Provider by the Client, the Provider shall promptly notify the Client of such request, except where prohibited by the Authority itself.

The Provider does not control or monitor the information and/or data and/or content entered into the infrastructure by the Client or by any third parties authorized through such infrastructures; in any case, Lascaux is and remains unrelated to the activities carried out independently by the Client and/or any third parties authorized by the Client, when accessing remotely via the Internet through their access credentials to their respective virtual infrastructures.

In any event, once the Client has gained access to the Service, the Client shall be the sole Data Controller, pursuant to Legislative Decree 196/2003 and European Regulation No. 679/2016 (GDPR), of any data entered and/or processed within such infrastructures.

3.4 INCIDENT NOTIFICATION

The Provider undertakes to promptly notify the Client of cybersecurity incidents (data breaches) that involve or result in:

  • Unauthorized access;
  • Data loss;
  • Data alteration;
  • Improper disclosure of data.

Such incidents may be detected through monitoring and control tools or via reports.

Notification shall be made by email (to the contact indicated by the Client), normally no later than the day following the detection of the incident. After its closure, an Incident Report describing the event and the actions taken shall be sent to the Client.

The Client may report any anomalies detected in the purchased services via the customer.lascaux.it Portal. The Provider shall be required to resolve the reported problems based on the SLAs specified in the relevant document, available for download from the customer.lascaux.it portal.

3.5 USE OF SUB-SUPPLIERS

The Provider does not foresee the use of sub-suppliers in the provision of Cloud services. Any use of sub-suppliers in the provision of contracted services is subject to the Client’s explicit consent (in the form of a signed letter), and the Client must be informed of:

  • the name of the sub-suppliers,
  • the country/countries in which the information processing activities are carried out.

When requesting such consent, the Provider guarantees that it has extended to the sub-supplier (or to the peer service provider) the information necessary to ensure compliance with Information Security regulations, and that the sub-supplier has undertaken to comply with them.

3.6 BACKUP AND RESTORE

Client data backup is intended to allow restoration in the event of adverse events. The backup/restore service is always provided by the Provider to the Client, except in cases where, due to the nature of the service or by contractual stipulation, the Client is responsible for it independently.

Where due, backup of Client data is guaranteed in duplicate copies for all data, performed incrementally from Monday to Friday and as a full backup on Saturday and Sunday. Any exceptions requested by the Client may concern “non-production” environments or data.

Originals and backup copies are stored in different locations, and data transfer to an alternative location occurs only under cryptographic protection in case of transport on magnetic media. Unless otherwise contractually agreed, the initiation of data restore activities in case of an incident is always guaranteed, at the latest, within the following business day after the event requiring restoration. The total duration of the restore activity depends on the volume of data to be restored.

3.7 TERM AND TERMINATION

The Agreement governs the provision of the Service to the Client starting from the date of its execution. The Agreement shall remain in force until the expiry of the AskMe.It Service purchased by the Client, with the right of withdrawal for each Party to be notified to the other Party in accordance with the agreed procedures. Upon termination of the Agreement, Lascaux shall deactivate the Service.

Without prejudice to the provisions of the other documents forming part of this Agreement, the Client acknowledges and accepts that, upon the expiry of the Service and, in any case, upon termination of the Agreement for any reason whatsoever, the Parties shall be automatically released from their respective obligations. The Client further acknowledges and accepts that it is the Client’s sole responsibility to obtain and maintain a copy of the data and/or information and/or content processed through the Service(s), it being understood that once the Agreement is terminated or the Service has expired, such data and/or information and/or content may no longer be recoverable.

In any case, the Client hereby releases Lascaux from any and all liability for any total or partial loss or damage to data and/or information and/or content entered and/or processed by the Client through the Service(s). The restoration of such data and/or information and/or content entered and/or processed by the Client shall remain the sole responsibility of the Client, subject to reactivation of the relevant Service, if necessary by entering into a new Agreement.

3.8 INTELLECTUAL PROPERTY

The software, as well as any other copyright or other intellectual property right, is the exclusive property of Lascaux and/or its licensors; therefore, the Client does not acquire any right or title in this regard and is required to use them only for the duration of the Agreement. In the case of Licenses and Services provided by third-party providers through Lascaux, the Client, for itself and/or for third parties to whom it has granted permission to use the Service and the License, acknowledges having reviewed the applicable terms and undertakes to use them in accordance with the conditions indicated on the respective websites, exclusively for its own personal use.

The Client undertakes to accept and respect intellectual and/or industrial property rights as set forth in the Service Use Policy. The Client further declares to be aware that the Licenses and Services are concluded between the Client and the holder of the related copyright, with the exclusion of any liability on the part of Lascaux. The Client is expressly prohibited from marketing the Software, the Service, and/or the License as an agent, reseller, dealer, distributor, Lascaux licensee, or in any other capacity, and, in any case, from marketing or using them as if they were Lascaux services. The Client is further prohibited from using Lascaux’s trademarks and/or images and/or promotional material, and more generally, any intellectual and/or industrial property rights used by or belonging to Lascaux.
