Cloud Security Statement

1. Overview

Obaro Retail (Pty) Ltd, registration number 1998/001675/07, (hereafter referred to as “Obaro”) is hosted and delivered by DiaMatrix PTY (Ltd) (www.domains.co.za) (hereafter referred to as “Cloud Provider”). While the Cloud Provider is responsible for the security of its actual data centres and hosting platforms, Obaro is responsible for managing, maintaining, and securing the website/s content, and registered user information (Client Information, Personal Information and Personally Identifiable Information).

A core focus of our Cloud Security Strategy aligns with our organisational Information Security Management System (ISMS) and focusses on the following key controls areas.
• Confidentiality – Data is only accessed by those with the right to view the data.
• Integrity – Data can be relied upon to be accurate and processed correctly.
• Availability – Data can be accessed when needed.

2. Facilities and Architecture

The Obaro Corporate Website and Obaro Online Store is designed for redundancy and the expectation that failures will happen. Our websites and applications are stored in secure environments, completely managed by a first-class cloud vendor DiaMatrix Pty Ltd.

The Cloud Provider is responsible for the data centres that host the Obaro Corporate Website and Obaro Online Store. For more information about security at those data centres, please go to the appropriate links below:

Obaro Corporate Website and Obaro Online Store is currently hosted in South Africa (http://www.diamatrix.co.za/contact).

3. Certification

The Cloud Provider is responsible for managing the security of the cloud. They have been certified by third-party organisations and are compliant with the applicable laws and regulations. The list of such certifications and compliance statements can be found in the links below:
http://www.diamatrix.co.za/accreditations

Obaro Corporate Website and Obaro Online Store are subject to strict information security assessments, conducted by independent third parties, to ensure compliance with security standards such as the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) before public release.

4. Data Storage

Access to data at rest is cryptographically secured using industry-standard encryption. Additionally, all communications with the Obaro Corporate Website and Obaro Online Store are protected with HTTPS using TLS.

5. Data Backups

Customer data is backed up daily and stored in an encrypted state.

6. Data Retention

Customer information and data (Obaro Online Store) is retained indefinitely while you are our customer. In the event that you opt to deregister as a user / customer from the Obaro Online Store, one month later your data is moved into a secure storage archive and removed from production database. As a part of our effort of not storing unnecessary data too long the data is then removed from the archive when one year has passed from you deregistering as a user / customer from the Obaro Online Store.

7. People and Access

Within Obaro, only a few trusted members of our web development team have access to the production environment for the purposes of maintaining our cloud services and assisting our customers. Additionally, we monitor all access to the Obaro Corporate Website and Obaro Online Store.

Customers are responsible for maintaining the security of their own login information.

8. Information Security Incident Management

Every care is taken by Obaro to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security.

8.1 Definition
An incident in the context of this Cloud Security Statement is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberatly, and has caused or has the potential to cause damage to the company’s information, assets and/or reputation.

An incident includes but is not restricted to, the following:
• Loss or theft of confidential or sensitive data or equipment on which such data is stored.
• Attempts (failed or successful) to gain unauthorised access to information or system(s)
• Unauthorised disclosure of sensitive / confidential data
• Human error

8.2 Overview of Information Security Response Plan
The Obaro information security incident response plan consists of the following:
• Confirm the Incident.
• Contain the Incident.
• Assess Risks and Impact.
• Report the Incident.
• Resolve the Incident and provide a post-mortem report.

9. Privacy

In-line with the Protection of Personal Information Act 4 of 2013, Obaro understands the importance and is committed to ensure the privacy of your personally identifiable information. For more information, please see our Privacy Policy.

10. Reporting Issues

At Obaro we take any reports of vulnerabilities seriously. If you encounter a security issue with any of our online services, please report it to [email protected]. We have an internal SLA for responding to such issues and are committed to addressing security issues promptly.

Please note that it is against our Information Security Policy to run automated security scanning tools against our system without prior approval.