06 – Security & Privacy Practices

POS SYSTEMS AND AUTOMATION FOR HOSPITALITY

Security & Privacy Practices

SECURITY PRACTICES

BMyIT is responsible for the security measures set out in the Managed Services Agreement, and shall maintain and implement the following technical and organizational measures in relation to the security of the Customer Configuration. Customer remains the primary system/account administrator and is responsible for the integrity, security, maintenance and appropriate protection of Customer Data by:

(i) selecting and purchasing appropriate security Services;

(ii) implementing appropriate encryption and logical access controls; and

(iii) maintaining appropriate application security controls.

Certain BMyIT services are available to help Customers meet these requirements.

Physical Security – Data Centers

The following physical security controls apply to Customer Data residing in data center or office premises either owned or leased by BMyIT or its Affiliates in connection with the provision of Services to Customer (and expressly excludes third party hosting Services):

A. Servers and devices dedicated to Customer’s use as part of the Customer Configuration provided by BMyIT will be located in a controlled access data center (or portion thereof) either operated by or dedicated to use by BMyIT or its Affiliate.

B. BMyIT operates or audits the use of an electronic access control system which logs access to physical facilities.

C. Access to the raised production floor of the data halls will be restricted to BMyIT employees or its agents who need access for the purpose of providing the Services. Access within data center facilities is in zones and provisioned based on physical access rights required by a given individual. Access to designated “meet me” rooms will be available to customers, subject to data center escort policies.

D. The data center will be monitored by video surveillance, recording to a centralized location, and viewed by the onsite security force.

E. BMyIT limits access to physical facilities to authorized individuals by approved security authentication methods.

F. Except as specifically stated in the Agreement, BMyIT will not relocate the Customer Configuration from a BMyIT data center in one country to a data center in another country without Customer’s express written permission.

G. Following the termination of the Agreement or a Customer Configuration, BMyIT will wipe data from those hard drives and storage devices dedicated to Customer use prior to re-use.

Security Controls Audits & Reporting

BMyIT may engage qualified third party auditors to perform examinations of its systems and services in accordance with the best practice recommendations of ISO 27001 for the purpose of auditing BMyIT’s compliance with SSAE 18 compliance frameworks and the AT 101 compliance framework (based upon select Trust Services Principles); and/or equivalent industry standards.

BMyIT’s SOC report(s) or suitable equivalent standard(s) as specified by BMyIT is available to Customer upon Customer’s request subject to BMyIT’s SOC distribution requirements. Not all BMyIT Services are included in the scope of the SOC report(s) or audits described in this Section, for details Customer should contact the BMyIT account manager.

Administrative Controls

A. Screening.

BMyIT will perform pre-employment background screening of its employees who have access to Customer’s account, and is committed to employee supervision, training, and management.

B. BMyIT Access.

BMyIT will restrict the use of administrative access codes for Customer’s account to its employees and other agents who need the access codes for the purpose of providing the Services. BMyIT personnel who use access codes shall be required to log on using an assigned username and password.

C. Customer Access.

As the primary system administrator, Customer is responsible for the management of their account, including creation, change management, and termination, and enforcement of related remote working and password controls.

Payment Card Industry – Data Security Standard (PCI-DSS)

With respect to the security of cardholder data, as that term is defined in the Payment Card Industry – Data Security Standard, which BMyIT may possess or otherwise store, process or transmit on Customer’s behalf, BMyIT agrees to provide (i) those physical, technical, and administrative safeguards described in the Agreement and (ii) the Services selected by Customer and described in the Agreement; provided that Customer remains responsible for ensuring all PCI-DSS requirements are met with respect to such cardholder data. BMyIT maintains PCI-DSS Service Provider, or equivalent, accreditation with regards to dedicated hosting Services (excluding managed virtualization services).

Reports of and Response to Security Breach

BMyIT will report to Customer as soon as reasonably practicable in writing and in accordance with applicable law, of a material breach of the security of the Customer Configuration which results in unauthorized access to Customer Data resulting in the destruction, loss, unauthorized disclosure or alteration of Customer Data of which BMyIT becomes aware. Upon request, BMyIT will promptly provide to Customer all relevant information and documentation that BMyIT has available to BMyIT regarding the Customer Configuration in connection with any such event. BMyIT shall be under no obligation to notify routine security alerts in respect of the Customer Configuration (including pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents) save as otherwise specifically set out in the Agreement.

Customer Data Return

The Services enable Customer to retrieve, correct, or delete Customer Data. Depending on the Services, Customer may not have access to the Customer Configuration or Customer Data during a suspension of Services, or following the termination of the Agreement. Customer is responsible for retrieving a copy of Customer Data prior to the termination of the Agreement. BMyIT may delete Customer Data at any time following termination of the Agreement.

PRIVACY PRACTICES

Customer and BMyIT will comply with applicable laws in relation to their collection and processing of any Sensitive Data in the provision and use of the Services. If and to the extent the Australian Privacy Laws and the EU Directive 95/46/EC or the EU General Data Protection Regulation (EU) 2016/679 (together with any transposing, implementing, or supplemental legislation “GDPR”) applies to the processing Personal Data (as defined in the GDPR) BMyIT will process Personal Data only in accordance with Customer’s instructions, except as required by applicable law, and Customer acknowledges that this Agreement, together with Customer’s configuration and use of the Services, represents its complete instructions to BMyIT on the processing of such Personal Data.