Personal Data Security Policy

A. For ordinary website visitors:

The personal data collected are further categorized into the data of ordinary visitors and the data of the users of the website services, as follows: During your navigation on the website, data is collected about the use of the website ("usage data") for purposes of analyzing the use and monitoring and improving the website and the services provided. Usage data may include your IP address, geographic location, browser type and version, operating system, referral source (from which page you arrived at the website), duration of visit, page views and navigation paths of the website, as well as information about the timing, frequency and manner of use of the website and its services by you. The source of the usage data is Google Analytics. How Google Analytics collects and processes data can be found here: www.google.com/policies/privacy/partners/.

The above personal data of website visitors is limited to the information required for the operation and improvement of this website and our services in accordance with the applicable personal data legislation. The Company collects and processes data exclusively for the purposes of the legal and proper operation of the website and to offer visitors and users of the website the best possible user experience.

B. For corporate customers:

In the context of using the website, personal data is collected and processed in the event that the Customer expresses interest (i) in any of the Company's products (ii) for cooperation with the Company and (iii) for communication with the Company.

In particular, in all the cases under (i) to (iii) above in which the Customer, a natural or legal person, expresses an interest in some of the Company's services, data is collected which, depending on the type of business, may also be personal data and which include the following: company name, contact person, management details, postal code, telephone numbers, email, activity. The above personal data of the users of the website services are used by the Company in order to contact you for the purposes of information about its products and services.

C. as Responsible and Executor of the Processing, in accordance with the EU General Data Regulation. 2016/679

1. Clarifications on the processing of personal data of Customers
2. By purchasing services/products made by the Customer through his communication with the Company, he declares that he wants the Company to undertake on his behalf the completion of a task or the mediation between the Client and a third party for the completion of a task in the capacity of the Company as a provider of internet services and software applications.
3. The Company, based on the information/data declared by the Customer on its website/order form, should include him in a homogeneous category and calculate, based on his statements, the appropriate and proportional product/service for the Customer. In order to do this, it is necessary for the Customer to declare the specific categories of personal data of its customers to which the Company will gain access for the provision of specific services and support and which will be indicated in the relevant fields of the order form. These data are objectively essential for the fulfillment of the purpose and the operation of the service provided. Correct and complete information on the information requested by the Company constitutes an obligation of the Customer. It is possible that inaccurate or incomplete information on the information requested by the Company may establish the right to request the Company even to cancel or terminate the service provided at any time.
4. For as long as the service contract remains in force, the Company will process the data of the Customer or customers following a specific, case-by-case order that is necessary for its operation, based on the express consent granted by the Customer herein stage through the service/product order or at any other subsequent stage.
5. After the Customer places the software/service order, completed in all fields, the Company will proceed, for the reasons mentioned above, in each act or series of acts of processing the Customer's data and with the help of automated means such as e.g. collecting, registering, organizing, correcting, storing, adapting, changing, retrieving, searching for information. The Company also uses automated means to complete the order and provide the service. With through these automated means, the Company can make decisions more quickly, with greater precision, transparency and consistency. However, in these cases, regular relevant checks are carried out by competent employees of the Company.
6. The Company, in the context of protecting its legal interests, frequently carries out checks, through certified automated means, for reasons of preventing fraud against it or the leakage of personal data of Customers or other third parties.
7. The Company will keep the Customer's data for as long as a contractual relationship is maintained between them, both in paper form as the case may be, and in electronic form. In the event that, for any reason, this is interrupted, the Company will keep them for as long as is required until the statute of limitations for any related claims expires. However, in any case the Company will keep the data for a period of up to one (1) year from the end of the cooperation between them.
8. The Customer may exercise, as the case may be, the following rights: the right of access (to find out which of his data we process, why and their recipients), rectification (to correct any deficiencies or inaccuracies of the data), deletion (right to oblivion) ​​(deleting them from the Company's records, however, if their processing is no longer necessary), restriction of processing (in case of questioning the accuracy of the data, etc.), portability (that the Customer receives his data in structured and commonly used format). These rights are exercised at no cost to the Customer, by sending a relevant letter or e-mail to the Data Protection Officer, unless they are repeated frequently and due to volume, they have administrative costs for the Company, in which case the Customer will bear the relevant costs.
9. If the Customer exercises any of these rights, the Company will take all possible measures to satisfy the Customer's request within thirty (30) days of receiving the relevant request, after the Company informs either of its satisfaction, or of the objective reasons that prevent its satisfaction.
10. In addition, the Customer may at any time object to the processing of his personal data for the purposes of the service contract, by revoking his consent. However, this will eventually lead to the termination of the Customer's contract and the non-provision of services by the Company, because (according to what was mentioned above) no service operates without an express written agreement regarding the rights and obligations regarding the processing of personal data the customer's.
11. Data security is an absolute priority for the Company. To achieve this, all modern and appropriate technical (encryption, anonymization, etc.) and organizational measures are applied, the response of which the Company checks at regular intervals.
12. The Customer's data will be transmitted to the Company's departments that are responsible for the completion of the service provided and for its correct and uninterrupted operation. Examples include the technical support department, the legal department, the accounting department, etc.
13. The Customer's data may also be transmitted and made accessible by legal and/or natural persons with whom, from time to time, the Company maintains contracts for the proper provision of the services offered. Also, the data, in the context of the operation of the Customer's insurance contract, may be transmitted to various services, public authorities, etc. However, in this case, these legal and/or natural persons will process the Customer's personal data exclusively for the purpose of providing services to the Company and not for their own benefit, acting as processors. In each transmission, the Company always takes every measure so that the data that will be transmitted is always the minimum necessary and that the conditions for legal and legitimate processing will always be met.
14. It is expressly clarified that the Company does not use the Customer's personal data for commercial purposes nor does it share personal data with unauthorized persons.
15. For any issue regarding the processing of your data, you can contact us at tel. 2102916001 email: . Also, the Customer always reserves the right to address the competent authorities, where he can submit the relevant complaints. For Greece: Personal Data Protection Authority (Kifissias 1-3, Т.К. 115 23, Athens), or electronically (dpa.gr).
16. Technical and organizational security measures:
    For the Company, the protection of the Personal Data of the visitors and users of this website and the respect of the individual's privacy on the Internet is a self-evident commitment. All necessary organizational and technical measures are taken to ensure safety, the reliability and the validity of the data of visitors and users of this website. It ensures that your personal data is safe. In order to prevent unauthorized access or disclosure, appropriate physical, electronic and managerial procedures are in place to safeguard and secure your personal data collected.

Technical security mechanisms for the protection of personal data implemented by the Company:

1. Access to the system via a key pair (username / password): Each user has their own unique user/key combination to access the application. Only specific authorized persons of the Company have access to manage orders concerning personal data of Customers.
2. Key lifetime definition: It is possible to define in the application, the lifetime of a key, beyond which the key is not valid, and the user does not have access to the application.
3. Key complexity level: The access key complexity level is set.
4. Graded access to information and data: Each user has access only to the data related to his work.
5. Graded access to indexes and lists: Each user has access only to predefined indexes and lists.
6. Access exclusively following an explicit Order from the Client and preparation of a processing file: Each user receives from the Client a specific Order concerning access to personal data for which the user prepares, after the completion of the work, a personal data processing file form in which the actions are recorded carried out (logging (Logging) Logging (Logging) of all changes to personal data).
7. Define user groups: The ability to create groups of users with the same access rights is implemented.
8. Data export: Possibility to export personal data (in various formats) upon request of the natural person or the Customer to satisfy the corresponding requirement of the Regulation.
9. IP lock per user: The ability to lock access to the application only from a specific IP address or range of addresses is implemented
10. Ability to completely delete personal data without affecting records in the application database.
11. Implementation of technical security protocols for the servers used by the Company, specifically:

All the company's central electronic devices (server, switch, router, firewall, NAS) are located in a secure area, with limited and controlled access by the company's staff and visitors. Access to the space is made through a request to the company's address and stating the time and description of the work to be carried out. The site is visited by external partners only on scheduled days and times and with the full supervision of the company's sysadmin.

Domain Controller
The use of the domain controller in combination with the active directory service is used to create unique users per operator, but also user groups. It is also used to assign permissions per operator or per group at the folder and file level. Each operator's username and password is created after a request from the staff address to the company's sysadmin. Then the sysadmin creates the new user and sets the system requirement so that the new user creates a unique security code when first entering the system. The code in question must comply with company policies, which state that it must be at least eight characters with at least one capital character, one number and one special character. The system every 6 months asks the operator to renew his code with a new one and prohibits him from entering the same code as the previous ones. No one from the company has the ability to view the operators' codes but only has the ability to reset a new one in the process of losing it to the operator. Finally, the operator is informed in writing by the personnel department that under no circumstances is he authorized to share his system security code with anyone inside or outside the company.

DHCP
The use of DHCP covers the access of specific electronic devices to the company network, as it assigns a specific network address to each electronic device based on the unique address of the electronic device (MAC). The delegation refreshes the network addresses daily so that any attempt to introduce an unauthorized device into the network can be monitored. The available address book always consists of the total number of authorized electronic devices.

Firewall
The use of the protection wall provides the company with the ability to control traffic to and from the internal and external network. It also provides the possibility of routing specific traffic from the external network to a specific device in the internal network using an absolute port number and communication protocol. The firewall also records traffic to and from internal and external network addresses, specifically (date, time, workstation, external communication address, usage protocol, duration). Finally, the company is given the possibility based on the needs of the operator or group of operators to cut off access based on (address book, protocol, hours).

NAS
The network storage device is used by the company to store backups as well as store files. The device supports LDAP protocol for its connectivity with the company's domain controller, a feature that ensures authorized access to the contents of the NAS based on the usage policies of operators or groups of operators as defined in the policies of the domain controller.

Router
The company's connectivity to any external network is done through a certified router of the Internet service provider. Access to the router is not possible from company staff. This is entirely managed by the authorized department of the internet service provider. The router is serialized before the firewall so that its direct connectivity is controlled and routed by the firewall.

Call center
The company's Call Center supports the recording of calls based on the information of the caller. The recording is stored in a secure area within the company's network and accessible only by authorized personnel upon request approval.

Exchange Mail Server
The use of Exchange Mail Server provides the company with the possibility of centralized email management. Based on configuration operators have access to specific emails based on their role in the company. Email passwords are stored on electronic devices and not disclosed.

FTP
The company provides SFTP accessible space to its customers. At the start of the cooperation of a new customer, the company communicates the address, username and password to the customer. When the customer enters the system for the first time, he is asked to enter a new password which is kept secret by the customer. By entering the unique username and password, the customer has access to a space that is accessible only by the customer and by authorized personnel of the company. Access authorization from the company side is given upon command by the sysadmin for a limited time and specific task. The storage of the files on the part of the company's network is done in a restricted access area only by the sysadmin, who is also responsible for moving the files to an extended access area depending on the work/processing that the received files must receive. For the entry of the company for the purpose of storing customer files, a written confirmation from the customer is required with the following characteristics (file name, file password if any, purpose of sending the file and name of sender).

Antivirus
Antivirus in the company has a dual purpose. First, it protects against the introduction of malicious software that could potentially export sensitive personal data to unknown processors, and second, it provides a secure method of locking the ports of electronic devices to prevent the connection of unauthorized external storage media. With the above procedure, the company ensures the export of files from the facilities to any portable storage medium. The use of portable storage media is only possible through a list of authorized storage media. The use of these is through an approval process by the sysadmin. This application contains information on the use of the storage medium, the purpose, the content, the date of departure and arrival at the company. Upon return of the external storage medium the sysadmin is responsible for receiving, checking and clearing the device.

Internet access
Access to the internet will be done using a remote web browsing system. By using this feature, the company protects the sending and receiving of files to and from its network in an area of ​​unauthorized access. The files that must be sent or received via the Internet are placed in a space accessible only by the sysadmin and then after a process of checking the type of content and their security, they are transferred to the corresponding space based on the processing they must receive.

Backup 
The company holds backup copy with a frequency of one every day and a history of six (6) months with a step of one month. That is five (5) backup copies of previous months and three (3) weekly backups of the last month as well as five (5) daily backups of the last week. Backups are exported and kept on a network storage medium accessible to the sysadmin. Backups are kept encrypted.

Print Server
The network printers are accessed through a printer management system hosted on the company's main computer. By using centralized printer management the company can and has access to a log file which provides user information, print file name, date, time and printer of use.

ERP/CRM
The company's ERP system manages the customer base and their movements. The system used by the company is structured and configured in such a way as to ensure limited access based on the input of the user name and password as well as the role of the operator in question based on his assigned work duties. The username and password are assigned to the operator once by the company address. The password is not set based on the complexity of company policies. If an operator is removed, the user is deactivated. The system in question maintains a file based on which the user name, action, date and time can be identified. Password guessing is protected by automatically locking the user after a certain number of failed attempts. The company also, based on its policy, renews the entry codes in the system at regular intervals in order to ensure the integrity of the information. Finally, configuration allows the sysadmin to enable or disable actions such as extracting files on a per-user basis.

Physical Access Security
The entrance to the company's offices is covered by a controlled access system with a security code at the main entrance. Also, the area is covered by a closed camera surveillance system which covers the entrance areas, transit areas, access areas to the central computer units as well as the main office area of ​​the company. The monitoring system records the history of the cameras based on the capacity. The recording system has a controlled access management system which is covered by a username and password which is announced to the company's address.

Recording of telephone orders for the assignment of work: The Company records work orders given by telephone and stores them for a period of up to five (5) years from their receipt.

Third party technical service providers:

The Company may use third-party technical service providers who host, store, manage and maintain the website, its content and the data collected as well as other technical service providers (e.g. email services) to communicate with you on cases where it has received your express consent for such communication. The Company only uses third party service providers who agree to only use the personal information provided to them only for the purpose for which it was provided (eg technical services, website technical support) and who agree and warrant that all processing in which they engage will be legal and compliant with the provisions of applicable personal data legislation.
The Company does not sell, distribute or lease your personal information to third parties unless required by law to disclose such information. More specifically, the Company may disclose your personal data to third parties when this disclosure is necessary for the creation, exercise or defense of legal claims, either in the context of judicial proceedings or relevant summons of Competent Authorities or in the context of administrative or extrajudicial proceedings or for the purpose of preventing or stopping an attack on its computer systems or networks or protecting its rights or property.
The server and data center used by the website is located within the European Union and is therefore subject to compliance with the provisions of applicable personal data legislation. The data collected through this website is not transmitted to companies outside the European Union.

Period of processing of Personal Data

The storage and processing of the data of the customers of the services of the website is done exclusively and only as permitted by law or in accordance with your express consent only for as long as necessary to satisfy the processing (as defined above) or until you disagree with the use of your personal data by the Company or until you withdraw your consent.
In the event that it is required by law or in the event that the retention of personal data for a longer period of time is required for the legal claim or defense of the Company against legal claims, the Company will retain the personal data for a longer period of time.

Designation of Personal Data Protection Officer

The Privacy and Security Policy of the Company is in full harmony with the Regulation of the European Union 679/2016 on the Protection of Personal Data. For this purpose, the Company has appointed the Athens Lawyer Eleni Dede (AMDSA: 34461) as the Personal Data Protection Officer, who is designated as responsible for every issue related to the application of the above Regulation by the Company and with which the users and any interested parties party can communicate by e-mail at