At Edenred, technology is an important part of our business. As we continue to improve and expand our products and services, our security procedures are more important than ever.
PCI and SOC 2 Type II
Edenred complies with the highest standards of data protection in the world.
Edenred is a PCI-certified company with the highest standard of controls and certified procedures for cardholder data.
SOC 2 Type II
The American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data.
Edenred operations and procedures are audited regularly to ensure Edenred meets and exceeds all standards expected of service providers.
Edenred operates in compliance with SOC 2 to ensure your data is protected, available, and secure.
Edenred complies with the California Consumer Privacy Act and GDPL
Learn more about Edenred’s corporate security practices
Risk Assessment and Management
At least every 365 days a formal, documented IT Risk Assessment is conducted considering factors that could affect the confidentiality, availability, and integrity of Edenred information assets and systems as well as Edenred’s own and Edenred customers’ data. Both internal and external threats are considered.
Physical Environmental Security
Edenred equipment is installed in suitably protected areas with minimum indication of their purpose, with no obvious signs, outside or inside the building, identifying the presence of information processing activities.
Access Control
Access to specific applications, systems, components, and technology infrastructure is only granted to personnel with a legitimate need. Privileges assigned are limited to the minimum required to perform assigned duties and in accordance with the Information Classification Policy. Edenred may further limit access (i.e., transaction dollar and frequency limits, pre-approval of critical function assignments, etc.). Access not explicitly authorized is forbidden.
Asset Management
Edenred develops, documents, and maintains an inventory of information system components that:
Accurately reflects the current information system.
Is consistent with the authorization boundary of the information system.
Is at the level of granularity deemed necessary for tracking and reporting.
Includes manufacturer, model/type, serial number, version number, location (i.e., physical location and logical position within the information system architecture), and ownership.
Is available for review and audit by designated organizational officials.
Third Party Management
Edenred Senior Management, with input as appropriate from System Owners and IT Management, exercises appropriate due diligence in the selection of the service provider.
Business Continuity and Disaster Recovery
Edenred recognizes that a significant threat exists to its ability to continue normal operations following a serious unexpected disruptive incident. A high level of dependency upon its automated systems and processes poses risks that need to be mitigated. Edenred further recognizes that it needs to recover from disruptive incidents in the minimum possible time and that this necessity to ensure a speedy restoration of services requires a significant level of advance planning and preparation.
Network Device Management
Edenred IT Staff owns and is responsible for the network infrastructure, including all developmental activities as well as enhancements to the infrastructure. Designated employees of Edenred IT Staff are the only individuals authorized to connect or disconnect network devices to the network. Users do not extend or re-transmit network services in any way. This means users do not install routers, switches, hubs, or wireless access points to the network without Edenred IT Management approval.
To properly diagnose network problems, avoid duplicate addresses, etc., Edenred IT Staff are responsible for and administer connection-related protocols for all devices on the network. In addition to registering all workstations, any devices that connect to the network such as laptops, printers, hubs, or instruments are registered. Conversely, Edenred IT Staff is aware when networked devices are removed from service so their registrations can be cancelled.
Software Development Life Cycle Procedure
Managing Sensitive information in the System
During the project initiation phase, Edenred identifies all sensitive information, e.g., credit card information, ACH information, and debit card information.
Edenred establishes processes to store sensitive data in encrypted form.
Edenred establishes processes to securely transmit sensitive information.
Edenred establishes processes to grant access to secure information.
Edenred’s Information Security Manager and the Chief Information Officer review/approve all processes.
Code Compilation
Code is compiled using the .NET Framework with the warning level set to the highest.
Security Awareness and Training
The security and stability of the information systems are vital to daily operations. An awareness and training program for all staff is critical to achieving and maintaining an effective information security capability. Information security awareness, training, and education improve employee behavior and accountability, and reduce the risk of unauthorized activity.
All employees and contractors complete Information Security training upon hire and subsequently at least annually. The Information Security training required for all employees and contractors covers identification and reporting of suspicious activities relative to incident response.
All employees sign an agreement stating that they understand all Edenred Information Security Policies, including the Edenred Acceptable Use Policy, and that they shall abide by them. This training is completed prior to any user being granted access to any information system. Users undergo security awareness training prior to being granted access in any capacity to PII, PHI and/or CHD.
All information security training activities are adequately documented, and individual training records are retained for at least three (3) years.
Information Protection and Flow
Information systems storing, processing, or serving confidential data as defined by the Information Classification, Labeling and Handling Policy are secured with logical and physical access controls. Physical access controls are used to restrict access to hardcopy internal and confidential information.
Logical access to electronic information is granted only with written approval by the employee’s are used to restrict physical access to information systems storing confidential information including restricting physical access to the office facility itself.
Hardcopy information classified as confidential is protected by physical access controls for the office facility. Confidential information is stored in locked cabinets when not in use, especially outside of office hours. Locked offices do not provide sufficient protection, as cleaning and/or facilities maintenance staff may have access to locked offices. Confidential information is not copied or faxed from equipment not owned and/or operated by Edenred.
Vulnerability and Patch Management
Due to the importance of the confidentiality, integrity, and availability of Edenred systems and information, all Edenred IT staff are proactive in implementing security measures designed to reduce any risks that might result in impaired productivity, increased costs, or damage to its business reputation due to malfunctioning system components or system components with security vulnerabilities. To ensure the security of the network and protect Edenred’s data, all computers and network devices are maintained at vendor-supported levels, and critical security patches are applied in a timely manner consistent with an assessment of risk.