Data Security & Protection

Last updated: March 2026

1. Overview

Six Media Technology Limited is committed to maintaining the highest standards of data security. This policy outlines the technical and organizational measures we implement to protect client data, financial information, and personal data from unauthorized access, loss, or misuse.

2. Encryption & Data Protection

  • In Transit: All data transmitted between clients and our systems is encrypted using TLS 1.2/1.3
  • At Rest: Sensitive data is encrypted using AES-256 encryption
  • Payment Data: Credit card information is processed through PCI-DSS Level 1 compliant payment processors and is never stored on our servers
  • API Communications: All API endpoints use HTTPS with certificate pinning

3. PCI-DSS Compliance

We maintain compliance with the Payment Card Industry Data Security Standard (PCI-DSS):

  • Payment card data is handled exclusively by certified PCI-DSS Level 1 service providers
  • Card numbers are tokenized and never stored in our systems
  • Regular PCI compliance assessments are conducted
  • Strict access controls are enforced for any payment-related systems

4. Access Controls

  • Authentication: Multi-factor authentication (MFA) required for all administrative access
  • Role-Based Access: Employees only access data necessary for their role (principle of least privilege)
  • Session Management: Automatic session expiry and re-authentication for sensitive operations
  • Password Policy: Strong password requirements with regular rotation
  • Audit Trails: Comprehensive logging of all system access and data modifications

5. Infrastructure Security

  • Cloud Security: Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification
  • Firewalls: Multi-layered firewall protection with intrusion detection/prevention systems
  • DDoS Protection: Enterprise DDoS mitigation services
  • Vulnerability Management: Regular vulnerability scanning and penetration testing
  • Patch Management: Timely application of security patches and updates

6. Monitoring & Detection

  • 24/7 security monitoring and alerting
  • Real-time threat detection and response
  • Automated anomaly detection for unusual access patterns
  • Regular review of security logs and audit trails

7. Data Breach Response

In the event of a data breach, we follow a structured incident response plan:

  1. Detection & Containment: Immediate identification and isolation of the affected systems
  2. Assessment: Evaluation of the scope, nature, and impact of the breach
  3. Notification: Affected individuals and relevant regulatory authorities (including the Privacy Commissioner for Personal Data, Hong Kong) are notified within 72 hours
  4. Remediation: Implementation of measures to prevent recurrence
  5. Post-Incident Review: Comprehensive analysis and documentation of the incident

8. Employee Security

  • Background checks for all employees handling sensitive data
  • Mandatory security awareness training upon hire and annually
  • Confidentiality agreements and non-disclosure obligations
  • Clean desk policy and secure workstation practices
  • Immediate access revocation upon employment termination

9. Third-Party Security

All third-party service providers undergo a security assessment, including:

  • Due diligence review before engagement
  • Data processing agreements with security requirements
  • Regular compliance verification
  • SOC 2 or equivalent certification requirements for critical vendors

10. Business Continuity

  • Regular data backups with geographically distributed redundancy
  • Disaster recovery plan with defined recovery point (RPO) and recovery time (RTO) objectives
  • Annual business continuity testing and drills

11. Contact

For security concerns or to report a vulnerability:

Security Team
Email: info@sixmedia.hk
© 2026 Six Media Technology Limited. All rights reserved.