Security

This document describes the technical and organisational security measures implemented by Martide Pte. Ltd. (“Martide” or the “Processor”) to protect Personal Data processed on behalf of its customers. It supplements the Data Processing Agreement (“DPA”) between the customer (“Controller”) and Martide, and contains the information required by Annex II of the EU Standard Contractual Clauses and Table 3 of the UK Addendum.

These measures are implemented in accordance with Article 32 of the General Data Protection Regulation (EU 2016/679) and are continuously reviewed and improved having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing.


1. Confidentiality

1.1 Physical Access Control

Measures to prevent unauthorised persons from gaining physical access to data processing systems and facilities.

Technical measures:

  • Production infrastructure hosted with reputable cloud service providers (AWS and/or equivalent) that maintain SOC 2 Type II, ISO 27001 and equivalent certifications
  • Data centre facilities secured with multi-layered physical access controls, including biometric authentication, badge-based entry and 24/7 security monitoring
  • Environmental controls including fire detection and suppression, climate regulation and power redundancy with uninterruptible power supply (UPS) and backup generators

Organisational measures:

  • No Martide personnel have unsupervised physical access to data centre hardware; all physical access managed by the cloud infrastructure provider
  • Clean desk policy for offices where Personal Data may be viewed
  • Visitor access to Martide offices requires registration and escort

1.2 Logical Access Control

Measures to prevent unauthorised access to and use of data processing systems.

Technical measures:

  • Unique user credentials required for all system access; shared accounts are prohibited
  • Multi-factor authentication (MFA) enforced for all administrative and privileged access to production systems
  • Strong password policies enforced, including minimum length, complexity and expiry requirements
  • Automated lockout after repeated failed authentication attempts
  • Monitoring and alerting on anomalous login activity
  • Secure remote access via encrypted VPN connections

Organisational measures:

  • Role-based access control (RBAC) with the principle of least privilege applied across all systems
  • Access rights granted based on documented business need and approved by management
  • Regular access reviews conducted at least quarterly, with prompt revocation of access for personnel who change roles or leave the organisation
  • Documented onboarding and offboarding procedures including timely deprovisioning of credentials and access rights
  • Minimum number of system administrators with privileged access

1.3 Data Access Control

Measures to ensure that authorised users can access only the Personal Data to which they are entitled and that Personal Data cannot be read, copied, modified or removed without authorisation during processing, use and storage.

Technical measures:

  • Granular, role-based permissions within the Martide platform ensuring customers can only access their own data
  • Logical separation of customer data within shared infrastructure (multi-tenant isolation)
  • Database-level access restricted to authorised application services and designated administrators
  • Audit logging of access to Personal Data, including read, write and delete operations
  • Data loss prevention controls to detect and prevent unauthorised data exfiltration

Organisational measures:

  • Need-to-know access policies documented and communicated to all personnel
  • Customer data access by Martide support personnel only upon Controller request or for legitimate operational purposes, subject to logging and review
  • Confidentiality obligations binding on all employees, contractors and sub-processors with access to Personal Data

1.4 Separation Control

Measures to ensure that Personal Data collected for different purposes is processed separately.

Technical measures:

  • Logical separation of customer data through unique tenant identifiers at the application and database levels
  • Strict separation of production, staging and development environments
  • Test and development environments do not use production Personal Data; anonymised or synthetic data is used

Organisational measures:

  • Access authorisation processes account for multi-tenant contexts and enforce customer-level data boundaries
  • Policies and procedures ensuring data processed for different purposes (e.g., crewing services, analytics, support) is segregated and only used for the specified purpose

2. Pseudonymisation and Encryption (Art. 32(1)(a) GDPR)

Measures for the pseudonymisation and encryption of Personal Data.

Technical measures:

  • Encryption of Personal Data in transit using TLS 1.2 or higher for all communications between clients and the Martide platform
  • Encryption of Personal Data at rest using AES-256 or equivalent industry-standard encryption
  • Database connections encrypted using TLS
  • Secure key management with keys stored separately from encrypted data, using hardware security modules (HSMs) or equivalent managed key services
  • Passwords stored using strong, salted one-way hashing algorithms (bcrypt or equivalent); plaintext passwords are never stored or logged

Organisational measures:

  • Encryption policies documented and reviewed annually
  • Pseudonymisation applied where feasible to reduce the identifiability of Personal Data in non-production environments and analytical processes
  • Procedures for secure generation, distribution, storage, rotation and destruction of cryptographic keys

3. Integrity

3.1 Data Transfer Control

Measures to ensure that Personal Data cannot be read, copied, modified or removed without authorisation during electronic transfer or transport, and that it is possible to verify to which recipients a transfer of Personal Data is intended.

Technical measures:

  • All data transmitted over public networks is encrypted using TLS 1.2 or higher
  • Secure file transfer protocols (SFTP, HTTPS) used for all data exchanges with third parties, including manning agents and flag state authorities
  • API authentication using token-based mechanisms (OAuth 2.0 or equivalent) to verify the identity of systems exchanging data
  • Email encryption available for the transmission of sensitive Personal Data where required

Organisational measures:

  • Documented procedures governing the transfer of Personal Data to third parties, including manning agents, employers and Sub-processors
  • Data transfer impact assessments conducted for new transfer arrangements involving Personal Data
  • Transfer records maintained to verify the recipients and legal basis for each transfer

3.2 Data Input Control

Measures to ensure that it is possible to verify and establish whether and by whom Personal Data has been input into, modified in, or removed from data processing systems.

Technical measures:

  • Comprehensive audit logging across all application and database layers, recording the identity of the user, the action performed, the data affected and the timestamp
  • Audit logs stored securely and protected against tampering
  • Audit log retention for a minimum of twelve (12) months

Organisational measures:

  • Documented change management procedures for all changes to systems processing Personal Data
  • All changes to production systems require peer review and approval prior to deployment
  • Regular review of audit logs to detect unauthorised or anomalous activity

4. Availability, Resilience and Recoverability (Art. 32(1)(b)–(c) GDPR)

4.1 Availability and Resilience

Measures to ensure the ongoing availability and resilience of processing systems and services.

Technical measures:

  • Production systems deployed across multiple availability zones for high availability and fault tolerance
  • Auto-scaling infrastructure to handle demand fluctuations and mitigate denial-of-service risks
  • Firewalls, web application firewalls (WAF) and intrusion detection/prevention systems (IDS/IPS) deployed to protect against external threats
  • Distributed denial-of-service (DDoS) mitigation services
  • Regular vulnerability scanning of production systems (at least monthly)
  • Annual penetration testing conducted by independent third-party security assessors
  • Anti-malware and endpoint protection on all corporate devices

Organisational measures:

  • Infrastructure monitoring with automated alerting for system health, performance and security events, with 24/7 on-call incident response
  • Defined service level objectives for platform availability
  • Capacity planning reviewed at least quarterly

4.2 Recoverability

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

Technical measures:

  • Automated daily backups of all databases and critical systems
  • Backups stored in a geographically separate location from primary production systems
  • Backup data encrypted at rest using AES-256 or equivalent
  • Regular backup restoration testing (at least quarterly) to verify data integrity and recoverability

Organisational measures:

  • Documented disaster recovery plan with defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
  • Documented business continuity plan covering critical personnel, communication and escalation procedures
  • Disaster recovery plan tested at least annually

5. Incident Management and Personal Data Breach Procedures

Measures for the identification, assessment and notification of Personal Data Breaches.

Technical measures:

  • Security information and event management (SIEM) or equivalent centralised log analysis and alerting
  • Automated monitoring and alerting for indicators of compromise, unauthorised access and data exfiltration attempts
  • Forensic investigation capabilities to determine the scope and impact of security incidents

Organisational measures:

  • Documented incident response plan with clearly defined roles, responsibilities and escalation procedures
  • Personal Data Breach notification to the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, in accordance with the DPA
  • Breach notifications include: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects and records affected; (c) the likely consequences; and (d) the measures taken or proposed to mitigate the breach
  • Post-incident review conducted after each significant incident, with lessons learned documented and remediation actions tracked to completion
  • Regular incident response exercises and tabletop drills

6. Review, Assessment and Evaluation (Art. 32(1)(d) and Art. 25(1) GDPR)

6.1 Data Protection Management

Measures for ensuring regular testing, assessment and evaluation of the effectiveness of technical and organisational measures.

Organisational measures:

  • Designated Data Protection Officer (DPO) contactable at software.support@martide.com
  • Annual review of these technical and organisational measures, with updates implemented as necessary
  • Data Protection Impact Assessments (DPIAs) conducted for new or materially changed processing activities that are likely to result in a high risk to Data Subjects
  • Documented processes for responding to Data Subject access, rectification, erasure, restriction, portability and objection requests
  • Mandatory data protection and information security training for all personnel upon onboarding and annually thereafter
  • Regular management reporting on data protection compliance, security posture and risk assessment

6.2 Sub-processor Management

Measures for ensuring that Sub-processors process Personal Data in compliance with applicable Data Protection Laws.

Organisational measures:

  • Data Processing Agreements in place with all Sub-processors in accordance with Article 28 GDPR and clause 4 of the DPA
  • Due diligence assessments conducted on all Sub-processors prior to engagement, including evaluation of their technical and organisational security measures
  • Sub-processor compliance reviewed periodically, including review of certifications (SOC 2, ISO 27001 or equivalent) and audit reports
  • Sub-processor employees and personnel subject to confidentiality obligations
  • Maintained register of all Sub-processors, including the nature and location of Processing activities, available at https://www.martide.com/en/subprocessors

7. Data Minimisation and Retention

Measures to ensure that Personal Data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed, and that it is not retained longer than necessary.

Technical measures:

  • Platform designed to collect only the Personal Data necessary for the provision of the Services, including seafarer documentation required under the Maritime Labour Convention (MLC), STCW Convention and applicable flag state requirements
  • Automated data retention controls that flag or remove data in accordance with defined retention periods
  • Secure data deletion procedures (cryptographic erasure or overwriting) applied upon data disposal or upon Controller request

Organisational measures:

  • Data retention policy aligned with the DPA and applicable Data Protection Laws:
    • Application and contract data: retained for no more than six (6) years after contract termination, unless legal obligations require longer retention
    • Profile data (contact details, qualifications): retained for two (2) years of inactivity, after which it is anonymised or deleted
    • Seafarer sea-service records: retained in accordance with MLC and flag state requirements
  • Regular reviews of retained data to identify and dispose of data no longer required for the specified purposes

8. Data Quality

Measures to ensure the accuracy and currency of Personal Data.

Technical measures:

  • Platform features enabling Data Subjects and authorised users to review, update and correct their Personal Data directly
  • Validation controls at data entry points to reduce input errors
  • System notifications prompting users to review and update seafarer documentation (certificates, medical fitness, endorsements) prior to expiry

Organisational measures:

  • Documented processes for the Controller and Data Subjects to request correction of inaccurate or incomplete Personal Data
  • Procedures for verifying seafarer qualifications, certificates and documentation in accordance with STCW and MLC requirements

9. Data Portability and Erasure

Measures to support the Controller’s obligations in relation to Data Subject requests for data portability and erasure.

Technical measures:

  • Platform functionality enabling the Controller to export Personal Data in a structured, commonly used and machine-readable format
  • Platform functionality enabling the Controller to delete individual Data Subject records
  • Bulk data export and deletion tools available to the Controller via the platform

Organisational measures:

  • Documented procedures for responding to Controller requests for data export or deletion in accordance with the DPA
  • Upon termination or expiry of the Services, all Personal Data returned or deleted in accordance with clause 7 of the DPA
  • Deletion verification procedures to confirm that data has been securely removed from active systems and backups within the specified timeframes

10. Certifications and Security Assessments

  • Hosting infrastructure providers maintain SOC 2 Type II, ISO 27001 and equivalent certifications
  • Annual penetration testing conducted by independent third-party security assessors
  • Vulnerability scanning conducted at least monthly
  • Results of security assessments reviewed by management and remediation actions tracked to completion

Contact

For enquiries regarding these security measures or Martide’s data protection practices, please contact:

Data Protection Officer
Martide Pte. Ltd.
1 HarbourFront Place, HarbourFront Tower One, #14-05/06, Singapore 098633
Email: software.support@martide.com

Last updated: 13th February 2026