MarvelPixel Data Loss Prevention (DLP) Strategy

1. Purpose

This strategy outlines the principles, tools, and responsibilities for preventing unauthorized access to, and the accidental or malicious loss, alteration, or destruction of data processed by MarvelPixel. The aim is to comply with GDPR, CCPA, and relevant data protection regulations while upholding best practices in data security and integrity.

2. Scope

This strategy applies to:

  • All personal and sensitive data processed via MarvelPixel’s platform.

  • All environments: development, staging, and production.

  • All personnel: employees, contractors, and service providers.

  • All data types: structured (e.g. analytics logs) and unstructured (e.g. code or user-generated content).

3. Core Principles

Data Minimization: Collect only what is necessary.

  • Least Privilege: Grant only the access required to perform duties.

  • Encryption by Default: Encrypt data in transit and at rest.

Zero Trust Architecture: Assume breach and validate every request.

4. Prevention Measures

4.1 Technical Controls

  • Data Classification
    Data is categorized (e.g., public, internal, confidential, sensitive) and handled accordingly.

  • Access Controls
    Role-based access control (RBAC) with multi-factor authentication (MFA) is enforced across all systems.

  • Endpoint Security
    All devices used to access MarvelPixel’s systems must:

    • Be encrypted

    • Run anti-malware software

    • Comply with company mobile device management (MDM) policies

  • Data Encryption

    • In Transit: TLS 1.2+ is required for all data exchanges.

    • At Rest: AES-256 encryption is applied to all stored data, including backups.

  • Code-Level Safeguards
    Sensitive fields (e.g., email, IP, device ID) are redacted or pseudonymized when not essential.

  • Data Loss Prevention (DLP) Tools
    Automated systems monitor for:

    • Unauthorized sharing or exfiltration

    • Sensitive data in logs or debug tools

    • High-risk user behavior

4.2 Administrative Controls

  • Security Awareness Training
    Employees receive quarterly training on data handling, phishing threats, and breach reporting.

  • Data Handling Policies
    Specific policies are enforced for data storage, sharing, and deletion (including disposal of physical hardware).

  • Vendor & Subprocessor Due Diligence
    All subprocessors must meet equivalent security and DLP standards. Contracts include data protection clauses.

4.3 Backup & Recovery

  • Automated Backups
    Data is backed up hourly (critical), daily (full), with 30-day retention.

  • Geographically Redundant Storage
    Backups are stored in separate regions to ensure resilience.

  • Disaster Recovery Plan
    Validated quarterly. Includes RTO < 2 hours and RPO < 1 hour for production environments.

5. Incident Response

In case of data loss or exposure:

  • Activate the Security Incident Response Policy

  • Classify the impact (Low/Medium/High)

  • Notify data protection authorities (e.g., Dutch DPA) within 72 hours if required under GDPR

Inform affected customers without undue delay, including recommended remediation

6. Compliance & Review
  • DLP systems are audited annually by third-party assessors.

  • This policy is reviewed every 12 months or after any major incident or regulatory update.

7. Enforcement

Non-compliance with this strategy may result in disciplinary action, including termination of access or employment, and may trigger contractual liability for vendors.

Camperstraat 42,

1091 AH Amsterdam

Copyright © 2025 Marveltest B.V

Pixel Operational

Camperstraat 42,

1091 AH Amsterdam

Copyright © 2025 Marveltest B.V

Pixel Operational

Camperstraat 42,

1091 AH Amsterdam

Copyright © 2025 Marveltest B.V

Pixel Operational