Article 1 - Subject and scope

1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in a role of a service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred  to as “Parties".

1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for hosting of virtual private servers, and the rights and obligations for the parties arising out of it.

1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.

Article 2 - Services and term

2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").

2.3. This agreement is concluded for an unlimited time period unless otherwise agreed. 

2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.

Article 3 - Service charges and billing

3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.

3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber. 

3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.

Article 4 - Limitation or termination of access

4.1. The Operator may, without consent from the Subscriber, temporary limit or terminate access to the Services, in the following cases:

• If that is necessary for the purposes of reconstruction, modernization, maintenance or in case of technical issues or deficiency in the network, up to completion of the works or removal of the problems.
• If there are technical problems with the Subscriber equipment or installations, up to removal of the same, оr if the Subscriber does not allow inspection of the functionality of its equipment or installations, up to completion of the inspection.
• If the Subscriber fails to pay the invoice for the monthly subscription by the date specified in the Invoice until the entire payment is made, except in case of an appeal regarding the amount of the Invoice, in that case the Subscriber shall pay the amount of the monthly subscription by the date stated in the Invoice.
• If the services are used or dedicated to be used for purposes opposite to the Law for Electronic Communications of North Macedonia, and the related regulations, or other law or regulations, as determined by the competent body, or they are used or dedicated to be used for a purpose opposite to the terms and conditions of this agreement.

4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.

Article 5 - Disconnection of the Subscriber

5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber, in written manner, and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:

• Causes instantaneous and serious threats to the public order, safety, human health or the environment, or causes great material or operational damage.
• Causes immediate threat to the Operator’s network or equipment, or the ability to provide services to other Subscribers.

5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.

Article 6 - Termination of the agreement by the Operator

6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:

• If the Subscriber fails to complete its obligations from the agreement.
• If the Services are used or are dedicated to be used for a purpose opposite to the conditions from this agreement.
• In case when by a court decision the Subscriber is deleted from the adequate register.
• In case of bankruptcy or liquidation, or insolvency of the Subscriber, if the right to use the service has not been transferred to another person, within a period determined by the Operator.
• In case of abuse of the services by the Subscriber, for purposes against the related laws and regulations defined by a competent body in North Macedonia.
• If the Operator cannot provide the Services, due to force majeure, longer than 6 months.
• In case of death of the Subscriber, if the right to use the service is not transferred to another person within six months.

Article 7 - Termination of the agreement by the Subscriber

7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services. 

7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.

Article 8 - The Operator's  rights

8.1. The Operator shall have the following rights:

• Charge fees determined in the order, from the Subscriber or his legal successor.
• Disconnect and deactivate the Services, due to delayed payment or non-payment of the bills.
• Change the technical characteristics of the network and service, in order to provide a better quality and possibility for using new services.
• Request data from the Subscriber, which is used for conclusion, supervision and termination of this agreement, and also data for debt collection.
• Keep, process and exchange Subscriber’s data, for the purpose of fulfilling the objectives of this agreement.

Article 9 - The Operator's obligations

9.1. The Operator shall have the following obligations:

• Provide activation and access to the Services within the period determined in the Order Form.
• Keep and use data of Subscribers and Services in accordance with the related laws and regulations.
• Inform the Subscriber, in written manner, in case of violation of the provisions from this agreement and determine a reasonable period for completing the contractual obligations.
• Provide maintenance of the network and the equipment, in a manner that enables continuous provision of the Services, and within the technical possibilities remove any interference of the network and the equipment, as soon as possible.
• Оbtain consent from the Subscriber for information necessary for direct marketing, and by using automatic calling systems and/or sending SMS/MS messages, without human intervention.
• Enable transfer of the right to use Services to another subject, upon request from the Subscriber.
• To provide technical support 24x7 to the Subscriber via telephone and email.

Article 10 - The Subscriber's rights

10.1. The Subscriber shall be entitled to:

• Receive the Services without interruptions, efficiently and regularly, in accordance with the possibilities of the Subscriber’s technical infrastructure.
• To ask the Operator to transfer the right to use the Services to another person. An operator may refuse the request if it finds that the other person can not meet the contractual requirements.

Article 11 - Subscriber's obligations

11.1. The Subscriber shall have the following obligations:

• To timely pay the invoiced amounts for used Services, up to the date stated in the bill.
• Use the Services for its own needs and according to their purpose, and not disturb other users, and not to use them for transmitting data or for purposes opposite to the laws and regulations of the Republic of North Macedonia, as well as the conditions contained in this agreement.
• Not undertake any activities which would hinder the integrity of the network or would cause any damages.
• Not disclose its personal encrypted data to third parties. In relation to damages which have occurred due to disclosure of personal encrypted data due to subscriber fault, the Subscriber shall be personally responsible.
• Not to allow the services to be used for sending scam, disturbing or false messages.
• Not to operatе applications that are used to mine crypto currencies.
• Not to scan foreign networks or foreign IP addresses.
• Not to fake source IP addresses.
• To use the services in such a way that does not compromise the integrity and availability of the networks, servers and data of third parties. 
• To not use the services for performing (d)DOS attacks or to run applications that are capable of performing these actions.
• To make backup copies of their data.

Article 12 - Disclaimer of warranty and limitation of liability

12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.

12.2. Тhe Operator shall not be hold responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties. 

Article 13 - Additional provisions

13.1. The use of the Services may be interrupted by the force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike , riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services, caused by a Force Majeure Event.

13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.

13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.

13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/en/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.

13.5. In case of bankruptcy and liquidation, the Operator is obliged to inform the client by written notice and provide a time frame of thirty (30) days for the customer to retrieve the data from the virtual servers.

Article 14 - Final provisions

14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.

14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in entirety and agrees to be bound by the provisions thereof.

Contents

1. INTRODUCTION

2. MANAGEMENT OF GENERAL SECURITY RISKS

2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management

3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber

4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture

5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures

6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches

1. Introduction

INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.

Through this security policy, it is necessary to achieve the following goals:

1. To ensure the security and integrity of public electronic communication networks and services.
2. To specify the actions that should be taken in the event of a violation of the security of personal data.
3. To submit a notification to the Electronic Communications Agency in the event of a security breach or loss of integrity that had a significant impact on the functioning of the network or services.

In terms of network security and integrity (and service continuity), the aim is to ensure the following points:

1. Use of appropriate technical and organizational measures to protect the security of networks and services.
2. Use of appropriate steps to ensure network integrity.
3. To notify the authority with a significant influence on the operation of the networks about the security incidents.

In terms of security when processing personal data, the goal is to ensure the following points:

1. Using appropriate technical and organizational measures to protect the security of networks and services.
2. Using measures to ensure the security of personal data processing.
3. To notify the authority with a significant impact on the operation of the networks about violations of personal data, and if necessary to communicate with the affected users.

The security policy will be specified in several chapters, namely:

• MANAGING GENERAL SECURITY RISKS
• PROTECTION OF END USERS
• MAINTAINING NETWORK AVAILABILITY
• SECURITY AND INTEGRITY OF PERSONAL DATA

2. Management of general security risks

2.1 Basics of risk management

In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.

2.1.1. A threat

A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.

A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.

2.1.2 Vulnerability

A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.

Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.

2.1.2 Why is it important to manage risk?

The primary objectives of risk management are:

• Network security and integrity.
• Ensuring continuity of services.
• Security when storing and processing personal data.
• Protection of the business success and mission of the Operator.

According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.

2.2 Risk assessment

The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.

2.2.1 Quantitative risk assessment

Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:

Annual probability of loss = Probability of one occurrence * Annual occurrence rate

2.2.2 Qualitative risk assessment

Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.

In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.

2.2.3 Identification of threats

In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.

Name/Description:

• Accidental disclosure.
• Unauthorized or accidental release of classified, personal or sensitive information.
• Software change.
• Deliberate modification, addition or deletion of the operating system or programs running on it, by authorized or unauthorized persons, which leads to compromising the privacy, availability or integrity of data, programs, systems or resources under the control of the affected system or application. The source of such threats can be viruses, Trojan horses, malicious code, trapdoors and the like.
• Use of flow capacity (Bandwidth).
• Intentional or unintentional use of the communication flow capacity, for needs beyond those provided for in the contract, such as for the transmission of data through which third parties are harassed and lied, which causes an immediate and serious threat to public order, security, human health or the environment, and other types of communication use that is prohibited by positive legal regulations.

Power outage:

• In the event of a power outage, ICT systems may not be able to be used, and data may be unintentionally modified or destroyed.

Deliberate data alteration Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.

System error:

• Accidental or unintentional error during installation, configuration or upgrade of hardware, software or communication equipment.

Telecommunications failure or outage:

• Any communication link, unit or component of the telecommunication system which, due to a malfunction, may lead to a failure or interruption of data transmission through the telecommunication channels.

Works of nature:

• All types of natural disasters (earthquake, storm, etc.) that can damage or affect the system/application. These disasters can lead to partial or total unavailability, thus affecting the availability of systems and services.

2.2.4 Identifying vulnerabilities

The following methods are used to identify vulnerabilities:

• Vulnerability scanners. Refers to software that examines an operating system, network application, or code for some known flaws and vulnerabilities by comparing the system against a database of bug and vulnerability records.
• Penetration tests. It refers to a deliberate attempt by a person in charge of security analyzes of the Operator, to carry out activities to cause a threat to ICT systems.
• Audit of operational and management control processes. In-depth analysis and audit of operational and management control processes, through comparison of current practice and procedures with procedures that are advanced or best practice in the business.

In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.

When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:

• Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org).
• National Vulnerability Database (NVD - http://nvd.nist.gov).

2.2.4 Risk management

Two basic risk management strategies are used: mitigation and avoidance. They are explained below:

• Mitigation. It covers activities and processes to reduce the probability and possible consequences associated with a certain flaw or failure of ICT systems. A common risk mitigation activity for a technical flaw is to install a patch provided by the equipment vendor.
• Avoiding. It refers to the activity of eliminating the vulnerable part of the system or even the entire system. For example, if a risk assessment determines that the user's web portal used to display traffic usage has a flaw where one subscriber can see usage for another subscriber, then code repair is attempted. 

3. Protection of end users

The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.

In addition, the Operator applies the following measures regarding the protection of end users:

3.1 Technical measures

The following measures are applied to protect end users:

• The user line for delivery of electronic communication service is delivered to the subscriber as a separate broadcast domain, that is, it is isolated using VLAN technology. This prevents access at the level of the same Ethernet broadcast domain by other users within the Operator's network. In order to ensure that VLAN technology will provide isolation, the Operator uses the practice of mandatory tagging of packets when they pass through the ports with the correct VLAN tag, not allowing untagged packets or incorrectly tagged packets to be transmitted within the network.
• The operator performs regular scans of the user's line to determine the vulnerability that allows the server of the domain name system (if the subscriber has one) to be misused to make global DDOS attacks.

3.1 Stakeholder notification measures during a security incident

A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about the same to the interested parties and taking and activities that the operators should take over in the event of a violation of the security of personal data.

These notices cover the following parties:

3.1.1 Notification by the Operator to the Directorate for Personal Data Protection

The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator. 

3.1.2 Notification from the Operator to the subscriber

If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).

4. Maintaining network availability

In order to better serve users, the Operator is fully committed to ensure stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The operator uses the measures and practices described below directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to provision of a high percentage of availability and a reduced probability of service interruption.

4.1 Maintenance of high quality and availability of the passive network

Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.

Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.

4.2 Maintenance of high quality and availability of the active network

The operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.

4.3 Maintaining availability with an advanced monitoring system

The operator uses a 24/7 constantly active monitoring system, for the interconnection links, for the core of the network as well as for every interface that leads to a subscriber. The monitoring system makes deep analyzes of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support

In terms of checks for links to the global Internet, the following automated tests are performed every minute:

• Port status and RX optical level of the SFP of the interconnection port with the global provider.
• Ping and traceroute from our network to global providers, ping and traceroute from external network from Europe to our network.
• In case of detection of a warning or failure of one of the interconnection providers, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:

• Port status and RX optical level of the SFP connection port to each uplink port of the L2/L3 device part of the Core.
• Temperature status of each L2/L3 device part of the Core.
• Hardware health status of each L2/L3 device part of the Core.
• CPU and RAM utilization status of each L2/L3 device part of the Kernel.
• DNS server status, if the device has such a function.
• In case of detection of a warning or failure of a part of the Core, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them for examination and solution of the problem.

In terms of line checks for each subscriber, the following automated tests are performed every minute:

1. Port status and RX optical level of the SFP port representing the connection to the subscriber's user terminal equipment.

In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

4.4 Maintaining availability with a 24/7 intervention service

The operator provides 24/7 technical support service. This service uses the 24/7 constantly active monitoring system described in chapter 4.3, for insight and reaction regarding interruptions and failures of services warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field exposure persons to repair a fault in the passive or active segment of the network, who are available 24/7.

4.4 Maintaining Availability Through Redundant Architecture

Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.

5. Security and integrity of personal data

The operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.

5.1 What information is collected

We collect and process the following personally identifiable data:

1. In the case of legal entities, we collect the following information: Name of legal entity, address, telephone number, email address, unique tax number and unique identification number. In the case of natural persons, we collect the following information: First/Surname, address, telephone number and email address. This information is collected when filling an order for any of the services.
2. Details of financial transactions that have occurred due to the settlement of obligations related to services.
3. A record of the communication that occurs when you contact us by email, mail or phone.
4. Information about the configuration, type and quantity of telecommunication services used by users.

5.2 What the data is used for:

We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed, stored for the following purposes:

• To process orders and contracts with users.
• To enable users to access a web portal through which traffic usage can be monitored.
• To provide notice regarding the services.
• To submit an invoice regarding the services.
• To analyze how you use the services, such as to analyze the average level of utilization of streaming capacity, in order to propose a solution in case of a problem.
• To investigate user complaints.
• To set the approximate location of the subscriber in the monitoring system, in order to have a faster reaction when repairing a defect.
• To submit the information to the appropriate state institutions in case of legal dispute, crime detection and other activities that are contrary to the Law on Electronic Communications or other law or regulation.

5.3 Ensuring security and integrity of personal data

We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It is good to note that the technology, no matter how advanced, becomes a vulnerable matter over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and such a break use for inappropriate purposes.

The operator uses the following measures to ensure the security and integrity of personal data.

5.3.1 Physical measures

Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.

• The Operator's facilities are secured by persons in charge of security.
• The Operator's facilities where personal data are stored or accessed are under constant video surveillance.

5.3.2 Procedural measures

Procedural measures are specified in the list below:

• The operator follows procedures to ensure that only authorized persons have access to ICT systems where personal data is collected, stored and processed. Authorization of an account linked to a specific administrator, for access to the ICT systems where personal data is collected, stored and processed, is done only by the manager of the Operator. When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code that requires an additional code sent to the phone designated as the account holder for access.
• Persons who are authorized to access ICT systems where personal data is collected, stored and processed, sign an agreement with the Operator for the use of users' personal data only for their purpose described in chapter 5.2.

5.3.3 Technical measures

The technical measures are specified in the list below:

• Confidential user information must be transmitted securely. When communicating this data through email systems, a framework has been established for the mandatory use of encrypted communication using the Transport Layer Security (TLS) method, which is an industry-recognized standard based on Secure Sockets Layer (SSL) technology for email communication encryption.
• Personal information for users who are legal entities, namely: name of legal entity, address, telephone number, email address, unique tax number and unique identification number; are stored in an encrypted form where the encryption and decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits, additionally they are communicated in a secure way through encrypted communication using the TLS method.
• Personal information for users who are natural persons, including first name/surname, phone number and email address; are stored in an encrypted form where the encryption/decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits. In electronic communication of the same, secure communication with the TLS method is used.
• When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code sent to the phone designated as the account holder for access.

6. Contact information

6.1 Name and headquarters of the operator

INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje

6.2 Data for the personal data protection officer

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

6.3 Data for the person responsible for information security and for reporting security breaches

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

Article 1 - Subject and scope

1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in a role of a service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred  to as “Parties".

1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for hosting of Cloud VPN system, and the rights and obligations for the parties arising out of it.

1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.

Article 2 - Services and term

2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").

2.3. This agreement is concluded for an unlimited time period unless otherwise agreed. 

2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.

Article 3 - Service charges and billing

3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.

3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber. 

3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.

Article 4 - Limitation or termination of access

4.1. The Operator may, without consent from the Subscriber, temporary limit or terminate access to the Services, in the following cases:

• If that is necessary for the purposes of reconstruction, modernization, maintenance or in case of technical issues or deficiency in the network, up to completion of the works or removal of the problems.
• If there are technical problems with the Subscriber equipment or installations, up to removal of the same, оr if the Subscriber does not allow inspection of the functionality of its equipment or installations, up to completion of the inspection.
• If the Subscriber fails to pay the invoice for the monthly subscription by the date specified in the Invoice until the entire payment is made, except in case of an appeal regarding the amount of the Invoice, in that case the Subscriber shall pay the amount of the monthly subscription by the date stated in the Invoice.
• If the services are used or dedicated to be used for purposes opposite to the Law for Electronic Communications of North Macedonia, and the related regulations, or other law or regulations, as determined by the competent body, or they are used or dedicated to be used for a purpose opposite to the terms and conditions of this agreement.

4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.

Article 5 - Disconnection of the Subscriber

5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber, in written manner, and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:

• Causes instantaneous and serious threats to the public order, safety, human health or the environment, or causes great material or operational damage.
• Causes immediate threat to the Operator’s network or equipment, or the ability to provide services to other Subscribers.

5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.

Article 6 - Termination of the agreement by the Operator

6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:

• If the Subscriber fails to complete its obligations from the agreement.
• If the Services are used or are dedicated to be used for a purpose opposite to the conditions from this agreement.
• In case when by a court decision the Subscriber is deleted from the adequate register.
• In case of bankruptcy or liquidation, or insolvency of the Subscriber, if the right to use the service has not been transferred to another person, within a period determined by the Operator.
• In case of abuse of the services by the Subscriber, for purposes against the related laws and regulations defined by a competent body in North Macedonia.
• If the Operator cannot provide the Services, due to force majeure, longer than 6 months.
• In case of death of the Subscriber, if the right to use the service is not transferred to another person within six months.

Article 7 - Termination of the agreement by the Subscriber

7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services. 

7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.

Article 8 - The Operator's  rights

8.1. The Operator shall have the following rights:

• Charge fees determined in the order, from the Subscriber or his legal successor.
• Disconnect and deactivate the Services, due to delayed payment or non-payment of the bills.
• Change the technical characteristics of the network and service, in order to provide a better quality and possibility for using new services.
• Request data from the Subscriber, which is used for conclusion, supervision and termination of this agreement, and also data for debt collection.
• Keep, process and exchange Subscriber’s data, for the purpose of fulfilling the objectives of this agreement.

Article 9 - The Operator's obligations

9.1. The Operator shall have the following obligations:

• Provide activation and access to the Services within the period determined in the Order Form.
• Keep and use data of Subscribers and Services in accordance with the related laws and regulations.
• Inform the Subscriber, in written manner, in case of violation of the provisions from this agreement and determine a reasonable period for completing the contractual obligations.
• Provide maintenance of the network and the equipment, in a manner that enables continuous provision of the Services, and within the technical possibilities remove any interference of the network and the equipment, as soon as possible.
• Оbtain consent from the Subscriber for information necessary for direct marketing, and by using automatic calling systems and/or sending SMS/MS messages, without human intervention.
• Enable transfer of the right to use Services to another subject, upon request from the Subscriber.
• To provide technical support 24x7 to the Subscriber via telephone and email.

Article 10 - The Subscriber's rights

10.1. The Subscriber shall be entitled to:

• Receive the Services without interruptions, efficiently and regularly, in accordance with the possibilities of the Subscriber’s technical infrastructure.
• To ask the Operator to transfer the right to use the Services to another person. An operator may refuse the request if it finds that the other person can not meet the contractual requirements.

Article 11 - Subscriber's obligations

11.1. The Subscriber shall have the following obligations:

• To timely pay the invoiced amounts for used Services, up to the date stated in the bill.
• Use the Services for its own needs and according to their purpose, and not disturb other users, and not to use them for transmitting data or for purposes opposite to the laws and regulations of the Republic of North Macedonia, as well as the conditions contained in this agreement.
• Not undertake any activities which would hinder the integrity of the network or would cause any damages.
• Not disclose its personal encrypted data to third parties. In relation to damages which have occurred due to disclosure of personal encrypted data due to subscriber fault, the Subscriber shall be personally responsible.
• Not to allow the services to be used for sending scam, disturbing or false messages.
• Not to operatе applications that are used to mine crypto currencies.
• Not to scan foreign networks or foreign IP addresses.
• Not to fake source IP addresses.
• To use the services in such a way that does not compromise the integrity and availability of the networks, servers and data of third parties. 
• To not use the services for performing (d)DOS attacks or to run applications that are capable of performing these actions.
• To make backup copies of their data.

Article 12 - Disclaimer of warranty and limitation of liability

12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.

12.2. Тhe Operator shall not be hold responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties. 

Article 13 - Additional provisions

13.1. The use of the Services may be interrupted by the force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike , riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services, caused by a Force Majeure Event.

13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.

13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.

13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/en/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.

Article 14 - Final provisions

14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.

14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in entirety and agrees to be bound by the provisions thereof.

Contents

1. INTRODUCTION

2. MANAGEMENT OF GENERAL SECURITY RISKS

2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management

3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber

4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture

5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures

6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches

1. Introduction

INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.

Through this security policy, it is necessary to achieve the following goals:

1. To ensure the security and integrity of public electronic communication networks and services.
2. To specify the actions that should be taken in the event of a violation of the security of personal data.
3. To submit a notification to the Electronic Communications Agency in the event of a security breach or loss of integrity that had a significant impact on the functioning of the network or services.

In terms of network security and integrity (and service continuity), the aim is to ensure the following points:

1. Use of appropriate technical and organizational measures to protect the security of networks and services.
2. Use of appropriate steps to ensure network integrity.
3. To notify the authority with a significant influence on the operation of the networks about the security incidents.

In terms of security when processing personal data, the goal is to ensure the following points:

1. Using appropriate technical and organizational measures to protect the security of networks and services.
2. Using measures to ensure the security of personal data processing.
3. To notify the authority with a significant impact on the operation of the networks about violations of personal data, and if necessary to communicate with the affected users.

The security policy will be specified in several chapters, namely:

• MANAGING GENERAL SECURITY RISKS
• PROTECTION OF END USERS
• MAINTAINING NETWORK AVAILABILITY
• SECURITY AND INTEGRITY OF PERSONAL DATA

2. Management of general security risks

2.1 Basics of risk management

In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.

2.1.1. A threat

A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.

A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.

2.1.2 Vulnerability

A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.

Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.

2.1.2 Why is it important to manage risk?

The primary objectives of risk management are:

• Network security and integrity.
• Ensuring continuity of services.
• Security when storing and processing personal data.
• Protection of the business success and mission of the Operator.

According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.

2.2 Risk assessment

The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.

2.2.1 Quantitative risk assessment

Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:

Annual probability of loss = Probability of one occurrence * Annual occurrence rate

2.2.2 Qualitative risk assessment

Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.

In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.

2.2.3 Identification of threats

In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.

Name/Description:

• Accidental disclosure.
• Unauthorized or accidental release of classified, personal or sensitive information.
• Software change.
• Deliberate modification, addition or deletion of the operating system or programs running on it, by authorized or unauthorized persons, which leads to compromising the privacy, availability or integrity of data, programs, systems or resources under the control of the affected system or application. The source of such threats can be viruses, Trojan horses, malicious code, trapdoors and the like.
• Use of flow capacity (Bandwidth).
• Intentional or unintentional use of the communication flow capacity, for needs beyond those provided for in the contract, such as for the transmission of data through which third parties are harassed and lied, which causes an immediate and serious threat to public order, security, human health or the environment, and other types of communication use that is prohibited by positive legal regulations.

Power outage:

• In the event of a power outage, ICT systems may not be able to be used, and data may be unintentionally modified or destroyed.

Deliberate data alteration Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.

System error:

• Accidental or unintentional error during installation, configuration or upgrade of hardware, software or communication equipment.

Telecommunications failure or outage:

• Any communication link, unit or component of the telecommunication system which, due to a malfunction, may lead to a failure or interruption of data transmission through the telecommunication channels.

Works of nature:

• All types of natural disasters (earthquake, storm, etc.) that can damage or affect the system/application. These disasters can lead to partial or total unavailability, thus affecting the availability of systems and services.

2.2.4 Identifying vulnerabilities

The following methods are used to identify vulnerabilities:

• Vulnerability scanners. Refers to software that examines an operating system, network application, or code for some known flaws and vulnerabilities by comparing the system against a database of bug and vulnerability records.
• Penetration tests. It refers to a deliberate attempt by a person in charge of security analyzes of the Operator, to carry out activities to cause a threat to ICT systems.
• Audit of operational and management control processes. In-depth analysis and audit of operational and management control processes, through comparison of current practice and procedures with procedures that are advanced or best practice in the business.

In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.

When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:

• Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org).
• National Vulnerability Database (NVD - http://nvd.nist.gov).

2.2.4 Risk management

Two basic risk management strategies are used: mitigation and avoidance. They are explained below:

• Mitigation. It covers activities and processes to reduce the probability and possible consequences associated with a certain flaw or failure of ICT systems. A common risk mitigation activity for a technical flaw is to install a patch provided by the equipment vendor.
• Avoiding. It refers to the activity of eliminating the vulnerable part of the system or even the entire system. For example, if a risk assessment determines that the user's web portal used to display traffic usage has a flaw where one subscriber can see usage for another subscriber, then code repair is attempted. 

3. Protection of end users

The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.

In addition, the Operator applies the following measures regarding the protection of end users:

3.1 Technical measures

The following measures are applied to protect end users:

• The user line for delivery of electronic communication service is delivered to the subscriber as a separate broadcast domain, that is, it is isolated using VLAN technology. This prevents access at the level of the same Ethernet broadcast domain by other users within the Operator's network. In order to ensure that VLAN technology will provide isolation, the Operator uses the practice of mandatory tagging of packets when they pass through the ports with the correct VLAN tag, not allowing untagged packets or incorrectly tagged packets to be transmitted within the network.
• The operator performs regular scans of the user's line to determine the vulnerability that allows the server of the domain name system (if the subscriber has one) to be misused to make global DDOS attacks.

3.1 Stakeholder notification measures during a security incident

A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about the same to the interested parties and taking and activities that the operators should take over in the event of a violation of the security of personal data.

These notices cover the following parties:

3.1.1 Notification by the Operator to the Directorate for Personal Data Protection

The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator. 

3.1.2 Notification from the Operator to the subscriber

If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).

4. Maintaining network availability

In order to better serve users, the Operator is fully committed to ensure stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The operator uses the measures and practices described below directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to provision of a high percentage of availability and a reduced probability of service interruption.

4.1 Maintenance of high quality and availability of the passive network

Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.

Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.

4.2 Maintenance of high quality and availability of the active network

The operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.

4.3 Maintaining availability with an advanced monitoring system

The operator uses a 24/7 constantly active monitoring system, for the interconnection links, for the core of the network as well as for every interface that leads to a subscriber. The monitoring system makes deep analyzes of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support

In terms of checks for links to the global Internet, the following automated tests are performed every minute:

• Port status and RX optical level of the SFP of the interconnection port with the global provider.
• Ping and traceroute from our network to global providers, ping and traceroute from external network from Europe to our network.
• In case of detection of a warning or failure of one of the interconnection providers, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:

• Port status and RX optical level of the SFP connection port to each uplink port of the L2/L3 device part of the Core.
• Temperature status of each L2/L3 device part of the Core.
• Hardware health status of each L2/L3 device part of the Core.
• CPU and RAM utilization status of each L2/L3 device part of the Kernel.
• DNS server status, if the device has such a function.
• In case of detection of a warning or failure of a part of the Core, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them for examination and solution of the problem.

In terms of line checks for each subscriber, the following automated tests are performed every minute:

1. Port status and RX optical level of the SFP port representing the connection to the subscriber's user terminal equipment.

In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

4.4 Maintaining availability with a 24/7 intervention service

The operator provides 24/7 technical support service. This service uses the 24/7 constantly active monitoring system described in chapter 4.3, for insight and reaction regarding interruptions and failures of services warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field exposure persons to repair a fault in the passive or active segment of the network, who are available 24/7.

4.4 Maintaining Availability Through Redundant Architecture

Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.

5. Security and integrity of personal data

The operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.

5.1 What information is collected

We collect and process the following personally identifiable data:

1. In the case of legal entities, we collect the following information: Name of legal entity, address, telephone number, email address, unique tax number and unique identification number. In the case of natural persons, we collect the following information: First/Surname, address, telephone number and email address. This information is collected when filling an order for any of the services.
2. Details of financial transactions that have occurred due to the settlement of obligations related to services.
3. A record of the communication that occurs when you contact us by email, mail or phone.
4. Information about the configuration, type and quantity of telecommunication services used by users.

5.2 What the data is used for:

We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed, stored for the following purposes:

• To process orders and contracts with users.
• To enable users to access a web portal through which traffic usage can be monitored.
• To provide notice regarding the services.
• To submit an invoice regarding the services.
• To analyze how you use the services, such as to analyze the average level of utilization of streaming capacity, in order to propose a solution in case of a problem.
• To investigate user complaints.
• To set the approximate location of the subscriber in the monitoring system, in order to have a faster reaction when repairing a defect.
• To submit the information to the appropriate state institutions in case of legal dispute, crime detection and other activities that are contrary to the Law on Electronic Communications or other law or regulation.

5.3 Ensuring security and integrity of personal data

We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It is good to note that the technology, no matter how advanced, becomes a vulnerable matter over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and such a break use for inappropriate purposes.

The operator uses the following measures to ensure the security and integrity of personal data.

5.3.1 Physical measures

Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.

• The Operator's facilities are secured by persons in charge of security.
• The Operator's facilities where personal data are stored or accessed are under constant video surveillance.

5.3.2 Procedural measures

Procedural measures are specified in the list below:

• The operator follows procedures to ensure that only authorized persons have access to ICT systems where personal data is collected, stored and processed. Authorization of an account linked to a specific administrator, for access to the ICT systems where personal data is collected, stored and processed, is done only by the manager of the Operator. When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code that requires an additional code sent to the phone designated as the account holder for access.
• Persons who are authorized to access ICT systems where personal data is collected, stored and processed, sign an agreement with the Operator for the use of users' personal data only for their purpose described in chapter 5.2.

5.3.3 Technical measures

The technical measures are specified in the list below:

• Confidential user information must be transmitted securely. When communicating this data through email systems, a framework has been established for the mandatory use of encrypted communication using the Transport Layer Security (TLS) method, which is an industry-recognized standard based on Secure Sockets Layer (SSL) technology for email communication encryption.
• Personal information for users who are legal entities, namely: name of legal entity, address, telephone number, email address, unique tax number and unique identification number; are stored in an encrypted form where the encryption and decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits, additionally they are communicated in a secure way through encrypted communication using the TLS method.
• Personal information for users who are natural persons, including first name/surname, phone number and email address; are stored in an encrypted form where the encryption/decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits. In electronic communication of the same, secure communication with the TLS method is used.
• When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code sent to the phone designated as the account holder for access.

6. Contact information

6.1 Name and headquarters of the operator

INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje

6.2 Data for the personal data protection officer

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

6.3 Data for the person responsible for information security and for reporting security breaches

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

Article 1 - Subject and scope

1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in a role of a service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred  to as “Parties".

1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for hosting of Cloud NAT Gateway system, and the rights and obligations for the parties arising out of it.

1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.

Article 2 - Services and term

2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").

2.3. This agreement is concluded for an unlimited time period unless otherwise agreed. 

2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.

Article 3 - Service charges and billing

3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.

3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber. 

3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.

Article 4 - Limitation or termination of access

4.1. The Operator may, without consent from the Subscriber, temporary limit or terminate access to the Services, in the following cases:

• If that is necessary for the purposes of reconstruction, modernization, maintenance or in case of technical issues or deficiency in the network, up to completion of the works or removal of the problems.
• If there are technical problems with the Subscriber equipment or installations, up to removal of the same, оr if the Subscriber does not allow inspection of the functionality of its equipment or installations, up to completion of the inspection.
• If the Subscriber fails to pay the invoice for the monthly subscription by the date specified in the Invoice until the entire payment is made, except in case of an appeal regarding the amount of the Invoice, in that case the Subscriber shall pay the amount of the monthly subscription by the date stated in the Invoice.
• If the services are used or dedicated to be used for purposes opposite to the Law for Electronic Communications of North Macedonia, and the related regulations, or other law or regulations, as determined by the competent body, or they are used or dedicated to be used for a purpose opposite to the terms and conditions of this agreement.

4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.

Article 5 - Disconnection of the Subscriber

5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber, in written manner, and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:

• Causes instantaneous and serious threats to the public order, safety, human health or the environment, or causes great material or operational damage.
• Causes immediate threat to the Operator’s network or equipment, or the ability to provide services to other Subscribers.

5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.

Article 6 - Termination of the agreement by the Operator

6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:

• If the Subscriber fails to complete its obligations from the agreement.
• If the Services are used or are dedicated to be used for a purpose opposite to the conditions from this agreement.
• In case when by a court decision the Subscriber is deleted from the adequate register.
• In case of bankruptcy or liquidation, or insolvency of the Subscriber, if the right to use the service has not been transferred to another person, within a period determined by the Operator.
• In case of abuse of the services by the Subscriber, for purposes against the related laws and regulations defined by a competent body in North Macedonia.
• If the Operator cannot provide the Services, due to force majeure, longer than 6 months.
• In case of death of the Subscriber, if the right to use the service is not transferred to another person within six months.

Article 7 - Termination of the agreement by the Subscriber

7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services. 

7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.

Article 8 - The Operator's  rights

8.1. The Operator shall have the following rights:

• Charge fees determined in the order, from the Subscriber or his legal successor.
• Disconnect and deactivate the Services, due to delayed payment or non-payment of the bills.
• Change the technical characteristics of the network and service, in order to provide a better quality and possibility for using new services.
• Request data from the Subscriber, which is used for conclusion, supervision and termination of this agreement, and also data for debt collection.
• Keep, process and exchange Subscriber’s data, for the purpose of fulfilling the objectives of this agreement.

Article 9 - The Operator's obligations

9.1. The Operator shall have the following obligations:

• Provide activation and access to the Services within the period determined in the Order Form.
• Keep and use data of Subscribers and Services in accordance with the related laws and regulations.
• Inform the Subscriber, in written manner, in case of violation of the provisions from this agreement and determine a reasonable period for completing the contractual obligations.
• Provide maintenance of the network and the equipment, in a manner that enables continuous provision of the Services, and within the technical possibilities remove any interference of the network and the equipment, as soon as possible.
• Оbtain consent from the Subscriber for information necessary for direct marketing, and by using automatic calling systems and/or sending SMS/MS messages, without human intervention.
• Enable transfer of the right to use Services to another subject, upon request from the Subscriber.
• To provide technical support 24x7 to the Subscriber via telephone and email.

Article 10 - The Subscriber's rights

10.1. The Subscriber shall be entitled to:

• Receive the Services without interruptions, efficiently and regularly, in accordance with the possibilities of the Subscriber’s technical infrastructure.
• To ask the Operator to transfer the right to use the Services to another person. An operator may refuse the request if it finds that the other person can not meet the contractual requirements.

Article 11 - Subscriber's obligations

11.1. The Subscriber shall have the following obligations:

• To timely pay the invoiced amounts for used Services, up to the date stated in the bill.
• Use the Services for its own needs and according to their purpose, and not disturb other users, and not to use them for transmitting data or for purposes opposite to the laws and regulations of the Republic of North Macedonia, as well as the conditions contained in this agreement.
• Not undertake any activities which would hinder the integrity of the network or would cause any damages.
• Not disclose its personal encrypted data to third parties. In relation to damages which have occurred due to disclosure of personal encrypted data due to subscriber fault, the Subscriber shall be personally responsible.
• Not to allow the services to be used for sending scam, disturbing or false messages.
• Not to operatе applications that are used to mine crypto currencies.
• Not to scan foreign networks or foreign IP addresses.
• Not to fake source IP addresses.
• To use the services in such a way that does not compromise the integrity and availability of the networks, servers and data of third parties. 
• To not use the services for performing (d)DOS attacks or to run applications that are capable of performing these actions.
• To make backup copies of their data.

Article 12 - Disclaimer of warranty and limitation of liability

12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.

12.2. Тhe Operator shall not be hold responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties. 

Article 13 - Additional provisions

13.1. The use of the Services may be interrupted by the force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike , riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services, caused by a Force Majeure Event.

13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.

13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.

13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/en/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.

Article 14 - Final provisions

14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.

14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in entirety and agrees to be bound by the provisions thereof.

Contents

1. INTRODUCTION

2. MANAGEMENT OF GENERAL SECURITY RISKS

2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management

3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber

4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture

5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures

6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches

1. Introduction

INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.

Through this security policy, it is necessary to achieve the following goals:

1. To ensure the security and integrity of public electronic communication networks and services.
2. To specify the actions that should be taken in the event of a violation of the security of personal data.
3. To submit a notification to the Electronic Communications Agency in the event of a security breach or loss of integrity that had a significant impact on the functioning of the network or services.

In terms of network security and integrity (and service continuity), the aim is to ensure the following points:

1. Use of appropriate technical and organizational measures to protect the security of networks and services.
2. Use of appropriate steps to ensure network integrity.
3. To notify the authority with a significant influence on the operation of the networks about the security incidents.

In terms of security when processing personal data, the goal is to ensure the following points:

1. Using appropriate technical and organizational measures to protect the security of networks and services.
2. Using measures to ensure the security of personal data processing.
3. To notify the authority with a significant impact on the operation of the networks about violations of personal data, and if necessary to communicate with the affected users.

The security policy will be specified in several chapters, namely:

• MANAGING GENERAL SECURITY RISKS
• PROTECTION OF END USERS
• MAINTAINING NETWORK AVAILABILITY
• SECURITY AND INTEGRITY OF PERSONAL DATA

2. Management of general security risks

2.1 Basics of risk management

In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.

2.1.1. A threat

A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.

A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.

2.1.2 Vulnerability

A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.

Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.

2.1.2 Why is it important to manage risk?

The primary objectives of risk management are:

• Network security and integrity.
• Ensuring continuity of services.
• Security when storing and processing personal data.
• Protection of the business success and mission of the Operator.

According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.

2.2 Risk assessment

The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.

2.2.1 Quantitative risk assessment

Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:

Annual probability of loss = Probability of one occurrence * Annual occurrence rate

2.2.2 Qualitative risk assessment

Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.

In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.

2.2.3 Identification of threats

In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.

Name/Description:

• Accidental disclosure.
• Unauthorized or accidental release of classified, personal or sensitive information.
• Software change.
• Deliberate modification, addition or deletion of the operating system or programs running on it, by authorized or unauthorized persons, which leads to compromising the privacy, availability or integrity of data, programs, systems or resources under the control of the affected system or application. The source of such threats can be viruses, Trojan horses, malicious code, trapdoors and the like.
• Use of flow capacity (Bandwidth).
• Intentional or unintentional use of the communication flow capacity, for needs beyond those provided for in the contract, such as for the transmission of data through which third parties are harassed and lied, which causes an immediate and serious threat to public order, security, human health or the environment, and other types of communication use that is prohibited by positive legal regulations.

Power outage:

• In the event of a power outage, ICT systems may not be able to be used, and data may be unintentionally modified or destroyed.

Deliberate data alteration Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.

System error:

• Accidental or unintentional error during installation, configuration or upgrade of hardware, software or communication equipment.

Telecommunications failure or outage:

• Any communication link, unit or component of the telecommunication system which, due to a malfunction, may lead to a failure or interruption of data transmission through the telecommunication channels.

Works of nature:

• All types of natural disasters (earthquake, storm, etc.) that can damage or affect the system/application. These disasters can lead to partial or total unavailability, thus affecting the availability of systems and services.

2.2.4 Identifying vulnerabilities

The following methods are used to identify vulnerabilities:

• Vulnerability scanners. Refers to software that examines an operating system, network application, or code for some known flaws and vulnerabilities by comparing the system against a database of bug and vulnerability records.
• Penetration tests. It refers to a deliberate attempt by a person in charge of security analyzes of the Operator, to carry out activities to cause a threat to ICT systems.
• Audit of operational and management control processes. In-depth analysis and audit of operational and management control processes, through comparison of current practice and procedures with procedures that are advanced or best practice in the business.

In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.

When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:

• Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org).
• National Vulnerability Database (NVD - http://nvd.nist.gov).

2.2.4 Risk management

Two basic risk management strategies are used: mitigation and avoidance. They are explained below:

• Mitigation. It covers activities and processes to reduce the probability and possible consequences associated with a certain flaw or failure of ICT systems. A common risk mitigation activity for a technical flaw is to install a patch provided by the equipment vendor.
• Avoiding. It refers to the activity of eliminating the vulnerable part of the system or even the entire system. For example, if a risk assessment determines that the user's web portal used to display traffic usage has a flaw where one subscriber can see usage for another subscriber, then code repair is attempted. 

3. Protection of end users

The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.

In addition, the Operator applies the following measures regarding the protection of end users:

3.1 Technical measures

The following measures are applied to protect end users:

• The user line for delivery of electronic communication service is delivered to the subscriber as a separate broadcast domain, that is, it is isolated using VLAN technology. This prevents access at the level of the same Ethernet broadcast domain by other users within the Operator's network. In order to ensure that VLAN technology will provide isolation, the Operator uses the practice of mandatory tagging of packets when they pass through the ports with the correct VLAN tag, not allowing untagged packets or incorrectly tagged packets to be transmitted within the network.
• The operator performs regular scans of the user's line to determine the vulnerability that allows the server of the domain name system (if the subscriber has one) to be misused to make global DDOS attacks.

3.1 Stakeholder notification measures during a security incident

A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about the same to the interested parties and taking and activities that the operators should take over in the event of a violation of the security of personal data.

These notices cover the following parties:

3.1.1 Notification by the Operator to the Directorate for Personal Data Protection

The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator. 

3.1.2 Notification from the Operator to the subscriber

If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).

4. Maintaining network availability

In order to better serve users, the Operator is fully committed to ensure stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The operator uses the measures and practices described below directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to provision of a high percentage of availability and a reduced probability of service interruption.

4.1 Maintenance of high quality and availability of the passive network

Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.

Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.

4.2 Maintenance of high quality and availability of the active network

The operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.

4.3 Maintaining availability with an advanced monitoring system

The operator uses a 24/7 constantly active monitoring system, for the interconnection links, for the core of the network as well as for every interface that leads to a subscriber. The monitoring system makes deep analyzes of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support

In terms of checks for links to the global Internet, the following automated tests are performed every minute:

• Port status and RX optical level of the SFP of the interconnection port with the global provider.
• Ping and traceroute from our network to global providers, ping and traceroute from external network from Europe to our network.
• In case of detection of a warning or failure of one of the interconnection providers, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:

• Port status and RX optical level of the SFP connection port to each uplink port of the L2/L3 device part of the Core.
• Temperature status of each L2/L3 device part of the Core.
• Hardware health status of each L2/L3 device part of the Core.
• CPU and RAM utilization status of each L2/L3 device part of the Kernel.
• DNS server status, if the device has such a function.
• In case of detection of a warning or failure of a part of the Core, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them for examination and solution of the problem.

In terms of line checks for each subscriber, the following automated tests are performed every minute:

1. Port status and RX optical level of the SFP port representing the connection to the subscriber's user terminal equipment.

In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

4.4 Maintaining availability with a 24/7 intervention service

The operator provides 24/7 technical support service. This service uses the 24/7 constantly active monitoring system described in chapter 4.3, for insight and reaction regarding interruptions and failures of services warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field exposure persons to repair a fault in the passive or active segment of the network, who are available 24/7.

4.4 Maintaining Availability Through Redundant Architecture

Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.

5. Security and integrity of personal data

The operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.

5.1 What information is collected

We collect and process the following personally identifiable data:

1. In the case of legal entities, we collect the following information: Name of legal entity, address, telephone number, email address, unique tax number and unique identification number. In the case of natural persons, we collect the following information: First/Surname, address, telephone number and email address. This information is collected when filling an order for any of the services.
2. Details of financial transactions that have occurred due to the settlement of obligations related to services.
3. A record of the communication that occurs when you contact us by email, mail or phone.
4. Information about the configuration, type and quantity of telecommunication services used by users.

5.2 What the data is used for:

We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed, stored for the following purposes:

• To process orders and contracts with users.
• To enable users to access a web portal through which traffic usage can be monitored.
• To provide notice regarding the services.
• To submit an invoice regarding the services.
• To analyze how you use the services, such as to analyze the average level of utilization of streaming capacity, in order to propose a solution in case of a problem.
• To investigate user complaints.
• To set the approximate location of the subscriber in the monitoring system, in order to have a faster reaction when repairing a defect.
• To submit the information to the appropriate state institutions in case of legal dispute, crime detection and other activities that are contrary to the Law on Electronic Communications or other law or regulation.

5.3 Ensuring security and integrity of personal data

We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It is good to note that the technology, no matter how advanced, becomes a vulnerable matter over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and such a break use for inappropriate purposes.

The operator uses the following measures to ensure the security and integrity of personal data.

5.3.1 Physical measures

Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.

• The Operator's facilities are secured by persons in charge of security.
• The Operator's facilities where personal data are stored or accessed are under constant video surveillance.

5.3.2 Procedural measures

Procedural measures are specified in the list below:

• The operator follows procedures to ensure that only authorized persons have access to ICT systems where personal data is collected, stored and processed. Authorization of an account linked to a specific administrator, for access to the ICT systems where personal data is collected, stored and processed, is done only by the manager of the Operator. When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code that requires an additional code sent to the phone designated as the account holder for access.
• Persons who are authorized to access ICT systems where personal data is collected, stored and processed, sign an agreement with the Operator for the use of users' personal data only for their purpose described in chapter 5.2.

5.3.3 Technical measures

The technical measures are specified in the list below:

• Confidential user information must be transmitted securely. When communicating this data through email systems, a framework has been established for the mandatory use of encrypted communication using the Transport Layer Security (TLS) method, which is an industry-recognized standard based on Secure Sockets Layer (SSL) technology for email communication encryption.
• Personal information for users who are legal entities, namely: name of legal entity, address, telephone number, email address, unique tax number and unique identification number; are stored in an encrypted form where the encryption and decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits, additionally they are communicated in a secure way through encrypted communication using the TLS method.
• Personal information for users who are natural persons, including first name/surname, phone number and email address; are stored in an encrypted form where the encryption/decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits. In electronic communication of the same, secure communication with the TLS method is used.
• When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code sent to the phone designated as the account holder for access.

6. Contact information

6.1 Name and headquarters of the operator

INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje

6.2 Data for the personal data protection officer

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

6.3 Data for the person responsible for information security and for reporting security breaches

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

Article 1 - Subject and scope

1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in a role of a service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred  to as “Parties".

1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for hosting of dedicated servers, and the rights and obligations for the parties arising out of it.

1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.

Article 2 - Services and term

2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").

2.3. This agreement is concluded for an unlimited time period unless otherwise agreed. 

2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.

Article 3 - Service charges and billing

3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.

3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber. 

3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.

Article 4 - Limitation or termination of access

4.1. The Operator may, without consent from the Subscriber, temporary limit or terminate access to the Services, in the following cases:

• If that is necessary for the purposes of reconstruction, modernization, maintenance or in case of technical issues or deficiency in the network, up to completion of the works or removal of the problems.
• If there are technical problems with the Subscriber equipment or installations, up to removal of the same, оr if the Subscriber does not allow inspection of the functionality of its equipment or installations, up to completion of the inspection.
• If the Subscriber fails to pay the invoice for the monthly subscription by the date specified in the Invoice until the entire payment is made, except in case of an appeal regarding the amount of the Invoice, in that case the Subscriber shall pay the amount of the monthly subscription by the date stated in the Invoice.
• If the services are used or dedicated to be used for purposes opposite to the Law for Electronic Communications of North Macedonia, and the related regulations, or other law or regulations, as determined by the competent body, or they are used or dedicated to be used for a purpose opposite to the terms and conditions of this agreement.

4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.

Article 5 - Disconnection of the Subscriber

5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber, in written manner, and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:

• Causes instantaneous and serious threats to the public order, safety, human health or the environment, or causes great material or operational damage.
• Causes immediate threat to the Operator’s network or equipment, or the ability to provide services to other Subscribers.

5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.

Article 6 - Termination of the agreement by the Operator

6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:

• If the Subscriber fails to complete its obligations from the agreement.
• If the Services are used or are dedicated to be used for a purpose opposite to the conditions from this agreement.
• In case when by a court decision the Subscriber is deleted from the adequate register.
• In case of bankruptcy or liquidation, or insolvency of the Subscriber, if the right to use the service has not been transferred to another person, within a period determined by the Operator.
• In case of abuse of the services by the Subscriber, for purposes against the related laws and regulations defined by a competent body in North Macedonia.
• If the Operator cannot provide the Services, due to force majeure, longer than 6 months.
• In case of death of the Subscriber, if the right to use the service is not transferred to another person within six months.

Article 7 - Termination of the agreement by the Subscriber

7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services. 

7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.

Article 8 - The Operator's  rights

8.1. The Operator shall have the following rights:

• Charge fees determined in the order, from the Subscriber or his legal successor.
• Disconnect and deactivate the Services, due to delayed payment or non-payment of the bills.
• Change the technical characteristics of the network and service, in order to provide a better quality and possibility for using new services.
• Request data from the Subscriber, which is used for conclusion, supervision and termination of this agreement, and also data for debt collection.
• Keep, process and exchange Subscriber’s data, for the purpose of fulfilling the objectives of this agreement.

Article 9 - The Operator's obligations

9.1. The Operator shall have the following obligations:

• Provide activation and access to the Services within the period determined in the Order Form.
• Keep and use data of Subscribers and Services in accordance with the related laws and regulations.
• Inform the Subscriber, in written manner, in case of violation of the provisions from this agreement and determine a reasonable period for completing the contractual obligations.
• Provide maintenance of the network and the equipment, in a manner that enables continuous provision of the Services, and within the technical possibilities remove any interference of the network and the equipment, as soon as possible.
• Оbtain consent from the Subscriber for information necessary for direct marketing, and by using automatic calling systems and/or sending SMS/MS messages, without human intervention.
• Enable transfer of the right to use Services to another subject, upon request from the Subscriber.
• To provide technical support 24x7 to the Subscriber via telephone and email.

Article 10 - The Subscriber's rights

10.1. The Subscriber shall be entitled to:

• Receive the Services without interruptions, efficiently and regularly, in accordance with the possibilities of the Subscriber’s technical infrastructure.
• To ask the Operator to transfer the right to use the Services to another person. An operator may refuse the request if it finds that the other person can not meet the contractual requirements.

Article 11 - Subscriber's obligations

11.1. The Subscriber shall have the following obligations:

• To timely pay the invoiced amounts for used Services, up to the date stated in the bill.
• Use the Services for its own needs and according to their purpose, and not disturb other users, and not to use them for transmitting data or for purposes opposite to the laws and regulations of the Republic of North Macedonia, as well as the conditions contained in this agreement.
• Not undertake any activities which would hinder the integrity of the network or would cause any damages.
• Not disclose its personal encrypted data to third parties. In relation to damages which have occurred due to disclosure of personal encrypted data due to subscriber fault, the Subscriber shall be personally responsible.
• Not to allow the services to be used for sending scam, disturbing or false messages.
• Not to operatе applications that are used to mine crypto currencies.
• Not to scan foreign networks or foreign IP addresses.
• Not to fake source IP addresses.
• To use the services in such a way that does not compromise the integrity and availability of the networks, servers and data of third parties. 
• To not use the services for performing (d)DOS attacks or to run applications that are capable of performing these actions.
• To make backup copies of their data.

Article 12 - Disclaimer of warranty and limitation of liability

12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.

12.2. Тhe Operator shall not be hold responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties. 

Article 13 - Additional provisions

13.1. The use of the Services may be interrupted by the force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike , riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services, caused by a Force Majeure Event.

13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.

13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.

13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/en/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.

Article 14 - Final provisions

14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.

14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in entirety and agrees to be bound by the provisions thereof.

Contents

1. INTRODUCTION

2. MANAGEMENT OF GENERAL SECURITY RISKS

2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management

3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber

4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture

5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures

6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches

1. Introduction

INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.

Through this security policy, it is necessary to achieve the following goals:

1. To ensure the security and integrity of public electronic communication networks and services.
2. To specify the actions that should be taken in the event of a violation of the security of personal data.
3. To submit a notification to the Electronic Communications Agency in the event of a security breach or loss of integrity that had a significant impact on the functioning of the network or services.

In terms of network security and integrity (and service continuity), the aim is to ensure the following points:

1. Use of appropriate technical and organizational measures to protect the security of networks and services.
2. Use of appropriate steps to ensure network integrity.
3. To notify the authority with a significant influence on the operation of the networks about the security incidents.

In terms of security when processing personal data, the goal is to ensure the following points:

1. Using appropriate technical and organizational measures to protect the security of networks and services.
2. Using measures to ensure the security of personal data processing.
3. To notify the authority with a significant impact on the operation of the networks about violations of personal data, and if necessary to communicate with the affected users.

The security policy will be specified in several chapters, namely:

• MANAGING GENERAL SECURITY RISKS
• PROTECTION OF END USERS
• MAINTAINING NETWORK AVAILABILITY
• SECURITY AND INTEGRITY OF PERSONAL DATA

2. Management of general security risks

2.1 Basics of risk management

In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.

2.1.1. A threat

A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.

A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.

2.1.2 Vulnerability

A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.

Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.

2.1.2 Why is it important to manage risk?

The primary objectives of risk management are:

• Network security and integrity.
• Ensuring continuity of services.
• Security when storing and processing personal data.
• Protection of the business success and mission of the Operator.

According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.

2.2 Risk assessment

The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.

2.2.1 Quantitative risk assessment

Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:

Annual probability of loss = Probability of one occurrence * Annual occurrence rate

2.2.2 Qualitative risk assessment

Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.

In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.

2.2.3 Identification of threats

In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.

Name/Description:

• Accidental disclosure.
• Unauthorized or accidental release of classified, personal or sensitive information.
• Software change.
• Deliberate modification, addition or deletion of the operating system or programs running on it, by authorized or unauthorized persons, which leads to compromising the privacy, availability or integrity of data, programs, systems or resources under the control of the affected system or application. The source of such threats can be viruses, Trojan horses, malicious code, trapdoors and the like.
• Use of flow capacity (Bandwidth).
• Intentional or unintentional use of the communication flow capacity, for needs beyond those provided for in the contract, such as for the transmission of data through which third parties are harassed and lied, which causes an immediate and serious threat to public order, security, human health or the environment, and other types of communication use that is prohibited by positive legal regulations.

Power outage:

• In the event of a power outage, ICT systems may not be able to be used, and data may be unintentionally modified or destroyed.

Deliberate data alteration Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.

System error:

• Accidental or unintentional error during installation, configuration or upgrade of hardware, software or communication equipment.

Telecommunications failure or outage:

• Any communication link, unit or component of the telecommunication system which, due to a malfunction, may lead to a failure or interruption of data transmission through the telecommunication channels.

Works of nature:

• All types of natural disasters (earthquake, storm, etc.) that can damage or affect the system/application. These disasters can lead to partial or total unavailability, thus affecting the availability of systems and services.

2.2.4 Identifying vulnerabilities

The following methods are used to identify vulnerabilities:

• Vulnerability scanners. Refers to software that examines an operating system, network application, or code for some known flaws and vulnerabilities by comparing the system against a database of bug and vulnerability records.
• Penetration tests. It refers to a deliberate attempt by a person in charge of security analyzes of the Operator, to carry out activities to cause a threat to ICT systems.
• Audit of operational and management control processes. In-depth analysis and audit of operational and management control processes, through comparison of current practice and procedures with procedures that are advanced or best practice in the business.

In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.

When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:

• Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org).
• National Vulnerability Database (NVD - http://nvd.nist.gov).

2.2.4 Risk management

Two basic risk management strategies are used: mitigation and avoidance. They are explained below:

• Mitigation. It covers activities and processes to reduce the probability and possible consequences associated with a certain flaw or failure of ICT systems. A common risk mitigation activity for a technical flaw is to install a patch provided by the equipment vendor.
• Avoiding. It refers to the activity of eliminating the vulnerable part of the system or even the entire system. For example, if a risk assessment determines that the user's web portal used to display traffic usage has a flaw where one subscriber can see usage for another subscriber, then code repair is attempted. 

3. Protection of end users

The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.

In addition, the Operator applies the following measures regarding the protection of end users:

3.1 Technical measures

The following measures are applied to protect end users:

• The user line for delivery of electronic communication service is delivered to the subscriber as a separate broadcast domain, that is, it is isolated using VLAN technology. This prevents access at the level of the same Ethernet broadcast domain by other users within the Operator's network. In order to ensure that VLAN technology will provide isolation, the Operator uses the practice of mandatory tagging of packets when they pass through the ports with the correct VLAN tag, not allowing untagged packets or incorrectly tagged packets to be transmitted within the network.
• The operator performs regular scans of the user's line to determine the vulnerability that allows the server of the domain name system (if the subscriber has one) to be misused to make global DDOS attacks.

3.1 Stakeholder notification measures during a security incident

A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about the same to the interested parties and taking and activities that the operators should take over in the event of a violation of the security of personal data.

These notices cover the following parties:

3.1.1 Notification by the Operator to the Directorate for Personal Data Protection

The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator. 

3.1.2 Notification from the Operator to the subscriber

If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).

4. Maintaining network availability

In order to better serve users, the Operator is fully committed to ensure stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The operator uses the measures and practices described below directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to provision of a high percentage of availability and a reduced probability of service interruption.

4.1 Maintenance of high quality and availability of the passive network

Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.

Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.

4.2 Maintenance of high quality and availability of the active network

The operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.

4.3 Maintaining availability with an advanced monitoring system

The operator uses a 24/7 constantly active monitoring system, for the interconnection links, for the core of the network as well as for every interface that leads to a subscriber. The monitoring system makes deep analyzes of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support

In terms of checks for links to the global Internet, the following automated tests are performed every minute:

• Port status and RX optical level of the SFP of the interconnection port with the global provider.
• Ping and traceroute from our network to global providers, ping and traceroute from external network from Europe to our network.
• In case of detection of a warning or failure of one of the interconnection providers, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:

• Port status and RX optical level of the SFP connection port to each uplink port of the L2/L3 device part of the Core.
• Temperature status of each L2/L3 device part of the Core.
• Hardware health status of each L2/L3 device part of the Core.
• CPU and RAM utilization status of each L2/L3 device part of the Kernel.
• DNS server status, if the device has such a function.
• In case of detection of a warning or failure of a part of the Core, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them for examination and solution of the problem.

In terms of line checks for each subscriber, the following automated tests are performed every minute:

1. Port status and RX optical level of the SFP port representing the connection to the subscriber's user terminal equipment.

In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

4.4 Maintaining availability with a 24/7 intervention service

The operator provides 24/7 technical support service. This service uses the 24/7 constantly active monitoring system described in chapter 4.3, for insight and reaction regarding interruptions and failures of services warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field exposure persons to repair a fault in the passive or active segment of the network, who are available 24/7.

4.4 Maintaining Availability Through Redundant Architecture

Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.

5. Security and integrity of personal data

The operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.

5.1 What information is collected

We collect and process the following personally identifiable data:

1. In the case of legal entities, we collect the following information: Name of legal entity, address, telephone number, email address, unique tax number and unique identification number. In the case of natural persons, we collect the following information: First/Surname, address, telephone number and email address. This information is collected when filling an order for any of the services.
2. Details of financial transactions that have occurred due to the settlement of obligations related to services.
3. A record of the communication that occurs when you contact us by email, mail or phone.
4. Information about the configuration, type and quantity of telecommunication services used by users.

5.2 What the data is used for:

We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed, stored for the following purposes:

• To process orders and contracts with users.
• To enable users to access a web portal through which traffic usage can be monitored.
• To provide notice regarding the services.
• To submit an invoice regarding the services.
• To analyze how you use the services, such as to analyze the average level of utilization of streaming capacity, in order to propose a solution in case of a problem.
• To investigate user complaints.
• To set the approximate location of the subscriber in the monitoring system, in order to have a faster reaction when repairing a defect.
• To submit the information to the appropriate state institutions in case of legal dispute, crime detection and other activities that are contrary to the Law on Electronic Communications or other law or regulation.

5.3 Ensuring security and integrity of personal data

We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It is good to note that the technology, no matter how advanced, becomes a vulnerable matter over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and such a break use for inappropriate purposes.

The operator uses the following measures to ensure the security and integrity of personal data.

5.3.1 Physical measures

Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.

• The Operator's facilities are secured by persons in charge of security.
• The Operator's facilities where personal data are stored or accessed are under constant video surveillance.

5.3.2 Procedural measures

Procedural measures are specified in the list below:

• The operator follows procedures to ensure that only authorized persons have access to ICT systems where personal data is collected, stored and processed. Authorization of an account linked to a specific administrator, for access to the ICT systems where personal data is collected, stored and processed, is done only by the manager of the Operator. When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code that requires an additional code sent to the phone designated as the account holder for access.
• Persons who are authorized to access ICT systems where personal data is collected, stored and processed, sign an agreement with the Operator for the use of users' personal data only for their purpose described in chapter 5.2.

5.3.3 Technical measures

The technical measures are specified in the list below:

• Confidential user information must be transmitted securely. When communicating this data through email systems, a framework has been established for the mandatory use of encrypted communication using the Transport Layer Security (TLS) method, which is an industry-recognized standard based on Secure Sockets Layer (SSL) technology for email communication encryption.
• Personal information for users who are legal entities, namely: name of legal entity, address, telephone number, email address, unique tax number and unique identification number; are stored in an encrypted form where the encryption and decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits, additionally they are communicated in a secure way through encrypted communication using the TLS method.
• Personal information for users who are natural persons, including first name/surname, phone number and email address; are stored in an encrypted form where the encryption/decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits. In electronic communication of the same, secure communication with the TLS method is used.
• When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code sent to the phone designated as the account holder for access.

6. Contact information

6.1 Name and headquarters of the operator

INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje

6.2 Data for the personal data protection officer

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

6.3 Data for the person responsible for information security and for reporting security breaches

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

Article 1 - Subject and scope

1.1 The following Terms and Conditions represent an agreement between the company INTERSPACE DOOEL Skopje (Address: Bul. Jane Sandanski 109A, kat 3, Skopje, North Macedonia; UTN: MK4043014516919) in a role of a service provider (hereinafter “Operator”), and the subject that orders and uses the services (hereinafter “Subscriber”), also hereinafter individually referred to as “Party” or collectively referred  to as “Parties".

1.2. Subject of this agreement is the establishing and ascertaining of the subscriber relation between the Operator and the Subscriber for providing services for web hosting, and the rights and obligations for the parties arising out of it.

1.3 We reserve the right, at our sole discretion, to make changes to these Terms and Conditions by giving the Subscriber prior notification.

Article 2 - Services and term

2.2 The details of the Services are provided in the order form (hereinafter "Order Form"). The Order Form contains information about the type of service, the amount of service charges and other relevant information about the services. In accordance with this agreement, the Operator shall provide the services selected in the Order Form (hereinafter "Services").

2.3. This agreement is concluded for an unlimited time period unless otherwise agreed. 

2.4. This agreement may be terminated at any time, as specified in Article 6 and Article 7. The minimum duration of the agreement is one month.

Article 3 - Service charges and billing

3.1. Subscriber agrees to pay a monthly fee for the Services specified in the Order Form of this agreement, including value added tax.

3.2. The invoices for the monthly subscription specified in the Article 3.1 of this agreement shall be issued by the Operator and sent to the Subscriber in electronic form on the 1st day of the current month, and they shall become due within 12 days from the date of issue. The invoicing of the Services shall commence from the day when the Services are provisioned. The Operator will calculate and add the amount of VAT 18% which will be written separately, and it shall be paid by the Subscriber. 

3.3 In the event of payment delay by the Subscriber, the Operator is entitled to charge a penalty in a form of interest specified by the law, calculated from the day the due date is passed until the payment, and the calculated amount of the penalty will be added to the invoice for the following monthly subscription.

Article 4 - Limitation or termination of access

4.1. The Operator may, without consent from the Subscriber, temporary limit or terminate access to the Services, in the following cases:

• If that is necessary for the purposes of reconstruction, modernization, maintenance or in case of technical issues or deficiency in the network, up to completion of the works or removal of the problems.
• If there are technical problems with the Subscriber equipment or installations, up to removal of the same, оr if the Subscriber does not allow inspection of the functionality of its equipment or installations, up to completion of the inspection.
• If the Subscriber fails to pay the invoice for the monthly subscription by the date specified in the Invoice until the entire payment is made, except in case of an appeal regarding the amount of the Invoice, in that case the Subscriber shall pay the amount of the monthly subscription by the date stated in the Invoice.
• If the services are used or dedicated to be used for purposes opposite to the Law for Electronic Communications of North Macedonia, and the related regulations, or other law or regulations, as determined by the competent body, or they are used or dedicated to be used for a purpose opposite to the terms and conditions of this agreement.

4.2. In case of planned technical works, related to the intervention in the network and equipment, the Operator shall deliver information in a timely manner to the Subscriber, stating the reasons for Services unavailability and the expected time for restoration of their functionality.

Article 5 - Disconnection of the Subscriber

5.1. The Operator may limit or disconnect the access to its Services for the Subscriber only in case when the Subscriber failed to fulfill its obligations or did not act in accordance with the conditions stated in this agreement. In case of violation of the provisions of this agreement, the Operator should inform the Subscriber, in written manner, and determine a reasonable period for completion of the contractual obligations. The Operator should not inform the Subscriber in advance regarding the limit or disconnection, if by using the Service the Subscriber:

• Causes instantaneous and serious threats to the public order, safety, human health or the environment, or causes great material or operational damage.
• Causes immediate threat to the Operator’s network or equipment, or the ability to provide services to other Subscribers.

5.2. If technically possible, the Operator shall be entitled to limit access only to those Services for which the Subscriber did not act according to the conditions stated in this Agreement, except in cases of abuse established by the competent body, and continuous delay with payment or non-payment of the bills.

Article 6 - Termination of the agreement by the Operator

6.1. The Operator may terminate the agreement within a period determined with this agreement, especially:

• If the Subscriber fails to complete its obligations from the agreement.
• If the Services are used or are dedicated to be used for a purpose opposite to the conditions from this agreement.
• In case when by a court decision the Subscriber is deleted from the adequate register.
• In case of bankruptcy or liquidation, or insolvency of the Subscriber, if the right to use the service has not been transferred to another person, within a period determined by the Operator.
• In case of abuse of the services by the Subscriber, for purposes against the related laws and regulations defined by a competent body in North Macedonia.
• If the Operator cannot provide the Services, due to force majeure, longer than 6 months.
• In case of death of the Subscriber, if the right to use the service is not transferred to another person within six months.

Article 7 - Termination of the agreement by the Subscriber

7.1. The Subscriber may terminate this Agreement at any time upon previously submitted request for cancellation of the Services. 

7.2. The Agreement shall be considered terminated as of the last day of the month in which the written request was received. After the termination of this agreement, the Subscriber will be responsible to pay all the costs incurred by him, which are eventually billed with delay or billed, and not paid by the Subscriber.

Article 8 - The Operator's  rights

8.1. The Operator shall have the following rights:

• Charge fees determined in the order, from the Subscriber or his legal successor.
• Disconnect and deactivate the Services, due to delayed payment or non-payment of the bills.
• Change the technical characteristics of the network and service, in order to provide a better quality and possibility for using new services.
• Request data from the Subscriber, which is used for conclusion, supervision and termination of this agreement, and also data for debt collection.
• Keep, process and exchange Subscriber’s data, for the purpose of fulfilling the objectives of this agreement.

Article 9 - The Operator's obligations

9.1. The Operator shall have the following obligations:

• Provide activation and access to the Services within the period determined in the Order Form.
• Keep and use data of Subscribers and Services in accordance with the related laws and regulations.
• Inform the Subscriber, in written manner, in case of violation of the provisions from this agreement and determine a reasonable period for completing the contractual obligations.
• Provide maintenance of the network and the equipment, in a manner that enables continuous provision of the Services, and within the technical possibilities remove any interference of the network and the equipment, as soon as possible.
• Оbtain consent from the Subscriber for information necessary for direct marketing, and by using automatic calling systems and/or sending SMS/MS messages, without human intervention.
• Enable transfer of the right to use Services to another subject, upon request from the Subscriber.
• To provide technical support 24x7 to the Subscriber via telephone and email.

Article 10 - The Subscriber's rights

10.1. The Subscriber shall be entitled to:

• Receive the Services without interruptions, efficiently and regularly, in accordance with the possibilities of the Subscriber’s technical infrastructure.
• To ask the Operator to transfer the right to use the Services to another person. An operator may refuse the request if it finds that the other person can not meet the contractual requirements.

Article 11 - Subscriber's obligations

11.1. The Subscriber shall have the following obligations:

• To timely pay the invoiced amounts for used Services, up to the date stated in the bill.
• Use the Services for its own needs and according to their purpose, and not disturb other users, and not to use them for transmitting data or for purposes opposite to the laws and regulations of the Republic of North Macedonia, as well as the conditions contained in this agreement.
• Not undertake any activities which would hinder the integrity of the network or would cause any damages.
• Not disclose its personal encrypted data to third parties. In relation to damages which have occurred due to disclosure of personal encrypted data due to subscriber fault, the Subscriber shall be personally responsible.
• Not to allow the services to be used for sending scam, disturbing or false messages.
• Not to operatе applications that are used to mine crypto currencies.
• Not to scan foreign networks or foreign IP addresses.
• Not to fake source IP addresses.
• To use the services in such a way that does not compromise the integrity and availability of the networks, servers and data of third parties. 
• To not use the services for performing (d)DOS attacks or to run applications that are capable of performing these actions.
• To make backup copies of their data.

Article 12 - Disclaimer of warranty and limitation of liability

12.1. Except as otherwise expressly set forth herein, the services are provided "as is", and Operator’s liability for damages arising out of or in connection with the performance of the Agreement shall be limited to wilful acts or gross negligence, and to a maximum amount of the monthly service fee per damaging incident. Neither the Operator nor anyone else involved in creating, producing, delivering (including suspending or discontinuing services) or supporting the services shall be liable to the Subscriber, any representative, or any third party for any indirect, incidental, special, punitive or consequential damages arising out of the services or inability to use the Services, including, without limitation, lost revenue, lost profits, loss of technology, rights or services.

12.2. Тhe Operator shall not be hold responsible for unlawful usage or abuse of the Services, nor for the contents of the information transmitted, by the Subscriber or other parties. 

Article 13 - Additional provisions

13.1. The use of the Services may be interrupted by the force majeure. Force Majeure shall mean an event independent of the will of the contracting Parties whose performance could not be prevented or foreseen and due to which the fulfillment of the obligations under the Agreement became difficult or impossible, including but not limited to: natural events, social events (strike , riots, war), acts of public authority. The Operator will not bear any liability to the Subscriber due to termination of its services, caused by a Force Majeure Event.

13.2. Neither Party is the agent or legal representative of the other Party, and this Agreement does not create a partnership, joint venture or fiduciary relationship between the Operator and Subscriber. Neither Party shall have any authority to agree for or bind the other Party in any manner whatsoever. This Agreement confers no rights, remedies, or claims of any kind upon any third party, including, without limitation, Subscriber’s subscribers or end-users.

13.3. The communication between the Operator and the Subscriber (notification, invoice, complaint, other type of communication) takes place in writing. Delivery of the written communication is done by personal handover by the Operator/Subscriber or in the electronic form by email. In urgent cases, the Operator may first give only a verbal notice. Such verbal notice shall be followed by a written notification within 1 (one) day at the latest.

13.4. The Subscriber shall contact the Operator at the contact details specified on the web page https://interspace.com/en/contact. The Operator shall contact the Subscriber at the contact details that the Subscriber entered in the customer control panel My Interspace, which is accessed at the web address https://my.interspace.com. The Subscriber is responsible for the accuracy of the contact details given in My Interspace.

Article 14 - Final provisions

14.1. Any disputes between the Parties shall be resolved amicably. If the dispute cannot be resolved in an amicable manner, the Primary Court Skopje II in the republic of North Macedonia shall be competent. This agreement shall be interpreted in accordance with the positive legal provisions of the Republic of North Macedonia.

14.2. By placing the order using the Order Form, the Subscriber affirms and acknowledges that they have read this agreement in entirety and agrees to be bound by the provisions thereof.

Contents

1. INTRODUCTION

2. MANAGEMENT OF GENERAL SECURITY RISKS

2.1 Basics of risk management
2.1.1. A threat
2.1.2 Vulnerability
2.1.2 Why is it important to manage risk?
2.2 Risk assessment
2.2.1 Quantitative risk assessment
2.2.2 Qualitative risk assessment
2.2.3 Identification of threats
2.2.4 Identifying vulnerabilities
2.2.4 Risk management

3. PROTECTION OF END USERS
3.1 Technical measures
3.1 Stakeholder notification measures during a security incident
3.1.1 Notification by the Operator to the Directorate for Personal Data Protection
3.1.2 Notification from the Operator to the subscriber

4. MAINTAINING NETWORK AVAILABILITY
4.1 Maintenance of high quality and availability of the passive network
4.2 Maintenance of high quality and availability of the active network
4.3 Maintaining availability with an advanced monitoring system
4.4 Maintaining availability with a 24/7 intervention service
4.5 Maintaining Availability Through Redundant Architecture

5. SECURITY AND INTEGRITY OF PERSONAL DATA
5.1 What information is collected
5.2 What the data is used for
5.3 Ensuring security and integrity of personal data
5.3.1 Physical measures
5.3.2 Procedural measures
5.3.3 Technical measures

6. CONTACT INFORMATION
6.1 Name and headquarters of the operator
6.2 Data for the personal data protection officer
6.3 Data for the person responsible for information security and for reporting security breaches

1. Introduction

INTERSPACE DOOEL Skopje (hereinafter referred to as "Operator") introduces this security policy in order to properly manage the risks and security of the network and services, as well as the integrity of the network and the continuity of services. In addition, since the Operator cooperates in part of its operations with companies based in the EU, through this security policy it aims to harmonize its operations with the regulations and guidelines of the European Union (hereinafter referred to as "EU"), especially in the section for a secure information society and strengthening the security and resilience of vital infrastructures for information and communication technologies.

Through this security policy, it is necessary to achieve the following goals:

1. To ensure the security and integrity of public electronic communication networks and services.
2. To specify the actions that should be taken in the event of a violation of the security of personal data.
3. To submit a notification to the Electronic Communications Agency in the event of a security breach or loss of integrity that had a significant impact on the functioning of the network or services.

In terms of network security and integrity (and service continuity), the aim is to ensure the following points:

1. Use of appropriate technical and organizational measures to protect the security of networks and services.
2. Use of appropriate steps to ensure network integrity.
3. To notify the authority with a significant influence on the operation of the networks about the security incidents.

In terms of security when processing personal data, the goal is to ensure the following points:

1. Using appropriate technical and organizational measures to protect the security of networks and services.
2. Using measures to ensure the security of personal data processing.
3. To notify the authority with a significant impact on the operation of the networks about violations of personal data, and if necessary to communicate with the affected users.

The security policy will be specified in several chapters, namely:

• MANAGING GENERAL SECURITY RISKS
• PROTECTION OF END USERS
• MAINTAINING NETWORK AVAILABILITY
• SECURITY AND INTEGRITY OF PERSONAL DATA

2. Management of general security risks

2.1 Basics of risk management

In the context of security in information and communication technologies ("ICT"), risk management is a process of knowing and reacting to factors that cause loss of privacy, integrity and availability of systems. Risk in ICT systems represents potential damage that may occur to a certain process or information that is part of that process, as a result of intentional or unintentional activity. Risk can be represented as a function of the probability of the occurrence of a certain threat to the realization of a certain potential vulnerability, and the consequence that may arise as a result of that event.

2.1.1. A threat

A threat is the potential for the emergence of a source of threat that can intentionally or unintentionally cause a specific vulnerability. A threat source can be: a) an activity or method aimed at intentionally exploiting a vulnerability, or b) a situation or method that may accidentally cause a vulnerability.

A threat can be presented simply as the potential to exploit a particular vulnerability. Threats in themselves are not an activity. Threats become hazards when combined with a source of threat. This distinction is important to make in risk assessment and management, as each source of threat may be associated with a different environment.

2.1.2 Vulnerability

A vulnerability is defined as a flaw or weakness in system security procedures, design and implementation, or in internal controls that can be intentionally or unintentionally disrupted, resulting in a security breach. A vulnerability can be a flaw or weakness in all aspects of ICT systems.

Vulnerabilities do not always refer to technical protections provided by technical systems. Significant vulnerabilities may also exist in standard operating procedures performed by administrators. For example, the password reset procedure or inappropriate reading of logs by technical support.

2.1.2 Why is it important to manage risk?

The primary objectives of risk management are:

• Network security and integrity.
• Ensuring continuity of services.
• Security when storing and processing personal data.
• Protection of the business success and mission of the Operator.

According to the above, risk management is a management-level function, not just a technical function. Understanding the need for risk management allows the Operator to protect and preserve the users of its ICT systems, which in the long run affects the Operator's survival in the market.

2.2 Risk assessment

The risk is assessed through a) identification of threats and vulnerabilities, and b) determination of the probability of occurrence and the consequences of its occurrence. The basic risk assessment process is explained below.

2.2.1 Quantitative risk assessment

Quantitative risk assessment involves assigning values to information, systems, business processes, repair costs, etc., due to which consequences and risks can be measured in direct and indirect costs. Quantitative risk can be mathematically expressed as annual probability of loss, and it represents the expected financial loss due to a certain risk that may occur in a period of one year. The mathematical formula is as follows:

Annual probability of loss = Probability of one occurrence * Annual occurrence rate

2.2.2 Qualitative risk assessment

Qualitative risk assessment assumes that there is a level of uncertainty in determining the probability of occurrence and the consequences of the risk, whereby the probability of risk and consequences are defined through qualitative data, rather than exclusively based on quantitative data.

In general, the qualitative risk assessment results in placing the risk in one of these three levels: high, medium, low. Placing the risk within one of these three levels makes it easy to communicate the risk assessment across the responsible structures of the Operator.

2.2.3 Identification of threats

In order to make an adequate assessment of the risk, it is necessary to identify the threats as well as the sources of the threats. The list below includes a specification of general threats and threat sources.

Name/Description:

• Accidental disclosure.
• Unauthorized or accidental release of classified, personal or sensitive information.
• Software change.
• Deliberate modification, addition or deletion of the operating system or programs running on it, by authorized or unauthorized persons, which leads to compromising the privacy, availability or integrity of data, programs, systems or resources under the control of the affected system or application. The source of such threats can be viruses, Trojan horses, malicious code, trapdoors and the like.
• Use of flow capacity (Bandwidth).
• Intentional or unintentional use of the communication flow capacity, for needs beyond those provided for in the contract, such as for the transmission of data through which third parties are harassed and lied, which causes an immediate and serious threat to public order, security, human health or the environment, and other types of communication use that is prohibited by positive legal regulations.

Power outage:

• In the event of a power outage, ICT systems may not be able to be used, and data may be unintentionally modified or destroyed.

Deliberate data alteration Deliberate modification, addition or deletion of data, by an authorized or unauthorized person, which compromises the privacy, availability or integrity of data generated, processed, controlled or stored in data processing systems.

System error:

• Accidental or unintentional error during installation, configuration or upgrade of hardware, software or communication equipment.

Telecommunications failure or outage:

• Any communication link, unit or component of the telecommunication system which, due to a malfunction, may lead to a failure or interruption of data transmission through the telecommunication channels.

Works of nature:

• All types of natural disasters (earthquake, storm, etc.) that can damage or affect the system/application. These disasters can lead to partial or total unavailability, thus affecting the availability of systems and services.

2.2.4 Identifying vulnerabilities

The following methods are used to identify vulnerabilities:

• Vulnerability scanners. Refers to software that examines an operating system, network application, or code for some known flaws and vulnerabilities by comparing the system against a database of bug and vulnerability records.
• Penetration tests. It refers to a deliberate attempt by a person in charge of security analyzes of the Operator, to carry out activities to cause a threat to ICT systems.
• Audit of operational and management control processes. In-depth analysis and audit of operational and management control processes, through comparison of current practice and procedures with procedures that are advanced or best practice in the business.

In addition, a list of vulnerabilities is made that are always examined during each risk assessment, thus allowing a minimum level of consistency in the assessment. Also, the vulnerabilities that are revealed in a previous assessment of ICT systems are included in future assessment processes. This way of acting makes it possible to know better the ways of risk management that were effective.

When generating the list of possible vulnerabilities, the Operator consults the archives of known vendors for records of vulnerabilities, namely:

• Common Vulnerabilities and Exposures (CVE - http://cve.mitre.org).
• National Vulnerability Database (NVD - http://nvd.nist.gov).

2.2.4 Risk management

Two basic risk management strategies are used: mitigation and avoidance. They are explained below:

• Mitigation. It covers activities and processes to reduce the probability and possible consequences associated with a certain flaw or failure of ICT systems. A common risk mitigation activity for a technical flaw is to install a patch provided by the equipment vendor.
• Avoiding. It refers to the activity of eliminating the vulnerable part of the system or even the entire system. For example, if a risk assessment determines that the user's web portal used to display traffic usage has a flaw where one subscriber can see usage for another subscriber, then code repair is attempted. 

3. Protection of end users

The operator uses procedures described in chapter 2 for risk management, in order to prevent incidents that can lead to interruption and abuse of the line that users use for electronic communication.

In addition, the Operator applies the following measures regarding the protection of end users:

3.1 Technical measures

The following measures are applied to protect end users:

• The user line for delivery of electronic communication service is delivered to the subscriber as a separate broadcast domain, that is, it is isolated using VLAN technology. This prevents access at the level of the same Ethernet broadcast domain by other users within the Operator's network. In order to ensure that VLAN technology will provide isolation, the Operator uses the practice of mandatory tagging of packets when they pass through the ports with the correct VLAN tag, not allowing untagged packets or incorrectly tagged packets to be transmitted within the network.
• The operator performs regular scans of the user's line to determine the vulnerability that allows the server of the domain name system (if the subscriber has one) to be misused to make global DDOS attacks.

3.1 Stakeholder notification measures during a security incident

A security incident is a breach of security that has a significant impact on the operation of an electronic communications network or service. In the event of a security incident that had a significant impact on the functioning of the networks or services, the Operator sends a notification about the same to the interested parties and taking and activities that the operators should take over in the event of a violation of the security of personal data.

These notices cover the following parties:

3.1.1 Notification by the Operator to the Directorate for Personal Data Protection

The operator sends a notification to the Directorate for Personal Data Protection immediately, but no later than 24 hours from the moment of security breach or loss of integrity that had a significant impact on the functioning of networks or services. The notification is delivered electronically to the following email [email protected]. The attachment in the e-mail is delivered with an electronic signature by the responsible person of the Operator. 

3.1.2 Notification from the Operator to the subscriber

If the violation of the security of personal data may negatively affect the personal data or privacy of the subscriber or another natural person, the Operator additionally informs the respective subscriber (legal or natural person).

4. Maintaining network availability

In order to better serve users, the Operator is fully committed to ensure stability and consistent quality of services. Within this commitment, the Operator makes every effort to ensure constant availability of the Services. The operator uses the measures and practices described below directly and/or indirectly affect the provision of high availability of services. Using such practices in the passive segment of the network leads to provision of a high percentage of availability and a reduced probability of service interruption.

4.1 Maintenance of high quality and availability of the passive network

Each fiber optic connection is made through a fusion splice and verified by OTDR tests. Mechanical splices are not used because they have a short lifespan and increase the chances of failure. Persons responsible for maintaining the passive network make regular field inspections of the network to ensure that it is in a functional state.

Each subscriber is connected with a point-to-point architecture, where xPON technology and optical splitters are not used. Avoiding optical splitters reduces the likelihood of failure, as there are fewer "links in the chain" that can cause failure.

4.2 Maintenance of high quality and availability of the active network

The operator uses exclusively Ethernet technology for the delivery of services. Lines are verified with the internationally standardized RFC2544 Ethernet test, reducing the chances of overlooking a poorly constructed link when putting the line into service.

4.3 Maintaining availability with an advanced monitoring system

The operator uses a 24/7 constantly active monitoring system, for the interconnection links, for the core of the network as well as for every interface that leads to a subscriber. The monitoring system makes deep analyzes of the links down to the lowest level of verification, and immediately informs the services that are currently responsible for technical support

In terms of checks for links to the global Internet, the following automated tests are performed every minute:

• Port status and RX optical level of the SFP of the interconnection port with the global provider.
• Ping and traceroute from our network to global providers, ping and traceroute from external network from Europe to our network.
• In case of detection of a warning or failure of one of the interconnection providers, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

In terms of link checks for the Operator's network core ("Core"), the following automated tests are performed every minute:

• Port status and RX optical level of the SFP connection port to each uplink port of the L2/L3 device part of the Core.
• Temperature status of each L2/L3 device part of the Core.
• Hardware health status of each L2/L3 device part of the Core.
• CPU and RAM utilization status of each L2/L3 device part of the Kernel.
• DNS server status, if the device has such a function.
• In case of detection of a warning or failure of a part of the Core, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them for examination and solution of the problem.

In terms of line checks for each subscriber, the following automated tests are performed every minute:

1. Port status and RX optical level of the SFP port representing the connection to the subscriber's user terminal equipment.

In case of detection of a warning or line failure, including a reduced level of light that may occur due to bending of an optical cable, the monitoring system immediately sends an alarm to the responsible persons who immediately approach them to investigate and solve the problem.

4.4 Maintaining availability with a 24/7 intervention service

The operator provides 24/7 technical support service. This service uses the 24/7 constantly active monitoring system described in chapter 4.3, for insight and reaction regarding interruptions and failures of services warning signs that can lead to interruptions and failures. If necessary, the technical support service engages field exposure persons to repair a fault in the passive or active segment of the network, who are available 24/7.

4.4 Maintaining Availability Through Redundant Architecture

Our network in Macedonia is based on multiple points of presence, which are protected by geographically independent and protected (redundant) links to the core. They are strategically placed to be as close as possible to subscribers in order to reduce the likelihood.

5. Security and integrity of personal data

The operator is committed to the protection of personal data. The necessary information for personal identification is explained below, as well as the way of ensuring its security and integrity. By the term personally identifiable information we mean information that can be used to identify a person.

5.1 What information is collected

We collect and process the following personally identifiable data:

1. In the case of legal entities, we collect the following information: Name of legal entity, address, telephone number, email address, unique tax number and unique identification number. In the case of natural persons, we collect the following information: First/Surname, address, telephone number and email address. This information is collected when filling an order for any of the services.
2. Details of financial transactions that have occurred due to the settlement of obligations related to services.
3. A record of the communication that occurs when you contact us by email, mail or phone.
4. Information about the configuration, type and quantity of telecommunication services used by users.

5.2 What the data is used for:

We take the privacy of our users seriously, fully respecting the subscriber's right to privacy. Personally identifiable information will be collected, processed, stored for the following purposes:

• To process orders and contracts with users.
• To enable users to access a web portal through which traffic usage can be monitored.
• To provide notice regarding the services.
• To submit an invoice regarding the services.
• To analyze how you use the services, such as to analyze the average level of utilization of streaming capacity, in order to propose a solution in case of a problem.
• To investigate user complaints.
• To set the approximate location of the subscriber in the monitoring system, in order to have a faster reaction when repairing a defect.
• To submit the information to the appropriate state institutions in case of legal dispute, crime detection and other activities that are contrary to the Law on Electronic Communications or other law or regulation.

5.3 Ensuring security and integrity of personal data

We have in place reasonable physical, technical and organizational measures designed to provide an environment where personal information is secured against accidental loss or unauthorized access. Security measures are in place to ensure protection against the loss, misuse or modification of information under our control. It is good to note that the technology, no matter how advanced, becomes a vulnerable matter over time, which is why it cannot be 100% guaranteed that unauthorized third parties will never be able to break through the security measures and such a break use for inappropriate purposes.

The operator uses the following measures to ensure the security and integrity of personal data.

5.3.1 Physical measures

Physical measures refer to protection measures in terms of theft, intrusion or other unauthorized access to the Operator's facilities, network and other technology. Physical measures are given below:The Operator's facilities where personal data are stored or accessed are restricted to authorized persons only.

• The Operator's facilities are secured by persons in charge of security.
• The Operator's facilities where personal data are stored or accessed are under constant video surveillance.

5.3.2 Procedural measures

Procedural measures are specified in the list below:

• The operator follows procedures to ensure that only authorized persons have access to ICT systems where personal data is collected, stored and processed. Authorization of an account linked to a specific administrator, for access to the ICT systems where personal data is collected, stored and processed, is done only by the manager of the Operator. When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code that requires an additional code sent to the phone designated as the account holder for access.
• Persons who are authorized to access ICT systems where personal data is collected, stored and processed, sign an agreement with the Operator for the use of users' personal data only for their purpose described in chapter 5.2.

5.3.3 Technical measures

The technical measures are specified in the list below:

• Confidential user information must be transmitted securely. When communicating this data through email systems, a framework has been established for the mandatory use of encrypted communication using the Transport Layer Security (TLS) method, which is an industry-recognized standard based on Secure Sockets Layer (SSL) technology for email communication encryption.
• Personal information for users who are legal entities, namely: name of legal entity, address, telephone number, email address, unique tax number and unique identification number; are stored in an encrypted form where the encryption and decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits, additionally they are communicated in a secure way through encrypted communication using the TLS method.
• Personal information for users who are natural persons, including first name/surname, phone number and email address; are stored in an encrypted form where the encryption/decryption is performed using the Advanced Encryption Standard (AES) method with 256 bits. In electronic communication of the same, secure communication with the TLS method is used.
• When these authorized persons access the system for storing and processing personal data, in addition to using a personal login password, the system requires them to use two-step verification that requires an additional code sent to the phone designated as the account holder for access.

6. Contact information

6.1 Name and headquarters of the operator

INTERSPACE D.O.O.E.L. SKOPJE
Blvd. Jane Sandanski 109A, floor 3, 1000 Skopje

6.2 Data for the personal data protection officer

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

6.3 Data for the person responsible for information security and for reporting security breaches

Contact phone: 02/3299-199, 070/235-038
Contact email address: [email protected]
Document number: 0204-128 from 15-Dec-2016

For the rest of the services, the legal documents are not published on the website, because they are prepared for each order separately and are adapted depending on the country of origin of the client, the location where the service is delivered and other parameters.

These legal documents are delivered by email when ordering the services.

The following rules apply to the electronic messages sent by email addresses under the domain "interspace.com" (hereinafter together referred to as "Email"), by a mail server that is authorized to send emails on behalf of the domain "interspace.com" and the company Interspace (hereinafter collectively referred to as "Organization").

To verify that the Email indeed comes from the mail server authorized to send messages from "interspace.com", please inspect whether the DKIM signature is valid and that the email is signed by "interspace.com".

The Email and any files transmitted with it are confidential and intended solely for the use of the individual(s) or entity to whom they are addressed. If you have received the Email in error, please notify the email system manager on the email address [email protected]. The Email message contains confidential information and is intended only for the individual(s) named.

If you are not the named addressee, you should not disseminate, distribute or copy the Email. Please notify the sender immediately by email if you have received the Email by mistake and delete the Email from your system. If you are not the intended recipient, you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of the email is strictly prohibited.

Computer viruses can be unintentionally transmitted via the Email. The recipient should check the Email and any attachments for the presence of viruses. Email transmission cannot be guaranteed to be secure or error-free, as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender, therefore, does not accept liability for any errors or omissions in the contents of thе Email message which arise as a result of email transmission. The organization accepts no liability for any damage caused by any virus transmitted by this email.

The Organization accepts no liability for the content of the Email, or for the consequences of any actions taken on the basis of the information provided, unless that information is subsequently confirmed in writing.