SECURITY POLICY
Technical and Organisational Measures
The descriptions below provide an overview of the technical and organisational security measures implemented by us and our data centres. It should be noted that, in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available; however, additional information regarding technical and organisational measures can be requested from us.
It is acknowledged and agreed that this Security Policy and the technical and organisational measures described herein will be updated and amended from time to time, at Our sole discretion. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described in this Security Policy in any material, detrimental way.
1. ENTRANCE CONTROL
Technical or organisational measures regarding access control, especially regarding legitimation of authorised persons:
The aim of the entrance control is to prevent unauthorised people from physically accessing such data processing equipment which processes or uses Personal Data.
Due to their respective security requirements, business premises and facilities are subdivided into different security zones with different access authorisations. They are monitored by security personnel. Access for employees is only possible with an encoded photo ID. All other persons have access only after registering beforehand (e.g. at the main entrance).
Access to special security areas for remote maintenance is additionally protected by a separate access area. The structural and substantive security standards comply with the security requirements for data centres.
2. SYSTEM ACCESS CONTROL
Technical and organisational measures regarding user ID and authentication:
The aim of the system access control is to prevent unauthorised use of the data processing systems that are used for the processing of Your Data.
Remote access to the data processing systems is only possible through Our secure VPN tunnel with provisioned identity and access management (IAM), where the access key is defined by the set of user roles and access privileges and is generated via an automated hash key from a restricted IP range on a Virtual Private Cloud (VPC). A user who has a provisioned IAM identity can use the provided private key to log in via VPN through a secure shell (SSH) channel on a restricted IP address to the virtual private cloud and access the data processors. The IAM key is automatically rotated on a predetermined schedule; once rotated, a user who had access to the previous key can no longer access the system. All access attempts, successful and unsuccessful, are logged and monitored.
As an additional measure, MFA (Multi-Factor Authentication) is employed for direct access to our server instances. This type of MFA requires us to assign an MFA device (hardware or virtual) to the user. A virtual device is a software application running on a phone or other mobile device that emulates a physical device. Either way, the device generates a six-digit numeric code based on a time-synchronised one-time password algorithm.
Additional technical protections are in place using firewalls and proxy servers, and state-of-the-art encryption technology is applied where appropriate to meet the protective purpose based on risk.
3. DATA ACCESS CONTROL
Technical and organisational measures regarding the on-demand structure of the authorisation concept, data access rights and monitoring and recording of the same:
Measures regarding data access control are designed so that only data for which an access authorisation exists can be accessed, and so that data cannot be read, copied, changed or deleted in an unauthorised manner during processing or after such data has been saved.
Access to the data necessary for the performance of a particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the "least privilege" and "need-to-know" principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person.
To maintain data access control, state-of-the-art encryption technology is applied to Personal Data itself where deemed appropriate to protect sensitive data based on risk.
4. TRANSMISSION CONTROL
Technical and organisational measures regarding the transport, transfer, transmission, storage and subsequent review of Personal Data on data media (manually or electronically):
Transmission control is implemented so that Personal Data cannot be read, copied, changed or deleted without authorisation, during transfer or while stored on data media, and so that it can be monitored and determined as to which recipients a transfer of Personal Data is intended.
The measures necessary to ensure data security during transport, transfer and transmission of Personal Data as well as any other company or Your Data are as follows:
On the transport layer via the HTTPS protocol, transmission is secured via Secure Sockets Layer (SSL) with SHA256 encryption.
On the transport layer via the SFTP protocol, transmission is secured via the Secure Shell protocol (SSH), where the server has already authenticated the client and the identity of the client user is available to the protocol.
This standard includes a description of the protection required during the processing of data, from the creation of such data to deletion, including the protection of such data in accordance with the data classification level.
For the purpose of transfer control, encryption technology is used (e.g. remote access to the company virtual private cloud network via firewall through a VPN tunnel, and full disk encryption). The suitability of an encryption technology is measured against the protective purpose.
The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred to companies located outside the EEA, We confirm that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the Standard Contractual Clauses.
5. DATA ENTRY CONTROL
Technical and organisational measures regarding recording and monitoring of the circumstances of data entry to enable retroactive review:
All data entry inputs are validated against malicious attacks such as SQL Injection, Cross-Site Scripting (XSS), authentication and session management attacks, Insecure Direct Object Access and the most common internet attacks covered under the OWASP Top 10.
System inputs are recorded in log files; therefore it is possible to review retroactively whether, and by whom, Personal Data was entered, altered or deleted.
6. DATA PROCESSING CONTROL
Technical and organisational measures to differentiate between the competences of principal and contractor:
The aim of the data processing control is to ensure that Personal Data is processed by a commissioned data processor in accordance with the instructions of the principal.
Details regarding data processing control are set forth in the Agreement and the DPA.
7. AVAILABILITY CONTROL
Technical and organisational measures regarding data backup (physical/logical):
Data is stored in multiple physical locations, with parallel redundancy and central backup. Processing can be switched between data centres in the event of flooding, earthquake, fire, other physical destruction or a power outage, to protect Personal Data against accidental destruction and loss.
In the event of a disaster We will initiate Our disaster recovery plan, which sets out policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster at Our operating location. The disaster recovery plan will be executed in the event of a natural or human-induced disaster that impacts the availability or accessibility of the System or Services where no workaround is found, in order to:
7.1 Minimize interruptions to the normal operations.
7.2 Limit the extent of disruption and damage.
7.3 Minimize the economic impact of the interruption.
7.4 Establish alternative means of operation in advance.
7.5 Train personnel with emergency procedures.
7.6 Provide for smooth and rapid restoration of the System and Services.
A copy of Our disaster recovery plan including further details of our procedures is available upon request.
If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good with a certain delay. This is done in order to prevent accidental deletions or possible intentional damage.
8. SEPARATION CONTROL
Technical and organisational measures regarding purposes of collection and separated processing:
Personal Data used for internal purposes only, e.g. as part of the respective customer relationship, may be transferred to a third party such as a subcontractor solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.
Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.
Your Data is stored in a way that logically separates it from other customer data.
You are assigned a unique encryption key, generated using a FIPS 140-2 compliant crypto library, which is used to encrypt and decrypt all of Your archived data. In addition to the unique encryption keys, all data being written to the storage grid includes Your unique account code. Our systems that write data to the storage grid retrieve the encryption key from one system and the customer code from another, which serves as a cross-check against two independent systems. Your encryption key is further encrypted with Our key, stored within a centralised and restricted key management system. In order for Us to access Your Data via the master key, the key management system provisions individual keys following a strict process of approval that includes multiple levels of executive authorisation. Use of these master encryption keys is limited to senior production engineers, and all access is logged, monitored, and configured for alerting by security via a centralised Security Information and Event Management ("SIEM") system. Your archived data is encrypted at rest using Bit encryption, and data in transit is protected by Transport Layer Security ("TLS").
9. CERTIFICATION AND REPORTS
We use third-party data centres to host the Services, which are SOC 3 Report, PCI DSS 3.2, ISO 27001 and FISMA certified. We will continue to use a data centre which maintains these certifications and/or other substantially similar or equivalent certifications for the term of the Agreement.
Upon Your written request (no more than once in any 12-month period), We shall provide You, within a reasonable time, with a copy of the most recently completed certification and/or attestation reports (to the extent that doing so does not prejudice the overall security of the System and Services). Any audit report submitted to You shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties. We reserve the right to charge a fee for providing any such report.