TECHNICAL AND ORGANISATIONAL MEASURES

Confidentiality

Physical Access Control

  • Data centers have restricted access at entry doors, server rooms, and racks
  • Data centers have manned monitoring 24×7 and camera surveillance
  • Data centers are ISO certified and SOC2 attested
  • Offices are access controlled and monitored by cameras
  • Offices have a manned reception desk during working hours

Electronic Access Control

  • All users require a unique user ID
  • Centralized multi-factor authentication (MFA)
  • Strong password security (complexity) with two-factor authentication
  • SAML-compliant single sign-on

Internal Access Control (permissions for user rights of access to and amendment of data)

  • Access to systems and data is granted on a “need to know” basis
  • Management approval is required to access systems and data
  • Background checks are performed on individuals
  • Security, Privacy, and Data Handling trainings are mandatory

Isolation Control

  • Data is required to be stored in a specific and controlled location per client/project
  • Management approval is required to access systems and data
  • Access limited to only users with the “need to know”

Pseudonymization (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)

  • Only data that is required for obligations is collected
  • Based on jurisdiction or client requirements, data may be pseudonymized
  • Data is encrypted at rest using National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2 approved encryption algorithms

Integrity

Data Transfer Control

  • Data is only transferred when required by obligation
  • Data transfer is protected in transit using NIST FIPS 140-2 approved encryption algorithms

Data Entry Control

  • Only data that is required for obligations is collected

Availability and Resilience

Availability Control

  • The Information Technology stack and workforce are designed to allow work from any approved location
  • Data centers have redundant power
  • Data centers have redundant environment control systems
  • Data centers have redundant points of presence (internet connections)
  • Data center uptime requirement is 99.9%

Rapid Recovery (GDPR Article 32(1)(c))

  • Data is replicated to secondary geographically dispersed data centers
  • Incident Response (IR) plan to address security issues in a timely manner
  • Information Technology (IT) ticketing and tracking systems to manage and escalate IT issues
  • Business Continuity and Disaster Recovery policies and procedures
  • Mobile workforce

Procedures for Regular Testing, Assessment and Evaluation

Data Protection Management

  • Vendor risk management in place
  • Risk assessment performed
  • Pertinent logs are stored locally and sent to a centralized tool for monitoring and alerting
  • Logs are aggregated to provide tech-stack visibility and to allow behavioral and threat risk analysis
  • AV/anti-malware in place and updated automatically
  • Patches are applied to the OS and software automatically

Data Protection by Design and Default (Article 25 Paragraph 2 GDPR); Order or Contract

  • Data is located in a specifically assigned and controlled location
  • Management must approve access to resources
  • Access is limited to users with a “need to know”