Technical And Organizational Measures

Last updated in April 2023


  1. Access control to premises

    1. Access control system through controlled allocation of encrypted key fobs and person/security check by front desk; visitors must sign in;

    2. Electronic access control for sensitive areas within the buildings, such as data centers and LAN closets, is in place;

    3. Burglar alarm system;

    4. Video surveillance / motion detection of sensitive areas;

    5. Access control records are reviewed by the administrator for alarm activity, including door held or door forced alarms.

  2. Access control to use the Service

    1. A unique identifier is associated with each user of a system (network, server, database, application);

    2. Processes are in place to suspend, within 24 hours, the access authorizations of users whose employment ends;

    3. User passwords must have a minimum length of 12 characters;

    4. Double authentication for admin users;

    5. First-time login procedure: User is forced to change password directly at first login.

  3. Access control to Personal Data

    1. Data is always encrypted in transit using non-deprecated industry-standard protocols (SSL/TLS);

    2. Processor's website and web software run on the secured HTTPS protocol;

    3. All backups of personal data are encrypted on backup media;

    4. Safe disposal / destruction of Personal Data;

    5. Differentiated authorization allocation according to predefined roles and profiles;

    6. Automated password-protected screen lock is set after more than 15 minutes of inactivity.

  4. Organization control

    1. Annual training of employees on data protection and privacy matters;

    2. Non-disclosure agreement with every employee having (potential and actual) access to personal data;

    3. 4-eye-principle;

    4. Clear desk principle;

    5. Access rights hierarchy to areas and electronic storage locations.

  5. Availability control

    1. Security events are monitored, and a notification and alert process is set up on all servers, networks, and databases containing personal data;

    2. Security Incident Response Process is defined;

    3. Disaster Recovery plan is in place;

    4. Redundant power supply, fire and smoke alarms, fire suppression systems, cooling systems are in place for data centers;

    5. Full backups are performed at minimum on a daily basis;

    6. Outsourcing/copies of full backups – different fire protection zone.

  6. The Processor is using servers and cloud infrastructure of Amazon Web Services to store Personal Data.

  7. Amazon Web Services (AWS) places a high priority on security to safeguard customer data and infrastructure.

    AWS has implemented security measures to protect against unauthorized access and ensure the confidentiality, integrity, and availability of customer resources.


    These measures include advanced network security, physical security, data encryption, and identity access management which provides strict control over who can access the services.


    Information about security of Amazon Web Services:


    1. Information about security of Amazon Web Services: https://aws.amazon.com/security.

    2. Information about physical security of Amazon Web Services: https://aws.amazon.com/compliance/data-center/controls/.

    3. Information about GDPR compliance of Amazon Web Services: https://aws.amazon.com/compliance/gdpr-center/.

  8. The Controller can manage and delete any Personal data in his account used to access the Service. This allows the Controller to meet his obligations regarding requests of Data subjects for Personal data information or deletion.