This Security Policy is entered into between the Customer and the Company and is incorporated into and governed by the terms of the Agreement.

All terms in capitals used herein shall have the meaning given to them in the DPA.
Technical and Organisational Security Measures
The technical and organisational measures defined herein are implemented on the basis of the international standards ISO 27001 and ISO 27018. The Processor shall maintain controls materially as protective as those provided in ISO 27001 and ISO 27018 or other substantially similar or equivalent certification requirements.

The Processor utilises third-party data centres that maintain current ISO 27001 certifications. The Processor will not utilise third-party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations.

Upon the Controller’s written request (no more than once in any 12 month period), the Processor shall provide within a reasonable time, a copy of the most recently completed certification (to the extent that to do so does not prejudice the overall security of the Products). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties.

The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted, however, that in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available; additional information regarding technical and organisational measures can be requested. It is acknowledged and agreed that this Security Policy and the technical and organisational measures described herein will be updated and amended from time to time, at the sole discretion of the Processor. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described in this Security Policy in any material, detrimental way.

1. Entrance Control

Technical or organisational measures regarding access control, especially regarding legitimation of authorised persons:

The aim of the entrance control is to prevent unauthorised people from physically accessing such data processing equipment which processes or uses Personal Data.

Due to their respective security requirements, business premises and facilities are subdivided into different security zones with different access authorisations. They are monitored by security personnel. Access for employees is only possible with an encoded photo ID. All other persons have access only after prior registration (e.g. at the main entrance).
Access to special security areas for remote maintenance is additionally protected by a separate access area. The constructional and substantive security standards comply with the security requirements for data centres.

2. System Access Control

Technical and organisational measures regarding user ID and authentication:

The aim of the system access control is to prevent unauthorised use of data processing systems used for the processing of Customer Data.

Remote access to the data processing systems is only possible through unique user names and passwords. Additional technical protections are in place using firewalls and proxy servers and state-of-the-art encryption technology that is applied where appropriate to meet the protective purpose based on risk.

3. Data Access Control

Technical and organisational measures regarding the on-demand structure of the authorisation concept, data access rights and monitoring and recording of the same:

Measures regarding data access control are targeted on the basis that only such data can be accessed for which an access authorisation exists and that data cannot be read, copied, changed or deleted in an unauthorised manner during the processing and after the saving of such data.

Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the "least privilege" and "need-to-know" principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person.

To maintain data access control, state-of-the-art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.

4. Transmission Control

Technical and organisational measures regarding the transport, transfer, transmission, storage and subsequent review of Personal Data on data media (manually or electronically).

Transmission control is implemented so that Personal Data cannot be read, copied, changed or deleted without authorisation, during transfer or while stored on data media, and so that it can be monitored and determined to which recipients a transfer of Personal Data is intended.

The measures necessary to ensure data security during transport, transfer and transmission of Personal Data as well as any other company or Customer Data include a description of the protection required during the processing of data, from the creation of such data to deletion, including the protection of such data in accordance with the data classification level.

For the purpose of transfer control, an encryption technology is used. The suitability of an encryption technology is measured against the protective purpose.

The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred to companies located outside the EEA, the Processor provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the Standard Contractual Clauses.

5. Data Entry Control

Technical and organisational measures regarding recording and monitoring of the circumstances of data entry to enable retroactive review.

System inputs are recorded in the form of log files; it is therefore possible to review retroactively whether and by whom Personal Data was entered, altered or deleted.

6. Data Processing Control

Technical and organisational measures to differentiate between the competences of principal and contractor:

The aim of the data processing control is to provide that Personal Data is processed by a commissioned data processor in accordance with the Instructions of the principal.

Details regarding data processing control are set forth in the Agreement and DPA.

7. Availability Control

Technical and organisational measures regarding data backup (physical/logical):

Data is stored in multiple data centres, with separate cross connections. The data centres can be switched in the event of flooding, earthquake, fire or other physical destruction or power outage to protect Personal Data against accidental destruction and loss.

If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good with a certain delay. This is done in order to prevent accidental deletions or possible intentional damage.

8. Separation Control

Technical and organisational measures regarding purposes of collection and separated processing:

Personal Data used for internal purposes only, e.g. as part of the respective customer relationship, may be transferred to a third party such as a subcontractor, solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.

Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.
Customer Data is stored in a way that logically separates it from other customer data.