Data Protection Protocols
Taking into account the nature of the processing, the following Data Protection Protocols will be followed when processing Licensee Personal Data.
Technical and Organisational Security Measures
The Processor’s security framework is based on the ISO 27002 (2013) framework and also integrates the SANS CSC 20 v5, Student Privacy Pledge and the OWASP Top 10. The technical and organisational measures defined herein are implemented on the basis of these international standards. The Processor shall maintain controls materially as protective as those provided or other substantially similar or equivalent certification requirements.
Processor utilises third party data centres that maintain ISO 27001 certifications, but currently maintain certifications in C5, Cyber Essentials Plus, DoD SRG, FedRAMP, FIPS, IRAP, ISO 9001, ISO 27017, ISO 27001, ISO 27018, MTCS, PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1, SOC 2 and SOC 3. The Processor will not utilise third party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations.
The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted however that, in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available. It’s acknowledged and agreed that the technical and organisational measures described therein will be updated and amended from time to time, at the sole discretion of the Processor. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described below in any material, detrimental way.
Technical or organisational measures regarding access control, especially regarding legitimation of authorised persons:
The aim of the entrance control is to prevent unauthorised people from physically accessing such data processing equipment which processes or uses Personal Data.
Due to security requirements, business premises are monitored by security cameras. Access for employees is only possible with a personal key. All other persons have access only after having identified themselves (e.g. at the main entrance).
System Access Control
Technical and organisational measures regarding the user ID and authentication:
The aim of the system access control is to prevent unauthorised use of data processing systems which are used for the processing of customer data.
Remote access to the data processing systems is only possible through the Processor’s secure VPN tunnel. Users first authenticate to the secure VPN tunnel; after successful authentication, authorisation is executed by providing a unique username and password to a centralised directory service. All access attempts, successful and unsuccessful, are logged and monitored.
Additional technical protections are in place using firewalls and proxy servers and robust encryption technology that is applied where appropriate to meet the protective purpose based on risk.
Data Access Control
Technical and organisational measures regarding the on-demand structure of the authorisation concept, data access rights and monitoring and recording of the same:
Measures regarding data access control are targeted on the basis that only such data can be accessed for which an access authorisation exists, and that data cannot be read, copied, changed or deleted in an unauthorised manner during the processing and after the saving of such data.
Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the “least privilege” and “need-to-know” principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person.
To maintain data access control, robust encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.
Technical and organisational measures regarding the transport, transfer, transmission, storage and subsequent review of Personal Data on data media (manually or electronically).
Transmission control is implemented so that Personal Data cannot be read, copied, changed or deleted without authorisation, during transfer or while stored on data media, and so that it can be monitored and determined to which recipients a transfer of Personal Data is intended.
The measures necessary to ensure data security during transport, transfer and transmission of Personal Data as well as any other company or customer data are detailed in the Security Policy. This standard includes a description of the protection required during the processing of data, from the creation of such data to deletion, including the protection of such data in accordance with the data classification level.
For the purpose of transfer control, an encryption technology is used. The suitability of an encryption technology is measured against the protective purpose.
The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred to companies located outside the EEA, the Processor provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union’s data protection requirements, e.g. by employing contracts based on the Standard Contractual Clauses.
Data Entry Control
Technical and organisational measures regarding recording and monitoring of the circumstances of data entry to enable retroactive review.
System inputs are recorded in the form of log files; it is therefore possible to review retroactively whether and by whom Personal Data was entered, altered or deleted.
Data Processing Control
Technical and organisational measures to differentiate between the competences of principal and contractor:
The aim of the data processing control is to provide that Personal Data is processed by a commissioned data processor in accordance with the Instructions of the principal.
Details regarding data processing control are set forth in the Agreement and DPA.
Technical and organisational measures regarding data backup (physical/logical):
Data is stored in at least 2 data centres in a region, with multiple separate cross connections. The data centres can be switched in the event of flooding, earthquake, fire or other physical destruction or power outage, to protect Personal Data against accidental destruction and loss.
Technical and organisational measures regarding purposes of collection and separated processing:
Personal Data used for internal purposes only, e.g. as part of the respective customer relationship, may be transferred to a third party such as a subcontractor, solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.
Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.
Customer data is stored in a way that logically separates it from other customer data.