Data Security Policy
Version 01 July 2024
The following DATA SECURITY POLICY describes the technical and organizational measures (TOM) in accordance with the DATA SECURITY section in the DATA PROCESSING AGREEMENT (DPA).
These measures are taken by the Contractor in connection with the processing of personal data and the fulfillment of its obligations under the existing contract, Article 7 DSG (Article 8 revDSG in conjunction with Article 2 ff. DSV), and, as far as applicable, Article 32 GDPR.
The current version of the DATA PROCESSING AGREEMENT is published on the Provider's website (https://www.pelt8.com/legal/data-processing-agreement).
TECHNICAL MEASURES
Cybersecurity
The Controller is responsible for implementing cybersecurity measures to safeguard personal data against cyberattacks. These measures may include, but are not limited to:
Development environments on Azure and GitHub require two-factor authentication to access and update.
All work computers have company-wide Bitdefender installed.
Pushes to main branches on GitHub require code owner approval.
Regular software updates as required.
Data is stored in a non-publicly accessible SQL Server database that requires Microsoft Entra authentication to access.
The backend is secured via JSON web tokens using Microsoft Entra, requiring two-factor authentication.
Encryption and Pseudonymisation
The Controller is responsible for implementing encryption and pseudonymisation as recommended by the General Data Protection Regulation (GDPR) to protect personal data during processing. These measures may include, but are not limited to:
The database is encrypted at rest.
Personal data is anonymised in our database.
Physical Security
The Controller is responsible for establishing and maintaining robust physical security measures to protect access to offices and buildings.
Appropriate Disposal
The Controller is responsible for ensuring that the disposal of physical and digital data containing personal information is conducted securely, making data retrieval by unauthorized persons, intentional or unintentional, impossible.
Authentication
The Controller is responsible for adhering to an information security strategy, including two-factor authentication (2FA) and certificate-based procedures, encryption via HTTPS, and additional authentication. The requirements according to password regulations are technically enforced in the system.
Access Rights
Access to databases containing personal data shall be granted on a need-to-know basis. Blanket access to all employees is prohibited.
ORGANISATIONAL MEASURES
Information Security Policies
The Controller is responsible for establishing information security policies tailored to their size and the nature of processing activities. These policies shall guide data security practices.
Business Continuity Plan
The Controller is responsible for maintaining a business continuity plan to ensure the backup and recovery of business data, including personal data, in case of incidents.
Risk Assessments
The Controller is responsible for conducting risk assessments to identify and mitigate potential security risks associated with personal data processing.
Awareness & Training
The Controller is responsible for fostering a culture of security and data protection awareness among their employees. Regular training and awareness activities shall be conducted to ensure compliance with legal requirements.
Reviews & Audits
The Controller is responsible for establishing controls and audit mechanisms to assess the effectiveness of their data security measures. Any deficiencies identified shall be corrected promptly.
Due Diligence
The Controller is responsible for exercising due diligence in selecting data processors to ensure that appropriate technical and organizational measures (TOMs) are in place.