TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- Measures of pseudonymisation and encryption of personal data: All data in the database is encrypted at rest and in transit
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services:
  - Availability: Access to servers is limited to authorized personnel only
  - Integrity: All data changes are handled through alembic updates, which go through a review process
  - Confidentiality: Access to view data is limited to those who have access to the server(s)
  - Resilience of processing systems and services: Servers and services are redundant. If a service goes down, a new container is automatically created to maintain the required replica count
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Internal processes are documented and used to maintain uptime for clients
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: All restoration processes are tested on a yearly basis
- Measures for user identification and authorisation: Server access requires an account and a valid public key
- Measures for the protection of data during transmission: Data is encrypted in transit using TLS 1.2 and 1.3
- Measures for the protection of data during storage: Database instances are encrypted
- Measures for ensuring physical security of locations at which personal data are processed: N/A; solely cloud-based
- Measures for ensuring events logging: Events are externally logged and kept off-server for a predetermined amount of time
- Measures for ensuring system configuration, including default configuration: Standard set-up process enforced with Ansible and preconfigured AMIs where applicable
- Measures for internal IT and IT security governance and management: Self-attested ISO 27001
- Measures for certification/assurance of processes and products: Maintained in CAIQ
- Measures for ensuring data minimisation: The only PII collected is the user's email address and name
- Measures for ensuring data quality: A last-updated date is recorded for data sets, and errors are thrown for missing required data fields
- Measures for ensuring limited data retention: Per client basis as per their requirements
- Measures for ensuring accountability: Cyber Security Policy: Disciplinary Action