Common use of Functional Responsibilities Clause in Contracts

Functional Responsibilities.

Assignment control measures Importer takes to ensure that, in the case of commissioned Processing, the Personal Information are Processed strictly in accordance with the instructions of the principal. Training of all Processor’s representatives involved in Personal Data Processing for technical and organizational security measures. Follow-up training at regular intervals. Specific clauses in Contractor/Employment agreements with all Processor’s representatives, such as: The Right for Work Results, Confidentiality, Policies and work processes, Non-compete, Non Disclosure. Appointment of contact person in charge of data protection (▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇).

Availability control measures Importer applies to ensure that Personal Data are protected from accidental destruction or loss. Replication/Back-up processes. Active/Active and regional Data Centres. Centralized virus protection and firewall at Processor’s infrastructure. Air conditioning for work and server/network environment. Fire alarm system. Monitored alarm system. CCTV. Contingency plans.

Measures of pseudonymisation and encryption of personal data: All data at rest is encrypted. Data in transit encrypted via TLS between user end-points and core services. Pseudonymisation techniques assigned to all data sat within queues or at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Data Protection Officer, CTO and Director of Technical Services meet regularly to review current processes and risk register. Regular Penetration tests carried out on infrastructure and application (service and code level). 3rd party IDS and Cloud Native security products built into solution.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Multiple data centres operate in an active/active configuration. All personal data is aggregated across all per-geo data centres.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: 3rd party assessments of our security process and policies as part of our various ISO accreditations. Regular management reviews of process and risk register. Tooling to ensure adherence to process and policies, including but not limited to IDS, automated compliance tools, Managed Detection and Response systems and Zero Trust Access systems.

Measures for user identification and authorisation: MFA coupled with Zero trust.

Measures for the protection of data during transmission: TLS Encryption at all points of transmission, including between internal services.

Measures for the protection of data during storage: Data storage can only be accessed by internal services, all of which are protected by secured MFA access. Secure and encrypted transmission of data prior to storage. Storage technologies that incorporate encryption as standard. Partners only have access to their own data based on secure authentication and authorisation.

Measures for ensuring physical security of locations at which personal data are processed: Access controls at all Data Centres and Exclaimer offices. Secure door access, which is recorded and regularly reviewed. Camera surveillance and 24/7 security guard patrols in place.

Measures for ensuring events logging: 3rd party tooling to ensure all external events are logged. In product logging of all key events.

Measures for ensuring system configuration, including default configuration: New tenancies are created using standard image which is regularly checked against a baseline. All delivery pipelines update default configurations where necessary, ensuring built-in security and compliance to standard images.

Measures for internal IT and IT security governance and management: Accredited to ISO27001 & 27018. Robust process, policies and tooling to ensure compliance.

Measures for certification/assurance of processes and products: Regular external 3rd party penetration testing of product and infrastructure (on material infrastructure change, product change or annually). 3rd party quarterly assessment of compliance to process and certifications. Real-time tooling notifications on compliance to process and certifications.

Measures for ensuring data minimisation: Independent audit and product peer review of all data collected.

Measures for ensuring data quality: Independent teams assess multiple streams of data, with a focus on quality. Any quality issues are fed back into the process and resolved promptly.

Measures for ensuring limited data retention: All data storage retention timeframes are regularly reviewed and assessed. Audits of data storage are conducted by independent teams to ensure adherence to policies.

Measures for ensuring accountability: All core processes and procedures are owned by senior members of Exclaimer. All employees, contractual sub processors or other service providers are contractually bound to respect the confidential nature of all sensitive information.

Measures for allowing data portability and ensuring erasure: All data stored can be easily recreated from Partners' own store. Export and import routines exist across core data points. Data erasure policies exist as part of our wider information security policies.

List of sub-processors: Name of Sub-Processor | Company number | Address | Service Provided

Appears in 1 contract

Sources: Data Processing Agreement

Functional Responsibilities.

Assignment control measures Importer takes to ensure that, in the case of commissioned Processing, the Personal Information are Processed strictly in accordance with the instructions of the principal. Training of all Processor’s representatives involved in Personal Data Processing for technical and organizational security measures. Follow-up training at regular intervals. Specific clauses in Contractor/Employment agreements with all Processor’s representatives, such as: The Right for Work Results, Confidentiality, Policies and work processes, Non-compete, Non Disclosure. Appointment of contact person in charge of data protection (▇▇▇@▇▇▇▇▇▇▇▇▇.▇▇▇).

Availability control measures Importer applies to ensure that Personal Data are protected from accidental destruction or loss. Replication/Back-up processes. Active/Active and regional Data Centres. Centralized virus protection and firewall at Processor’s infrastructure. Air conditioning for work and server/network environment. Fire alarm system. Monitored alarm system. CCTV. Contingency plans.

Measures of pseudonymisation and encryption of personal data: All data at rest is encrypted. Data in transit encrypted via TLS between user end-points and core services. Pseudonymisation techniques assigned to all data sat within queues or at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Data Protection Officer, CTO and Director of Technical Services meet regularly to review current processes and risk register. Regular Penetration tests carried out on infrastructure and application (service and code level). 3rd party IDS and Cloud Native security products built into solution.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Multiple data centres operate in an active/active configuration. All personal data is aggregated across all per-geo data centres.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing: 3rd party assessments of our security process and policies as part of our various ISO accreditations. Regular management reviews of process and risk register. Tooling to ensure adherence to process and policies, including but not limited to IDS, automated compliance tools, Managed Detection and Response systems and Zero Trust Access systems.

Measures for user identification and authorisation: MFA coupled with Zero trust.

Measures for the protection of data during transmission: TLS Encryption at all points of transmission, including between internal services.

Measures for the protection of data during storage: Data storage can only be accessed by internal services, all of which are protected by secured MFA access. Secure and encrypted transmission of data prior to storage. Storage technologies that incorporate encryption as standard. Partners Customers only have access to their own data based on secure authentication and authorisation.

Measures for ensuring physical security of locations at which personal data are processed: Access controls at all Data Centres and Exclaimer offices. Secure door access, which is recorded and regularly reviewed. Camera surveillance and 24/7 security guard patrols in place.

Measures for ensuring events logging: 3rd party tooling to ensure all external events are logged. In product logging of all key events.

Measures for ensuring system configuration, including default configuration: New tenancies are created using standard image which is regularly checked against a baseline. All delivery pipelines update default configurations where necessary, ensuring built-in security and compliance to standard images.

Measures for internal IT and IT security governance and management: Accredited to ISO27001 & 27018. Robust process, policies and tooling to ensure compliance.

Measures for certification/assurance of processes and products: Regular external 3rd party penetration testing of product and infrastructure (on material infrastructure change, product change or annually). 3rd party quarterly assessment of compliance to process and certifications. Real-time tooling notifications on compliance to process and certifications.

Measures for ensuring data minimisation: Independent audit and product peer review of all data collected.

Measures for ensuring data quality: Independent teams assess multiple streams of data, with a focus on quality. Any quality issues are fed back into the process and resolved promptly.

Measures for ensuring limited data retention: All data storage retention timeframes are regularly reviewed and assessed. Audits of data storage are conducted by independent teams to ensure adherence to policies.

Measures for ensuring accountability: All core processes and procedures are owned by senior members of Exclaimer. All employees, contractual sub processors or other service providers are contractually bound to respect the confidential nature of all sensitive information.

Measures for allowing data portability and ensuring erasure: All data stored can be easily recreated from Partners customers own store. Export and import routines exist across core data points. Data erasure policies exist as part of our wider information security policies.

List of sub-processors: Name of Sub-Processor | Company number | Address | Service Provided

Appears in 1 contract

Sources: Data Processing Agreement