Version
Last update: 25 August 2021

Annex 1: Technical and organizational data security measures

The data security measures defined by the Processor in this Annex have been agreed as binding.

1. Confidentiality (Art. 32(1)(b) GDPR)

1.1. Entry Control

Data processing by the Processor shall be performed in a secure computer center. The computer center can be certified according to ISO 27001 concerning its information security management system. Access to the computer center is secured by state-of-the-art control systems. This includes the following security measures and infra- structure:

• Subdivision of the facility into individual security areas;
• Physical access protection, for example through steel doors, windowless rooms or secured windows; Protection of security areas through an electronic access control system;
• Monitoring of the facility by security services and logging access to the facility;
• Video surveillance of all security-relevant security areas, such as entrances, emergency exits and server rooms;
• Central assignment and revocation of access authorizations; Identification of all visitors by means of identity card;
• Obligatory identification within the security areas for all employees and visitors; Visitors must be accompanied by employees at all times.

1.2.    Access Control

The Processor is required to prevent the intrusion by unauthorized persons into systems and applications used for the processing of personal data. The Processor ensures this by granting access to the data processing systems of the IaaS provider solely to explicitly authorized administrators. Login takes place exclusively via multi-factor authentication based on the login information stored in the respective personal user account. In addition, the Processor employs a differentiated rights system based on security groups and access control lists. It is only possible to log in via connections that are encrypted using state-of-the-art technology.

Individual services and components are divided into several network segments to further secure access. Isolation is provided by means of a hardware-based firewall systems and Virtual Private Clouds (VPC). Every access to systems and applications is documented, monitored and logged centrally.

The internal office network is protected against unauthorized access from outside by a hardware-based firewall. Access to computers in the Processor’s offices is controlled via user accounts. The internal office network can only be accessed from outside the premises via an encrypted VPN connection (Virtual Private Network).

The Controller can only access their “Cloud Services” instance via an encrypted connection (SSL/HTTPS).

1.3.    Access Controls

The Processor is required to prevent unauthorized activities within the data processing systems. Accordingly, only the respective Controller and a small group of individually-named administrators have access to the data. Technical measures shall ensure that a Controller cannot view, modify or erase data of other controllers.

Within an “Cloud Services” instance, access is controlled via a comprehensive role-based access control and authorization concept. Within an “Cloud Services” instance, rights are allocated by the Controller by assigning appropriate roles and rights. In addition, the Controller has the option of adapting the preconfigured roles and rights for their organization to their needs via an administrative interface.

Access to the Controller’s data by the Processor’s customer service representatives is limited to master data and billing data necessary for the performance of their customer service functions and invoicing hosting services. Customer service representatives do not have access to customer data within an “Cloud Services” instance.

Credit card data of their controllers are exclusively stored by the payment service provider; the Processor has no access to this data.

Administrators are only allowed access to customer data if there is a fault that cannot be resolved by the Controller and/or the Processor’s customer service alone.

1.4.    Separation Control

All data records that are collected, processed or used by the Processor’s systems and applications are explicitly and clearly assigned to the respective Processor and technically separated from other data. The Processor’s data processing systems are specially designed for data processing that is limited to a specific purpose and specific client. Access to the data of another client is thus technically impossible.

1.5.    Pseudonymization (Art. 32(1)(a) in conjunction with Art. 25(1) GDPR)

Pseudonymization is intended to ensure that the identification of a data subject affected by data processing is not possible or is made considerably more difficult.

Data concerning deleted users in “Cloud Services” are anonymized so that it is no longer possible to associate such data with the respective persons.

2. Integrity (Art. 32(1)(b) GDPR)

 2.1.    Transfer control 

Control of the transfer of the Controller’s data is ensured by various technical and organizational security measures. As part of these measures, the Processor never stores the Controller’s data outside the computer center. Employees of the computer center operator have no physical or technical access to the Controller’s data such that they can neither view, erase or modify such data. Data backups are only stored solely in encrypted form. The Controller’s data are not transported on physical data carriers.

For the purpose of invoicing for services, billing data is transferred to the Processor’s accounting systems via an encrypted connection.

2.2.    Input Control

The Processor must guarantee the transparency and/or documentation of data processing. For this purpose, all entries made into the systems and applications are logged by the Processor. The logs are archived and erased once the purpose has been achieved or on the basis of legal requirements.

The “Cloud Services” application supports the entry and modification of its own data exclusively via user interfaces and interfaces provided for this purpose in accordance with a detailed role-based access control and authorization concept.

3. Integrity (Article 32(1)(b) GDPR)

3.1.    Availability Control

The Processor must protect personal data against accidental destruction or loss. For this purpose, the architecture of the Processor’s data processing systems, including network infrastructure, the power supply and the connection to the Internet must be designed redundantly.

A comprehensive backup and recovery concept must be in place to prevent data loss. The Controller’s data is continuously backed-up in a separate availability zone via a replication mechanism. In addition, complete back- ups of all systems and data are made on a daily basis.

The systems and applications are continuously monitored with regard to availability, functionality, safety and utilization. A written emergency plan is in place to restore the backups in the event of loss or destruction.

3.2.    Rapid recoverability (Art. 32(1)(c) GDPR)

Measures must be taken to ensure that data can be recovered quickly in the event of data loss.

A combination of redundant systems and backup solutions is used to protect against the loss of the Controller’s data. All data are backed up at least once a day. In case of data loss, this data can be recovered from the existing backups. Data are stored in independent availability zones.

4. Availability and Resilience (Art. 32(1)(b GDPR)

Resilience means the ability to resist attacks or to quickly bring systems back into working order after an attack.

The technical systems of the “Cloud Services” platform are able to cope with expected disruptive events without their functionality being significantly impaired. IT systems are continuously hardened to protect against known attacks such as denial-of-service attacks.

In addition, each essential component is designed redundantly so that in the event of a fault, a switch to a defect-free component takes place automatically. Additional capacities can also be flexibly exchanged or expanded.

The “Cloud Services” platform has modern, multitier architecture. As part of this architecture, access to the aspects via network disconnections is technically so limited that, for example, the database management system cannot be accessed from the Internet but rather only the load balancers.

Emergency plans exist which, in the event of a fault, provide precise instructions for restoring the desired condition. These emergency plans, and the protection concepts, are continuously reviewed and the relevant employees receive regular training in connection with their deployment.

5. Data Protection Management

5.1.    Contact details of the Processor(s) or the Processor’s representative (s)

Mr. Ciprian Candea, (Data Protection Office)

Reconstructiei, 2A, 550129, Sibiu, Romania

Email – dp[at]tspace.eu

5.2.    Process for Regular Testing, Assessment and Evaluation (Art. 32(1)(d); Art. 25(1) GDPR)

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing must be implemented.

This measure is to be implemented with the aid of a data protection management system. The effectiveness of the technical and organizational measures implemented is to be tested and optimized within the scope of a continuous improvement process.

5.3.    Incident Response Management; Reporting Channel

Measures must be in place to ensure that the Processor informs the Controller without undue delay in the event of a personal data breach or the suspicion of a personal data breach.

All contractual partners are contractually obliged to report data protection incidents within the legal deadlines. Internal processes ensure that the Data Protection Officer is involved in case of data protection incidents.

5.4.    Data Protection by default (Art. 25(2) GDPR)

Appropriate technical and organizational measures must be implemented for ensuring that, by default, only personal data that are necessary for each specific purpose of the processing are processed.

After expiration of the test phase, as well as after termination of the contractual relationship, customer data that have been collected must be erased within three months. In addition, the customer can independently delete individual users within its “Cloud Services”. This results in the deletion of the following personal data:

• First and last name
• E-mail address
• Phone number
• User name
• User profile picture (avatar image)

Data that has been created, such as comments on work packages, are assigned to an anonymous user after deletion.

5.5.    Contractor Control

The Processor processes data submitted to them in accordance with the applicable contract and, in doing so, ensures compliance with statutory provisions and requirements defined by contract within the scope of the instructions provided by the Controller. The “Cloud Services” platform has an administration interface through which the Controller can manage their customer account. The Controller specifies their access data within their user account during the initial account creation process. Only persons who have such access data can enter, change or delete customer data within the scope of their assigned authorizations. The written form requirement applies to all other tasks that the Controller cannot perform independently via the administration interface