Technical and Organizational Measures

1. Physical Access Control

Measures and protocols to prevent access by unauthorized persons to data processing facilities in which personal data is processed or used. 

- Lock system throughout the facility with RFID scans and smartphone app  

- Facility entry via magnetic card

- Cards and RFID permissions are issues and returned in a controlled way

- Visitors need to be registered via invitation form, access code is checked at reception

 

2. Electronic Access Control

Measures and protocols to prevent unauthorized persons to use data processing systems.

- All systems are protected via user profiles using at least individual username and password

- Web-facing IT systems use multi-factor authentication whenever possible, especially for admin roles

- Encrypted discs for all devices (iPhone + FileVault for Mac)

- Use of antivirus software on devices

 -Use of software firewall on devices

- Use of mobile device management (MDM) software to track inventory, enforce security policies and ensure remote deletion (e.g. in case of theft)

 

3. Internal Access Control

Measures and protocols to ensure that the access to data processing system of any person granted user rights under the authority of the Processor is limited to the granted rights and that personal data cannot be read, copied, changed or deleted within the system when processed, used or after storage. 

- User rights are managed by system administrator(s)

- Number of administrators is limited to the minimum

- Access is granted following need-to-know principle for all systems

- Password policy with minimum requirements is technically enforced on all devices (mobile phones, laptops)

- Automatic logout due to inactivity (e.g. lock screen in absence) is technically enforced on all devices (mobile phones, laptops)

- Physical erasing of data carriers before reuse

 

4. Separation rule

Measures and protocols to ensure that data which have been collected for different purposes can be processed separately

- Authorization concept ensures logical separation of data

- Separation of productive systems from test-systems

- Database rights are stipulated

 

5. Data Entry Control

Measures and protocols to ensure subsequent verification and determination whether and by whom data is entered, changed, or deleted in a data processing system.

- Entry, change, deletion of data and failed attempts are tracked, whenever the IT systems we use allow to do so

- In case when log files are available, entry, change and deletion of data can usually be traced back to individual usernames (not user groups) 

- User rights to enter, change or delete data are assigned based on authorization concept 

 

6. Data Transfer Control

Measures and protocols to prevent unauthorized reading, copying, change or deletion of data during electronic transfer, transport or storage on data carrier and to allow determination of access points for intended transfer of personal data.

- Data transfer via secure platforms provided by client is used as the preferred option

- Emails are encrypted following industry standards (Office 365)

 

7. Order Control

Measures and protocols to ensure personal data processed in order and on behalf of contracting party will only be processed for the performance of the contract and according to the instructions of contracting party 

- Sub processors are selected considering due diligence and data security

- Legal documents and written instructions with sub processors are set up (e.g. through Data Processing Agreements)

- Employees are obliged to respect data confidentiality / data protection regulations / non-disclosure

- To ensure a reliable, secure and state-of-the-art operation of our cloud-hosted products, we rely on standard hosting service providers. The technical and organizational measures of our key sub processors can be found here:

Snowflake Inc: https://www.snowflake.com/legal/

Siemens AG: https://www.siemens.com/dpt

 

The technical and organizational measures are subject to technical progress and continuous development. In this respect, ctrl+s is permitted to implement alternative appropriate measures. The safety level of the specified measures must not be undercut. Significant changes must be documented.

 

Last update: 26 January 2023
 

Get in touch today.