Appendix 2 of the Agreement Pursuant to Art. 28 GDPR:
Technical and Organizational Measures in Accordance
with Art. 32 GDPR and Amendments
1.Confidentiality
Physical access control
•electronic physical entry control system with log
•high security perimeter fencing around the entire data center park
•documented distribution of keys to employees
•policies for accompanying and designating guests in the building
•data center staff present 24/7
•video monitoring at entrances and exits; security door interlocking systems and server rooms
•For people outside of the employment of TRITEMA SA, the entrance is not possible
•Datacenter Parks are located in Switzerland and Germany
•Monitoring
•electronic physical access control system with log
•video surveillance for all entrances and exits
Electronic access control
•for dedicated root server, colocation server, and cloud server principal commissions
•server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier
•The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account.
•for managed server, web hosting, and storage box principal commissions
•Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis.
Internal access control
•for the Supplier’s internal administration systems
•The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology.
•a revision-proof, compulsory process for allocating authorization for Supplier employees
•for dedicated root server, and cloud server principal commissions
•The responsibility for access control is incumbent upon the Client.
•for managed server, web hosting, and storage box principal commissions
•The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology.
•a revision-proof, compulsory process for allocating authorization for Supplier employees
•Only the Supplier is responsible for transferred data/software with regard to security and updates.
Transfer control
•Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused.
•Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the data center.
Isolation control
•for the Supplier’s internal administration systems
•Data shall be physically or logically isolated and saved separately from other data.
•Backups of data shall also be performed using a similar system of physical or logical isolation.
•for dedicated root server, and cloud server principal commissions
•The Client is responsible for isolation control.
•for managed server, web hosting, and storage box principal commissions
•Data shall be physically or logically isolated and saved separately from other data.
•Backups of data shall also be performed using a similar system of physical or logical isolation.
Pseudonymization
•The Client is responsible for pseudonymization.
2. Integrity (Art. 32 Para.1 Clause b GDPR)
Data transfer control
•All employees are trained in accordance with Art. 32 Para. 4 GDPR and are obliged to ensure that personal data is handled in accordance with data protection regulations.
•Deletion of data in accordance with data protection regulations after termination of the contract.
•Encrypted data transmission options are provided within the scope of the service description of the principal commission.
Data entry control
•for the Supplier’s internal administration systems
•Data is entered or collected by the Client.
•Changes in data are logged.
•for dedicated root server, colocation server, and cloud server principal commissions
•The responsibility for input control is incumbent upon the Client.
•for managed server, web hosting, and storage box principal commissions
•Data is entered or collected by the Client.
•Changes in data are logged.
3. Availability and Resilience (Art. 32 Para. 1 Clause b GDPR)
Availability control
•for the Supplier’s internal administration systems
•backup and recovery concept with daily backups of all relevant data
•professional employment of security programs (virus scanners, firewalls, encryption programs, spam filters)
•employment of disk mirroring on all relevant servers
•monitoring of all relevant servers
•employment of an uninterruptible power supply system or emergency power supply system
•permanently active DDoS protection
•for dedicated root server, colocation server, and cloud server principal commissions
•Data backup is incumbent upon the Client.
•employment of an uninterruptible power supply system or emergency power supply system
•permanently active DDoS protection
•for managed server, web hosting, and storage box principal commissions
•backup and recovery concept with daily backups of all relevant data depending upgon the services booked for the principal commission
•employment of disk mirroring
•employment of an uninterruptible power supply system or emergency power supply system
•employment of software firewalls and restricted ports
•permanently active DDoS protection
Rapid recovery measures (Art. 32 Para. 1 Clause c GDPR)
•For all internal systems, there is a defined escalation chain which specifies who is to be informed in the event of an error in order to restore the system as quickly as possible.
4. Procedures for regular testing, assessment, and evaluation (Art. 32 Para. 1 Clause d GDPR; Art. 25 Para. 1 GDPR)
•The data protection management system and the information security management system have been combined into a DIMS (data protection information security management system).
•Incident response management is available.
•Data-protection-friendly default settings are taken into account for software development (Art. 25 Para. 2 GDPR).
Agreement or contract control
•TRITEMA SA employees are regularly instructed in data protection law and are familiar with the procedural instructions and user guidelines for data processing on behalf of the Client also with regard to the Client’s right of instruction. The General Terms and Conditions contain detailed information on the type and scope of the commissioned data processing and use of the Client’s personal data.
•The General Terms and Conditions contain detailed information about the purpose limitation of Client’s personal data.
•Denali TRITEMA SA has appointed a company Data Protection Officer and an Information Security Officer. The data protection organization and the information security management systems integrate both officers into the relevant operational procedures.