Technical & Organizational Measures
We take our responsibility seriously and have therefore implemented a variety of technical and organizational measures to protect and secure personal data as well as possible. Our measures are aligned with Article 32 of the GDPR.
Confidentiality
Physical access control
Measures that make sure that no unauthorized access to data processing and data storage facilities takes place.
Concrete measures:
- Electronic keys with safety locks to enter the office
- Use of state-of-the-art cloud providers with proven protection processes and highly secured locations to store data
- Careful selection of staff (e.g., cleaning, maintenance, security)
- Employees use privacy screens whenever they access the systems remotely in public surroundings
Logical access control
Measures that make sure that there is no unauthorized use of data processing and data storage systems.
Concrete measures:
- Secure passwords including use of state-of-the-art password managers
- Two-Factor authentication for all key systems
- Single Sign-On (SSO) to reduce the risk of managing multiple accounts
- Encryption of data whenever possible
- Limitation of who can access the systems with very restrictive granting of rights
- Internal “data protection policy” that all employees have agreed to and apply accordingly
- Clear separation of employee sessions for company and private use
Data access control
Measures that make sure that authorized persons can only access the data according to their assigned rights, so that there is no unauthorized reading, copying, changing or deleting of data within the systems.
Concrete measures:
- Rights authorization concept
- Need-based rights of access
- Limitation of who can access the systems with very restrictive granting of rights
- Logging of system access events with regular checks
Asset Classification and Control
WiserNotify’s practice is to track and manage key information and physical, software and logical assets. Examples of the assets that WiserNotify might track include:
- information assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information;
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These safeguards may include controls such as access management, encryption, logging and monitoring, and data destruction.
Isolation and separation
Measures that make sure that data collected for a specific purpose is isolated from data related to other purposes.
Concrete measures:
- Clear separation of core database systems
- Database rights are centrally managed and set as granular as possible
- Production and test systems are clearly separated
Pseudonymization
Measures that make sure that personal data is processed in such a way that the data cannot be associated with a specific data subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.
Concrete measures:
- Sensitive data is pseudonymized or even anonymized when it is not regularly needed
- Use of internal identifiers only (e.g., an internal user ID) instead of the raw personal data whenever that is sufficient
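The following is an added illustration, not code from WiserNotify, of the two measures above: direct identifiers are replaced by a keyed token, and the secret key plus the token-to-identifier mapping (the "additional information" of the definition) live in a separate store that the working dataset never carries. Record layout, field names and the sample data are constructed assumptions.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records: one direct identifier (email) plus analytic fields.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "visits": 12},
    {"email": "bob@example.com", "plan": "free", "visits": 3},
    {"email": "alice@example.com", "plan": "pro", "visits": 4},
]


@dataclass
class PseudonymVault:
    """The separately stored 'additional information': the HMAC key and the
    token -> identifier mapping. Kept apart from the pseudonymized dataset
    and protected by its own access controls (assumption for this example)."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: dict = field(default_factory=dict)

    def token_for(self, identifier: str) -> str:
        # Keyed hash rather than a plain hash: a plain SHA-256 of a known email
        # could be recomputed and matched, HMAC with a secret key cannot.
        normalized = identifier.strip().lower().encode()
        tok = hmac.new(self.key, normalized, hashlib.sha256).hexdigest()[:24]
        self.mapping[tok] = identifier
        return tok

    def reidentify(self, token: str) -> Optional[str]:
        # Only holders of the vault can link a token back to a person.
        return self.mapping.get(token)


def pseudonymize(records, vault: PseudonymVault, id_field: str = "email"):
    """Return copies of the records with the direct identifier replaced by a token."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k != id_field}
        pseudo["user_token"] = vault.token_for(rec[id_field])
        out.append(pseudo)
    return out


def contains_raw_identifier(records, identifier: str) -> bool:
    """Check used to verify that no raw identifier leaked into the working dataset."""
    return identifier in repr(records)


def aggregate_visits(records):
    """Analytics still work on the pseudonymized data: visits per user token."""
    totals = {}
    for rec in records:
        totals[rec["user_token"]] = totals.get(rec["user_token"], 0) + rec["visits"]
    return totals


if __name__ == "__main__":
    vault = PseudonymVault()
    working_set = pseudonymize(SAMPLE_RECORDS, vault)
    print(working_set)
    print(aggregate_visits(working_set))
    # Re-identification requires the vault, which the working set does not carry.
    print(vault.reidentify(working_set[0]["user_token"]))
```

Because the token is deterministic per key, the same person gets the same token across records, so per-user analysis remains possible; a different key (a different vault, or a rotated one) yields unrelated tokens, which is what keeps two datasets from being linked without the vault.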
Security
Security Practices
WiserNotify has implemented corporate information security practices and standards that are designed to safeguard WiserNotify’s corporate environment and to address business objectives across information security, system and asset management, development, and governance.
WiserNotify shall maintain an appropriate data privacy and information security program, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programs, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle. Key policies will be reviewed at least annually.
Organizational Security
It is the responsibility of all WiserNotify employees who are involved in the processing of Customer Personal Data to comply with these practices and standards. WiserNotify’s Information Security (“IS”) function is responsible for the following activities:
Security strategy – the IS function works to ensure compliance with its own security-related policies and standards and all relevant regulations, and to raise awareness and provide education to users. The IS function also carries out risk assessments and risk management activities, and manages contract security requirements.
Security engineering – the IS function manages testing, design and implementation of security solutions to enable adoption of security controls across WiserNotify’s online and information technology environment.
Security operations – the IS function manages support of implemented security solutions, monitors and scans WiserNotify’s online and information technology environment and assets, and manages incident response.
Security consulting and testing – the IS function works with software developers on developing security best practices, consults on application development and architecture for software projects, and carries out assurance testing.
Employee Screening & Training
Screening/background checks: Where reasonably practicable and appropriate, as part of the employment/recruitment process, WiserNotify performs employee screening and background checks on employees or prospective employees (which shall vary from country to country based on local laws and regulations), where such employees will have access to WiserNotify’s networks, systems or facilities.
Training: WiserNotify’s annual compliance training program includes a requirement for employees to complete an online data protection and information security awareness course.
Confidentiality: WiserNotify ensures its employees are legally bound to protect and maintain the confidentiality of any data they handle pursuant to standard agreements.
Integrity
Data transmission and transport control
Measures that make sure that no data is compromised during transmission and transport and that there is no unauthorized reading, copying, changing or deleting of data in electronic transfer.
Concrete measures:
- Using only secured connections (SSL/HTTPS)
- Encrypting sensitive data
- No use of physical transportable storage (e.g., external hard drives, USB storage)
- Reducing use of physical paper as transport medium
- Limiting storage of local files
Data entry control
Measures that make it possible to verify whether and by whom personal data has been entered, changed or deleted in the systems.
Concrete measures:
- User-level logging for all critical system components
- Central cloud-based document storage with detailed change-logs
Data protection by design & default
Measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner:
- Privacy by Design
- Privacy by Default
- Organisational assurance that notification and notification obligations are fulfilled
- Data protection by default with regard to the scope of data processing
- Data protection by default with regard to the amount of personal data collected
- Data protection by default with regard to storage and deletion periods
Availability and resilience
Availability control
Measures that make sure that data is protected against destruction or loss.
Concrete measures:
- In-depth backup strategy depending on sensitivity of data
- Backups are stored in secured cloud storage with multi-location security
- Hosting through state-of-the-art cloud providers in order to minimize risk
- Recovery plan
Rapid recovery
Measures that make sure that data can be restored and recovered rapidly after an incident.
Concrete measures:
- Easy backup recovery plan
- Use of only state-of-the-art cloud providers and subcontractors to increase flexibility for recovery
Regular testing, assessing and evaluation
Measures to make sure that the implemented processes are regularly tested, assessed and evaluated on effectiveness for ensuring the security of the data processing.
Concrete measures:
- External and independent data protection officer
- Data protection management
- Data protection by design
- Data protection training for employees
- Regular review of all data privacy agreements with subprocessors and subcontractors
- Internal “data protection policy” that all employees have agreed to and apply accordingly
- Regular review of our data protection concept
- No third-party data processing without in-depth checks of the subprocessor and clear contractual agreements that make data transfers compliant with the regulations