Security

Description of the technical and organizational security measures implemented by Deltatre

1. Physical Access control

Unauthorised persons are denied physical access to the equipment with which personal data is processed.

Deltatre implements the following physical access control measures:

Restriction of access rights to office buildings, data centers and server rooms to the minimum necessary

Effective control of access rights through an adequate locking system (for example, security keys with documented key management, or electronic locking systems with documented management of authorizations)

A comprehensive and fully documented process for granting, changing and withdrawing access authorizations

Regular and documented review of the access authorizations granted to date

Measures for the prevention and detection of unauthorized access and access attempts (e.g. regular review of the burglary protection of doors, gates and windows, alarm systems, video surveillance, security guards, security patrols)

Rules for employees and visitors on dealing with the technical access security measures

2. Logical Access Control to systems

Use of personal data processing systems by unauthorized persons is prevented.

Deltatre implements the following measures to control access to systems and networks in which Client data is processed:

Restriction of access rights to IT systems and non-public networks to the minimum necessary

Effective control of authentication, authorization and accounting through personalized, unique user identifiers and a secure authentication process

When passwords are used for authentication, rules are adopted to ensure password quality in terms of length, complexity and change frequency, and technical checks are implemented to enforce that quality

When asymmetric key methods (e.g. certificates, public/private key pairs) are used for authentication, the secret (private) keys are always protected with a password (passphrase). The requirements of paragraph 3 are observed

Regular full reviews of all accounts, with access removed where it is no longer required

Regular and documented review of the logical access authorizations granted to date

Appropriate measures to secure the network infrastructure (e.g. network port security (IEEE 802.1X), intrusion detection systems, two-factor authentication for remote access, network separation, content filtering, encrypted network protocols, etc.)

Rules for employees on dealing with the above security measures and on the safe use of passwords

Immediate installation of critical or important security updates/patches:

in Controller operating systems,

in server operating systems that are accessible via public networks (e.g. web servers),

in application programs (including browsers, plugins, PDF readers, etc.), and

in security infrastructure (virus scanners, firewalls, IDS systems, content filters, routers, etc.), within 48 hours after publication by the manufacturer, as well as

in the operating systems of internal servers within 1 week after publication by the manufacturer

3. Access control to data

Persons authorized to use a personal data processing system can access only the personal data covered by their access authorization, and personal data cannot be read, copied, changed or removed without authorization.

Deltatre implements the following measures for access control:

Restriction of access authorizations to personal data to the bare minimum required

Effective control of access authorizations through an adequate rights and roles concept

Comprehensive and fully documented process for granting, changing and withdrawing authorizations to access and copy personal data

Regular and documented review of the access authorizations assigned to date

Reasonable measures to protect terminal equipment, servers and other infrastructure elements against unauthorized access (e.g. a multi-level virus protection concept, content filtering, application firewalls, intrusion detection systems, desktop firewalls, system hardening, content encryption)

Encryption of data media, using algorithms aligned with the current state of the art, enforced for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.)

Logging of access to personal data by all users, including administrators

Technical security measures for export and import interfaces (hardware- and application-related)

Where the Client manages the access authorizations to those personal data, Deltatre cooperates in the access control through:

A comprehensive and fully documented process for requesting, changing and withdrawing access authorizations

Regular and documented review of the access authorizations assigned to date, as far as possible

Notification to the Client when existing access authorizations are no longer required

4. Data Flow Controls

State-of-the-art encryption technology is used for the transmission of personal data.

Personal data cannot be read, copied, changed or removed without authorization during electronic transfer, during transportation or during storage on data carriers, and it can be checked and established to which locations a transfer of personal data by means of data transmission equipment is intended.

Deltatre implements the following measures for transmission control, insofar as personal data are received, transferred or transported by Deltatre:

Appropriate measures to secure the network infrastructure (e.g. network port security (IEEE 802.1X), intrusion detection systems, two-factor authentication for remote access, network separation, content filtering, encrypted network protocols, etc.)

Encryption of data media with algorithms classified as secure, for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.)

Use of encrypted communication protocols (such as TLS-based protocols)

Mechanisms to verify the identity of remote endpoints during transmissions

Verification of checksums against the received data

Rules for employees on the handling and security of mobile devices and data carriers

5. Data Entry control

Deltatre can subsequently check and verify whether and by whom personal data have been entered into, modified in or removed from data processing systems.

Deltatre implements the following measures to control data entry into its systems that process personal data or that enable or provide access to such systems:

Creation and audit-proof storage of process logs

Protection of backup log files against tampering

Logging and analysis of failed login attempts

Ensuring that no shared group accounts (including administrator or root accounts) are used

Data Processing control

Deltatre ensures that personal data are processed only in accordance with the instructions of the Client.

Deltatre implements the following measures for Data Processing control:

Selection of (sub-)processors that provide sufficient guarantees to implement appropriate technical and organisational measures

Confidentiality obligations for all persons responsible for the processing of personal data, pursuant to the applicable legal provisions

Regular verification that the programs by which personal data is processed are applied correctly

Familiarization of the persons entrusted with personal data processing with the relevant data protection regulations

6. Availability control

Deltatre ensures that all personal data is protected against accidental destruction or loss.

Deltatre implements the following measures to control availability of the personal data:

Operation and regular maintenance of fire alarm systems in server rooms, data centres and critical infrastructure spaces directly under Deltatre’s control

Creation of daily backups and a robust and resilient disaster recovery capability

Backup storage in a separate fire compartment

Regular review and testing of backup integrity

Processes and documentation for the recovery of systems and data

Storage, processing and destruction in accordance with security good practice

7. Appropriation control

Deltatre ensures that personal data collected for different purposes can be processed separately.

Deltatre implements the following measures for the separation of personal data, provided that the data lie under its control:

Logical and/or physical separation of test, development and production systems

Separation within the processing systems and at interfaces

Continued identifiability of the data

8. Retention and Deletion of data

Personal data is retained only for as long as required and deleted when the processing is completed.

Deltatre implements the following measures to ensure the deletion of data, provided that the data lie under its control:

Deletion of personal data upon request of the Client

Processes, tools and documentation for secure deletion, such that recovery of the data is not possible with current state-of-the-art technology

Guidelines for employees on how, when and which data should be deleted.
