Security
Description of the technical and organizational security measures implemented by Deltatre
1. Physical Access control
Unauthorised persons are denied access to the equipment, with which personal data is processed.
Deltatre implements the following physical access control measures:
- Restriction of access rights to office buildings, data centers and server rooms to the minimum necessary
- Effective control of access rights through an adequate locking system (for example, security key with documented key management, electronic locking systems with documented management of authorization)
- A comprehensive and fully documented processes for attainment, change and withdrawal of access authorization
- Regular and documented review of access authorizations granted to date
- Measures for the prevention and detection of unauthorized access and access attempts (e.g. regular review of burglary protection of the doors, gates and windows, alarm systems, video surveillance, security guards, security patrol)
- Rules for employees and visitors for dealing with technical access security measures
2. Logical Access Control to systems
Use by unauthorized persons of personal data processing systems is prevented.
Deltatre implements the following measures to control access to systems and networks in which Client data is processed:
- Restriction of admission rights to IT systems and non-public networks to the minimum necessary
- Effective control of authentication, authorization and accounting through personalized and unique user identifications and secure authentication process
- When using passwords for authentication, rules are adopted to ensure the quality of passwords in terms of length, complexity and change frequency. Technical testing methods are implemented in order to ensure password quality
- When using asymmetric key methods (e.g. certificates, private-public-key-methods) for authentication, secret (private) keys are always protected with a password (passphrase). The requirements of paragraph 3 are observed
- Full reviews of all accounts regularly undertaken and access removed if not required on a regular basis
- Regular and documented review of the logical access authorizations to date
- Appropriate measures to secure the network infrastructure undertaken (e.g. network port security IEEE 802.1X, Intrusion Detection Systems, use of 2-factor authentication for remote access, separation of networks, content filtering, encrypted network protocols, etc.)
- Rules for employees when dealing with the above security measures and safe use of passwords
- Immediate installation of critical or important security-updates/patches:
-
- in Controller operating systems,
- in server operating systems, which are accessible via public networks (e.g. web server),
- in application programs (including browser, plugins, PDF reader, etc.),and
- in security infrastructure (virus scanners, firewalls, IDS systems, content filters, routers, etc.) within 48 hours after publication by the manufacturer as well as,
- in server operating systems of internal server within 1 week after publication by the manufacturer
-
3. Access control to data
Only persons authorized to use a personal data processing system are allowed access exclusively to the personal data, subject to their access authorization, and personal data cannot be read, copied, changed or removed without authorization.
Deltatre implements the following measures for access control:
- Restriction of access authorization to personal data to the bare minimum required
- Effective control of access authorization through an adequate rights and role concept
- Comprehensive and fully documented process for authorizing access, changing, copying and withdrawal of personal data
- Regular and documented reviews of the assigned access authorizations to date
- Reasonable measures for the protection of terminal equipment, servers and other infrastructure elements against unauthorized access (e.g. multi-level virus protection concept, content filtering, application firewall, intrusion detection systems, desktop firewalls, system hardening, content encryption)
- Data media encryption – aligned to the current state of the art technology – algorithms to be enforced for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.)
- Logging of accesses to personal data by all users including administrators
- Technical security measures for export and import interfaces (hardware and application related)
Deltatre cooperates with the access control, unless the Client managing the access authorization to those personal data:
- Comprehensive and fully documented process for application, change and withdrawal of access authorizations
- Regular and documented review of the assigned access authorizations to date as far as is possible
- Notification to the Client if the existing access authorizations are no longer required
4. Data Flow Controls
State of the art encryption technology is used as method of transmission of personal data.
Personal data is not read, copied, changed or removed without authorization during electronic transfer or during transportation or storage on data carriers, and it can be checked and established at which locations a transfer of personal data by means of equipment for data transmission is provided for.
Deltatre implements the following measures for transmission control, insofar as personal data are received, transferred or transported by Deltatre:
- Appropriate measures to secure the network infrastructure (e.g. network port security IEEE 802.1X, Intrusion Detection Systems, use of 2-factor authentication for remote access, separation of networks, content filtering, encrypted network protocols, etc.)
- Data media encryption with algorithms classified as safe for protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.)
- Use of encrypted communication protocols (such as TLS-based protocols)
- Inspection mechanisms to identify remote terminals during transmissions
- Checksums adjustment with received data
- Rules for employees for the handling and security of mobile devices and data carriers
5. Data Entry control
Deltatre can subsequently check and verify whether and by whom personal data can be accessed, modified in or removed from data processing systems
Deltatre implements the following measures to control entry onto its systems that serve the processing of personal data or enable or provide access to such systems:
- Creation and revision-secure storage of process protocols
- Securing of backup log files against tampering
- Logging and analysis of failed login attempts
- Ensuring that no group accounts (also administrators or root) can be used
6. Data Processing control
Deltatre ensures that any personal data that is processed can only be processed in accordance with the instructions of the Client
Deltatre implements the following measures for Data Processing control:
- Selection of (sub)processors providing sufficient guarantees to implement appropriate technical and organisational measures
- Confidentiality obligations of all persons responsible for processing of personal data pursuant to applicable law provisions
- Regular verification of the correctness of the application of personal data processing programs by which personal data is processed
- Familiarization of the persons entrusted with personal data processing with the relevant data protection specific regulations
7. Availability control
Deltatre ensures that all personal data is protected against accidental destruction or loss.
Deltatre implements the following measures to control availability of the personal data:
- Operation and regular maintenance of fire alarm systems in server rooms, data centres and critical infrastructure spaces directly under Deltatre’s control
- Creation of daily backups and robust and resilient disaster recovery capability
- Backup storage in a separate fire compartment
- Regular review and testing of backup integrity
- Processes and documentation for the recovery of systems and data
- Storage, process and destruction in accordance with security good practice
8. Appropriation control
Deltatre ensures that personal data collected for different purposes can be processed separately.
Deltatre implements the following measures for the separation of personal data, provided that they lie under its control:
- Logical and/or physical separation of test, development and production systems
- Separation within the processing systems and at interfaces
- Continued identifiability of the data
9. Retention and Deletion of data
Personal data are retained only for as long as required and deleted when the processing is completed.
Deltatre implements the following measures to ensure the deletion of data, provided that they lie under its control:
- Continued deletion of personal data upon request of the Client
- Processes, tools and documentation for secure deletion in such a way that recovery of the data is not possible using current state of the art technology
- Guidelines for employees on how, when and which data should be deleted.