Technical and Organisational Security Measures
Description of the technical and organisational security measures implemented by the Provider:
The Provider shall implement suitable measures that are adequate in relation to the nature and type of the relevant personal data or categories of personal data processed and the risks inherent in the processing:
To prevent unauthorized persons from gaining access to data processing systems with which personal data is processed or used (access control). Measures: The platform runs on AWS. The firewall allows inbound traffic only on ports 22, 80 and 443 from anywhere; port 5432 (PostgreSQL) is open only to management IP addresses. SSH access requires a certificate. User data is stored in PostgreSQL on the server. The server is located inside the EU (AWS Frankfurt region).
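The ingress policy stated above is easy to verify mechanically. The following script is an added example, not the Provider's own tooling: it audits a list of security-group rules in the shape of the IpPermissions entries returned by `aws ec2 describe-security-groups` and reports every deviation from the policy (TCP 22, 80 and 443 open to everyone; TCP 5432 only from management addresses; nothing else open). The management range `203.0.113.0/24` and the two sample groups are constructed for the example.

```python
"""Audit EC2 security-group ingress rules against the stated firewall policy.

Added example, not the Provider's own code. Rule dictionaries mirror the
IpPermissions entries of `aws ec2 describe-security-groups`; the management
range and the sample groups below are constructed.
"""
import ipaddress

PUBLIC_PORTS = {22, 80, 443}           # may be open from 0.0.0.0/0 and ::/0
MANAGEMENT_ONLY_PORTS = {5432}         # PostgreSQL: management addresses only
MANAGEMENT_CIDRS = ["203.0.113.0/24"]  # assumed management range (documentation prefix)


def is_management_source(cidr, management_cidrs):
    """True if every address in `cidr` lies inside one of the management ranges."""
    src = ipaddress.ip_network(cidr, strict=False)
    for m in management_cidrs:
        mgmt = ipaddress.ip_network(m, strict=False)
        if src.version == mgmt.version and src.subnet_of(mgmt):
            return True
    return False


def audit_ingress(ip_permissions, management_cidrs=MANAGEMENT_CIDRS):
    """Return a list of policy violations; an empty list means the group complies."""
    violations = []
    policy_ports = PUBLIC_PORTS | MANAGEMENT_ONLY_PORTS
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if proto == "-1":  # AWS encoding for "all protocols and ports"
            violations.append(f"all protocols/ports open from {sources}")
            continue
        if proto != "tcp":
            violations.append(f"{proto} rule present; the policy only allows TCP")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        in_range = {p for p in policy_ports if lo <= p <= hi}
        for src in sources:
            # A port range wider than the policy ports it contains exposes extra ports.
            if hi - lo + 1 > len(in_range):
                violations.append(f"ports {lo}-{hi} from {src} include ports outside the policy")
            # Management-only ports must not be reachable from non-management sources.
            for port in in_range & MANAGEMENT_ONLY_PORTS:
                if not is_management_source(src, management_cidrs):
                    violations.append(f"port {port} reachable from {src}, not a management address")
    return violations


# Constructed sample: the group exactly as described in the measures ...
COMPLIANT_GROUP = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]
# ... and a drifted copy in which PostgreSQL has been exposed to the whole internet.
DRIFTED_GROUP = COMPLIANT_GROUP[:3] + [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    for name, group in (("compliant", COMPLIANT_GROUP), ("drifted", DRIFTED_GROUP)):
        print(name, audit_ingress(group) or "OK")
```

Feeding the script the real `IpPermissions` array of the production group (for example from a scheduled job) turns the sentence in the measures into a check that fails loudly when a rule drifts.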
To prevent data processing systems from being used without authorization (access control),
Measures: Only users with a certificate can access the system, and only authorized personnel can log in to the platform, using an e-mail address and a password (stored as a bcrypt hash).
To ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage (access control),
Measures: Every admin endpoint requires the user to be authenticated and checks that the user has permission for the entity they are trying to reach.
To ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged (transmission control),
Measures: Every data transfer goes over HTTPS; the TLS certificate is issued by Let's Encrypt (ISRG).
To ensure that it is possible to check and establish whether and by whom personal data has been input into data processing systems, modified or removed (input control),
Measures: Actions by team members are logged to the database; admin access is logged to the standard nginx log file.
To ensure that, in the case of commissioned processing of personal data, the data is processed strictly in accordance with the instructions of the controller (job control),
Measures: We train the primary contact in the use of the system and support them in sharing that knowledge with other users. Any user can contact the Provider's team through the help feature or by e-mail.
To ensure that personal data is protected from accidental destruction or loss (availability control),
Measures: The Provider takes hourly backups.
To ensure that data collected for different purposes can be processed separately,
Measures: The data is processed for a single purpose only.