TOMs - Technical & Organizational Measures

⌘K

TOMs – Technical & Organizational Measures

Version 2.3

The Contractor undertakes vis-à-vis the  Customer to comply with the following technical and organizational measures, which are necessary to comply with the applicable data protection regulations to be applied:

1. Measures to ensure the confidentiality of systems and services, which are intended to prevent unauthorized access or access to personal data, at the site of the Controller itself or in transit to Processors or third parties.

These include, but are not limited to:

(1) Access control

Measures taken to prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used:

  • Electronic access control system with loggin
  • High-security fence around the entire data center park
  • Documented key assignment
  • Guidelines for escorting and identifying guests in the building
  • 24/7 staffing of the data centers
  • Video surveillance at entrances and exits, security gates and server rooms

(2) Access control

Measures to prevent the use of data processing systems by unauthorized persons are implemented:

Operating system level:

  • Server systems are protected from outside operation and access by password protection.
  • Maintenance accesses via network are carried out via SSH over an encrypted connection using user name and password or private keys
  • The server operating system is Debian Linux with the latest patch status
  • Access ports are protected by a host firewall and access is only granted by maintenance systems of Adtelligence GmbH (monitoring, backup, etc.) or the privileged network of network of Adtelligence GmbH Mannheim
  • Access data for customer systems is only accessible to a small group of the supervising Admins in charge
  • Access at operating system level is logged by a central IDS system
  • Role-based access concept with separation of maintenance at application level and maintenance at operating system level
  • Data media are only stored within the data center suite

Application level:

  • Role-based access control concept with name-based separation of accounts
  • Administrative access to application only for restricted group of employees
  • Regular control of accounts with access rights
  • Logging of accesses by dedicated audit log
  • Logging of access attempts by dedicated audit log
  • Access only via encrypted SSL connection

(3) Access control

Measures that ensure that the persons authorized to use a data processing system have authorized to use a data processing system have access only to the data subject to their access authorization and that personal data cannot be unauthorized, read, copied, or modified during processing, use, or after storage cannot be read, copied, modified, or removed without authorization:

Operating System Level:

  • Server systems are protected from outside operation and access by password protection.
  • Maintenance accesses via network are carried out via SSH over an encrypted connection using private keys
  • The server operating system is Debian Linux with the latest patches.
  • Access ports are protected by a host firewall and access is only granted by maintenance systems of Adtelligence GmbH (monitoring, backup, etc.) or the network of Adtelligence GmbH Mannheim network
  • Access data for customer systems are only accessible to a small group of administrators
  • Access at operating system level is logged by central IDS system
  • Role-based access concept with separation of maintenance on application level and maintenance at operating system level
  • Monitoring by central IDS system

Application level:

  • Role-based access control concept with name-based separation of accounts.
  • Administrative access to application only for restricted group of employees
  • Regular control of accounts with access rights
  • Logging of accesses by dedicated audit log
  • Logging of access attempts by dedicated audit log
  • Access only via encrypted SSL connection

Backup system:

  • Separate storage of backups per customer
  • Separate access authorization for backups of individual customers
  • Administrative access only

(4) Transfer control

Measures to ensure that personal data is not read by unauthorized persons during its electronic transmission or during their transport or storage on data media cannot be read, copied or removed by unauthorized persons, copied, altered, or removed, and that it is possible to verify and identify to which to which the transmission of personal data by means of data transmission equipment is intended:

  • Data is only transmitted in encrypted form during administration work (secured

SSH connections)

  • Access at application level only via encrypted SSL connection
  • In the case of physical transport by third party contractors, data systems are only transported encrypted and the handover and takeover is logged.
  • Defective or no longer required data media are either deleted by multiple overwriting or overwriting or mechanically destroyed
  • The creation of copies is documented
  • The inventory of data media is documented and regularly checked.
  • There is an internal regulation for administrative remote access.

(5) Separation control

Measures to ensure that data collected for different purposes can be processed separately:

  • Strict separation of production systems, test systems and development systems.
  • If economically feasible, physical separation of customer systems, otherwise at least logical separation at system, network and application level
  • Data from different customers is not merged at any time
  • System access data is assigned restrictively in accordance with the tasks in question

2. Measures to ensure the integrity of the systems and services, which guarantee that personal data cannot be changed (unnoticed). These include:

Input control

Measures that ensure that it is possible to verify retrospectively whether and by whom personal data have been entered, changed or removed in data processing systems.

  • Allocation of personal user accounts and access data.
  • Logging of system accesses by means of system log files
  • Regular checking of system logs for anomalies
  • Logging of changes by application-specific log file
  • Logging of deletions through application-specific log file
  • Logging of changes at operating system level by a central IDS system

3. Measures to ensure the availability of the systems and services, which guarantee that personal data are permanently and unrestrictedly available and, in particular, are available when they are needed.

These include:

Availability control

Measures that ensure that personal data are protected against accidental destruction or loss:

  • Use of uninterruptible power supply,
  • Emergency diesel power for autonomous operation
  • Permanently active DDoS protection
  • Temperature monitoring of room air and in server/distribution cabinets
  • Server systems are equipped with RAID systems
  • Backup and recovery concept with daily backup of all relevant data.
  • Automated monitoring of servers and backup systems with alarms (monitoring)
  • 24/7 on-call service by Adtelligence GmbH employees
  • Redundant execution of the systems, if economically justifiable

(2) Order control

Measures to ensure that personal data processed on behalf of the customer can only be processed in accordance with the instructions of the client:

  • Contractual and operational regulations
  • Regular monitoring of contractors
  • Role-based access concept with separation on a per-user basis
  • Regular control of user accounts with access rights
  • Orders must be placed in writing or confirmed in writing

4. Measures for pseudonymization of personal data

  • Randomly generated identifier as pseudonym for the assignment of otherwise individual personal data
  • Separation of data storage into pseudonym and raw data depending on the level of protection of the type of personal data actually processed per business case
  • In each individual case, the necessity is examined and documented

5. Measures for encrypting personal data

  • Encryption of all system accesses
  • Encryption of backups

6. Measures to ensure the resilience of systems and services, which ensure that that the systems and services are designed in such a way that even selectively high loads or high continuous processing loads remain feasible. (storage, access and line capacities):

  • Virtualization platform with dynamically adaptable resource allocation
  • Permanent 24/7 monitoring of all processing systems

7. Measures to ensure the availability of and access to personal data after a physical or technical incident:

  • Automated backup system
  • Backup and recovery concept

8. Procedures for periodically reviewing, assessing, and evaluating the effectiveness of the aforementioned measures:

  • Appointment of a data protection officer
  • Obligation of employees to maintain data secrecy
  • All employees are obligated to comply with the requirements of data protection law in accordance with the General Data Protection Regulation (GDPR).
  • Sufficient training of employees in data protection matters
  • Maintaining an overview of procedure directories
  • Carrying out data protection impact assessments, where necessary
  • Maintenance of a security concept and associated processes
  • Audits by the data protection officer
  • Regular testing of data recovery
  • Regular testing of recovery procedures
  • External & internal reviews & audits
  • Incident response management

The German version of the explanations made above shall prevail; the English translation is added for convenience purposes only.

Wie können wir helfen?