DATA PROCESSING PROVISIONS

1. DEFINITIONS; INTERPRETATION

1.1 The following terms shall have the meanings ascribed to them for the purposes of this Agreement:

“Client Area” means any part or instance of the Deluxe One SaaS Platform made available by Deluxe to Client under this Agreement which is from time to time allocated to Client and which contains Client Content and/or is used to make Client Content available to Client and other authorized parties.

“Client Personal Data” means any personal data (including any special category data or sensitive personal data) that Deluxe, its employees, agents or sub-contractors process on behalf of Client in performing Deluxe’s obligations under or in connection with this Agreement, which (for the avoidance of doubt) may include (a) elements of Client Content and (b) personal data relating to users of the Deluxe One SaaS Platform;

“Data Protection Laws” means any Applicable Laws relating to data protection or privacy, including (a) the ePrivacy Directive 2002/58/EC as implemented by countries within the EEA and the UK, (b) the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), as implemented by countries within the EEA and the UK, (c) the UK’s Data Protection Act 2018 and/or (d) other Applicable Laws that are similar or equivalent to, or that are intended to implement, the Applicable Laws identified in (a), (b) and (c) above;

“EU Standard Contractual Clauses” means the “Standard Contractual Clauses (Processors)” as laid down in the European Commission Decision 2010/87/EU of 5 February 2010 or any replacement to them;

“Sub-Processor” means a data processor engaged by Deluxe to process Client Personal Data; and

The terms “data controller”, “data processor”, “data subject”, “personal data”, “personal data breach”, “processing” and “special category data” shall have the same meanings ascribed to them under Data Protection Laws.

1.2 Capitalized terms not defined in this Clause 1 shall have the meaning ascribed to them elsewhere in this Agreement.

1.3 To the extent that the terms contained in these Data Processing Provisions conflict with those contained elsewhere in this Agreement, the terms contained in these Data Processing Provisions shall control to the extent of such conflict.

2. GENERAL OBLIGATIONS

2.1 Deluxe shall:

2.1.1 process the Client Personal Data only in accordance with the Client’s instructions set out in this Agreement, including as to the subject-matter and duration of the processing, the nature and purpose of the processing, and the type of Client Personal Data and categories of data subjects, in each case as more specifically set out in Annex 1;

2.1.2 ensure that Deluxe’s personnel, agents and contractors who process the Client Personal Data are subject to appropriate contractual or statutory obligations of confidentiality; and

2.1.3 at all times comply with all Data Protection Laws applicable to it as a data processor.

3. DATA SECURITY

3.1 Deluxe shall:

3.1.1 implement appropriate technical and organizational security measures in relation to Client Personal Data as set out in Annex 3; and

3.1.2 taking into account the nature of Deluxe’s processing of the Client Personal Data and the information available to Deluxe, and at the Client’s cost: (i) notify the Client of a personal data breach without undue delay; and (ii) at the Client’s request, provide reasonable assistance to the Client in relation to any mandatory obligations applicable to the Client as a data controller in relation to such personal data breaches under Data Protection Laws.

4. DELETION; RIGHTS OF INDIVIDUALS; COOPERATION

4.1 Deluxe shall:

4.1.1 taking into account the nature of Deluxe’s processing activities and at the Client’s cost and request, assist the Client, insofar as this is possible, to fulfill the obligations of Client to respond to requests by data subjects in relation to their rights under Data Protection Laws;

4.1.2 taking into account the nature of Deluxe’s processing of the Client Personal Data and the information available to Deluxe and at the Client’s cost and request, provide reasonable assistance to the Client in relation to any mandatory obligations applicable to the Client in relation to the performance of data protection impact assessments by the Client under Data Protection Laws; and

4.1.3 at the election of the Client and at the Client’s cost, delete or return all the Client Personal Data to the Client at the end of the term of this Agreement, and delete existing copies of such data unless Data Protection Laws require or allow storage of such data beyond such term.

5. SUB-PROCESSORS

5.1 Deluxe shall not have the Client Personal Data processed by a Sub-Processor except to the extent:

5.1.1 Deluxe is authorized by the Client under Clause 8.1.2 below; and

5.1.2 any such Sub-Processor is bound by at least the same level of data protection obligations as contained in this Agreement.

6. COMPLIANCE; AUDIT

6.1 Subject to Clause 8.1.3 below and at the Client’s cost and request, Deluxe shall make available to the Client all information reasonably necessary to demonstrate compliance with Deluxe’s obligations under this Agreement and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client or Data Protection Laws, but in each case only:

6.1.1 if such audits are in relation to the Client Personal Data; and

6.1.2 to the extent that such audits are required under Data Protection Laws,

provided that Deluxe shall notify the Client in writing if it believes in good faith that the exercise of rights under this Clause 6.1 would infringe Data Protection Laws.

7. INTERNATIONAL TRANSFERS

7.1 Deluxe may transfer and otherwise process, or have transferred or otherwise processed, the Client Personal Data outside the European Economic Area (“EEA”), including by any Sub-Processor subject to Clause 5.1 above, provided that such transfer is made in compliance with applicable Data Protection Laws, including, if applicable, EU Standard Contractual Clauses, certification under the EU-US Privacy Shield, or a European Commission positive adequacy decision under Article 45 of the GDPR. In the event that Client is incorporated within the EEA, Client and Deluxe shall enter into the standard Controller-to-Processor Standard Contractual Clauses set out in Annex 2.

8. CLIENT OBLIGATIONS

8.1 The Client agrees and acknowledges that:

8.1.1 with respect to Clause 3.1.1 above, the technical and organizational security measures that Deluxe has agreed to implement with respect to the Client Personal Data ensure a level of security appropriate to the risk to such data;

8.1.2 with respect to Clause 5.1.1 above, Deluxe may have the Client Personal Data processed by a Sub-Processor;

8.1.3 notwithstanding Clause 6.1 above and to the extent permitted under Data Protection Laws, Deluxe may demonstrate its and, if applicable, its Sub-Processors’ compliance with its obligations under this Agreement through its compliance with a certification scheme or code of conduct approved under Data Protection Laws;

8.1.4 it shall comply with its obligations relating to Client Personal Data that apply to it under applicable Data Protection Laws (including applying appropriate technical and organizational security measures to prevent the occurrence of a personal data breach) under or in connection with this Agreement;

8.1.5 it shall ensure that appropriate notices are provided to, and valid consents obtained from, data subjects, in each case as necessary for Deluxe to process (and have processed by Sub-Processors) Client Personal Data under or in connection with this Agreement, including processing outside the EEA on the basis of any of the legal conditions for such transfer and processing set out in Clause 7.1 above. In particular, and without limitation, where the Client Area is used by Client to make Client Content available to third parties, Client shall ensure that at all times the Client Area features a privacy policy, clearly accessible and comprehensible to users, which names the Client as the data controller, describes the processing of Client Personal Data under or in connection with this Agreement (including processing outside the EEA), and generally complies with all Data Protection Laws;

8.1.6 it shall not, by act or omission, cause Deluxe or its Sub-Processors to violate any Data Protection Laws, or any notices provided to, or consents obtained from, data subjects, as a result of Deluxe or its Sub-Processors processing the Client Personal Data; and

8.1.7 it shall not upload or permit the upload of any special category data or sensitive data to the Deluxe One SaaS Platform except with the prior written approval of Deluxe.

9. INDEMNITY

9.1 Client shall indemnify and keep indemnified Deluxe against all costs, claims, losses, damages, liabilities and expenses (including legal expenses) arising out of, or in connection with, any: (i) non-compliance by the Client with the Data Protection Laws; (ii) processing carried out by Deluxe, its permitted Sub-Processors, employees and/or agents pursuant to any instruction from the Client that infringes any Data Protection Laws; or (iii) breach by the Client of any of its obligations under Clause 8 above.

Annex 1

Annex 2

EU Standard Contractual Clauses

(Data Controller to Data Processor)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

[ ] of [ ] (a data exporter)

And

Deluxe One LLC, of [ ] (a data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) 'the data exporter' means the controller who transfers the personal data;

(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

SIGNED by [SIGNATORY NAME] for and on behalf of Deluxe One LLC (Data Importer)

Signature:

Position:

SIGNED by [SIGNATORY NAME] for and on behalf of [ ] (Data Exporter)

Signature:

Position:

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is: a recipient of software development and implementation services from the data importer.

Data importer

The data importer is: a provider of software development and implementation services.

Data subjects

The personal data transferred concern the following categories of data subjects: customers of data importer.

Categories of data

The personal data transferred concern the following categories of data:

• Identification data (which may include full name, IP address)

• Contact details (which may include telephone number and email address)

• Content purchased and payment details/history

Special categories of data (if appropriate)

None.

Processing operations

The data importer will provide software development and implementation services to the data exporter. The personal data transferred to the data importer will be subject to processing necessary to allow the data exporter to receive the services.

The personal data transferred shall be processed or used solely for the purposes of providing the services and in accordance with the specific individual instructions of the data exporter.


Appendix 2 to the Standard Contractual Clauses

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

  1. Access control to premises where data is hosted and facilities to prevent physical access via

    • Electronic access control system protecting offices, rooms, facilities, etc. from non-authorized access

    • Hosting premises and facilities provide protecting against external and environmental threats

    • Surveillance utilities are provided - CCTV, access logging, intrusion detection systems

    • List of authorized personnel is maintained and regularly reviewed

  1. Access control to systems to prevent unauthorized access to IT infrastructure

    • All infrastructure components, e.g. DB server, are in security groups within VPC (virtual private cloud) except web server endpoints (need to be exposed to public)

    • SSH access for operators through tunnelling from bastion instance only

    • 2FA enforced for all operators accessing AWS' management console

    • No credentials in code but encrypted in central vault

    • Particular IAM (Identity & Access Management‎) roles for each environment (staging, presentation, production)

    • Password policy (incl. special characters, minimum length, change of password)

    • State-of-the-art protection against attackers from outside (hackers)

    • Fraud and anomalies detection procedures established

  1. Access control to data to prevent activities in IT systems not covered by the allocated access rights

    • Encryption of data media - Server-Side Encryption with Amazon S3-Managed Keys: 256-bit Advanced Encryption Standard (AES-256)

    • Differentiated access rights (profiles, roles, transactions and objects)

    • Passwords stored with highly secure one-way encryption (bcrypt)

    • Support of client-specific password policy (configurable complexity and term)

    • Automated blocking of user account after limited number of failed logins

    • Dedicated support accounts per affiliation

    • Activity logging on Access, Change, Deletion of records

  1. Disclosure control to prevent disclosure of personal data during electronic transfer, data transport, etc.

    • SSL/TLS transport encryption for internal and external communication, with plain HTTP requests redirected to HTTPS

    • SSH authentication enforced via public/private key pairs

    • Exchange of personal data on physical storage media is not permitted

  1. Input control to prevent malicious data or code from being entered and used to exploit personal data

    • Documentation of data management and maintenance

    • Logging of data entered, changed or removed (deleted), and by whom

    • User-entered data is escaped during processing to prevent injection attacks

  1. Job control to ensure commissioned data processing is carried out according to instructions

    • Formal commissioning (statement of work) of third-party data processors

    • Confidentiality agreements with third parties receiving and processing personal data

    • Confidentiality agreements with all employees and relevant contractors

    • Strict criteria for selecting third parties that process personal data

    • Monitoring of contract performance

  1. Availability control to protect data against accidental destruction or loss

    • Full daily data backups

    • Storage of data backups in different locations

    • Established disaster recovery procedures

    • Data can be restored in the event of data loss or of erroneous or intentional modification

    • Regular restore tests to verify that data can be recovered from backups

  1. Segregation control to process data collected for different purposes separately

    • Environments (staging, presentation, production) run in separate AWS accounts, each with its own infrastructure components

    • "Internal admin" concept

    • Email dispatch is blocked in non-production environments

  1. Security documentation to ensure all security and business continuity measures are defined

    • Documented security policies, procedures and responsible persons, e.g. encryption policy, firewall policy, intrusion detection policy, IT disaster recovery plan, patch management policy, change management policy, recovery scenarios and business continuity, etc.

    • Yearly reviews and updates of the documentation

  1. Disposal of information to prevent subsequent retrieval of personal data

    • Vendors are obliged to dispose securely (e.g. by physical destruction) of equipment, physical documents and files, and physical media on which personal data was stored

    • Vendors have to commit to formally document and implement the erasure of personal data held on equipment, in physical documents and files, and on physical media

  1. Audits to test, assess and evaluate the effectiveness of the technical and organisational security measures

    • Yearly internal audit, and an additional audit whenever information systems are substantially modified

    • Yearly external audit to verify e.g. compliance with OWASP guidelines

 

Annex 3

Appropriate technical and organizational security measures in relation to Client Personal Data:

  1. Access control to the premises and facilities where data is hosted, to prevent unauthorized physical access, via:

    • Electronic access control system protecting offices, rooms, facilities, etc. against unauthorized access

    • Hosting premises and facilities provide protection against external and environmental threats

    • Surveillance measures are in place: CCTV, access logging and intrusion detection systems

    • A list of authorized personnel is maintained and regularly reviewed

  1. Access control to systems to prevent unauthorized access to the IT infrastructure

    • All infrastructure components (e.g. database servers) are placed in security groups within a VPC (virtual private cloud); only web server endpoints, which must be reachable from the public internet, are exposed

    • SSH access for operators is possible only by tunnelling through a bastion instance

    • Two-factor authentication (2FA) is enforced for all operators accessing the AWS management console

    • No credentials are stored in code; credentials are kept encrypted in a central vault

    • Separate IAM (Identity & Access Management) roles for each environment (staging, presentation, production)

    • Password policy (including special characters, minimum length and periodic password change)

    • State-of-the-art protection against external attackers

    • Fraud and anomaly detection procedures are established

  1. Access control to data to prevent activities in IT systems that are not covered by the allocated access rights

    • Encryption of data at rest: server-side encryption with Amazon S3-managed keys (SSE-S3) using the 256-bit Advanced Encryption Standard (AES-256)

    • Differentiated access rights (profiles, roles, transactions and objects)

    • Passwords are stored only as salted one-way hashes (bcrypt), never in recoverable form

    • Support for client-specific password policies (configurable complexity and validity period)

    • Automatic locking of a user account after a limited number of failed login attempts

    • Dedicated support accounts per affiliation

    • Activity logging of access to, changes to and deletion of records

  1. Disclosure control to prevent disclosure of personal data during electronic transfer, data transport, etc.

    • SSL/TLS transport encryption for internal and external communication, with plain HTTP requests redirected to HTTPS

    • SSH authentication enforced via public/private key pairs

    • Exchange of personal data on physical storage media is not permitted

  1. Input control to prevent malicious data or code from being entered and used to exploit personal data

    • Documentation of data management and maintenance

    • Logging of data entered, changed or removed (deleted), and by whom

    • User-entered data is escaped during processing to prevent injection attacks

  1. Job control to ensure commissioned data processing is carried out according to instructions

    • Formal commissioning (statement of work) of third-party data processors

    • Confidentiality agreements with third parties receiving and processing personal data

    • Confidentiality agreements with all employees and relevant contractors

    • Strict criteria for selecting third parties that process personal data

    • Monitoring of contract performance

  1. Availability control to protect data against accidental destruction or loss

    • Full daily data backups

    • Storage of data backups in different locations

    • Established disaster recovery procedures

    • Data can be restored in the event of data loss or of erroneous or intentional modification

    • Regular restore tests to verify that data can be recovered from backups

  1. Segregation control to process data collected for different purposes separately

    • Environments (staging, presentation, production) run in separate AWS accounts, each with its own infrastructure components

    • "Internal admin" concept

    • Email dispatch is blocked in non-production environments

  1. Security documentation to ensure all security and business continuity measures are defined

    • Documented security policies, procedures and responsible persons, e.g. encryption policy, firewall policy, intrusion detection policy, IT disaster recovery plan, patch management policy, change management policy, recovery scenarios and business continuity, etc.

    • Yearly reviews and updates of the documentation

  1. Disposal of information to prevent subsequent retrieval of personal data

    • Vendors are obliged to dispose securely (e.g. by physical destruction) of equipment, physical documents and files, and physical media on which personal data was stored

    • Vendors have to commit to formally document and implement the erasure of personal data held on equipment, in physical documents and files, and on physical media

  1. Audits to test, assess and evaluate the effectiveness of the technical and organisational security measures

    • Yearly internal audit, and an additional audit whenever information systems are substantially modified

    • Yearly external audit to verify e.g. compliance with OWASP guidelines