Technical And Organizational Measures
Orum's data protection and security concepts around technical and organizational measures follow International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST) standards.
The following measures are subject to change based on operational requirements and the evolution of technology and security threats. These measures apply generally to all transfers contemplated by this Agreement.
The information security organization has established relevant technical standards documented as follows:
Measures of encryption of personal data
- All sensitive data is hashed using a keyed HMAC function based on SHA-512 (HMAC-SHA-512)
- HTTPS encryption for data in transit (using TLS 1.2 or greater) on every login interface, using industry standard algorithms and certificates.
- Encryption of data at rest using the industry standard AES-256 algorithm
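The HMAC-SHA-512 hashing listed above, shown as an added Python example (not Orum's code): it contrasts an unkeyed SHA-512 of a low-entropy field, which an attacker recovers by enumerating all 10,000 possible values, with a keyed HMAC under a secret key, which stays deterministic (so records can still be matched on it) but resists that enumeration unless the key leaks. The key, the sample value and the four-digit field format are constructed assumptions.

```python
"""Keyed hashing of sensitive fields with HMAC-SHA-512.

Added example, not Orum's code. It shows why a keyed HMAC is used rather than a
plain hash for low-entropy identifiers: the digest is deterministic (records can
still be matched on it) but cannot be reversed by enumerating the input space
without the key.
"""
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Constructed demo key (assumption: in production a 32+ byte secret loaded from
# a KMS or secrets manager and never stored beside the hashed values).
KEY = bytes.fromhex("0123456789abcdef" * 4)


def canonicalize(value: str) -> bytes:
    """Normalize a field before hashing so equal identifiers give equal digests."""
    return value.strip().lower().encode("utf-8")


def hmac_sha512(value: str, key: bytes = KEY) -> str:
    """Hex HMAC-SHA-512 of a sensitive field under a secret key."""
    return hmac.new(key, canonicalize(value), hashlib.sha512).hexdigest()


def plain_sha512(value: str) -> str:
    """Unkeyed SHA-512, shown only to contrast with the keyed version."""
    return hashlib.sha512(canonicalize(value)).hexdigest()


def matches(value: str, stored_digest: str, key: bytes = KEY) -> bool:
    """Constant-time check of a submitted value against a stored digest."""
    return hmac.compare_digest(hmac_sha512(value, key), stored_digest)


def dictionary_attack(digest: str, candidates: Iterable[str],
                      hash_fn: Callable[[str], str]) -> Optional[str]:
    """Recover the preimage of `digest` by hashing every candidate with `hash_fn`.

    Models an attacker who holds the digest and knows the input format but not
    the key, so can only try unkeyed hashing or keyed hashing under a guess.
    """
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


def four_digit_candidates() -> Iterable[str]:
    """The full input space of a 4-digit field such as the last four of an SSN."""
    return (f"{n:04d}" for n in range(10_000))


def demo() -> dict:
    """Run the comparison on a constructed sample value and return the outcomes."""
    sample = "1234"  # constructed sample field value
    unkeyed = plain_sha512(sample)
    keyed = hmac_sha512(sample)
    wrong_key = bytes(32)  # attacker's guess at the key
    return {
        # Unkeyed hash of a 4-digit field: recovered after at most 10,000 tries.
        "unkeyed_recovered": dictionary_attack(
            unkeyed, four_digit_candidates(), plain_sha512),
        # Keyed digest: the same enumeration fails without the key...
        "keyed_recovered_without_key": dictionary_attack(
            keyed, four_digit_candidates(), plain_sha512),
        # ...and fails under a wrong key guess.
        "keyed_recovered_wrong_key": dictionary_attack(
            keyed, four_digit_candidates(), lambda v: hmac_sha512(v, wrong_key)),
        # Legitimate lookup still works, including after canonicalization.
        "keyed_matches_canonical_input": matches("  1234 ", keyed),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The security of the keyed scheme rests entirely on the key: it must live in a KMS or secrets manager, separate from the datastore holding the digests, and rotating it requires re-hashing the stored values, since HMAC outputs under different keys cannot be matched against each other.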
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Multi-Factor Authentication (MFA)
- Differentiated rights system based on security groups and access control lists.
- Secure transmission of credentials using TLS 1.2 (or greater)
- Passwords require a defined minimum complexity. Initial passwords must be changed after the first login.
- Automatic account locking
- Guidelines for handling of passwords
- Access controls to infrastructure that is hosted by the cloud service provider
- Access right management including authorization concept, implementation of access restrictions, implementation of the "need-to-know" principle, managing of individual access rights.
- Training and confidentiality agreements for internal staff and external staff
- Network separation
- Segregation of responsibilities and duties
- Secure network interconnections ensured by firewalls etc.
- Logging of data transmissions from IT systems that store or process personal data; logging of authentication and monitoring of logical system access
- Documentation of data entry rights and logging of security-related entries
- Customer data is backed up to multiple durable data stores and replicated across multiple availability zones
- Protection and encryption of stored backup media
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
Measures for ensuring the ability to restore the availability and access to personal Data in a timely manner in the event of a physical or technical incident
- Continuity Planning and Disaster Recovery Plan
- Disaster recovery processes to restore data and processes
- Defined Recovery Time Objective (RTO)
- Defined Recovery Point Objective (RPO)
- Defined Maximum Tolerable Downtime (MTD)
- Capacity management measures to monitor resource consumption of systems as well as planning of future resource requirements.
- Procedures for handling and reporting incidents (incident management) including the detection and reaction to possible security incidents.
- Production data is backed up hourly in incremental form and daily as a full backup. All backups are kept redundant and in encrypted form (AES-256).
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
- Testing of emergency equipment
- Documentation of interfaces and personal data fields
- Internal and external audits
- Security checks (e.g. penetration tests) conducted by external parties
- Bug bounties
- SOC 2 audits
- Regular benchmarking and testing against industry standards, e.g. Cloud Security Alliance, Center for Internet Security (CIS) Controls, NIST guidelines, etc.
Measures for user identification and authorization
- Secure network interconnections ensured by MFA, firewalls etc.
- Logging of data transmissions from IT systems that store or process personal data
- Logging of authentication and monitoring of system access
- Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorization concept in accordance with the “need-to-know” principle.
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
Measures for the protection of Data during transmission
- Remote access to the network via VPN tunnel and end-to-end encryption
- HTTPS encryption for data in transit (using TLS 1.2 or greater)
Measures for the protection of Data during storage
- System inputs recorded via log files
- Access Control Lists (ACL)
- Multi-factor Authentication (MFA)
Measures for ensuring physical security of locations at which personal Data are processed
- Subdivision of the facility into individual zones with different access authorizations
- Physical access protection (e.g. steel doors, windowless rooms or secured windows).
- Electronic access control system to protect security areas.
- Monitoring of the facility by security services and access logging to the facility.
- Video surveillance of all security-relevant areas, such as entrances, emergency exits and server rooms.
- Central assignment and revocation of access authorizations.
- Identification of all visitors by verification of their identity card and registration (a log of visitors is kept).
- Mandatory identification within the security areas for all employees and visitors.
- Visitors must always be accompanied by employees.
Measures for ensuring system configuration, including default configuration
- Access Control Policy and Procedures
- Baseline configuration identification
- Configuration Planning and Management
- Configuration Change Management
- Configuration Status Accounting
- Configuration Verification and Audits
- Mobile device management
Measures for internal IT and IT security governance and management
- Dedicated and identified person to oversee the company's information security and compliance program
- Information and network security staff holding security certifications
- Information Security Management System around development and maintenance of policy and technical standards
- Audit programs that use Information Security frameworks for measurement (ISO 27001, NIST, Cloud Security Alliance, SOC 2)
Measures for certification/assurance of Processes and products
- Information security or quality management certifications such as ISO 27001, SOC 2, or PCI
Measures for ensuring Data minimization
- Restrict access to personal data to the parties involved in the processing in accordance with the “need to know” principle, using differentiated access profiles created according to job function.
- Strict time limits for data retention and operational mechanisms that guarantee compliance (e.g. automatic deletion of data after predefined time period).
- Technological barriers to the unauthorized linking of independent sources of data.
- Limitation of the level of detail used in personal data processing, for example through techniques such as differential privacy, k-anonymity, obfuscation and noise addition.
- Deletion of metadata generated during certain processes that is not necessary for the pursued goal.
Measures for ensuring Data quality
- Process for the exercise of data protection rights (right to amend and update information)
- Clear documentation of requirements for all data conditions and scenarios
- Rigorous data profiling and control of incoming data
- Data pipeline design to avoid duplicate data
- Quality Assurance team
- Enforcement of data integrity
Measures for ensuring limited data retention
- To ensure the effectiveness and reliability of the retention schedule, the deletion of such data should be automated and tests should be conducted to verify that the retention policies are enforced.
Measures for ensuring accountability
- Assign responsibility to ensure end-user privacy throughout the product lifecycle and through applicable business processes.
- Data protection impact assessments as an integral part of any new processing initiative.
- Document all decisions that are adopted within the organization from a “privacy and security by design thinking” perspective.
Measures for allowing Data portability and ensuring erasure
- Documented processes in relation to the exercise by users of their privacy rights (e.g. right of erasure or right to data portability)
- Use of open formats such as CSV, XML or JSON.
Applied restrictions or safeguards for sensitive data (if applicable)
- Encrypting or hashing special category data, although not an explicit legal requirement, should be the norm.