TOM – Appendix 1 DPA

Approved technical and organisational measures of the Processor

General information on the security measures of the Contract Alert application as of Version 33 (security by design).

General approach to data privacy:

All personal data is encrypted and saved in the database of your application.

Encryption of personal information

Personal information relating to contractor contacts and user accounts (first name, family name, email, username and password) is encrypted with a password and saved in your database. Encryption reduces the risk of personal data being disclosed in a readable format in the event of a data leak.

The password used for encryption is saved in a system file. The system file is itself encrypted with a password. The password used to encrypt the system file is not available in the production environment.

Portability of saved user data

All information saved on a user (date and time of login, changes made to contracts, contract approval requests, contract and event ownership) can be downloaded by the user. The option is available in the user profile.

Single tenant environment

Every customer has its own application files and associated database, separated from other customer installations, which limits the amount of data exposed in the event of a breach.

AES Encryption

The administrator of a Contract Alert installation (the customer) can activate document encryption and set a password in their user profile. Once AES encryption is activated, all documents uploaded to the system are encrypted with the password and stored on the servers.

The Advanced Encryption Standard is a symmetric-key block cipher algorithm and standard for secure and classified data encryption and decryption.

Documents can only be opened after a valid login into your system. The encryption and decryption of your documents is a background procedure.

Account blocking

After three attempts to log in with a wrong password, the user account is blocked and the user is forced away from the login page. Blocking consists of changing the password; the user can retrieve the new password by using the “forgot my password” option on the login page.

Legal data retention period

The administrator of your application can permanently delete information from the application based on the legal retention period applicable in your country.

All information, such as contracts, associated documents, contract history and related contractor and contact information, will be permanently deleted for contracts with an end date before the end of the retention period.

Right to be forgotten

User accounts

User accounts can also be deleted permanently if desired (not recommended). If any change to a contract, approval, request or contract event is recorded in the contract history, the user name and first name will be replaced by “Deleted GDPR”.

Contact information of contractors

As contractor contact information serves only an informational function within Contract Alert, it can be permanently deleted from the database by a user who has been granted sufficient rights.

SSL Security

When users enter data, the data is protected with an SSL certificate, similar to online banking. The SSL certificate encrypts all data transferred between the client (browser) and our server.

Encoded program files

All program files are encoded / compiled. This protects the scripts from unauthorised changes.

Backups and data replication

A backup of the full system is made on a daily basis and saved on an external, offsite server. Daily backups are deleted after 4 days.

A monthly backup is saved on an external server and deleted after 6 months.

Database dumps are executed on an hourly basis and saved to an external server.

File replication: All files from the production server are replicated to an external server. This concerns newly uploaded documents and also the removal of an application.

Physical access control to the data center

Appropriate measures for preventing unauthorised persons from gaining access to data processing facilities.

  • Chip card / transponder locking system
  • Light barriers / Motion detectors
  • Record of visitors
  • Personal presence (doorman / reception)
  • Alarm system

Logical access control production environment

Measures intended to prevent data processing systems being used by unauthorised persons.

  • Creation of user profiles
  • Allocation of user rights
  • Authentication with username / password
  • Access log scanning
  • Use of antivirus software
  • Use of a hardware firewall

Data access control production server

Measures that ensure that parties authorised to use a data processing system can modify solely the data pertaining to their access level, and that data cannot be read, copied, modified or removed without authorisation during processing and use and once it has been saved.

  • Rights administered by an administrator
  • Number of administrators reduced to “bare minimum”
  • Recording access to applications
  • Single tenant environment
  • Creation of user profiles and allocation of rights combined with username / password

Data transfer control production server

Measures to ensure that data cannot be read, copied, modified or removed without authorisation during electronic transfer or when being transported or saved onto data storage media, and to ensure that the locations at which data is to be transferred via data transfer facilities can be checked and identified.

  • Data transferred in anonymised or pseudonymised form (SSL)
  • Creation of dedicated lines or VPN tunnels

Data entry control

Measures to ensure that it can be subsequently verified and determined whether and by whom personal data has been entered, modified or removed in the data processing system.

  • Allocation of rights to enter, modify and delete data based on the authorisation concept.

Control of Processing Instructions

Measures to ensure that data that is to be processed under the Contract can be processed only in accordance with the data owner’s instructions.

  • Written instructions to the processor are mandatory
  • Guarantee that data will be destroyed after the end of the contract

Availability control

Measures to ensure that data is protected against potential loss or destruction.

  • Interruption-free power supply (UPS)
  • Devices for monitoring temperature and humidity in server rooms
  • Fire and smoke detectors
  • Testing of data restoration
  • Data backups stored in a secured offsite location
  • Instant file replication and hourly database dumps
  • Air conditioning in server rooms
  • Fire extinguishers
  • Server rooms not located under sanitation facilities

Separation control

Measures to ensure that data collected for different purposes can be processed separately.

  • Definition of database rights
  • Physically separate storage on distinct systems

Questions?

We are here to help you!

T: +352 - 20.20.23.21
E: info@contract-alert.com