Technical and organisational measures
Processor adopts the following standards and measures to ensure the security of Processing.
Area | Technical measure | Answer | Comments |
---|---|---|---|
Data centre | | Use of certified (SOC 2 and/or PCI DSS and/or SSAE 16) data centres | Processor uses SOC 2 certified data centres. |
Data centre | Hosting provider | Amazon Web Services ('AWS') | To run the application developed by Processor and process the Personal Data, Processor uses the services of AWS. The data received, including the Personal Data, is hosted in a Virtual Private Cloud (VPC) environment. |
Data centre | Classification | AWS operates all its data centres according to Tier III+ guidelines. | AWS has chosen not to use a certified Uptime Institute tiering level in order to retain flexibility to expand and improve performance. |
Data centre | Server locations | Production servers in Ireland, backups in Germany. | |
Data centre | Backup data centre | Production servers in Ireland, backups in Germany. | Processor implements all necessary backup and restoration measures, including regular tests of the reliability and completeness of the backups. Processor encrypts all backups. Processor keeps audit logs and web server logs with a retention period of 12 months. |
Communications security | Access restriction | Processor restricts, at the network level, any access from the Internet to private infrastructure services, operating systems and middleware interfaces. | |
Communications security | Environment segregation | Processor segregates, at the network level, production and development/staging environments. | |
Communications security | Encryption | Processor ensures that any remote access from the Internet uses strong encryption. | |
System acquisition, development and maintenance | OWASP vulnerabilities | Processor develops and maintains applications and Application Programming Interfaces (APIs) with the OWASP Top 10 vulnerabilities and risks taken into account. | |
System acquisition, development and maintenance | Multi-Factor Authentication | Processor enforces Multi-Factor Authentication for any access to source management platforms (e.g. GitHub). All source code repositories are private. | |
System acquisition, development and maintenance | Approval of Controller | Processor guarantees that the Personal Data are never exported to or used in a non-production environment (including for testing purposes) without prior formal approval of Controller. | |
System acquisition, development and maintenance | Penetration test frequency | Annually | Processor runs a penetration test of the solution and associated infrastructure used to carry out the Contract on an annual basis and at its own cost, and communicates the executive summary and related mitigation action plan to the Controller upon request. |
System acquisition, development and maintenance | Vulnerability scan frequency | Quarterly | Processor runs network, system and application vulnerability scans at least quarterly. |
System acquisition, development and maintenance | Advisories monitoring frequency | Daily | Processor monitors security advisories from AWS and from the vendors of all hardware and software used to carry out the Contract. |
System acquisition, development and maintenance | Vulnerability remediation delays | Critical: 12 hours (vulnerability exploitable directly from the Internet without authentication, that could lead to a direct compromise of Personal Data, and for which an exploitation proof-of-concept exists). High: 48 hours (vulnerability exploitable directly from the Internet that could lead to a direct compromise of Personal Data or Processor's systems, but for which no exploitation proof-of-concept exists or exploitation requires an action from a logged-in user). Medium: 2 months (vulnerability that can lead to a direct compromise of Personal Data or Processor's systems, but where exploitation requires the attacker to have an advantage, such as legitimate credentials stolen by sending a malicious link to a victim, sniffing network traffic or gaining unauthorized access). Low: next release (vulnerability that can never lead to direct or indirect compromise of Personal Data). | Processor ensures that applicable security hotfixes (or workarounds) recommended by AWS and any other hardware/software vendors are installed within the defined vulnerability remediation delays. Processor ensures that any identified vulnerability is remediated without delay and no later than the defined vulnerability remediation delay. In case of a critical vulnerability, Processor puts measures in place immediately to prevent its exploitation. |
Data recovery capabilities | | Daily snapshot; recovery time objective (RTO) of 4 hours | Processor takes a database snapshot every day, which is kept for thirty days. The recovery time objective is the maximum time allowed to recover a failed application, or to resume providing products and services, after a disruptive incident occurs. |
Cryptography | | Encryption (e.g. HTTPS); Secure File Transfer Protocol (SFTP) | Processor encrypts all data in transit and at rest. Processor has implemented a process to protect and manage the lifecycle of cryptographic keys. |
Operations security | | Installation, configuration and operational guides for all security devices, network components, servers and middleware | Processor defines and applies guides that follow best practices such as those from the National Institute of Standards and Technology (NIST) or the Centre for Information Security (CIS). |
Information security policy | | Security Policy, Pera People Science B.V. | The security policy used by Processor is approved by management and communicated to all employees and relevant external parties. |
Organization of information security | Security officer | security@getpera.com | |
Organization of information security | Data protection officer | dpo@getpera.com | |
Human resource security | | Confidentiality clause; security awareness program; access revocation | All employees and contractors sign a confidentiality clause, are informed about the security policy used by Processor and follow a security awareness program. Access of former employees and contractors to any asset used to carry out the Contract with the Controller is disabled after departure, or when no longer required, within at most 1 month. |
Asset management | | Return/destruction of Personal Data | Processor undertakes, upon expiration or termination of the Contract for any reason whatsoever, to destroy and/or return to Controller, within a maximum of 60 days, all Personal Data, files or other items provided by the Controller or Data Subjects or resulting from the processing of Personal Data. |
Access control | | Use of nominative accounts and a formal procedure so that each action can be attributed to a specific user; passwords stored only as strong password hashes (e.g. PBKDF2 with SHA-256) | Processor adopts organizational measures to permit access to the Personal Data only by duly authorized persons. Processor enforces access-control rules on any cloud storage services (e.g. S3 buckets) used to store Personal Data of the Controller or needed to carry out the Contract. |