Technical and Organisational Security Measures
(Including Technical and Organisational Measures to Ensure the Security of Data)

Below is a description of the technical and organisational measures implemented by the Processor(s) / Data Importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Full details of the Processor’s/Data Importer’s technical and organisational security measures used to protect Personal Data is included in the Security Document.

Where applicable this Schedule 2 will serve as Annex II to the SCCs.

Measures for encryption of Personal Data

Personal Data is stored and archived at rest using AES256 encryption.

Personal Data in transit is protected by Transport Layer Security (“TLS”).

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

The Processor utilises Amazon Web Services (AWS) regions and availability zones with extensive application and infrastructure monitoring with 24x7 application support rosters. We maintain redundancy throughout our IT infrastructure in order to minimize the lack of availability to or loss of data.

The operation of Processor’s service requires that some employees have access to the systems which store and process Personal Data. These employees are prohibited from using these permissions to view Personal Data unless it is necessary to do so. All of the Processor’s employees and contract personnel are bound to our policies regarding Personal Data and we treat these issues as matters of the highest importance within our company. All staff employment contracts have full confidentiality clauses and all employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of Processor’s service.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Our application environments are managed and tested using configuration management templates allowing us to recreate servers and environments easily without manual intervention.

Data is stored in triplicate across 3 data centres. The data centres can be switched in the event of flooding, earthquake, fire or other physical destruction or power outage to protect Personal Data against accidental destruction and loss.

Backups are maintained continuously and daily in accordance with our backup procedures. Testing of backups is performed on a weekly basis using an automated process.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

We conduct multiple internal audits. We strive to automate audits hence the majority of our monitoring of our infrastructure is automated and running 24/7. We obtain an external security and compliance audit once per calendar year and operate a bug bounty programme.

Measures for user identification and authorisation

Passwords for authentication are salted and hashed using industry standard hashing functions. The Controller can also elect to enable Single Sign On (SSO) function with the identity providers Microsoft 365 Active Directory or Google Workspace.

The Controller invites and removes users and applies permission levels in the account. Users can enable Multi Factor Authentication to provide additional protection.

Measures for the protection of data during transmission

Personal Data in transit is protected by Transport Layer Security (“TLS”).

Measures for the protection of data during storage

Personal Data is stored and archived at rest using AES256 encryption.

Measures for ensuring physical security of locations at which Personal Data are processed

The Service is hosted and Personal Data is stored within data centres provided by Amazon Web Services (AWS). As such, the Processor relies on the physical, environmental and infrastructure controls of AWS. The Processor periodically reviews certifications and third-party attestations provided by AWS relating to the effectiveness of its data centre controls.

Measures for ensuring events logging

System events are recorded in the form of log files therefore it is possible to review retroactively whether and by who Personal Data was entered, altered or deleted.

Measures for ensuring system configuration, including default configuration

The Processor hardens its server infrastructure using a hardening standard based on a common industry standard. Security patches are applied to its servers in accordance with its Vulnerability Management Procedure.

Configuration is only applied to servers using automated configuration management software which provides a complete history of changes made to the environment. Deviation in the configuration is detected and reported to our Security Operation Center (SOC).

Measures for internal IT and IT security governance and management

Access to systems which store and process Personal Data is subject to role based need. Employees have individual logins for such systems. Two factor authentication must be enabled where available. Technical controls and policies are in place to ensure Personal Data is never held on end user devices of Employees, or otherwise transferred by Employees to unauthorised systems. Security and privacy awareness takes place during onboarding and on an ongoing basis. Employees are subject to regular audits to ensure adherence to our information security policy.

Measures for certification/assurance of processes and products

The Processor utilises third party data centres that maintain current ISO 27001 certifications and SOC 2 Attestation Reports. The Processor will not utilise third party data centres used for primary storage that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations.

Measures for ensuring data minimisation

The Controller decides the Personal Data to be stored on the Service and is responsible for defining its own policies for minimising data collection and storage.

If Personal Data is no longer required the Controller can delete it from the service. See “Measures for ensuring limited data retention”.

Measures for ensuring data quality

We do not assess the quality of the data provided by the Controller. We provide reporting tools within our product to help the Controller understand and validate the data that is stored.

Measures for ensuring limited data retention

The Controller is responsible for defining its own retention policies and using the tools provided by the Service to delete Personal Data.

If Personal Data is no longer required the Controller can delete it from the service. It should be noted that with each deletion the data is in the first instance locked and then permanently deleted from the production system after a certain delay. This is done in order to prevent accidental deletions, but may be overridden by the Controller using the purge action within the “Trash Can” feature of the Service.

Cancellation or Termination of the Service will also automatically result in permanent deletion of Personal Data after a certain recovery period.

Following permanent deletion from the live systems, partial data resides on the Processor’s backup archives and is removed over time in line with our data retention policy.

Measures for ensuring accountability

The Processor has designated local representation in Europe and the United Kingdom.

Our contact details in the United Kingdom

Contact details of our European representative

Measures for allowing data portability and ensuring erasure

The Service has built-in tools that allow the Controller to export and permanently erase data.

Measures to be taken by the (Sub-) processor to be able to provide assistance to the Controller (and, for transfers from a Processor to a Sub-processor, to the Data Exporter).

The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred outside the EEA, the Processor provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the EU SCCs.