Learn More About the Alternative App Future
App Developers
Brands & Agencies
Telecom
Company
Resources
Contact

ANNEX

Organizational and Technical Measures

The Processor has implemented the measures described in this exhibit insofar as each measure contributes or can contribute directly or indirectly to protecting the Personal Data under the DPA entered between the Parties. 

These measures are commercially reasonable and aligned with industry-standard technical and organizational measures to protect Personal Data. They are consistent with applicable laws and meet the standard of protection appropriate to the risk of processing Personal Data while providing the Processor’s services. The Processor will regularly carry out, test, review, and update all such measures. 

These measures will be subject to technical progress and future developments of the Processor’s services. As such, the Processor will be permitted to implement alternative adequate measures. In such an event, the security level may not be lower than the measures memorialized here. Material changes are to be coordinated and documented with the Controller. 

Measures for ensuring physical security of locations at which Personal Data are processed

The Processor has implemented the following entry control measures insofar as Personal Data are processed in the Processor’s premises, or access to such data from these premises cannot be precluded: 

  • Unauthorized persons are to be denied entry to the data processing facilities where Personal Data are processed or used. 
  • Entry authorizations to office buildings, computer centers, and server rooms are restricted to the necessary minimum. 
  • Use effective entry authorization controls through an adequate locking system (e.g., security key with documented key management, electronic locking systems with documented authorization management). 
  • Documented and comprehensible processes for obtaining, changing, and rescinding entry authorizations, including routine and documented review of whether the granted entry authorizations are up to date.
  • Reasonable prophylactic and detection measures regarding unauthorized entry and entry attempts (e.g., routine checks of burglary security system for doors, gates, and windows, burglar alarm, video monitoring, guard service, and security patrol).
  • Written rules for employees and visitors for dealing with technical entry security measures. 

Measure for user identification, authorization and for ensuring events logging

Potential use of data processing systems by unauthorized persons is to be prevented. The Processor has implemented the following access control measures for systems and networks, in which Personal Data are processed or through which access to Personal Data is possible, insofar as the Processor is responsible for the Personal Data access authorizations:

  • Persons authorized to use a data processing system will be able to access only the data underlying their access authorization and that Personal Data will be incapable of being read, copied, changed, or removed without authorization during the processing and use of the data and after the data have been stored. 
  • Access authorizations to Personal Data is restricted to the necessary minimum.
  • Access authorizations to Demand Partners systems and non-public networks are restricted to the necessary minimum. 
  • Use adequate access authorization controls through personalized and unambiguous user identification and a secure authentication process. 
  • Recording of access, even by administrators.
  • For password authentications: some text
    • Specifications are to be made that ensure continuous password quality of at least eleven (11) characters, three (3) degrees of complexity (from upper case, lower case, numbers, special characters), and a change cycle of a maximum of ninety (90) days. 
    • Technical test procedures are to be used to ensure password quality. 
  • If asymmetric key procedures (e.g., certificates, private-public-key method) are used for authentication, it is to be assured that secret (private) keys are always protected by a password (passphrase). 
  • Implement documented and comprehensible processes for obtaining, changing, and rescinding access authorizations, including routine and documented review of whether the granted access authorizations are up to date.
  • Implement reasonable measures for securing network infrastructure (e.g., intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth). 
  • Written rules for employees for dealing with the security measures above and the secure use of passwords.
  • Use of input controls - there is a possibility to subsequently review and determine whether and by whom Personal Data was entered, altered in, or removed from data processing systems. The Processor has implemented the following input control measures on its systems, which are used for processing the Personal Data or which enable or convey access to such systems: some text
    • Creation and audit-proof storage of processing protocols. 
    • Securing log files against manipulation.
    • Recording and evaluating unauthorized and failed login attempts. 
    • Ensuring that no group accounts (including administrators or root) are used.

Measures for ensuring system configuration, including default configuration and encryption of Personal Data

  • Ensuring that critical or material security updates/patches will be installed according to the Processor’s internal Patch Management Policy: a. in client operating systems; b. in server operating systems reachable via public networks (e.g., webservers); c. in application programs (incl. browser, plugins, PDF-reader, etc.); d. in security infrastructure (virus scanner, firewalls, IDS-systems, content filters, routers, and so forth.); and e. in server operating systems of internal servers. 
  • Reasonable measures are used for the protection of end-devices, servers, and other infrastructure elements against unauthorized access (such as multi-level virus protection concept, content filters, application firewall, intrusion detection systems, desktop firewalls, system hardening, content encryption).
  • The Processor has implemented the following sharing control measures insofar as Personal Data will be received, transferred, or transported by the Processor: some text
    • Reasonable measures for securing network infrastructure (e.g., intrusion detection systems, use of 2-factor authentication for remote access, separation of networks, encrypted network protocols, and so forth.) 
    • Encryption – Processor implements encryption technology which commensurate with the state-of-the-art to be prescribed so that Personal Data will be incapable of being read, copied, changed, or removed during electronic transmission or during transport for storage on data carriers, such as RSA 2048. some text
      • Data carrier encryption with state–of–the–art algorithms and protocols to be classified as secure (e.g., TLS-based protocols) for the protection of mobile devices (notebooks, tablet PCs, smartphones, etc.) and data carriers (external hard drives, USB sticks, memory cards, and so forth). 
  • Implement technical security measures for export and import interfaces (hardware and application-related).

Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services and the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

Personal Data will be protected against accidental destruction or loss. The Processor has implemented the following availability control measures through the Cloud Provider insofar as the processing is required for maintaining productive services: 

  • Operation and routine maintenance of fire alarms in server rooms, computer centers, and material infrastructure rooms. 
  • Creating sufficient backups 
  • Ensuring backup storage in a separate fire compartment.
  • Routine backup integrity reviews.
  • Systems and data restoration processes and documentation. 

An incident would receive immediate attention from all relevant personnel. Once identified and validated, incidents will be reported according to the Processor’s security and privacy policies.

The processor’s development processes follow secure software development industry-standard practices, which include formal design reviews, threat modeling, and the completion of a risk assessment.

Measures for ensuring data quality and allowing data portability and processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing

Personal Data collected for different purposes will be capable of being processed separately. The Processor has implemented the following separation measures insofar as such is within its area of responsibility: 

  • Logical and/or physical separation of test, development, and production systems.
  • Separation of Controller’s Personal Data from other data sets including, but not limited to, its own, within the processing systems, and at interfaces. 
  • Ensuring that Personal Data are constantly identifiable on account of suitable labels; if such are processed for different purposes, including information specifying the respective purpose. 

Measures for ensuring limited Personal Data retention

Personal data is to be deleted if processed for purposes as soon as the knowledge thereof is no longer necessary to fulfill the purpose of saving it per DT’s applicable data retention policy.

The Processor has implemented the following measures ensuring data deletion insofar as such is within its area of responsibility:

  • Ensuring that the Personal Data can be deleted at any time upon request of the Controller.
  • Implementation of processes, tools, and documentation for secure deletion in a manner such that data recovery is not possible given today’s state of technology (e.g., through overwriting).
  • Provide the employees with specifications regarding how and when data will be deleted.

Measures for internal IT and IT security governance and management and for ensuring accountability

The Processor has internal policies in place containing formal instructions for data processing procedures; Contractors are being carefully vetted regarding data security; The Processor personnel is being trained periodically to maintain awareness regarding data protection and security requirements.