
SECURITY OF PROCESSING MEASURES

The Data Processor has an independent obligation under Article 32 of the GDPR to implement suitable security measures. The following table sets out the requirements and the measures we undertake to meet each of them.

No. | Requirement | Answer | Description
1 | Does the Data Processor have detailed knowledge of, and does the Data Processor act in accordance with, all relevant sections of the GDPR? | Yes | We operate in a number of jurisdictions including Europe. Our company is headquartered in Ireland and we are well versed in the GDPR.
2 | Does the Data Processor have an information security management system (ISMS) based on best practice, as for example outlined in ISO 27001/2? | Yes | We host our application and databases on the Microsoft Azure platform, chosen in large part for its underlying data-processing competencies and for the ISO 27001 certification that is passed through to us by agreement.
3 | Are data security responsibilities and tasks documented in an organisational chart? | Yes | We have an internal data protection officer, and Infosec consultants on retainer who perform regular black-box and white-box security testing and inform us in real time of any emerging attack vectors or vulnerabilities we should be aware of.
4 | Are responsibilities and tasks described at all levels? | Yes | Our employee handbook and onboarding describe data security responsibilities and company policies.
5 | Has everyone in the organisation been made aware of the distribution of responsibility? | Yes | Our employee handbook and onboarding describe data security responsibilities and company policies.
6 | Have all security measures been documented (organisational, physical and technical)? | Yes | Our security measures are documented in our "Data Security Overview" document.
7 | Have security objectives been set for the organisation? | Yes | One of our primary objectives is to stay current with, and defend against, the classes of vulnerability catalogued by OWASP.
8 | Has a security strategy to achieve the security objectives been drafted? | Yes | Key Infosec hires have been made, and we have a good grasp of best practice in security management through our own internal knowledge and through having passed thorough technical and security due diligence in a number of tenders in Europe and the US.
9 | Have routines been drawn up to carry out risk assessments, including following up on the measures taken? | Yes | We maintain a risk register that records identified risks and their mitigation strategies.
10 | Have all employees been informed of their confidentiality obligations and are they clear about its content and scope? | Yes | This is part of the employee handbook.
11 | Have the consequences of breach of confidentiality been outlined? | Yes | Aside from the penalties the GDPR prescribes for breaches, our internal risk assessments seek to quantify the direct and indirect financial risk to the company.
12 | Are security audits performed regularly and at least once per year? | Yes | We employ an Infosec consultant who carries out black-box and white-box testing on the OpenFIT platform.
13 | Does the security audit cover at minimum: a) placement of responsibility and organisation of security work; b) quality assurance of security objectives and security strategy; c) compliance with procedures for the use of data systems and personal data; d) results of retraining; e) administration and use of personal data; f) access to personal data and measures against unauthorised access; g) the effect of established security measures; h) safeguarding of data security with communications partners, data processors and providers? | Yes | The specifics covered in each audit can vary, but all of these areas are considered within our overall security audit framework.
14 | Are there established procedures for following up on the result (breach) of security audits? | Yes | This depends on the jurisdiction. In most European countries notifying the customer and the data protection commission is required; in the UK it is also required to notify the Metropolitan Police for hospital data.
15 | Are all employees aware of their responsibility to report breaches? | Yes |
16 | Are there established procedures which ensure that the Data Controller is notified immediately following unauthorised disclosure or alteration of personal data or other security breaches? | Yes | As an example, we have automatic SMS and email notifications of any leak of sensitive data, which would trigger a notification to the affected Data Controllers.
17 | Is a management review of security conducted and documented at least once per year? | Yes | Quarterly, since security and data governance are a key part of our value proposition.
18 | Have measures been implemented to prevent technical personnel misusing their authorisation? | Yes | We use role-based access to data, and developers use dummy data on test instances and on their local machines.
19 | Have procedures been put in place for the administration of keys/access cards in access-controlled systems? | Yes | Our office has key/access-card control. Our data hosting provider (Microsoft) has ISO 27001-documented physical control measures in place.
20 | Have technical and organisational measures been implemented to secure access from unsecured locations (for example, home office and via mobile devices)? | Yes |
21 | Have security measures been established so that only authorised personnel can access operational equipment (servers, network equipment, SAN, backup media etc.)? | Yes |
22 | Has a configuration map of the data systems been drawn up? | Yes | We can supply our architecture diagram.
23 | Has a technical description of the configuration been drawn up? | Yes |
24 | Is the organisation's data separated from other clients' data? | Yes | As a multi-tenant SaaS provider we use row-level security to separate the data of different partner organisations.
25 | Does the solution have adequate capacity, irrespective of the total load the provider has from other clients? | Yes | We use auto-scaling to handle spikes in usage and temporary intensive activities such as ETL.
26 | Does the provider have emergency procedures for failure of the solution? | Yes |
27 | Does the Data Processor have suitable backup and restore routines that are regularly tested? | Yes | All OpenFIT data is stored in MSSQL databases within the Windows Azure environment with geo-restore capability. Full, incremental and transaction-log backups of the production database are maintained automatically.
28 | Has the provider implemented technical or organisational measures against hacking? | Yes | We follow OWASP guidance for securing the system, for example using the OWASP Top 10 as a checklist for security testing.
29 | Are regular penetration tests performed to uncover weaknesses? | Yes | We perform regular white-box and black-box penetration testing.
30 | Does the Data Processor have appropriate routines to authorise and authenticate users? | Yes | We use OAuth-based and SAML-based authentication. Each user is assigned a designated role per location/department that they are authorised to access.
31 | Does the Data Processor have technical measures against denial of service (DoS) attacks? | Yes | Alerts are configured on the OpenFIT servers for disk read/write, network in/out and CPU utilisation; these notify designated administrators of increased activity that may indicate a DDoS attack.
32 | Does the Data Processor have suitable solutions for logging and traceability? | Yes | All application and system logs are consolidated in Azure Application Insights.
33 | Does the Data Processor use its own "dummy" test data? | Yes | We use dummy test data, and we also import this test data into any new account for training purposes.
34 | Is data stored encrypted? | Yes | The OpenFIT database, its backups and its transaction log files are encrypted and decrypted in real time (encryption at rest). The data and boot volumes of our virtual machines are also encrypted.
35 | Is data encrypted in transit (communication)? | Yes | All data sent between Azure data centres is encrypted. TLS is used as the transport protocol between the OpenFIT application/web client and user devices. Keys and secrets are managed in Azure Key Vault, with access restricted to the designated CSO. We ensure that developers do not hard-code keys or other configuration values in their code, and our code management platforms are configured to exclude configuration files. No customer-sensitive data is stored on local hard drives, laptops, writable optical media, USB-attached storage or other removable media.
36 | Does the solution have the option of giving the organisation access to logs, as well as the ongoing export of log data to the organisation's SIEM solution? | Partially | Logs can be made available to the organisation; there is currently no ongoing export of log data to the organisation's SIEM.
37 | When using IoT devices, does the provider have an adequate regime for the use of strong passwords and the regular change of these? | No |
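Requirement 24 answers tenant separation with "row-level security", which in a SQL Server / Azure SQL database means a security policy whose predicate function decides, for every row, whether the current session may see or write it. The T-SQL below is an added example written for this page to show what such a control looks like and what it depends on; it is not OpenFIT's schema or policy. The table, schema, function and policy names, and the choice of SESSION_CONTEXT as the carrier of the caller's tenant, are assumptions.

```sql
-- Added example (not the vendor's code): tenant isolation with
-- SQL Server / Azure SQL row-level security. All object names are assumed.
CREATE SCHEMA Security;
GO

-- Constructed multi-tenant table: every row carries its owning tenant.
CREATE TABLE dbo.Assessments (
    AssessmentId INT IDENTITY(1,1) PRIMARY KEY,
    TenantId     INT          NOT NULL,
    ClientRef    NVARCHAR(64) NOT NULL,
    Score        INT          NOT NULL
);
GO

-- Predicate: a row qualifies only when its TenantId equals the tenant the
-- application stamped onto the session. SESSION_CONTEXT returns sql_variant,
-- so it is cast before comparison. If the key was never set the cast yields
-- NULL, the comparison is never true, and nothing is visible: it fails closed.
CREATE FUNCTION Security.fn_TenantPredicate(@TenantId AS INT)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT);
GO

-- FILTER hides other tenants' rows from SELECT, UPDATE and DELETE.
-- BLOCK ... AFTER INSERT rejects rows written with a foreign TenantId.
CREATE SECURITY POLICY Security.TenantIsolationPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Assessments,
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Assessments AFTER INSERT
WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- Constructed sample data for two tenants. Each tenant's rows can only be
-- inserted while the session is bound to that tenant.
EXEC sp_set_session_context @key = N'TenantId', @value = 42;
INSERT INTO dbo.Assessments (TenantId, ClientRef, Score) VALUES (42, N'A-001', 17);
EXEC sp_set_session_context @key = N'TenantId', @value = 43;
INSERT INTO dbo.Assessments (TenantId, ClientRef, Score) VALUES (43, N'B-001', 22);

-- What the application does once per request, after authenticating the user:
-- bind the tenant to the connection and mark it read-only so nothing later
-- in the same session (including injected SQL) can switch tenant.
EXEC sp_set_session_context @key = N'TenantId', @value = 42, @read_only = 1;

-- No WHERE clause, yet only the TenantId = 42 row is returned.
SELECT AssessmentId, TenantId, ClientRef, Score FROM dbo.Assessments;

-- Rejected by the BLOCK predicate: the session is bound to tenant 42.
INSERT INTO dbo.Assessments (TenantId, ClientRef, Score) VALUES (43, N'B-002', 9);
```

Two points a reviewer of requirement 24 would check against this pattern. First, with a shared application login the isolation is only as strong as the code path that sets the session context: a connection on which it is not set sees nothing, but a connection on which the application sets the wrong tenant sees that tenant's data, so the binding must come from the authenticated identity, never from a request parameter. Second, the policy protects DML, not administration: anyone holding ALTER ANY SECURITY POLICY or db_owner can switch it off, so the application's database principal should hold only the DML rights it needs.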