
SECURITY OF PROCESSING MEASURES

The Data Processor has an independent obligation to implement suitable security measures pursuant to Article 32 GDPR. The list below sets out the requirements put to us and the measures we undertake to meet each of them.

1. Requirement: Does the Data Processor have detailed knowledge of, and act in accordance with, all relevant sections of the GDPR?
   Response: We operate in a number of jurisdictions, including Europe. Our company is headquartered in Ireland and we are well versed in the GDPR.

2. Requirement: Does the Data Processor have an information security management system (ISMS) based on best practice, as outlined for example in ISO 27001/27002?
   Response: We host our application and databases on the Microsoft Azure platform; one of the main reasons for this choice is the underlying data processing competencies and the ISO 27001 pass-through agreements.

3. Requirement: Are data security responsibilities and tasks documented in an organisational chart?
   Response: We have an internal data protection officer, as well as infosec consultants on retainer who perform regular black-hat and white-hat testing and inform us in real time of emerging attack vectors or vulnerabilities we should be aware of.

4. Requirement: Are responsibilities and tasks described at all levels?
   Response: Our employee handbook and onboarding describe data security and company policies.

5. Requirement: Has everyone in the organisation been made aware of the distribution of responsibility?
   Response: Our employee handbook and onboarding describe data security and company policies.

6. Requirement: Have all security measures been documented (organisational, physical and technical)?
   Response: Our policies are documented in our "Data Security Overview" document.

7. Requirement: Have security objectives been set for the organisation?
   Response: One of our primary objectives is to stay current with, and defend against, the vulnerabilities outlined by OWASP.

8. Requirement: Has a security strategy to achieve the security objectives been drafted?
   Response: Key infosec hires have been made, and we have a good grasp of best practice in security management through our own internal knowledge and through passing thorough technical and security due diligence in a number of tenders in Europe and the US.

9. Requirement: Have routines been drawn up to carry out risk assessments, including following up on the measures taken?
   Response: Yes. We maintain a risk register document that records risks and their mitigation strategies.

10. Requirement: Have all employees been informed of their confidentiality obligations, and are they clear about its content and scope?
    Response: This is part of the employee handbook.

11. Requirement: Have the consequences of a breach of confidentiality been outlined?
    Response: Aside from the stated penalties for GDPR breaches, our internal risk assessments seek to quantify the direct and indirect financial risks to the company.

12. Requirement: Are security audits performed regularly, and at least once per year?
    Response: We employ an infosec consultant who carries out black-hat and white-hat testing on the OpenFIT platform.

13. Requirement: Does the security audit cover, at minimum: a) placement of responsibility and organisation of security work; b) quality assurance of security objectives and security strategy; c) compliance with procedures for the use of data systems and personal data; d) results of retraining; e) administration and use of personal data; f) access to personal data and measures against unauthorised access; g) the effect of established security measures; h) safeguarding of data security with communications partners, data processors and providers?
    Response: The specifics covered in each audit can vary, but all of these areas are considered within our overall security audit framework.

14. Requirement: Are there established procedures for following up on the results (breaches) of security audits?
    Response: This depends on the jurisdiction. In most European countries, notifying the customer and the data protection commission is required; in the UK it is also required to notify the Metropolitan Police for hospital data.

15. Requirement: Are all employees aware of their responsibility to report breaches?

16. Requirement: Are there established procedures which ensure that the Data Controller is notified immediately following unauthorised disclosure or alteration of personal data or other security breaches?
    Response: As an example, we have automatic SMS and email notifications of any leak of sensitive data, which would trigger a notification to the affected Data Controllers.

17. Requirement: Is a management review of security conducted and documented at least once per year?
    Response: Quarterly, since security and data governance are a key part of our value proposition.

18. Requirement: Have measures been implemented to prevent technical personnel misusing their authorisation?
    Response: We use role-based access to data, and dummy data on the test instances that developers may use on their local machines.

19. Requirement: Have procedures been put in place for the administration of keys/access cards in access-controlled systems?
    Response: Our office has key/access control. Our data hosting provider (Microsoft) has ISO 27001-documented physical control measures in place.

20. Requirement: Have technical and organisational measures been implemented to secure access from unsecured locations (for example, home office and via mobile devices)?

21. Requirement: Have security measures been established so that only authorised personnel can access operational equipment (servers, network equipment, SAN, backup media, etc.)?

22. Requirement: Has a configuration map of the data systems been drawn up?
    Response: We can supply our architecture diagram.

23. Requirement: Has a technical description of the configuration been drawn up?

24. Requirement: Is the organisation's data separated from other clients' data?
    Response: As a multi-tenant SaaS provider, we use row-level data security to separate the data of different partner organisations.

25. Requirement: Does the solution have adequate capacity, irrespective of the total load the provider has from other clients?
    Response: We use auto-scaling to handle spikes in usage and intensive temporary activities such as ETL.

26. Requirement: Does the provider have emergency procedures for failure of the solution?

27. Requirement: Does the Data Processor have suitable backup and restore routines that are regularly tested?
    Response: All OpenFIT data is stored in MSSQL databases within the Windows Azure environment, with Geo-Restore capability. Database backups, incremental backups and transaction log backups of the production database are maintained automatically.

28. Requirement: Has the provider implemented technical or organisational measures against hacking?
    Response: We follow OWASP guidance for securing the system, for example using the OWASP Top 10 vulnerabilities list as a checklist for security testing.

29. Requirement: Are regular penetration tests performed to uncover weaknesses?
    Response: Yes, we perform regular white-hat and black-hat testing.

30. Requirement: Does the Data Processor have appropriate routines to authorise and authenticate users?
    Response: We use OAuth-based and SAML-based authentication. Each user is assigned a designated role for the location/department they are authorised to access.

31. Requirement: Does the Data Processor have technical measures against denial of service (DoS) attacks?
    Response: Alerts are configured on the OpenFIT servers for disk read/write, network in/out and CPU %, and notify designated administrators of increased activity that may signify a DDoS attack.

32. Requirement: Does the Data Processor have suitable solutions for logging and traceability?
    Response: All application and system logs are consolidated in Azure Application Insights.

33. Requirement: Does the Data Processor use its own "dummy" test data?
    Response: Yes. We also import this test data into any new account for training purposes.

34. Requirement: Is data stored encrypted?
    Response: Yes. The OpenFIT database, its associated backups and its transaction log files are encrypted and decrypted in real time. The data volumes and boot volumes of our virtual machines are encrypted.

35. Requirement: Is data encrypted in transit (communication)?
    Response: All data sent between Azure data centres is encrypted. SSL/TLS is used as the transport protocol between the OpenFIT application/web client and user devices. Keys and secrets are managed in Azure Key Vault, accessible only to the designated CSO. We ensure that developers do not hard-code keys or other configuration information in their code, and our code management platforms are configured to exclude configuration files. No customer's sensitive data is stored on hard drives, laptops, writable optical media, USB-attached storage or other removable media.

36. Requirement: Does the solution have the option of giving the organisation access to logs, as well as the ongoing export of log data to the organisation's SIEM solution?
    Response: Yes.

37. Requirement: When using IoT devices, does the provider have an adequate regime for the use of strong passwords and the regular change of these?
    Response: Yes.

38. Requirement: What is your cookie policy for the OpenFIT app?
    Response: Only essential cookies, or their equivalent for apps.

    Apps such as OpenFIT generate and store cookies similarly to web browsers, but there are some differences in how this is handled.

    HTTP cookies in web views: if an app uses a web view (essentially an embedded browser) to load web content.

    Token-based authentication: OpenFIT uses authentication cookies for session management and user authentication; these are stored securely on the device.

    Local storage: OpenFIT uses shared preferences (Android) and user defaults (iOS) for settings.

    One of the future plans for OpenFIT is to allow people to use the system offline. This will use a local storage mechanism such as SQLite.
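Row 24 above states that partner organisations' data is separated with row-level security in the MSSQL databases that hold OpenFIT data. The T-SQL below is an added example of how that pattern is built on SQL Server / Azure SQL; it is not OpenFIT's own schema or code. The table dbo.Assessments and its columns, the Security schema, the predicate function, the policy name and the tenant id 7 are all hypothetical.

```sql
-- Added illustration of SQL Server / Azure SQL row-level security (RLS) for a
-- multi-tenant schema. Table, column and object names are hypothetical.

-- Hypothetical tenant-scoped table: every row carries the owning tenant.
CREATE TABLE dbo.Assessments (
    AssessmentId int IDENTITY PRIMARY KEY,
    TenantId     int NOT NULL,
    ClientRef    nvarchar(64) NOT NULL,
    Score        int NOT NULL
);
GO

CREATE SCHEMA Security;
GO

-- Inline table-valued predicate: returns a row (meaning "allowed") only when the
-- row's TenantId equals the tenant the application stamped on the session.
-- If SESSION_CONTEXT('TenantId') is unset the CAST yields NULL, the comparison is
-- never true and the session sees nothing: the predicate fails closed.
-- SCHEMABINDING is mandatory for RLS predicate functions.
CREATE FUNCTION Security.fn_TenantPredicate(@TenantId int)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
    WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS int);
GO

-- FILTER hides other tenants' rows from SELECT, UPDATE and DELETE.
-- BLOCK predicates stop a caller writing rows into another tenant's partition
-- (e.g. an INSERT with a foreign TenantId, or an UPDATE that moves a row).
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Assessments,
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Assessments AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Assessments AFTER UPDATE
    WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- Trusted application code sets the tenant once per connection, after
-- authenticating the user. @read_only = 1 prevents any later statement on this
-- session (including injected SQL) from overwriting it.
EXEC sp_set_session_context @key = N'TenantId', @value = 7, @read_only = 1;
GO

-- With the policy ON, this session can only insert rows where TenantId = 7.
INSERT INTO dbo.Assessments (TenantId, ClientRef, Score) VALUES (7, N'C-001', 42);
GO
INSERT INTO dbo.Assessments (TenantId, ClientRef, Score) VALUES (9, N'C-002', 55);
-- The second INSERT fails: the AFTER INSERT block predicate rejects TenantId 9.
GO

-- Every query, even an unqualified one, now returns only tenant 7's rows.
SELECT AssessmentId, TenantId, ClientRef, Score FROM dbo.Assessments;
```

Two points a reviewer would check in such a deployment: the tenant id must be set by the application after authentication and never derived from anything the client can supply as SQL, and because SQL Server clears session context when a pooled connection is reset, the application must set it on every connection it takes from the pool rather than assuming it persists.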