Schedule 2 to the Agreement on Contract Processing · version 4.0 Schedule 2 to the Agreement on Contract…

Post on 21-Aug-2018

  • version 4.0 Schedule 2 to the Agreement on Contract Processing NAME page 1

    ProfitBricks GmbH | Greifswalder Straße 207 | D - 10405 Berlin | www.profitbricks.de/en |

    Executive management: Achim Weiss, Matthias Steinberg

    District Court Charlottenburg, Berlin | Registration number: HRB 125506 B | VAT number: ID: DE 270700052

    Schedule 2 to the Agreement on Contract Processing

    Technical and organizational measures

    between

    (referred to as Customer hereinafter)

    and

    ProfitBricks GmbH,

    Greifswalder Str. 207, 10405 Berlin

    (referred to as Contractor hereinafter)

    1. General

    Taking into account the state of the art, the cost of implementation and the nature, scope, context and

    purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Data

    Subjects posed by Processing, the Customer and the Contractor shall implement the required technical and

    organizational measures to provide an adequate level of protection when processing Personal Data, in

    particular in respect of certain categories of Personal Data. In this process, the Contractor shall take into

    account the relevant technical guidelines and recommendations issued by the Federal Office for Information

    Security.

    Both the Contractor and the individual computing centres commissioned by the Contractor have implemented

    the measures described below. As a general rule, the use of data processing systems by the operator of the

    computing centre is not provided. In this respect, the Contractor uses its own hardware installed in the security areas,

    meaning that the computing centres have no access rights and cannot access, disclose or enter the

    Contractor's data.

    2. Technical and organizational measures pursuant to Art. 32 GDPR

    The Contractor has implemented appropriate measures to ensure confidentiality, integrity, availability and

    resilience as well as procedures for periodical testing, assessing and evaluating.

    (1) Denying unauthorized persons admission to processing systems involved in Processing (access

    control)

    ProfitBricks premises in Greifswalder Str. 207 in 10405 Berlin are located on the ground floor, first,

    second and fifth upper floor of a rear building used entirely for business purposes.

    All entrances are sufficiently secured against unauthorized entry, meaning that:

    all and any exterior doors are equipped with a manual and technical master key system (security

    locks) and locked all the time;

    employees receive personalized keys and acknowledge receipt of such keys;

    admittance to server rooms is granted only to a limited number of people (restricted area);

    employees work exclusively with their personalized user profiles requiring the input of an at least

    eight-digit alphanumerical password which must be changed at least every three months;

    screens and access are subject to automatic blocking for 30 minutes after maximum 5 minutes or

    if more than five erroneous inputs have been made, respectively;

    VPN technology (SSL/TLS) is in place;

    data media are encrypted (as far as possible);

    visitors can only move about the premises if accompanied by an employee;

    third-party personnel, especially for cleaning and maintenance tasks, is carefully selected;

    admission rights and visitor regulations have been fixed.

    The operation of the computing centre meets the following requirements:

    admission to the computing centre is permitted to authorized persons only;

    admission is controlled by a material (RFID chip) and an immaterial (PIN) identification feature.

    Admission rights can be permanently assigned or deposited with the security service for

    collection. If an admission right is deposited for collection, authorization is established by

    inspection of the person's ID card. The data are deposited with a security service (whitelist),

    guaranteeing that only authorized persons can enter the computing centre.

    admission to the individual customer cabinets or customer areas is reserved to the customer and

    the responsible personnel;

    admission control systems and alarm systems are safeguarded against power failure by

    uninterruptible power supply and an emergency power plant;

    video surveillance is in place in the computing centre, especially at entrances to security zones;

    the computing centre is inspected by a security service at regular defined intervals. The places to

    be inspected by the security services inside the computing centres are defined. Conspicuous

    findings are reported. The defined paths to be walked by the security personnel are recorded.

    (2) Preventing any unauthorized reading, copying, altering or deleting of data media (data media control)

    The Contractor guarantees that

    data media (as far as possible) are used restrictively and encrypted;

    hardware is tested and issued by the Contractor's IT department;

    access rights (both for users and for administrators) reflect the requirements of the project and of

    the provisions of data protection law;

    discarded data media are deleted or physically destroyed in conformity with data protection law;

    access to applications (input, alteration and deletion) is recorded and can be analysed (over a

    period of at least 14 days);

    protection against unauthorized internal and external access is provided by encryption and

    firewalls.

    Authenticated user identification is ensured in particular through:

    all technical systems (central and decentral), both hardware and software, being protected by a

    firewall, and

    the virus protection (anti-virus software) in place being maintained and updated.

    Input is controlled by:

    recording any input, alteration or deletion of data for traceability (through logfiles) and

    tailoring access rights (both for users and administrators) to reflect the requirements of the

    project and the provisions of data protection law.

    (3) Preventing any unauthorized input of Personal Data, as well as any unauthorized taking of notice,

    alteration or deletion of stored Personal Data (memory control)

    Aspects of memory control include:

    access rights (both for users and for administrators) reflect the requirements of the project and of

    the provisions of data protection law (authorization based on need to know),

    access to applications and use of files (input, alteration and deletion) is recorded and can be

    analysed,

    protection against unauthorized internal or external access is provided by encryption and firewalls,

    systems to be administered by the customer are pre-set in a way to provide a high level of data

    protection (e.g. transparent deletion is possible at any time),

    deallocated memory areas are overwritten (zeroized) prior to reallocation.

    Authenticated user identification is ensured in particular by:

    protecting all technical systems (central and decentral), both hardware and software, by a firewall,

    and

    maintaining and updating the virus protection (anti-virus software) installed.

    Input is controlled by:

    recording any input, alteration or deletion of data for traceability (through logfiles) and

    tailoring access rights (both for users and administrators) to reflect the requirements of the

    project and the provisions of data protection law.

    (4) Preventing the use of automated processing systems by means of data transmission devices by

    unauthorized persons (user control)

    Conditions for user control include:

    access rights (both for users and for administrators) reflect the requirements of the project and of

    the provisions of data protection law (authorization based on need to know),

    access to applications (input, alteration and deletion) is recorded and can be analysed (over a

    period of at least 14 days) and,

    remote access to infrastructural systems is via dedicated management networks and encrypted

    services secured by passphrases and certificates.

    Authenticated user identification is ensured in particular by:

    protecting all technical systems (central and decentral), both hardware and software, by a firewall,

    and

    maintaining and updating the virus protection (anti-virus software) installed.

    (5) Guaranteeing that persons authorized to use an automated processing system have access exclusively

    to such Personal Data as are covered by their authorization for access (access control)

    Unauthorized activities in data processing systems beyond authorizations granted are prevented in

    particular by:

    tailoring access rights (both for users and for administrators) to reflect the requirements of the

    project and of the provisions of data protection law (authorization based on need to know),

    issuing password policies including password length and password change,

    allowing access to applications (input, alterations and deletions) to be recorded and analysed

    (over a period of at least 14 days),

    providing protection against unauthorized internal and external access through encryption and

    firewalls,

    putting an IT security policy for the ITSM in place and

    defining dedicated obligations to preserve records.

    (6) Guaranteeing the possibility to check and establish where Personal Data have been or can be

    transmitted or made available by means of data transmission devices (transmission control)

    Transmission of Personal Data is protected by:

    using VPN technology (SSL/TLS) for data communication,

    providing the possibility to send all email messages and other information in encrypted or

    pseudonymised form,

    carefully selecting persons for physical transport.

    (7) Guaranteeing the possibility to check and establish subsequently which Personal Data were entered in

    automated processing systems at what time and by whom (input control)

    Input control is implemented by:

    recording entries, alterations and deletion of data for traceability (by means of logfiles) and

    tailoring access rights (both for users and for administrators) to reflect the requirements of the

    project and of the provisions of data protection law (authorization based on need to know).

    (8) Guaranteeing the safeguarding of data confidentiality and data integrity in the processes of

    transmission of Personal Data and transport of data media (transport control)

    Transport control requires

    the careful selection of third parties (esp. because of data security) in cooperation with the data

    protection officer (where possible, only companies/computing centres certified under ISO/IEC

    27001:2005),

    contract processing to be based on detailed contractual stipulations,

    the stipulation of effective supervision rights and/or access/deletion rights (contractual penalties,

    if applicable),

    supervision by the data protection officer on a regular basis.

    The transmission of Personal Data is protected by:

    using VPN technology (SSL/TLS) for data communication,

    providing the possibility to send all email messages and other information in encrypted or

    anonymized form

    carefully selecting people and vehicles for physical transport, and fixing transport routes

    Input control is implemented by:

    recording entries, alterations and deletion of data for traceability (by means of logfiles) and

    tailoring access rights (both for users and for administrators) to reflect the requirements of the

    project and of the provisions of data protection law.

    (9) Guaranteeing that the systems used can be restored in case of disturbances (recoverability)

    To guarantee recoverability, the Contractor undertakes to

    draw up a Backup & Recovery concept,

    test data recoverability,

    provide a RAID controller (Redundant Array of Independent Disks),

    support data portability and

    record and analyse any disturbances.

    (10) Guaranteeing that all functions of the system are available and any malfunction occurring will be

    reported (reliability)

    Reliability requires

    processual reporting of any cases of escalation (display of error and disturbance messages in the

    IT systems)

    performance of external/internal technical security analyses

    the existence of test and release procedures e.g. for the introduction of new soft- or hardware

    activities to raise employees' awareness of data protection and/or data security issues

    (11) Guaranteeing that stored Personal Data cannot be damaged by system malfunction (data integrity)

    To ensure data integrity,

    the Contractor follows an Information Security Management System (ISMS) and

    the Processing of Personal Data may in individual cases and in agreement with the Contractor be

    performed in such a way that the data cannot be attributed to a specific Data Subject without

    using additional information.

    Authenticated user identification is ensured in particular by:

    protecting all technical systems (central and decentral), both hardware and software, by a firewall,

    and

    maintaining and updating the virus protection in...