
Technical and Organizational Measures Addendum
Last Updated: August 4, 2023
1. General Considerations
This data protection policy outlines the technical and organizational measures implemented for secure and compliant processing of personal data. It takes into account the rights of data subjects and requirements of the articles 24, 25, and 32 GDPR.
Terabitten Technologies Inc. deals with the categories of data listed in the Data Protection Addendum.
The following description of technical and organizational measures will be differentiated, where applicable, according to these categories of data.
2. Organization
Terabitten maintains data privacy guidelines documented in the company’s Information Security Management System (ISMS) in accordance with the ISO 27001 framework. Terabitten shall create and implement an information security policy that addresses the information security risks and controls identified through risk assessments for each area of information security. Such policy shall be formally approved by upper management. Such policy shall apply to all relevant employees and contractors of Terabitten and be reviewed annually.
3. Confidentiality
3.1. Entry Control
Terabitten is a 100% remote company that uses a cloud provider to provide its serverless cloud architecture for storage and processing of customer data and therefore has no physical office location. Terabitten does not maintain servers, server rooms, or data centers. All personal data is processed and stored within the data centers of the cloud provider.
3.2. Access Control
Terabitten Technologies Inc. has implemented the following measures for access to software systems:
- All personnel are assigned a unique identifier set up with a password bound to strict requirements.
- Passwords must be strong, at least 20 characters in length, cannot be reused, and must be changed periodically.
- Central authentication with username and password, including mandatory 2-factor authentication where possible.
- Access and activity are monitored and logged.
- Only authorized personnel get access to the majority of files and systems, and the extent of access can be determined selectively.
3.3. Usage Control
Terabitten Technologies Inc. has implemented the following measures when working within software systems:
- The password rules for access control must also be followed for usage control.
- User-dependent authentication with username and password.
- The use of personal data is limited so that only authorized individuals can use the personal data necessary for their task (Principle of Least Privilege).
- Usage and changes are logged.
3.4. Separation Control
- Separation of data is ensured for customer data based on software system management, e.g. through data storage in separate directories/collections.
- Application development activity is separated from the production and lower environments.
4. Integrity
4.1. Transfer Control
Transfer control shall ensure that only authorized individuals can inspect personal data. Personnel mobile devices must be encrypted if personal data is stored on them.
- The use of USB flash drives or similar data carriers is not allowed. Information should only be printed out if absolutely needed.
- The use of public networks when transferring personal data is not allowed.
- Personal data will only be transferred where necessary for effective business processes.
- Personal data is encrypted in transit.
4.2. Input Control
Terabitten has implemented the following measures for its software systems:
- Traceability of inputs, changes, and deletions by personalized users.
- Traceability in assigning, changing, and deleting user authorizations.
4.3. Availability and Resilience
- System tuning and monitoring will be applied to ensure and, where needed, improve the availability and efficiency of systems.
- Continuous availability of data is guaranteed by means of redundant storage media and backups of systems according to the latest technical standards.
- Cloud provider data centers and server rooms are state of the art (temperature control, fire protection, protection against water penetration, and an uninterrupted power supply (UPS) ensuring controlled shutdown without any loss of data).
- A Business Continuity Plan has been implemented in accordance with the ISO 27001 framework.
- A Disaster Recovery Plan has been implemented in accordance with the ISO 27001 framework.
- Personal data shall be backed up regularly at a secured location other than the location of the primary data.
4.4. Product Development
- Development Tools
  - Third party applications must be approved prior to use by the CISO according to the company’s Acceptable Use Policy to ensure compliance with quality management and data privacy requirements.
  - Where possible, single-sign-on or multi-factor authentication is used for third party applications.
- Privacy-Friendly Settings
  - Product development must take into account giving users the option of entering only the information necessary for the purpose of processing. Input fields with additional, unnecessary information should be avoided or at least designed as non-mandatory.
4.5. Data Deletion
Data is retained and deleted in accordance with Terabitten’s Data Retention policy. Data that is no longer required will be properly deleted in accordance with:
- Applicable law and regulations;
- Relevant third-party agreements; and
- Terabitten’s Data Retention policy.
5. Personnel Workplace
- Personnel must encrypt their hard drives with state-of-the-art encryption (e.g. Apple FileVault for macOS or equivalent software for other operating systems).
- The email account provider applies a default virus, spam and phishing filter to detect malicious software and avert cyber attacks.
- Workstation hard drives shall be encrypted, and workstations shall have firewalls enabled to prevent unauthorized access.
- Workstations that store confidential information of Terabitten shall be set to automatically lock the screen after no more than 25 minutes of inactivity.
- Terabitten shall perform background verification checks on Personnel with access to personal data upon hire or the Effective Date of this Agreement. Terabitten shall consider the role of the individual, the sensitivity of the data to be accessed by the individual, and the risks that could arise from the misuse of such data. Terabitten shall train Personnel on information security awareness annually.
- Terabitten employees or contractors with access to personal data shall be trained on the requirements of GDPR on an annual basis.
6. Procedure for Regular Review, Assessment and Evaluation
Data protection and IT security within the company is reviewed annually and, based on these assessments, improved as needed. Internal review may include data privacy requirements such as:
- Review and reapproval of relevant security policies on an annual basis
- Obligation of personnel to sign relevant security policies on an annual basis
- Procedures in case of data breaches and the protection of data subjects’ rights
Terabitten shall annually review its systems and equipment that enable access to or otherwise process personal data for 1) compliance with applicable law and 2) compliance with contractual requirements. Such review shall be reported to Terabitten’s senior management.
Terabitten shall provide evidence and/or responses, relevant to Terabitten’s adherence to the Agreement with Customer, to Customer in a reasonable time if so requested by Customer.
Terabitten shall conduct a SOC 2 Type 2 audit at least annually. Terabitten shall also maintain and comply with an ISO 27001 certification. These independently verified reports shall be made available to Customer upon Customer’s request.
Terabitten shall conduct an annual review of technical advancements in accordance with Article 32 GDPR.
Template Copyright openregulatory.com. See template license.
Please don’t remove this notice even if you’ve modified contents of this template.