Data Security Policy

Version 01 July 2024 

 

The following DATA SECURITY POLICY describes the technical and organizational measures (TOM) in accordance with the DATA SECURITY section in the DATA PROCESSING AGREEMENT (DPA).  

These measures are taken by the Contractor in connection with the processing of personal data and the fulfillment of its obligations under the existing contract, Article 7 DSG (Article 8 revDSG in conjunction with Article 2 ff. DSV), and, as far as applicable, Article 32 GDPR. 

The current version of the DATA PROCESSING AGREEMENT is published on the Provider's website (https://www.pelt8.com/legal/data-processing-agreement). 

  1. TECHNICAL MEASURES 

Cybersecurity 

The Controller is responsible for implementing cybersecurity measures to safeguard personal data against cyberattacks. These measures may include, but are not limited to: 

  • Development environments on Azure and GitHub require two-factor authentication to access and update. 

  • All work computers have company-wide Bitdefender installed. 

  • Pushes to main branches on GitHub require code owner approval. 

  • Regular software updates as required. 

  • Data is stored in a non-publicly accessible SQL Server database that requires Microsoft Entra authentication to access. 

  • The backend is secured with JSON Web Tokens (JWT) obtained through Microsoft Entra, which requires two-factor authentication. 


Encryption and Pseudonymisation 

The Controller is responsible for implementing encryption and pseudonymisation as recommended by the General Data Protection Regulation (GDPR) to protect personal data during processing. These measures may include, but are not limited to: 

  • The database is encrypted at rest. 

  • Personal data is anonymised in our database. 


Physical Security 

The Controller is responsible for establishing and maintaining robust physical security measures to protect access to offices and buildings. 


Appropriate Disposal 

The Controller is responsible for ensuring that physical and digital data containing personal information is disposed of securely, so that the data cannot be retrieved by unauthorized persons, whether intentionally or unintentionally. 


Authentication 

The Controller is responsible for adhering to an information security strategy that includes two-factor authentication (2FA), certificate-based procedures, encryption in transit via HTTPS, and additional authentication where required. Password requirements are technically enforced in the system. 


Access Rights 

Access to databases containing personal data shall be granted on a need-to-know basis. Blanket access to all employees is prohibited. 


  2. ORGANISATIONAL MEASURES 

Information Security Policies 

The Controller is responsible for establishing information security policies tailored to their size and the nature of processing activities. These policies shall guide data security practices. 


Business Continuity Plan 

The Controller is responsible for maintaining a business continuity plan to ensure the backup and recovery of business data, including personal data, in case of incidents. 


Risk Assessments 

The Controller is responsible for conducting risk assessments to identify and mitigate potential security risks associated with personal data processing. 


Awareness & Training 

The Controller is responsible for fostering a culture of security and data protection awareness among their employees. Regular training and awareness activities shall be conducted to ensure compliance with legal requirements. 


Reviews & Audits 

The Controller is responsible for establishing controls and audit mechanisms to assess the effectiveness of their data security measures. Any deficiencies identified shall be corrected promptly. 


Due Diligence 

The Controller is responsible for exercising due diligence in selecting data processors to ensure that appropriate technical and organizational measures (TOMs) are in place.  
