Technical and organizational measures
acc. to Art. 32 GDPR
Technical and organizational measures of realworld one GmbH & Co. KG
realworld one GmbH & Co. KG
Neunlindenstraße 3
79106 Freiburg im Breisgau
Germany
Phone: +49 761 3809980
1 Introduction and framework
1.1 Introductory remarks
Organizations which collect, process or use personal data themselves or on their behalf must take the technical and organizational measures necessary to ensure that the provisions of the data protection laws are implemented. Measures are only required if their expenditure is proportionate to the intended purpose of protection.
The list of technical and organizational measures has been developed together with the external data protection officer of realworld one. This document is the result of joint coordination.
realworld one software is offered as a ‘Software as a Service’ and is hosted on Microsoft® Azure®. Therefore, this document distinguishes between the technical and organizational measures that are implemented by realworld one and those implemented by Microsoft as the sub-processor.
1.2 Company / Authority
The following specifications represent the data protection concept of the
realworld one GmbH & Co. KG
Neunlindenstraße 3
79106 Freiburg im Breisgau
Germany
Phone: +49 761 3809980
1.3 External Data Protection Officer
V-Formation GmbH
Oliver Meyer-van Raay (external Data Protection Officer)
Stephanienstrasse 18
76133 Karlsruhe
Germany
Phone: +49 721 17029034
E-mail: om@v-formation.gmbh
2 Technical and organizational measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. realworld one implements the following measures:
2.1 Confidentiality guarantee
2.1.1 Access control
Measures designed to prevent unauthorized persons from gaining access to data processing equipment that processes or uses personal data.
Measures:
- realworld one facilities where information systems that process customer data or professional services data are located are office buildings only
- realworld one facilities where information systems that process customer data or professional services data are located maintain a list of individuals who have keys
- realworld one facilities where information systems that process customer data or professional services data are located use access control systems
- Visitors to realworld one facilities where information systems that process customer data or professional services data are located are noted in a visitor list
2.1.2 Physical access control
Measures designed to prevent data processing systems (computers) from being used by unauthorized persons.
Measures:
- realworld one maintains data privacy policies. These policies include, among others, handling of personal data breaches, responsibilities, and documentation requirements.
- realworld one managed devices are automatically locked in case of inactivity
- realworld one manages initial access to critical systems using industry standards and best practices
- realworld one maintains information security policies. The information security policies cover, among others, creation of secure passwords, secure destruction of confidential information, clean desk policies, locking of workstations and handling of mobile devices
- realworld one informs its internal employees about relevant security procedures and their respective roles. realworld one also informs its internal employees of possible consequences of breaching the security rules and procedures. realworld one provides user awareness training to internal employees
2.1.3 Data access control
Measures to ensure that persons authorized to use a data processing system have access only to data subject to their right of access and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after storage.
Measures:
- Applications developed by realworld one that process customer data have technical measures in place to manage user access rights
- realworld one provisions access rights to critical systems centrally. Furthermore, realworld one ensures that access rights for user management are only provided to a small group of individuals
- realworld one secures employee, contractor and third-party access to critical systems using multi-factor authentication
2.1.4 Separation control
Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of data.
Measures:
- realworld one separates customer data logically
- realworld one separates development, test and productive environments
2.2 Ensuring integrity
2.2.1 Handover control
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during their electronic transmission or during their transport or storage on data carriers and that it is possible to verify and establish the points to which personal data are to be transmitted by data transmission facilities.
Measures:
- realworld one ensures transfer of critical data is encrypted in transit using TLS encryption
2.2.2 Input control
Measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered, modified or removed in data processing systems.
Measures:
- realworld one maintains change logs for data in critical information systems
2.3 Encryption
Measures that guarantee the encryption of data.
Measures:
- realworld one infrastructure encrypts critical customer data or professional services data at rest in its Microsoft infrastructure
2.4 Ensuring availability
Measures to ensure that personal data are protected against accidental destruction or loss - ensuring the availability of data.
Measures:
- realworld one creates daily backups for their professional services
- realworld one has availability agreements with their hosting providers in place
2.5 Ensuring availability, resilience and recoverability
2.5.1 Order control
Measures to ensure that personal data processed on behalf of the customer can only be processed in accordance with the instructions of the customer.
Measures:
- realworld one selects sub-processors with diligence
- realworld one ensures required data processing agreements with customers are in place
- realworld one ensures non-disclosure agreements with customers are in place
- realworld one ensures standard contractual clauses are in place with its data processors
- realworld one verifies that sub-processors for realworld one professional services have adequate technical and organizational measures in place
2.5.2 Privacy management
Measures that ensure that methods have been evaluated to systematically plan, organize, manage and control the legal and operational requirements of data protection.
Measures:
- realworld one has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures
- realworld one obtains customer feedback to ensure continuous improvement in regard to data privacy and security
- realworld one utilizes data protection management software to support data protection activities
- realworld one has appointed an external data protection officer
- realworld one employees sign a non-disclosure agreement prior to employment
- realworld one employees receive training in regard to General Data Protection Regulation
- realworld one ensures employees have access to information security and data privacy guidelines, policies and processes
2.5.3 Incident response management
Measures to ensure that security incidents can be prevented or, in the case of security incidents that have already occurred, that data and systems can be protected and that a rapid analysis and resolution of the security incident can be carried out.
Measures:
- realworld one uses documented procedures for handling personal data breaches
- realworld one email accounts are secured with state-of-the-art phishing protection mechanisms
- realworld one managed devices are secured by state-of-the-art malware protection
- realworld one involves the data protection officer in case of a personal data breach
2.5.4 Privacy friendly presets
Measures that ensure that a certain level of data protection already exists in advance through the corresponding technology design (privacy by design) and factory settings (privacy by default) of a software.
Measures:
- realworld one ensures that only necessary personal data is collected
3 Measures of the hosting provider Microsoft
Microsoft has implemented the following security measures:
| Domain | Practices |
| --- | --- |
| Organization of Information Security | Security Ownership. Microsoft has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures. Security Roles and Responsibilities. Microsoft personnel with access to Customer Data or Professional Services Data are subject to confidentiality obligations. Risk Management Program. Microsoft performed a risk assessment before processing the Customer Data or launching the Online Services service and before processing Professional Service Data or launching the Professional Services. Microsoft retains its security documents pursuant to its retention requirements after they are no longer in effect. |
| Asset Management | Asset Inventory. Microsoft maintains an inventory of all media on which Customer Data or Professional Services Data is stored. Access to the inventories of such media is restricted to Microsoft personnel authorized in writing to have such access. Asset Handling - Microsoft classifies Customer Data and Professional Services Data to help identify it and to allow for access to it to be appropriately restricted. - Microsoft imposes restrictions on printing Customer Data and Professional Services Data and has procedures for disposing of printed materials that contain such data. |
| Human Resources Security | Security Training. Microsoft informs its personnel about relevant security procedures and their respective roles. Microsoft also informs its personnel of possible consequences of breaching the security rules and procedures. Microsoft will only use anonymous data in training. |
| Physical and Environmental Security | Physical Access to Facilities. Microsoft limits access to facilities where information systems that process Customer Data or Professional Services Data are located to identified authorized individuals. Physical Access to Components. Microsoft maintains records of the incoming and outgoing media containing Customer Data or Professional Services Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of such data they contain. Protection from Disruptions. Microsoft uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference. Component Disposal. Microsoft uses industry standard processes to delete Customer Data and Professional Services Data when it is no longer needed. |
| Communications and Operations Management | Operational Policy. Microsoft maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data or Professional Services Data. Data Recovery Procedures - On an ongoing basis, but in no case less frequently than once a week (unless no updates have occurred during that period), Microsoft maintains multiple copies of Customer Data and Professional Services Data from which such data can be recovered. - Microsoft stores copies of Customer Data and Professional Services Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data and Professional Services Data are located. - Microsoft has specific procedures in place governing access to copies of Customer Data and Professional Services Data. - Microsoft reviews data recovery procedures at least every six months, except for data recovery procedures for Professional Services and for Azure Government Services, which are reviewed every twelve months. - Microsoft logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process. Malicious Software. Microsoft has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data and Professional Services Data, including malicious software originating from public networks. Data Beyond Boundaries - Microsoft encrypts, or enables Customer to encrypt, Customer Data and Professional Services Data that is transmitted over public networks. - Microsoft restricts access to Customer Data and Professional Services Data in media leaving its facilities. Event Logging. Microsoft logs, or enables Customer to log, access and use of information systems containing Customer Data or Professional Services Data, registering the access ID, time, authorization granted or denied, and relevant activity. |
| Access Control | Access Policy. Microsoft maintains a record of security privileges of individuals having access to Customer Data or Professional Services Data. Access Authorization - Microsoft maintains and updates a record of personnel authorized to access Microsoft systems that contain Customer Data or Professional Services Data. - Microsoft deactivates authentication credentials that have not been used for a period of time not to exceed six months. - Microsoft identifies those personnel who may grant, alter or cancel authorized access to data and resources. - Microsoft ensures that where more than one individual has access to systems containing Customer Data or Professional Services Data, the individuals have separate identifiers/log-ins. Least Privilege - Technical support personnel are only permitted to have access to Customer Data and Professional Services Data when needed. - Microsoft restricts access to Customer Data and Professional Services Data to only those individuals who require such access to perform their job function. Integrity and Confidentiality - Microsoft instructs Microsoft personnel to disable administrative sessions when leaving premises Microsoft controls or when computers are otherwise left unattended. - Microsoft stores passwords in a way that makes them unintelligible while they are in force. Authentication - Microsoft uses industry standard practices to identify and authenticate users who attempt to access information systems. - Where authentication mechanisms are based on passwords, Microsoft requires that the passwords are renewed regularly. - Where authentication mechanisms are based on passwords, Microsoft requires the password to be at least eight characters long. - Microsoft ensures that de-activated or expired identifiers are not granted to other individuals. - Microsoft monitors, or enables Customer to monitor, repeated attempts to gain access to the information system using an invalid password. - Microsoft maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed. - Microsoft uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage. Network Design. Microsoft has controls to avoid individuals assuming access rights they have not been assigned to gain access to Customer Data or Professional Services Data they are not authorized to access. |
| Information Security Incident Management | Incident Response Process - Microsoft maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data. - For each security breach that is a Security Incident, notification by Microsoft (as described in the “Security Incident Notification” section above) will be made without undue delay and, in any event, within 72 hours. - Microsoft tracks, or enables Customer to track, disclosures of Customer Data and Professional Services Data, including what data has been disclosed, to whom, and at what time. Service Monitoring. Microsoft security personnel verify logs at least every six months to propose remediation efforts if necessary. |
| Business Continuity Management | - Microsoft maintains emergency and contingency plans for the facilities in which Microsoft information systems that process Customer Data or Professional Services Data are located. - Microsoft’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data and Professional Services Data in its original or last-replicated state from before the time it was lost or destroyed. |
4 List of processors
The list of realworld one sub-processors can be found in annex 2 of the Data Processing Agreement.