Technical & Organizational Measures of absence.io GmbH
Annex 2 to the Data Processing Agreement pursuant to Article 28 GDPR
| Technical and organizational measures |
The technical and organizational measures described below are to be treated confidentially. They may not be reproduced in whole or in part or passed on to unauthorized persons.
The document describes the technical and organizational measures defined as binding in connection with order processing operations carried out between the controller and the processor. The measures presented thus represent a reflection of the data protection and data security concept of the location.
The following catalogue of measures describes the individual technical and organisational measures to be taken in the context of order processing in accordance with Art. 28 (3) (c ) and (e ) , Art. 32 GDPR. The GDPR obliges companies to secure the data processing of personal data through appropriate, technical and organizational measures and to pseudonymize personal data as far as possible. The measures taken must take into account the risk of the respective data processing operation and correspond to the current state of the art. The processor meets these requirements through an effective interaction of data protection management and information security management and has taken appropriate measures to secure the data processing operations. In particular, the protection values: availability, confidentiality, integrity and resilience.
Confidentiality: Data, information and programs must be protected against unauthorized access and disclosure.
Integrity: The term integrity refers to the accuracy of the information and data processed.
Availability: The term availability refers to information, data, applications and systems and refers to their functionality or retrievability.
Load capacity: As a special aspect of availability, resilience requires systems to be as resistant as possible even in the event of a malfunction, fault or high load.
Definitions & Abbreviations
- Data center: Data Center Limtec GmbH Augsburg / rented external servers
- B: absence.io Berlin Office
- M: absence.io Munich Office
- ISMS
Confidentiality
Physical access control
absence.io ensures that unauthorized persons do not have access to the data processing equipment with which personal data is processed or used (office, server and archive rooms). This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Lockable, separate premises for servers and offices in which personal data can be processed. | X | – | – | No servers are used on the company premises. |
| Central reception area. | X | X | X | |
| Alarm system with activated security guard. | X | X | X | Access to offices and servers is secured by alarm systems. |
| Central access control system electronically managed. | X | X | X | |
| Coded keys (tokens/transponders) and key issue only to authorized persons with access control system. | X | X | X | |
| Logging of closures. | X | X | X | |
| In the company, access to the server rooms is limited to the minimum required group of people. | X | – | – | No servers in corporate premises. |
| Definition and documentation of access authorizations. | X | X | X | |
| Documentation Access to external visitors in the visitor protocoll (e.g. maintenance personnel, customers, service providers, partners, visitors …). | X | X | X | |
| Entry of the premises by external company only in the company accompanied by an employee. | X | X | X | |
| Legitimation of authorized persons (key, PIN code). | X | X | X | |
| Two-factor authentication on access. | X | – | – | |
| Withdrawal of means of access after expiry of the authorisation. | X | X | X | |
| CCTV surveillance to secure the premises indoors and outdoors | X | – | – |
Access control hardware and systems
absence.io prevents computer systems (data processing equipment with which personal data can be processed or used) from being used or accessible by unauthorised persons. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| The company ensures that personal data is not freely accessible in areas with public access. | X | X | X | |
| In the company, portable devices have access locks (password, PIN, pattern, etc.). | X | X | X | |
| Setting up one user account per user (logging) | X | X | X | Access data is only accessible to authorized employees.Automated logging of access (profiles) in the admin area (super admin) as well as when accessing the servers. |
| Two-factor authentication when accessing user accounts (policy/work instructions). | X | X | X | |
| Authentication of the persons authorized with the data processing by means of a password procedure (single sign-on procedure). | X | X | X | |
| In the company, sufficiently complex passwords and PINs are required for the use of portable devices. | X | X | X | Password manager (Enpass, Logpass). |
| Encrypted storage of passwords. | X | X | X | |
| Automatic blocking of the user account in case of multiple incorrect entry of access data. | X | X | X | |
| Automatic locking of the workstation in case of inactivity. | X | X | X | |
| Immediate blocking of authorizations when employees leave the company (directive/work instruction). | X | X | X | |
| Regular check of the validity of authorizations (at the beginning of a work relationship). | X | X | X | |
| Use of lockable cabinets for storing paper files. | – | – | X | no paper file storage in data centers and M. |
| Secure transmission of data (credentials) in the network via SSL, TLS/HTTPS, SSH, S/MIME, VPN (IPSec, openVPN). | X | X | X | Encryption at rest. |
| Operation of an office guest WLAN for mobile devices and visitors. | – | X | X | |
| Regulations and controls regarding remote maintenance have been defined in the company. | X | X | X | According to our authorization concept, remote maintenance is only possible for a closed group of people with authentication and secure access (VPN, encryption). |
| Remote maintenance/remote access is logged by automated logging. | X | X | X | |
| Ability to remotely detach devices through mobile device management. A guideline on the handling of data carriers is communicated to employees as part of data protection training. | X | X | X | |
| In the company, employees have been obliged to store personal data locked when leaving the workplace (so-called clean desk policy). | X | X | X |
Access control to data processing
absence.io ensures that those authorized to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Definition of access authorizations for access to data (creation of an authorization concept). | X | X | X | |
| Access and access authorizations are temporarily blocked in the event of longer absences. | X | X | X | |
| Deactivation of user accounts when employees leave the company. | X | X | X | When an employee leaves the company, the accesses of all employees are reviewed. |
| Storage of data on encrypted data carriers (directive/work instructions). | X | X | X | No mobile data carriers are used (such as USBs, CDs)AES-XTS, AES-128; ESET Endpoint Security. |
| Definition of authorizations to know, enter, modify and delete data processed by the processor in the context of order fulfillment. | X | X | X | |
| Regular control of access, permitted users, created user groups and rights profiles. | X | X | X | Regularly and triggered by e.g. the start of a new employment in the team. |
| In order to make employees aware of the importance of data protection and to oblige them according to the requirements, training courses are carried out for all employees with access rights. | X | X | X | Regular training every year. |
| Disposal of data carriers that are no longer required by external service providers (guideline/work instructions). | X | – | – | Service provider has the certification DIN 66399. |
| Written regulation for copying data (IT security guideline / work instructions). | X | X | X | |
| Assignment of minimal authorizations (need-to-know principle). | X | X | X | |
| Block and delete personal data upon request. | X | X | X | |
| No assignment of generic passwords, group identifiers. | X | – | – | Use of test accounts, access data are only accessible to authorized employees. |
| Avoidance of concentration of functions/separation of duties of administrator activities on different qualified persons. | X | X | X | It is ensured that IT administrators are sufficiently qualified to perform their duties. |
| In the company, administrators and their deputies were appointed for all IT systems and IT networks. | X | X | X | Administrator accounts at levels (database, operating system, application, network). |
| There is no unencrypted password list. | X | X | X | |
| Maintain a history of administrative changes made. The assignment and withdrawal of access and access authorizations for IT systems is digitally documented. | X | X | – | |
| Documentation of approved users, user groups and rights is protected from unauthorized access. | X | X | X | |
| Access to the production infrastructure via VPN for remote maintenance. | X | X | X | VPN tunnel endpoint is placed in the firewall. |
| One or more firewalls are used against unwanted networks. | X | X | X | UniFi |
Separation control
absence.io ensures that data collected for different purposes can be processed separately. There is no need for physical separation; a logical separation of the data is sufficient. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Identification of the collected data (file number, ID, customer/transaction number). | X | X | X | |
| Logical separation of data processed for different controllers Separation of functions/ production/ test. | X | X | X | Separation between production, test and development environments including databases. |
| Logical separation of the personal data of the respective controllers by assignment to the respective user accounts. | X | X | X | Software-side separation of controllers. |
| Separate workstations for the processing of special categories of personal data spatially from other workplaces. | X | X | X |
Integrity
Transfer Control & Disk Control
absence.io shall ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or during transport or storage on data carriers, and that it is possible to verify and establish the places to which personal data may be transmitted by means of a data transmission device. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| An inventory is kept for the electronic data carriers (laptops, mobile phones, tablet computers). | X | X | X | |
| Determination of the persons authorised to transmit or transport (electronically, manually). | X | X | X | |
| Digital signatures are used to send emails. | X | X | X | |
| Checking the completeness of the data after data transport, transmission and data transmission or storage. | X | X | X | Manual reconciliation with checksums. |
| Data is transferred using SSL/TLS; S/MIME encrypted. | X | X | X | |
| Implementation of security gateways at the network transfer points. | X | X | X | |
| Incoming and outgoing data streams are filtered by a modern, cascaded firewall solution (UniFi). | X | X | X | |
| All relevant systems have sufficient protection and detection mechanisms for malware. | X | X | X | ESET endpoint security malware protection. |
| Insofar as data carriers are transmitted by transport companies, the data carriers will only be passed on after prior authentication by the transport company. | X | X | X | |
| Paper and data carriers with personal data are disposed of by a qualified disposal company in accordance with data protection regulations (hard disks, files). | X | X | X | |
| The complete, data protection-compliant and permanent deletion of data carriers with personal data is logged. The logs are kept audit-proof for at least 12 months. | X | X | X | |
| Lockable containers are available at workstations to store documents and data carriers safely. | X | X | X | |
| Portable devices are secured against theft outside the hours of use. | X | X | X | |
| Users of portable terminals are obliged to comply with appropriate storage. | X | X | X | |
| There is a current usage-and a security policy for portable terminals, which describes all the security mechanisms to be implemented. | X | X | X | |
| All company-owned items related to personal data will be reclaimed from a retiring person. | X | X | X | |
| Prevent unauthorized persons from gaining access to operating systems through endpoint passwords. | X | X | X | Passwords that have already been used in the past will not be used again. Length of at least 8 characters. |
| A regular DSL/fiber optic connection is used to connect to the telecommunications provider. | X | X |
Input control
absence.io ensures that it can be subsequently checked and determined whether and by whom personal data have been entered, changed or removed in data processing systems. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| There is an IT security concept (ISMS), which represents the basic technical and organizational measures taken in the company to ensure data protection and data security. | X | X | X | See definition of information security management system “ISMS” |
| Processing of personal data is logged. | X | X | X | |
| Documentation of access authorizations (work instruction access groups and access authorization). | X | X | X | |
| Recording of activities within the scope of the contract. | X | X | X | |
| Maintaining a history for all users who use the corresponding application programs to process personal data, which records which user performed which action and when, provided that this action modifies personal data. | X | X | X | Recording the history in the “Just Hire” application |
Availability and resilience
Availability control
absence.io ensures that personal data is protected against accidental or intentional destruction or loss. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Uninterruptible power supply (UPS). | X | – | – | The uninterruptible power supply can bridge 2 hours. |
| Virus protection (on the workstations). | X | X | X | Virus protection on Windows & Mac workstations. |
| Virus protection (on the servers). | X | X | X | |
| Encrypted data is also scanned for malware. | X | X | X | |
| A TLS/SSL scanner is used to check encrypted data packets for malware. | X | X | X | TLS Scanner (Eset) |
| Firewall | X | X | X | One or more firewalls are used against unwanted network access: cisco, meraki MX400 (internal); via AWS (external). ESET endpoint security firewall. |
| Contingency plan | X | X | X | |
| Critical systems and, if necessary, the infrastructure designed redundantly. | X | X | X | |
| Geo-redundant data centers. | X | – | – | No servers in M, B |
| Central fire alarm system. | X | X | X | Hazard protection for overheating, server rack, fire. |
| Availability monitoring (Monitoring). | X | X | X | 24/7 monitoring of all critical systems through automated monitoring procedures by software (cisco, meraki MX400 (internal) for the network). |
| An archiving concept is defined, which regulates how and for how long documents are archived. | X | X | X | There is a legal obligation to retain the archived documents. |
Recoverability
absence.io ensures the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Backup procedure according to backup concept (daily, weekly, monthly). | X | – | – | No servers performed in M, B. Backups: Standalone backups (e.g. by NAS system) service providers, cloud providers. |
| Storage of backup data in backup cabinets, safes, in other fire compartments. | X | – | – | No servers in M, B.Backup types used: Image Backup, Incremental Backup, Full/Full Backup. |
| An Incident Response Pland and Disaster Recovery Plan are defined in order to be able to quickly restore business operations in the event of an emergency with suitable, described measures. | X | X | X | The company has an authorization concept for emergency situations. |
| RAID level deployed – RAID 5, RAID 10 | X | X | ||
| Recovery of the data is possible. | X | X | X | The following areas can be restored: user data, system files and data containers, log data, user accounts, configurations (settings and shares). |
Resilience
absence.io ensures the availability and resilience of business-critical systems and the systems for processing personal data through the following technical and organizational measures:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Virtualization and operation in container infrastructure with load balancers. | X | – | – | |
| Regular penetration testing of absence.io products for security vulnerabilities. | X | – | – | The absence.io products are tested in the vicinity of the data centers. Not applicable in the vicinity of the offices. Penetration tests by customers can and are carried out after consultation with absence.io. |
Procedures for regular review, assessment and evaluation
To ensure the maintenance and continuous improvement of the level of data protection and information security, absence.io undergoes regular (at least annually) internal and external audits.
The absence.io Data Center (RZ) is certified according to
- SAY IN ISO 9001
- DIN EN ISO/IEC 27001
Data protection and information security management
absence.io ensures a process for regularly reviewing and evaluating the effectiveness of the technical and organisational protective measures and service providers. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Regular assessment of the level of data protection by a data protection team | X | X | X | |
| Informing and obliging employees to comply with the data protection requirements of the GDPR. Regular training of all employees with access rights. | X | X | X | Informing employees about innovations on the subject of data protectionEmployees’ obligation to comply with rules of conductCorporate Privacy PolicyObligation of employees to maintain data secrecy. |
| Third parties must submit a confidentiality agreement. | X | X | X | |
| If, for organizational reasons, there are functional overlaps, the four-eyes principle is applied and documented. | – | X | X | |
| There is a defined representative regulation within the function groups. | – | X | X | |
| Regular review of the data protection and information security management system (timeliness of technical and organizational measures) through internal and external audits. | X | X | X |
Assessment of the adequate level of protection (Art. 32 (2) GDPR)
absence.io ensures a documented assessment of an adequate level of protection with regard to the risks associated with the processing, in particular through destruction, loss, alteration, unauthorised disclosure or access, of the personal data processed on behalf of the contract. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Carrying out a risk analysis for the processing of personal data. | X | X | X | |
| Creation of protection requirement categories. | X | X | X | |
| Alignment of processes according to Privacy by Design and Privacy Default. | – | X | X | |
| Carrying out data protection impact assessments (where required by law). | X | X | X |
Order control (Art. 32 (3) and (4) GDPR)
absence.io ensures that personal data processed on behalf of the controller will only be processed in accordance with the instructions of the controller and to fulfil the contractually defined purpose. The processor can prove this by means of a certification procedure approved in accordance with Art. 40 or an approved certification procedure in accordance with Art. 42 GDPR. If no certification is available, proof is provided by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Clear contract design with subprocessors, conclusion with all service providers via a data processing agreement. | X | X | X | |
| Regular monitoring of activities. | X | X | X | Monitoring of absence.io processes through internal audits. |
| The persons authorized to issue instructions to the controller and the persons authorized to receive instructions are contractually defined, instructions are always given in text form (e.g. by e-mail or ticket system). | X | X | X | |
| Instructions for the processing of personal data are given exclusively in writing to processors. | X | X | X | |
| Formalization of the order placement (forms). | X | X | X | |
| Carrying out safety assessments of suppliers. | X | X | X | Defined assessment criteria for selecting external service providers (e.g. certifications, references, commitment to SLAs, ownership and responsibilities, scope, locations, subcontractors) |
| absence.io shall inform the controller immediately of cases of serious operational disruptions, suspicion of data breaches, errors being detected or other irregularities in the handling of the controller’s data. | X | X | X | |
| Orders are recorded as a support ticket (minimum information: controller/customer, action/partial order, exact specification of processing steps/parameters, processors, deadlines, recipients if applicable), where the work carried out is documented. There is a clear mapping between the support ticket number and the sales order. | X | X | X |
User control
The unauthorized entry into the memory as well as the unauthorized inspection, modification or deletion of stored personal data are prevented. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Administrators and their deputies have been designated for all IT systems and IT networks. | X | X | X | |
| The administrator accounts are used at the database, application and network level. | X | X | X | Authorization concept (release to applications, regular review of releases). |
| Special administrator accounts are used. | X | X | X | |
| It is ensured that all company-owned items relating to personal data are reclaimed from a departing person. | X | X | X | |
| In order to make employees aware of the importance of data protection and to oblige them according to the requirements, the following measures are taken: – Training of all employees entitled to access. | X | X | X | |
| The company regularly holds training courses on the subject of data protection. | X | X | X | |
| Teleworker were advised to comply with relevant data protection regulations. | X | X | X |
Storage control
The unauthorized entry into the memory as well as the unauthorized inspection, modification or deletion of stored personal data are prevented. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| It is possible to block and delete personal data upon request. | X | X | X | |
| An automatic screen lock is used. | X | X | X | (this is activated after a maximum of 10 minutes) |
| Employees are required to dispose of personal data properly. | X | X | X | |
| There is no unencrypted password list. | X | X | X |
Reliability
It is ensured that personal data is protected against accidental destruction or loss. This is done by:
| Measures | DC | M | B | Notes |
|---|---|---|---|---|
| Critical systems and, if necessary, the infrastructure are designed redundantly. | X | X | X | |
| Software is used to monitor the network or applications. | X | X | X | Papertrail, Newrelic |
Changes to technical and organizational measures
absence.io strives to continuously develop the technical and organizational measures for the protection of personal data. It is ensured that changes to the TOM do not lead to a reduction in the level of security. absence.io will inform customers of significant changes to the TOM.
*For reasons of better readability, the generic masculine is used for personal designations and personal expressions. All personal designations apply equally to all gender identities in the sense of equal treatment. The shortened language form does not include any evaluation.