Technical and organizational measures (TOM)
Version: 29.09.2023
These technical and organizational measures apply to Netstream AG and Netstream Cloud AG.
Person responsible
The controller pursuant to Art. 5 lit. j of the Federal Act on Data Protection (FADP) is Netstream AG, Richtistrasse 2, 8304 Wallisellen, Switzerland, and Netstream Cloud AG, Auenstrasse 10, 8600 Dübendorf, e-mail:netstream We are legally represented by Alexis Caceda.
Data protection consultant
Our data protection advisor can be contacted via heyData GmbH, Schützenstrasse 5, 10117 Berlin, www.heydata.eu, e-mail: datenschutz@heydata.eu.
Subject of the document
This document summarizes the technical and organizational measures taken by the controller within the meaning of Art. 8 para. 1 FADP. These are measures with which the controller protects personal data.
1. Confidentiality
1.1 Physical access control
Measures office space:
● Protection of building shafts
● Automatic access control system
● Chip card/transponder locking system
● Security locks
● Doorbell system with camera
● Key regulation / key book
● Careful selection of security personnel
● Visitors must be accompanied by employees
● Careful selection of cleaning staff and contractual policy
● Doors with a fixed knob on the outside (no handle; entry from outside requires a key)
● Working from home: Policy in place
Measures Data Centers:
● Video surveillance
● Automatic access control system
● Electronic locking system with authorization management
● Biometric access locks
● Restrictive access guidelines
● Security staff
● Visitor accompaniment exclusively by authorized employees
● Alarm system at the entrances
● Contractual protection with service providers (maintenance)
● Security locks
1.2 System access control
Measures:
● Authentication with user and password
● Use of anti-virus software
● Use of firewalls
● Use of VPN technology for remote access
● Encryption of data carriers
● Automatic desktop lock
● Encryption of notebooks / tablets
● Administration of user authorizations
● Creating user profiles
● Central password rules
● Use of 2-factor authentication
● Key regulation / key book
● General company policy on data protection and security
● Company policy for secure passwords
● Company policy "Delete/Destroy"
● Company guideline "Cleandesk"
● Company policy on the use of mobile devices
● General instruction to lock the desktop manually when leaving the workstation
1.3 Data access control
Measures:
● Professional, external destruction of data carriers and files
● Physical deletion of data carriers before they are reused
● Logging of access to applications (in particular when entering, changing and deleting data)
● Use of an authorization concept
● The number of administrators is kept as small as possible
● Secure storage of data carriers
● Management of user rights by system administrators
1.4 Separation control
Measures:
● Separation of production and test system
● Logical client separation (on the software side)
● Authorization concept
● Definition of database rights
● Multi-client capability of relevant applications
1.5 Pseudonymization
Measures:
● Internal instruction to anonymize / pseudonymize personal data as far as possible when it is disclosed to third parties, and in any case after expiry of the statutory retention period
● Pseudonymization of personal data for analytical purposes in cooperation with third parties
2. Integrity
2.1 Transfer control
Measures:
● Setting up VPN tunnels
● WLAN encryption (WPA2 with strong password)
● Logging of accesses and retrievals
● Provision of data via encrypted connections such as SFTP or HTTPS
● Documentation of the data recipients and the duration of the planned transfer or deletion periods
● Supplier management according to ISO 27001
2.2 Input control
Measures:
● Logging the entry, modification and deletion of data
● Manual or automatic control of the logs
● Storage of forms whose data has been transferred to automated processing
● Create an overview of which applications can be used to enter, change and delete which data
● Traceability of data entry, modification and deletion through individual user names (not user groups)
● Assignment of rights to enter, change and delete data on the basis of an authorization concept
3. Availability and resilience
3.1 Availability control
Measures:
● Data center according to Tier 4 standard
● Fire and smoke detection systems and extinguishing systems
● Devices for monitoring temperature and humidity in server rooms
● Air conditioning in server rooms
● Surge-protected power strips in server rooms
● Uninterruptible power supply (UPS) and emergency power system
● RAID system / hard disk mirroring
● Video surveillance in server rooms
● Alarm on unauthorized access to server rooms
● Regular backups
● Backup & recovery concept (business continuity policy)
● Control of the backup process
● Storage of data backups in a secure, off-site location
● Monitoring systems
● Existence of an emergency plan
● Redundant mains power feed
● Regular review and testing of emergency plans
● Incident management policy
4. Procedures for regular review, assessment and evaluation
4.1 Data protection measures
Measures:
● Use of the heyData platform for data protection management
● Position of the data protection advisor through heyData
● Obligation of employees to maintain data secrecy
● Regular data protection training for employees
● Keeping a record of processing activities (Art. 12 FADP)
● Security certification in accordance with ISO 27001
● Regular review of the effectiveness of the technical protective measures
● CISO / internal information security officer
● Audits (internal and external)
● The organization complies with the information obligations under Art. 13 and 14 GDPR
4.2 Incident response management
Measures:
● Reporting process for data security breaches within the meaning of Art. 5 lit. h FADP to the FDPIC (Art. 24 para. 1 FADP)
● Notification process for data security breaches within the meaning of Art. 5 lit. h FADP to the data subjects concerned (Art. 24 para. 4 FADP)
● Involvement of the data protection advisor in security incidents and data breaches
● Use of anti-virus software
● Use of firewalls
● Regular software updates
● Regular checks for security vulnerabilities
● Risk management
● Spam filter
● Virus scanner
● Documented procedure for dealing with security incidents
● Incident management policy
4.3 Privacy-friendly default settings
Measures:
The following implemented measures take into account the requirements of the principles of "privacy by design" and "privacy by default":
● Training of employees in "privacy by design" and "privacy by default"
● No more personal data is collected than is necessary for the respective purpose.
4.4 Order control (processing on behalf of the controller)
Measures:
The following measures ensure that personal data can only be processed in accordance with the instructions:
● Written instructions to the contractor or instructions in text form (e.g. through a data processing agreement)
● Ensuring the destruction of data after completion of the order, e.g. by requesting corresponding confirmations
● Confirmation from contractors that they commit their own employees to data secrecy (typically in the data processing agreement)
● Careful selection of contractors (especially with regard to data security)
● Ongoing review of contractors and their activities