INTRODUCING Welo Data's Model Assessment Suite| Learn More
To supplement the Data Processing Agreement (DPA) between Client and Contractor pursuant to Art 28 GDPR (EU General Data Protection Regulation), our organization has authored a Technical & Organizational Measures document. The technical and organizational measures are implemented by Welocalize in accordance with Art 32. They are continuously improved by Welocalize according to feasibility and state of the art and brought to a higher level of security and protection.
Introduction
The present document supplements the Data Processing Agreement (DPA) between Client and Contractor pursuant to Art 28 GDPR (EU General Data Protection Regulation). The technical and organizational measures are implemented by Welocalize in accordance with Art 32. They are continuously improved by Welocalize according to feasibility and state of the art and brought to a higher level of security and protection.
SCOPE
Confidentiality, integrity, availability and resilience, procedures for regular review, assessment and evaluation, organization and data protection at Welocalize.
Description
Confidentiality
PHYSICAL ACCESS CONTROL
Measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used.
Technical Measures
Organizational Measures
Alarm System
Key Regulation / List
Automatic Access Control System
Reception / Receptionist / Gatekeeper
Biometric Access Barriers
Visitors’ Book / Visitors’ Protocol
Smart Cards / Transponder Systems
Employee / Visitor Badges
Manual Locking System
Visitors Accompanied by Employee
Doors with Knob Outside
Care in Selection of Security Guard Personnel
Doorbell System with Camera
Care in Selection of Cleaning Services
Video Surveillance of Entrances
Information Security Policy
Biometric Access Control Data Center
Work Instructions for Operational Safety
Work Instruction Access Control
LOGICAL ACCESS CONTROL
Measures suitable for preventing data processing systems from being used by unauthorized persons.
Technical Measures
Organizational Measures
Login With Username + Strong Password
User Access Control
Anti-Virus Software Servers
Creating User Profiles
Anti-Virus Software Clients
Central Password Assignment
Anti-Virus Software Mobile Devices
Information Security Policy
Firewall
Mobile Device Policy
Intrusion Detection Systems
Use of VPN for Remote Access
Encryption of Company Smartphones
Automatic Desktop Lock
Encryption of Notebooks / Tablets
Multi-Factor Authentication
AUTHORIZATION CONTROL
Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.
Technical Measures
Organizational Measures
Physical deletion of data carriers
Use of authorization concepts
Logging of accesses to applications, specifically when entering, changing, and deleting data
Minimum number of administrators
SSH encrypted access
Management of user rights by administrators
Certified SSL encryption
Information Security Policy
Mobile Device Policy
Communication security policy
SEPARATION CONTROL
Measures that ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.
Technical Measures
Organizational Measures
Separation of productive and test environment
Control via authorization concept
Multi-tenancy of relevant applications
Determination of database rights
VLAN segmentation
Information Security Policy
Client systems logically separated
Data Protection Policy
Staging of development, test and production environment
Work instruction operational security
Work instruction security in software development
PSEUDONYMIZATION
The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.
Technical Measures
Organizational Measures
log files are pseudonymized at the request of the client
Internal instruction to anonymize/pseudonymize personal data as far as possible in the event of disclosure or even after the statutory deletion period has expired
Information Security Policy
Data Protection Policy
Specific internal regulations on cryptography
Integrity
TRANSFER CONTROL
Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which entities personal data are intended to be transmitted by data transmission equipment.
Technical Measures
Organizational Measures
Use of VPN where applicable
Survey of regular retrieval and transmission processes
Logging of accesses and retrievals
Transmission in anonymized or pseudonymized form
Provision via encrypted connections such as SFTP, HTTPS and secure cloud stores
Careful selection of transport personnel and vehicles
Use of signature procedures (case-dependent)
Personal handover with protocol
Encryption at rest using AES 256-bit encryption in addition to unique per-file keys
Information Security Policy
Encryption in transit utilizing HTTPS (TLS 1.2+) for web services, and TLS encryption for email transport
Data Protection Policy
INPUT CONTROL
Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g., operating system, network, firewall, database, application).
Technical Measures
Organizational Measures
Technical logging of the entry, modification and deletion of data
Survey of which programs can be used to enter, change or delete which data
Manual or automated control of the logs (according to strict internal specifications)
Traceability of data entry, modification and deletion through individual usernames (not user groups)
Assignment of rights to enter, change and delete data on the basis of an authorization concept
Clear responsibilities for deletions
Information Security Policy
Work instruction IT user regulations
Availability and Resilience
AVAILABILITY CONTROL
Measures to ensure that personal data is protected against accidental destruction or loss (UPS, air conditioning, fire protection, data backups, secure storage of data media, virus protection, raid systems, disk mirroring, etc.)
Technical Measures
Organizational Measures
Fire and smoke detection systems
Backup concept
Fire extinguisher server room
No sanitary connections in the server room
Server room monitoring temperature and humidity
Existence of an emergency plan
Server room air-conditioning
Storage of backup media in a secure location outside the server room
UPS system and emergency diesel generators
Separate partitions for operating systems and data where necessary
Protective socket strips server room
Information Security Policy
RAID system / hard disk mirroring
Work instruction operational security
Video surveillance server room
Alarm message in case of unauthorized access to server room
RECOVERABILITY CONTROL
Measures capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident.
Technical Measures
Organizational Measures
Backup monitoring and reporting
Recovery concept
Restorability from automation tools
Control of the backup process
Backup concept according to criticality and customer specifications
Regular testing of data recovery and logging of results
Existence of an emergency plan
Information Security Policy
Work instruction operational security
Procedures for regular Review, Assessment and Evaluation
DATA PROTECTION MANAGEMENT
Technical Measures
Organizational Measures
Central documentation of all data protection regulations with access for employees
Internal data protection officer appointed: Group Data Protection Officer, DPO
Security certification according to ISO 27001
Staff trained and obliged to confidentiality/data secrecy
A review of the effectiveness of the TOMs is carried out at least annually and TOMs are updated
Regular awareness trainings at least annually
Data protection checkpoints consistently implemented in tool-supported risk assessment
Internal Information Security Officer appointed: Group Information Security Officer, ISO
Data Protection Impact Assessment (DPIA) is carried out as required
Processes regarding information obligations according to Art 13 and 14 GDPR established
Formalized process for requests for information from data subjects is in place
Data protection aspects established as part of corporate risk management
ISO 27001 certification of key parts of the company including data center operations and annual monitoring audits
INCIDENT RESPONSE MANAGEMENT
Support for security breach response and data breach process
Technical Measures
Organizational Measures
Central documentation of all data protection regulations with access for employees
Internal data protection officer appointed: Group Data Protection Officer, DPO
Security certification according to ISO 27001
Staff trained and obliged to confidentiality/data secrecy
A review of the effectiveness of the TOMs is carried out at least annually and TOMs are updated
Regular awareness trainings at least annually
Data protection checkpoints consistently implemented in tool-supported risk assessment
Internal Information Security Officer appointed: Group Information Security Officer, ISO
Data Protection Impact Assessment (DPIA) is carried out as required
Processes regarding information obligations according to Art 13 and 14 GDPR established
Formalized process for requests for information from data subjects is in place
Data protection aspects established as part of corporate risk management
ISO 27001 certification of key parts of the company including data center operations and annual monitoring audits
DATA PROTECTION BY DESIGN AND BY DEFAULT
Measures pursuant to Art 25 GDPR that comply with the principles of data protection by design and by default.
Technical Measures
Organizational Measures
No more personal data is collected than is necessary for the respective purpose
Data Protection Policy (includes principles “privacy by design / by default”)
Use of data protection-friendly default settings in standard and individual software
OWASP Secure Mobile Development Security Checks are performed
Perimeter analysis for web applications
ORDER CONTROL (OUTSOURCING, SUBCONTRACTORS AND ORDER PROCESSING)
Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the client’s instructions.
Technical Measures
Organizational Measures
Monitoring of remote access by external parties, e.g. in the context of remote support
Work instruction supplier management and supplier evaluation
Monitoring of subcontractors according to the principles and with the technologies according to the preceding chapters 1, 2
Prior review of the security measures taken by the contractor and their documentation where applicable
Selection of the contractor under due diligence aspects (especially with regard to data protection and data security) where applicable
Conclusion of the necessary data processing agreement on commissioned processing or EU standard contractual clauses
Framework agreement on contractual data processing within the group of companies
Written instructions to the contractor
Obligation of the contractor’s employees to maintain data secrecy
Ensuring the destruction of data after termination of the contract
In the case of longer collaboration: ongoing review of the contractor and its level of protection
Organization and Data Protection at Welo Data
Welo Data has set itself the goal, among other things, of providing its customers with the products and services to be delivered at the highest possible level of information security in compliance with the law.
In this context, Welo Data has established a distinctive cross-sectional security organization to ensure comprehensive protection of its own corporate information and data as well as protection of the data of its customers and clients. The functions of Information Security Officer (ISO), Data Protection Officer (DPO), Quality Officer (QO), Risk Officer (RO) and Legal Compliance Officer (LCO) with group-wide responsibility and direct authority in these areas of activity have been established.
Employees are continuously informed and trained in the area of data protection. In addition, all employees are contractually bound to data secrecy and confidentiality. External parties who may come into contact with personal data in the course of their work for Welocalize are obligated to maintain secrecy and confidentiality as well as to comply with data protection and data secrecy by means of a so-called NDA (Non-Disclosure Agreement) before they begin their work.
Any subcontractors entrusted with further processing (as “other processors”) are only used after approval by the Client as the “controller” and after conclusion of a Data Processing Agreement (DPA) in accordance with Art 28 GDPR, with which they are fully bound by all data protection obligations to which Welocalize itself is subject.
All of these organizational measures are flanked by Welocalize’s current, high technical security standards, and both dimensions are periodically reviewed.