To supplement the Data Processing Agreement (DPA) between Client and Contractor pursuant to Art 28 GDPR (EU General Data Protection Regulation), our organization has authored a Technical & Organizational Measures document. The technical and organizational measures are implemented by Welocalize in accordance with Art 32. They are continuously improved by Welocalize according to feasibility and state of the art and brought to a higher level of security and protection.


Introduction

The present document supplements the Data Processing Agreement (DPA) between Client and Contractor pursuant to Art 28 GDPR (EU General Data Protection Regulation). The technical and organizational measures are implemented by Welocalize in accordance with Art 32. They are continuously improved by Welocalize according to feasibility and state of the art and brought to a higher level of security and protection.

SCOPE

Confidentiality, integrity, availability and resilience, procedures for regular review, assessment and evaluation, organization and data protection at Welocalize.

Description

PHYSICAL ACCESS CONTROL

Measures suitable for preventing unauthorized persons from gaining access to data processing systems with which personal data are processed or used.

Technical MeasuresOrganizational Measures
Alarm SystemKey Regulation / List
Automatic Access Control SystemReception / Receptionist / Gatekeeper
Biometric Access BarriersVisitors’ Book / Visitors’ Protocol
Smart Cards / Transponder SystemsEmployee / Visitor Badges
Manual Locking SystemVisitors Accompanied by Employee
Doors with Knob OutsideCare in Selection of Security Guard Personnel
Doorbell System with CameraCare in Selection of Cleaning Services
Video Surveillance of EntrancesInformation Security Policy
Biometric Access Control Data CenterWork Instructions for Operational Safety
Work Instruction Access Control

LOGICAL ACCESS CONTROL

Measures suitable for preventing data processing systems from being used by unauthorized persons.

Technical MeasuresOrganizational Measures
Login With Username + Strong PasswordUser Access Control
Anti-Virus Software ServersCreating User Profiles
Anti-Virus Software ClientsCentral Password Assignment
Anti-Virus Software Mobile DevicesInformation Security Policy
FirewallMobile Device Policy
Intrusion Detection Systems
Use of VPN for Remote Access
Encryption of Company Smartphones
Automatic Desktop Lock
Encryption of Notebooks / Tablets
Multi-Factor Authentication

AUTHORIZATION CONTROL

Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.

Technical MeasuresOrganizational Measures
Physical deletion of data carriersUse of authorization concepts
Logging of accesses to applications, specifically when entering, changing, and deleting dataMinimum number of administrators
SSH encrypted accessManagement of user rights by administrators
Certified SSL encryptionInformation Security Policy
Mobile Device Policy
Communication security policy

SEPARATION CONTROL

Measures that ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.

Technical MeasuresOrganizational Measures
Separation of productive and test environmentControl via authorization concept
Multi-tenancy of relevant applicationsDetermination of database rights
VLAN segmentationInformation Security Policy
Client systems logically separatedData Protection Policy
Staging of development, test and production environmentWork instruction operational security
Work instruction security in software development

PSEUDONYMIZATION

The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.

Technical MeasuresOrganizational Measures
log files are pseudonymized at the request of the clientInternal instruction to anonymize/pseudonymize personal data as far as possible in the event of disclosure or even after the statutory deletion period has expired
Information Security Policy
Data Protection Policy
Specific internal regulations on cryptography

Integrity

TRANSFER CONTROL

Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which entities personal data are intended to be transmitted by data transmission equipment.

Technical MeasuresOrganizational Measures
Use of VPN where applicableSurvey of regular retrieval and transmission processes
Logging of accesses and retrievalsTransmission in anonymized or pseudonymized form
Provision via encrypted connections such as SFTP, HTTPS and secure cloud storesCareful selection of transport personnel and vehicles
Use of signature procedures (case-dependent)Personal handover with protocol
Encryption at rest using AES 256-bit encryption in addition to unique per-file keysInformation Security Policy
Encryption in transit utilizing HTTPS (TLS 1.2+) for web services, and TLS encryption for email transportData Protection Policy

INPUT CONTROL

Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g., operating system, network, firewall, database, application).

Technical MeasuresOrganizational Measures
Technical logging of the entry, modification and deletion of dataSurvey of which programs can be used to enter, change or delete which data
Manual or automated control of the logs (according to strict internal specifications)Traceability of data entry, modification and deletion through individual usernames (not user groups)
Assignment of rights to enter, change and delete data on the basis of an authorization concept
Clear responsibilities for deletions
Information Security Policy
Work instruction IT user regulations

Availability and Resilience

AVAILABILITY CONTROL

Measures to ensure that personal data is protected against accidental destruction or loss (UPS, air conditioning, fire protection, data backups, secure storage of data media, virus protection, raid systems, disk mirroring, etc.)

Technical MeasuresOrganizational Measures
Fire and smoke detection systemsBackup concept
Fire extinguisher server roomNo sanitary connections in the server room
Server room monitoring temperature and humidityExistence of an emergency plan
Server room air-conditioningStorage of backup media in a secure location outside the server room
UPS system and emergency diesel generatorsSeparate partitions for operating systems and data where necessary
Protective socket strips server roomInformation Security Policy
RAID system / hard disk mirroringWork instruction operational security
 Video surveillance server room
Alarm message in case of unauthorized access to server room

RECOVERABILITY CONTROL

Measures capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident.

Technical MeasuresOrganizational Measures
Backup monitoring and reportingRecovery concept
Restorability from automation toolsControl of the backup process
Backup concept according to criticality and customer specificationsRegular testing of data recovery and logging of results
Existence of an emergency plan
Information Security Policy
Work instruction operational security

Procedures for regular Review, Assessment and Evaluation

DATA PROTECTION MANAGEMENT

Technical MeasuresOrganizational Measures
Central documentation of all data protection regulations with access for employeesInternal data protection officer appointed: Group Data Protection Officer, DPO
Security certification according to ISO 27001Staff trained and obliged to confidentiality/data secrecy
A review of the effectiveness of the TOMs is carried out at least annually and TOMs are updatedRegular awareness trainings at least annually
Data protection checkpoints consistently implemented in tool-supported risk assessmentInternal Information Security Officer appointed: Group Information Security Officer, ISO
Data Protection Impact Assessment (DPIA) is carried out as required
Processes regarding information obligations according to Art 13 and 14 GDPR established
Formalized process for requests for information from data subjects is in place
Data protection aspects established as part of corporate risk management

ISO 27001 certification of key parts of the company including data center operations and annual monitoring audits

INCIDENT RESPONSE MANAGEMENT

Support for security breach response and data breach process

Technical MeasuresOrganizational Measures
Central documentation of all data protection regulations with access for employeesInternal data protection officer appointed: Group Data Protection Officer, DPO
Security certification according to ISO 27001Staff trained and obliged to confidentiality/data secrecy
A review of the effectiveness of the TOMs is carried out at least annually and TOMs are updatedRegular awareness trainings at least annually
Data protection checkpoints consistently implemented in tool-supported risk assessmentInternal Information Security Officer appointed: Group Information Security Officer, ISO
Data Protection Impact Assessment (DPIA) is carried out as required
Processes regarding information obligations according to Art 13 and 14 GDPR established
Formalized process for requests for information from data subjects is in place
Data protection aspects established as part of corporate risk management
ISO 27001 certification of key parts of the company including data center operations and annual monitoring audits

DATA PROTECTION BY DESIGN AND BY DEFAULT

Measures pursuant to Art 25 GDPR that comply with the principles of data protection by design and by default.

Technical MeasuresOrganizational Measures
No more personal data is collected than is necessary for the respective purposeData Protection Policy (includes principles “privacy by design / by default”)
Use of data protection-friendly default settings in standard and individual softwareOWASP Secure Mobile Development Security Checks are performed
Perimeter analysis for web applications

ORDER CONTROL (OUTSOURCING, SUBCONTRACTORS AND ORDER PROCESSING)

Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the client’s instructions.

Technical MeasuresOrganizational Measures
Monitoring of remote access by external parties, e.g. in the context of remote supportWork instruction supplier management and supplier evaluation
Monitoring of subcontractors according to the principles and with the technologies according to the preceding chapters 1, 2Prior review of the security measures taken by the contractor and their documentation where applicable
Selection of the contractor under due diligence aspects (especially with regard to data protection and data security) where applicable
Conclusion of the necessary data processing agreement on commissioned processing or EU standard contractual clauses
Framework agreement on contractual data processing within the group of companies
Written instructions to the contractor
Obligation of the contractor’s employees to maintain data secrecy
Ensuring the destruction of data after termination of the contract
In the case of longer collaboration: ongoing review of the contractor and its level of protection

Organization and Data Protection at Welo
Data

Welo Data has set itself the goal, among other things, of providing its customers with the products and services to be delivered at the highest possible level of information security in compliance with the law.

In this context, Welo Data has established a distinctive cross-sectional security organization to ensure comprehensive protection of its own corporate information and data as well as protection of the data of its customers and clients. The functions of Information Security Officer (ISO), Data Protection Officer (DPO), Quality Officer (QO), Risk Officer (RO) and Legal Compliance Officer (LCO) with group-wide responsibility and direct authority in these areas of activity have been established.

Employees are continuously informed and trained in the area of data protection. In addition, all employees are contractually bound to data secrecy and confidentiality. External parties who may come into contact with personal data in the course of their work for Welocalize are obligated to maintain secrecy and confidentiality as well as to comply with data protection and data secrecy by means of a so-called NDA (Non-Disclosure Agreement) before they begin their work.

Any subcontractors entrusted with further processing (as “other processors”) are only used after approval by the Client as the “controller” and after conclusion of a Data Processing Agreement (DPA) in accordance with Art 28 GDPR, with which they are fully bound by all data protection obligations to which Welocalize itself is subject.

All of these organizational measures are flanked by Welocalize’s current, high technical security standards, and both dimensions are periodically reviewed.

Certifications

Technical MeasuresGDPR ComplianceComments
Physical Access Control
Logical Access Control
Authorization Control
Separation Control
Pseudonymization
Transfer Control
Input Control
Availability Control
Recoverability Control
Data Protection Management
Incident Response Management
Privacy by Design and Default
Order Control
Organization