This post is also available in: German
Preamble
When performing the services in accordance with the main contract, we – the Conceptboard Cloud Service GmbH, Mansfelder Str. 56, 06108 Halle (Saale), Germany – meet with the customer – hereinafter referred to as the “client” – taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing, as well as the different probability and severity of the risk for the rights and freedoms of natural persons, the following technical and organizational measures (TOM) to ensure a level of protection appropriate to the risk.
The selection of measures is divided into the following areas:
- Pseudonymization
- Encryption
- Confidentiality and Integrity
- Availability and Resilience
- Effectiveness Test
Pseudonymization
Measures for pseudonymization have the purpose of excluding or significantly complicating the determination of the person concerned.
- Personal data is stored and merged using a pseudonymized user identification number (user ID).
Encryption
Encryption measures have the purpose of preventing the use and misuse of the data by unauthorized third parties – in the absence of a key.
- Communication between servers and connected clients is continuously encrypted using the latest technologies and accepted industry standards. Depending on the client of the user, TLS1.2, 256-bit AES in GCM with elliptic curve cryptography and forward secrecy are used. For more information on transmission security, see the Qualys SSL Report for Conceptboard.
- Stored customer data is encrypted with symmetrical AES256 keys.
- User passwords are not saved. Instead, a secure method based on cryptographic hash functions is used (“Salted Cryptographic Hash”).
Confidentiality and Integrity
Confidentiality and integrity measures serve to protect personal data from unauthorized disclosure, as well as to ensure that the systems function correctly and the data remains intact, i.e. complete and unchanged by external influences.
- The data centers used – unless otherwise agreed or otherwise documented, the data centers of IONOS and Amazon Web Services (AWS) in the Frankfurt, Germany region – have extensive and modern access controls (e.g. electronic access control systems, camera surveillance, intrusion detection systems, security guards) and implement processes that protect sustainably against unauthorized access (e.g. defined security areas, individual access authorization, role-based authorization concept). More information about the protective measures taken can be found in the respective portals of IONOS and AWS on the subject of cloud security.
- The offices used have electronic access control systems and camera surveillance of the entrance areas. Processes for individual access authorization, documentation of access authorizations and visitor regulations have been implemented. The offices are locked outside of working hours.
- The publicly provided server systems, the dedicated enterprise systems per client and the development systems, as well as their respective data storage and backup storage locations, are completely separated from each other by separate networks and network segments. Networks and network segments are protected by restrictive firewall rules. System components are reinforced in accordance with generally established and accepted industry standards (e.g. blocking unnecessary ports, regular software updates).
- Administrative access is only possible via secure connections (VPN with end-to-end encryption, separate management networks, 2FA) and is logged in log files. Access to administration and maintenance are clearly assigned to natural persons.
- The granting of access rights takes place in compliance with specific approval regulations and is documented. The principle of the lowest allocation of rights (“need-to-know principle”), after users only receive the access that is necessary for the fulfillment of their tasks, is used. Access rights to IT systems are regularly checked and withdrawn as soon as the business need for access no longer exists. Critical administrative combinations of rights are monitored (“separation-of-duty principle”).
- All employees are familiar with the handling of confidential data and are obliged in writing to maintain confidentiality. There are binding rules for inspecting and disclosing sensitive data, as well as written guidelines for the transfer and transmission of data. The processing of personal data takes place exclusively in accordance with the instructions of the client.
- Work devices are equipped with security software such as firewalls, antivirus software and malware detection. Written regulations exist for handling mobile devices and data carriers, for secure data deletion, for the destruction of data carriers, and for remote work (home office). Unattended IT systems are automatically blocked.
- Passwords require a defined minimum complexity. Initial passwords must be changed after the first login.
Availability and Resilience
The measures for availability and resilience have the purpose of guaranteeing the services and internal operational processes, as well as their information security, even in the event of operational disruptions and unforeseen events.
- The data centers used – unless otherwise agreed or otherwise documented, the data centers of IONOS and Amazon Web Services (AWS) in the Frankfurt, Germany region – have extensive and modern fire alarm and extinguishing devices, climate and temperature controls, as well as measures for surge protection and uninterruptible power supply (UPS). For more information, see the respective portals of IONOS and AWS on the subject of cloud security.
- The commissioning of the productive systems provided, their configuration and the import of changes are carried out traceably and transparently via an automated deployment infrastructure (“infrastructure-as-code principle”).
- Productive data is backed up daily as a full backup. All backups are kept redundant in cold standby mode, have automated fail over and in encrypted form (AES256) – unless otherwise agreed or otherwise documented, 2 availability zones, German region-. Technical access restrictions, automatic historization and deletion policies, as well as strict organizational requirements for handling backups are implemented.
- Disaster recovery processes to restore data and processes for randomly checking the recoverability are defined.
- Capacity management measures to monitor the resource consumption of the systems as well as the planning of future resource requirements are implemented.
- Procedures for handling and reporting incidents (incident management) including the detection and reaction to possible security incidents are defined.
Effectiveness Test
The measures for effectiveness testing serve to regularly check and evaluate the effectiveness of all the technical and organizational measures described above.
- Data protection coordinators are defined and commissioned to accompany changes in internal work processes from a data protection perspective, to point out data protection aspects and to coordinate with the data protection officer. There are regular meetings between the data protection officer and the data protection coordinators, including the review of the operating processes that affect the processing of personal data and the revision of the associated technical and organizational measures.
- Conceptboard provides information security awareness training to its employees to ensure that they understand their obligations not to collect, process or use customer information without authorization and to maintain the confidentiality of customer information, even after the cessation of any function involving customer information. Employees are instructed to immediately report any identified violations of data protection regulations, suspected possible violations, or other incidents related to information security to the data protection coordinators. Disciplinary measures exist in the event of non-compliance with confidentiality obligations.
- Conceptboard performs employment verification, including validation of proof of identity, for new hires in positions that require access to systems and applications that store customer information. Upon employee termination, whether voluntary or involuntary, Conceptboard immediately disables all access to the systems.
- Conceptboard permanently assesses risks related to processing of Personal Data and creates an action plan to mitigate identified risks.
- Constant security audits of the service are carried out by independent IT security experts as part of a Bug Bounty Program. These tests include automated and manual penetration tests. Upon customer’s request, Conceptboard will provide customer with a summary of the most recent report, subject to appropriate confidentiality protections.
- Third parties perform audits and attest to ISO 27001 ISO/IEC:2017 compliance standard annually.
- Conceptboard maintains measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the Conceptboard computing environments. Security measures include: anti-virus / anti-malware, vulnerability scanning, threat notification advisories, patch management.