- Physical access control
- 1.1. Physical and technical access control measures:
- Documentation of implemented entrance control measures
Access to areas of the buildings is defined and documented. The implementation of the entrance control measures will be checked based on the documentation.
Entrance controls fulfill the following requirements:
- Areas in scope of the entrance control regime are clearly defined and documented.
- The number of persons with access to restricted areas is reduced to the necessary minimum.
- Persons from outside the company are granted access only after it has been determined that the access is necessary.
- The documentation includes a list of persons who are authorized to access the different areas.
- Logging of entries and/or exits
Each physical entry to and exit from the location is logged.
- Evaluation of logs recorded by physical entry control systems
Log files are checked on a regular basis and after any incident.
- Purpose limitation of the stored access event data
Personal data regarding a data subject's entries to and exits from a building are processed only for the purpose of data protection controls.
- Supply and mail delivery security system
Persons who deliver mail or goods to the organization are prevented from gaining physical access.
- Scope of building security policy
The physical access and security policy for the premises addresses physical access threats.
- Physical security of facility rooms
Facility rooms containing technical and/or sensitive infrastructure installations (e.g. cable rooms and wiring closets) are protected from unauthorized access.
- Retention time of physical access logs
Physical access entry logs are stored only for as long as necessary to achieve the legitimate purposes for which the information in those logs has been collected.
- Check of the entry control log files
Entry control log files are evaluated in a timely, consistent, and compliant manner.
- 1.2. Administrative/Organizational measures implementing Physical Access Controls:
- Physical key management policies
Implementation of the necessary key management policies and procedures, addressing a) keys to rooms containing sensitive or critical information, b) key replacements, c) key usage and sharing, and d) key tracking/auditing of outstanding keys. This measure also considers the installation of new locks when lost keys are replaced.
- Visitors' log
We manage the personal data obligations that arise from keeping a visitor log according to the relevant legal requirements. Where the log contains personal data, the processing of that data is documented.
- 1.3. Technical Rooms
- Physical entries to the server room
Entrance to the server room and to the organization's servers is limited to authorized staff; the room is locked, controlled, and secured.
The persons authorized to access the server rooms are clearly identified.
- Network components access protected
All network components located outside the locked server rooms are otherwise secured with similar physical controls, where applicable.
- Access by visitors/third parties
A process is in place to manage physical access to server rooms by third parties (e.g. where necessary for hardware maintenance).
- Periodic Verifications
All applicable security measures are verified on a regular basis.
- System access control
- 2.1. Network Access Control
- Network Access and Usage Policy
We ensure that registered users only have access to authorized information and services. We document the technical and administrative controls that ensure this access is limited to the specified or pre-approved services.
- Logical Access to Network Services
We ensure that only authorized users have logical access to the network or its sub-parts.
Additionally, and as a minimal control, default passwords must be changed to prevent unauthorized users from altering the configuration settings of network components.
- Network Access Control - Wired Networks
We manage all network access points (either by removing or otherwise disabling network access points that are not required) so that only authorized devices have logical access to the network and its resources.
- Network Access Control - Wireless Network
We ensure that the wireless network is appropriately secured. State-of-the-art encryption protocols are used.
- Penetration and Security Tests
A systematic, holistic process of testing all elements of our environment. This testing includes penetration tests, network scans, social engineering, and phishing exercises.
- 2.2. Third Party Access
- Password Management
A procedure that generates random passwords for third parties requiring maintenance access.
- Remote Maintenance Access
Maintenance network connections are established by designated employees within the company. These connections are stateful in order to manage data flows, unless risk tolerances determine otherwise.
- Software Modifications Via Maintenance Activities
All software modifications are authorized and approved prior to their release into the production environment. The IT Manager is responsible for approving software changes and for the process of releasing/rolling the changes out into the production system.
- Computer Hardware Removal
All hardware remains under the physical control of the organization. Maintenance of hardware is performed under the control of the company's IT.
- User access control
- 3.1. Data Access Protection measures
- Unattended User Equipment
Procedures that detail when users may leave their equipment unattended and how users must secure their equipment from unauthorized access during those permitted instances.
- Usage of encryption on file / folder level
Encryption is used to prevent unauthorized logical access at both the file and folder level.
- Usage of encryption on mobile devices
Mobile devices are encrypted to protect the information stored on them.
- Usage of digital signatures
Digital signature algorithms are used to detect alteration (manipulation) of files and/or information.
- Usage of secure encryption algorithms
We verify that the encryption algorithms in use are still valid, secure, and capable of protecting the encrypted information and files.
- 3.2. Re-use or secure deletion of data carriers / Secure disposal of documents
- Secure disposal of paper documents, data carriers and devices equipped with storage media
A policy on how to handle data carriers and devices with storage media (and the data stored on them) which are no longer in use (hard drives, USB sticks, but also paper).
- Retention period for business documents
Storage media and documents are securely deleted or destroyed after their retention periods have expired.
- Data transfer control
- 4.1. Obligation of employees to data privacy
- The organization’s employees are obligated to maintain data secrecy.
- Obligation
We ensure that all employees who process personal data sign confidentiality and non-disclosure agreements, and that they are sufficiently informed about data security and data protection.
- Information material
We provide all new employees with information about the data protection requirements that apply when processing personal data.
- Termination of employment
We clearly define and document employee termination procedures. Duties and responsibilities are clearly defined so that employment termination is managed from a data protection standpoint.
- 4.2. Physical Data Transfer
- Data Carrier exchange procedures
We track all physical data transfer procedures. We ensure information security during physical transport.
- Handing over of data carriers for maintenance / failure-analysis purposes
Appropriate measures are in place for handing over devices or media that process or store data for maintenance or failure-analysis purposes.
- Provision of data storage media
Our company only releases data storage/processing media (incl. paper) to a third-party service provider once it has signed appropriate data processing contracts.
We ensure that data storage media are delivered only to the correct recipient.
- 4.3. Electronic Data Transfer
- Overview about automated data exchange procedures
We document all electronic data transfer interfaces which may require or result in an automated transfer of personal data.
- Data encryption
We encrypt personal data with 256-bit encryption prior to transfer. Alternatively, we use transport encryption protocols (TLS, with the industry-standard AES-256 encryption algorithm) that ensure secure communications.
API and application endpoints accept TLS connections only and score an "A" rating on SSL Labs' tests.
- 4.4. Anonymization and Pseudonymization of data
- Anonymization / Pseudonymization
ANONYMISATION: modification of personal data in such a way that it is either impossible, or requires disproportionate effort, to trace the information back to a single individual.
PSEUDONYMISATION: hiding real identities behind aliases. An individual's identity can be revealed by a list showing the relation between real identity and alias. Example: public announcement of test results in universities using lists with registration numbers (instead of the students' real names).
Where applicable, prior to the transfer of personal data, we anonymize or pseudonymize the data sets.
- Ensuring confidentiality of aliases used for pseudonymization
We ensure that when pseudonymized personal data is transmitted, the receiver is not able to re-identify the data subjects; in particular, the list relating aliases to real identities is not shared with the receiver.
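The pseudonymization described above, as an added example (not the company's own code and not part of the original exhibit): a Python pseudonymizer that replaces e-mail addresses with HMAC-based aliases and keeps the alias table on the controller side, beside the plain-hash variant that a receiver can reverse by guessing. The sample records, the field names, the key and the candidate list are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records (assumption: illustrative, not data from the exhibit).
RECORDS = [
    {"email": "alice@example.com", "course": "CS101", "grade": 91},
    {"email": "bob@example.com",   "course": "CS101", "grade": 78},
    {"email": "alice@example.com", "course": "CS202", "grade": 85},
]


class Pseudonymizer:
    """Controller-side pseudonymization.

    Aliases are HMAC-SHA256 tags under a secret key, so the same person gets
    the same alias (records stay linkable for the receiver's analysis) while
    the key and the alias table stay with the controller.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.alias_table: Dict[str, str] = {}  # alias -> real identity, never transmitted

    def alias_for(self, identity: str) -> str:
        tag = hmac.new(self.key, identity.encode("utf-8"), hashlib.sha256).hexdigest()
        alias = tag[:16]  # truncated for readability; keep the full tag for large populations
        self.alias_table[alias] = identity
        return alias

    def pseudonymize(self, records: Iterable[dict], id_field: str = "email") -> List[dict]:
        """Return copies of the records with the identifier replaced by an alias."""
        out = []
        for rec in records:
            copy = dict(rec)
            copy["alias"] = self.alias_for(copy.pop(id_field))
            out.append(copy)
        return out

    def reidentify(self, alias: str) -> str:
        """Only the controller, holding the alias table, can do this."""
        return self.alias_table[alias]


def unkeyed_alias(identity: str) -> str:
    """The weak variant: a plain hash of the identifier. It looks pseudonymous
    but is reversible by anyone who can enumerate likely identifiers."""
    return hashlib.sha256(identity.encode("utf-8")).hexdigest()[:16]


def receiver_guess(alias: str, candidates: Iterable[str],
                   key: Optional[bytes] = None) -> Optional[str]:
    """What the receiver can attempt: recompute aliases for guessed identities.
    Succeeds against unkeyed_alias; against the keyed alias only if the key leaked."""
    for cand in candidates:
        if key is None:
            guess = unkeyed_alias(cand)
        else:
            guess = hmac.new(key, cand.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        if hmac.compare_digest(guess, alias):
            return cand
    return None


if __name__ == "__main__":
    p = Pseudonymizer()
    shipped = p.pseudonymize(RECORDS)          # this is what the receiver gets
    print(shipped)
    directory = ["alice@example.com", "bob@example.com"]
    print("receiver guess, keyed alias:", receiver_guess(shipped[0]["alias"], directory))
    print("receiver guess, unkeyed alias:",
          receiver_guess(unkeyed_alias("alice@example.com"), directory))
    print("controller re-identifies:", p.reidentify(shipped[0]["alias"]))
```

The keyed construction is what makes the measure hold: a plain SHA-256 of an e-mail address is recomputable from any address list, so it pseudonymizes only in name. The key is therefore as sensitive as the alias table itself and must not accompany the data set.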
- 4.5. Data Storage
- The digital data collected or generated via our website are stored in clouds and on servers in Germany that are controlled and maintained by the following companies, which are WELLKAUF EURO LTD's (sub)processors:
- OVHCloud (https://www.ovhcloud.com/en/): for the data from the website (e.g. User's Content) except photos, pictures and images,
- Cloudflare R2 storage (https://www.cloudflare.com): for photos, pictures (incl. profile pictures, publications, pictures inside the chats) and images from the website.
The digital data collected or generated outside of the website (e.g. via email, messengers, digitisation of documents) are stored on our computers in the United Kingdom offices and in connected clouds (e.g. OneDrive, SharePoint), accessed via Windows Active Directory accounts.
The physical data (hard copies) are stored in locked cupboards in the United Kingdom offices. Secret and sensitive data (hard copies) are stored in safes in the United Kingdom offices, with access restricted to authorized representatives of the management.
- Input control
- 5.1. Log Files
- Logging Processes
We document the logging of user activities and relevant application activities.
- Analysis of log files
We deploy, and document, the software and audit tools used to check and parse log files.
- Protection of log information
We ensure that logging facilities and log files are protected against tampering and unauthorized access.
- Storage of logging information
We define and document retention periods for log files and for the data recorded in them.
- Purpose limitation of logging information
The use of the information included in the log files is limited to the purpose of ensuring data security and data protection.
- Contract control
- 6.1. Agreements and auditing activities
- Contractual agreements with data processors
We set up appropriate contracts (with data protection and security provisions) with all data processors.
- Requirements regarding Article 28 para. 3 GDPR
- Explanation:
According to Article 28 para. 3 (a) through (h) GDPR the contract shall stipulate, that the processor:
(a) processes the personal data only on documented instructions from the controller, including regarding transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
(b) ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- TOM:
Where necessary, we verify that contractual provisions required by Article 28 para. 3 (a) through (h) GDPR are included in the data processing agreements.
- 6.2. Selection of data processors
- Available information concerning the data processor
We verify the data processor's contact information as well as its privacy policy and technical and organizational measures.
- Documentation of selection procedure
We document the process for selecting the data processor, the requirements for selecting a data processor, and how the selected data processor meets those requirements.
- 6.3. Instructions/Orders
- Persons authorized to issue an instruction (controller-side)
We set up a list of all personnel and representatives who are authorized to determine data processing operations.
- Instruction recipients (processor-side)
We obtain (and verify where applicable) a list of the data processor's employees who are responsible for receiving data processing instructions from the data controller.
- Instructions documented
We document all data protection and data processing instructions.
- Availability control
The availability control minimizes the risk of unwanted deletion of data or the unwanted "loss" of data. An effective availability control ensures that personal data which shall be available is in fact available.
Availability control has become more important since companies tend to outsource their data processing procedures to third parties (e.g. using cloud services).
- 7.1. Analysis of risks and weakest points
Analyzing the risks and weakest points helps the company to design a security concept that eliminates known weaknesses and minimizes known risks.
- Has a risk analysis (and weaknesses analysis) been conducted?
We identify and document any potential risks that could hinder the operational availability of the organization's IT, and we identify and document the vulnerabilities found by the risk analysis.
- Corresponding elimination of weaknesses
We define and document a plan to eliminate the risks and weaknesses identified during the risk analysis.
- 7.2. Planning
Has the controller taken measures concerning availability control into account when planning?
- Technical infrastructure
We ensure the sufficiency of the infrastructure (e.g. communication lines, electrical power lines, etc.).
- Separation of electric circuits
We deploy IT systems, air conditioning systems and other electricity-requiring systems on separate, segregated circuits where possible.
- Distribution of network components
We deploy network components in different, protected areas to minimize the risk and impact of failure.
- Size and equipment of Printer Room(s)
We provide rooms that are large enough to house printers and their equipment.
We organize business resources sufficient to ensure business continuity.
- 7.3. Technical quality and equipment IT area
- Size and location of IT rooms
We ensure that server and central IT rooms are sufficient in size and located in the inner parts of the building.
- Server room designed as a separate fire compartment
To the extent possible, we design the server room as a segregated fire compartment.
- Water pipes in the IT area
Water pipes are removed from the IT server room, if present.
- 7.4. UPS, and overvoltage protection
- Uninterruptable Power Supply (UPS)
We document how long each UPS-supported device will be supplied with power in case of power failure.
- Active ventilation in case of larger UPS installations
We ensure that the room containing the UPS system is sufficiently ventilated.
- UPS installation according to VDE 0100, 0510
- Explanation:
The standard DIN VDE 0100 describes the requirements for the operation of low-voltage systems. VDE 0510 includes regulations for batteries and battery installations, such as those used for operating UPSs (uninterruptible power supplies).
- TOM:
We install UPS devices according to the specified requirements.
- Monitoring of UPS output voltage(s)
We monitor the UPS output voltage.
- Internal overvoltage protection UPS system
We verify that the UPS system is equipped with an internal overvoltage protection mechanism.
- Overvoltage protection devices
We deploy surge protectors (or other overvoltage protection mechanisms) to prevent power supply peaks from damaging IT equipment.
- 7.5. Disaster prevention and IT emergency concept
- Examination disaster possibilities
We evaluate all possible disaster scenarios (such as strikes, staff unavailability, property damage, fire, explosion, earthquake, flooding, etc.).
- Alternative rooms available
- Explanation:
We ensure business continuity by having alternative rooms available.
- Existence backup data center
We ensure, and periodically verify, that backup data center resources are available.
- Visibility of aid organization's telephone numbers
We display telephone numbers and help line numbers so that all employees can inform the rescue organizations in case of an emergency.
- IT restart planning
We document the "re-boot"/"re-start" procedure for IT.
- Publication emergency concept
We communicate the emergency and restart procedures and responsibilities to all relevant parties.
- 7.6. Backup concept (policy)
Data must be protected from loss and be quickly restored, if lost.
- Documentation of requirements
We have a backup concept (covering all potential scenarios and designating the required space for the backups). We define the roles and responsibilities of all employees who are responsible for the backups.
- Protection against theft or destruction
We protect backup media from damage or theft.
- Functionality testing
We regularly test backups for integrity and restorability.
- 7.7. Archiving of Business documents
- Existence of externally located disaster archive
We maintain a security archive (disaster archive) in a different fire compartment.
- Planning of the archive room
We plan the deployment of an archive room, considering all materials and data that need to be archived, destruction processes, etc.
We ensure that physical access to the archive rooms is restricted to authorized persons only.
- Storage and retrieval of data carriers and documents
We ensure that the storage of, and the granting of access to, archived documents is carried out by authorized archive personnel only.
- Fire-resistant safes
We store important documents and storage media in fire- and theft-resistant containers.
- Retention period
We destroy all documents, storage media and data when the applicable privacy requirements and retention period have ended.
- Separation rule
The separation rule guarantees that data which have been collected for different purposes can be processed separately.
- Security measures that ensure that in each case only authorized users have access to the data.
- Modules in the processor’s database differentiate which data is used for what purpose, e.g., distinction based on functionality.
- Data is stored in the database in separate standardized directories and organized according to the modules or functions it supports; and
- Interfaces, batch processing and reports are each designed only for a certain purpose and function, so that data created for a certain purpose can be processed separately.
Customer data is stored in multi-tenant datastores; we do not have individual datastores for each customer. However strict privacy controls exist in our application code that are designed to ensure data privacy and to prevent one customer from accessing another customer’s data (i.e., logical separation).
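The logical separation described above, as an added example (not the company's application code and not part of the original exhibit): a Python/SQLite repository in which every read and write is constrained by the tenant bound to the authenticated session, beside the unscoped lookup that would let one customer read another customer's row. The table, the tenant identifiers and the records are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Authenticated context. tenant_id is bound at login from the user's own
    record and is never taken from a request parameter."""
    user_id: str
    tenant_id: str


def make_db() -> sqlite3.Connection:
    """In-memory multi-tenant datastore with constructed sample rows
    (assumption: schema and data are illustrative only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, title) VALUES (?, ?, ?)",
        [(1, "tenant-a", "Contract A-17"),
         (2, "tenant-b", "Payroll 2024-Q1"),
         (3, "tenant-a", "Invoice A-18")],
    )
    return conn


def get_document_unscoped(conn: sqlite3.Connection, doc_id: int) -> Optional[Tuple]:
    """Missing tenant predicate: any authenticated caller can read any tenant's
    row by guessing its id (a cross-tenant insecure direct object reference)."""
    return conn.execute(
        "SELECT id, tenant_id, title FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()


class TenantRepository:
    """Every query carries the session's tenant_id; the class offers no way
    to touch rows without it."""

    def __init__(self, conn: sqlite3.Connection, session: Session) -> None:
        self.conn = conn
        self.session = session

    def get_document(self, doc_id: int) -> Optional[Tuple]:
        row = self.conn.execute(
            "SELECT id, tenant_id, title FROM documents "
            "WHERE id = ? AND tenant_id = ?",
            (doc_id, self.session.tenant_id),
        ).fetchone()
        # Defense in depth: re-check the returned row so that a later edit
        # dropping the predicate still cannot hand out another tenant's data.
        if row is not None and row[1] != self.session.tenant_id:
            raise PermissionError("tenant mismatch on returned row")
        return row  # None for foreign rows, indistinguishable from "not found"

    def list_documents(self) -> List[Tuple]:
        return self.conn.execute(
            "SELECT id, tenant_id, title FROM documents "
            "WHERE tenant_id = ? ORDER BY id",
            (self.session.tenant_id,),
        ).fetchall()

    def update_title(self, doc_id: int, title: str) -> int:
        """Writes are scoped the same way; returns the number of rows changed
        (0 means the row does not belong to this tenant)."""
        cur = self.conn.execute(
            "UPDATE documents SET title = ? WHERE id = ? AND tenant_id = ?",
            (title, doc_id, self.session.tenant_id),
        )
        return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    repo_a = TenantRepository(db, Session(user_id="u1", tenant_id="tenant-a"))
    print("unscoped read of doc 2 by a tenant-a user:", get_document_unscoped(db, 2))
    print("scoped read of doc 2 by a tenant-a user:  ", repo_a.get_document(2))
    print("tenant-a listing:", repo_a.list_documents())
```

Returning "not found" rather than "forbidden" for another tenant's id avoids confirming to the caller that the id exists. The same predicate belongs on deletes and on any reporting or batch path, which is where unscoped queries tend to reappear.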
- Guarantee
Processor pledges that the technical and organizational measures from this Exhibit 3 (Technical and organizational Measures) are observed and implemented.
- Data processing location
Personal data are processed at the following locations:
Country: GERMANY (storage servers and clouds), United Kingdom (IT support), United Kingdom (storage and maintenance control), United Kingdom (processing control, software and maintenance services for marketing and communication with Customer)