1. Information Security Program
Alemira currently implements and maintains an information security and compliance program (“Information Security Program”) that includes administrative, physical, and technical controls to protect Customer Data. Alemira will maintain the Information Security Program as necessary for compliance with applicable law, contractual requirements and industry data security standards.
Alemira conducts periodic risk assessments and reviews and, as appropriate, revises its Information Security Program at least annually or whenever a material change in Alemira’s business practices affects the security, confidentiality or integrity of Customer Data. Alemira will not modify its information security practices in a manner that will weaken or compromise the confidentiality, availability or integrity of Customer Data.
As part of the Information Security Program, Alemira has a process to assess no less than annually these Technical and Organizational Measures to determine that they comply with applicable law and the relevant Agreement and adjust them as appropriate based on the assessment.
2. Alemira Personnel
Alemira clearly defines roles and responsibilities for Alemira Personnel. Alemira conducts screening and background checks for all Alemira Personnel before employment or engagement.
Alemira has and maintains a security and privacy awareness training program to train Alemira Personnel no less than annually about their data protection obligations. This training program includes training on data classification, liabilities, security controls and practices, and security incidents and data breaches. Prior to providing access to Customer Data, Alemira requires that Alemira Personnel understand their obligation to comply with the Information Security Program and documents the same.
Alemira has a disciplinary process for Alemira Personnel who fail to strictly comply with the Information Security Program or other established security policies or procedures. Alemira has a process in place to ensure that the confidentiality and non-disclosure obligations agreed and acknowledged by Alemira Personnel remain in effect after the termination of the Alemira Personnel’s relationship with Customer.
3. Physical Security
Alemira maintains commercially reasonable security systems at all Alemira locations at which an information system that processes Customer Data is located. Alemira reasonably restricts access to Customer Data. Unauthorized persons are denied access to locations and equipment where Customer Data are Processed.
Alemira deploys the following physical access control measures at locations where Customer Data are processed. Access to Customer Data outside of these locations is not permitted:
- Documented process for determining, changing and withdrawing access authorization.
- Physical access to the buildings and data processing facilities is restricted.
- Measures for the prevention and detection of unauthorized access and access attempts (e.g., regular review of burglary protection of the doors, gates and windows, alarm systems, video surveillance, security guards, security patrol) are deployed and monitored.
- Periodic and documented review of access authorizations is conducted.
4. Logical Access Control to Systems
Alemira ensures that unauthorized persons do not have access to data processing systems for Customer Data.
5. Access Control to Customer Data
Only persons authorized to use a data processing system are allowed to access Customer Data, subject to their access authorization. Customer Data cannot be read, copied, changed or removed without authorization during processing, use and after storage.
Alemira will take the following measures for access control, insofar as Alemira itself is responsible for authorizing access to the data it processes on Customer’s behalf:
- A documented process for authorizing the access to, changing, copying and withdrawal of data is in place.
- Effective control of access authorization through an adequate rights and roles concept is in place.
- Regular and documented review of data access authorizations and role assignments is conducted.
- Reasonable measures for the protection of terminal equipment, servers and other infrastructure elements against unauthorized access are in place.
- Data media encryption, using algorithms aligned with the current state of the art, is enforced for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.).
- Data access and data operations are subject to audit logging.
- Audit logs are periodically reviewed.
6. Data Entry and Data Processing Control
Alemira has controls to verify whether, when and by whom Customer Data are accessed, modified or removed from data processing systems. Alemira ensures that Customer Data are handled in accordance with Customer’s instructions.
Alemira will take the following measures for data entry and processing control:
- Security policies and procedures classify Customer Data and classifications are verified and maintained as up to date.
- Handling of Customer Data is documented and includes appropriate instructions for how Customer Data are entered, accessed, modified and removed.
- Persons entrusted with the processing of Customer Data are given timely advice on relevant provisions on data protection, data protection regulations, related internal procedures and data controller-specific instructions.
- Data entry and processing operations are logged in auditable logs.
- When applicable, Alemira has measures to anonymize or pseudonymize Customer Data.
7. Data Transfer Control
Alemira will take the following measures for transmission control:
- Appropriate measures to secure the network infrastructure (e.g., network port security per IEEE 802.1X, Intrusion Detection Systems, use of two-factor authentication for remote and privileged access, separation of networks, encrypted network protocols, etc.) are applied.
- Formal security procedures for employees regarding handling of mobile devices and data carriers are documented and enforced.
- Data media encryption, using algorithms classified as secure according to the current state of the art, is used for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.).
- Customer Data are transmitted using secure channels.
- Encrypted communication protocols (such as TLS-based protocols, SSH or IPsec) are used for Customer Data.
8. Availability Control
Alemira ensures that all Customer Data are protected against accidental or unauthorized unavailability, destruction or loss.
Alemira implements the following measures to ensure availability of Customer Data:
- Alemira has and maintains documented, formally implemented and tested Business Continuity (BCP) and Disaster Recovery (DRP) programs for systems with Customer Data.
- Processes for backups and recovery of systems and data are documented.
- Alemira conducts regular (at least annual) review and testing of backup integrity for systems housing Customer Data.
- Alemira has a system for ensuring the immediate installation of critical security updates and patches.
- Alemira deploys anti-virus software on all systems commonly affected by malware to protect systems from current and evolving malicious software threats.
- Alemira has and maintains fire alarm systems in server rooms, data centers and other critical infrastructures.
- Alemira does not process Customer Data on unsupported systems and applications.
Alemira implements a Security Incident Response Plan (SIRP). The SIRP outlines the procedures, protocols, and responsibilities to effectively detect, respond to, and mitigate security incidents that may impact the confidentiality, integrity, or availability of the Customer’s data.
The SIRP includes, but is not limited to:
- Clear escalation and notification procedures for reporting security incidents as required by applicable laws and regulations.
- Procedures for assessing the severity and scope of a security incident.
- Steps to contain and mitigate security incidents, including coordination with third-party providers.
- Procedures for preserving evidence, conducting forensic investigations, and collaborating with law enforcement, if applicable.
- Communication protocols for notifying affected parties, including Customer’s customers or employees, in the event of a security breach.
- Actionable steps for restoring services, systems, or data affected by security incidents and preventing further breaches.
9. Separation Control
Alemira will take the following measures for the separation of data:
- Alemira has and maintains logical, physical or encryption-based separation of Customer Data collected for different purposes.
- Alemira maintains logical and/or physical separation of test, development and production system environments.
10. Website and application security (Penetration testing, vulnerability scanning)
The design of Alemira’s networks, systems, and applications is aligned with Alemira’s Information Security Program. Applicable security standards and policies are addressed in the system development life cycle and during ongoing operations.
Alemira takes the following measures to ensure security of applications and websites:
- Alemira reviews the security of applications and websites, including testing for common vulnerabilities such as those identified by OWASP and these security requirements, utilizing both automated and manual testing.
- Alemira performs periodic scanning of operating systems, databases, server applications and network devices for vulnerabilities and configuration compliance.
- Alemira performs at least annual penetration testing on applications and networks.
- Alemira develops applications that handle Personal Information using a standard SDLC process, including web assessment, and using approved tools to ensure “Security by Design” and “Privacy by Default” principles are implemented.
- When applicable, Alemira uses approved measures to anonymize or pseudonymize personal data.
11. Measures for ensuring accountability
- Alemira maintains, and requires processor and sub-processor contractors to maintain, records of all Customer Data processing activities.
- Each applicable agreement between Alemira and (sub)processor contains a provision that requires (sub)processors to assist Customer and Alemira to demonstrate compliance with Applicable Data Protection Laws.
- Alemira maintains, and requires processor and sub-processor contractors to maintain, a process for analyzing the lawfulness of demands or orders received from government authorities or law enforcement concerning Customer Data, and whether release of Customer Data is authorized or required by law.