Constructor Technology currently implements and maintains an information security and compliance program (“Information Security Program”) that includes administrative, physical, and technical controls to protect Customer Data. Constructor Technology will maintain the Information Security Program as necessary for compliance with applicable law, contractual requirements and industry data security standards.
Constructor Technology conducts periodic risk assessments and reviews and, as appropriate, revises its Information Security Program at least annually or whenever a material change in Constructor Technology’s business practices affects the security, confidentiality or integrity of Customer Data. Constructor Technology will not modify its information security practices in a manner that will weaken or compromise the confidentiality, availability or integrity of Customer Data.
As part of the Information Security Program, Constructor Technology has a process to assess no less than annually these Technical and Organizational Measures to determine that they comply with applicable law and the relevant Agreement and adjust them as appropriate based on the assessment.
Constructor Technology clearly defines roles and responsibilities for Constructor Technology Personnel. Constructor Technology conducts screening and background checks for all Constructor Technology Personnel before employment or engagement.
Constructor Technology has and maintains a security and privacy awareness training program to train Constructor Technology Personnel no less than annually about their data protection obligations. This training program includes training about data classification liabilities, security controls and practices, and security incidents and data breaches. Prior to providing access to Customer Data, Constructor Technology requires that Constructor Technology Personnel understand their obligation to comply with the Information Security Program and documents the same.
Constructor Technology has a disciplinary process for Constructor Technology Personnel who fail to strictly comply with the Information Security Program or other established security policies or procedures. Constructor Technology has a process in place to ensure that the confidentiality and non-disclosure obligations agreed and acknowledged by Constructor Technology Personnel remain in effect after the termination of the Constructor Technology Personnel’s relationship with Customer.
Constructor Technology ensures that all Customer Data is processed in secure, cloud-based data centers that adhere to industry-leading security standards. While Constructor Technology does not manage physical locations where Customer Data is processed, we maintain oversight and collaboration with our cloud providers to ensure comprehensive physical security measures are in place.
Constructor Technology, in partnership with its cloud service providers, deploys the following physical access control measures at cloud data centers where Customer Data is processed. Access to Customer Data outside of these secure cloud environments is strictly prohibited:
a) Documented processes for determining, changing, and revoking access authorization to cloud infrastructure.
b) Physical access to cloud data centers is restricted to authorized personnel only.
c) Comprehensive measures for the prevention and detection of unauthorized access and access attempts are employed by cloud providers, including but not limited to: multi-factor authentication, video surveillance, intrusion detection systems, and strict security protocols.
d) Periodic and documented reviews of access authorizations, conducted by both Constructor Technology and its cloud service providers, ensure that only authorized personnel have access to critical systems.
Constructor Technology ensures that unauthorized persons do not have access to data processing systems for Customer Data. Constructor Technology deploys the following measures to control access to systems and networks in which Customer Data are processed:
a) Documented processes for authorizing, changing and revoking access to the data processing systems and non-public networks for Customer Data are in place.
b) Access rights are granted on “Need to Know” and “Least Privilege” bases.
c) Effective control of authentication, authorization and accounting is implemented through personalized and unique user identifications and a secure authentication process.
d) Documented reviews of logical access authorizations are periodically conducted.
e) Documented reviews of system access authorizations and role assignments are periodically conducted.
f) Appropriate measures to secure the network infrastructure are documented and monitored.
Only persons authorized to use a data processing system are allowed to access Customer Data, subject to their access authorization. Customer Data cannot be read, copied, changed or removed without authorization during processing, use and after storage.
Constructor Technology will take the following measures for access control, insofar as it is itself responsible for access authorization to the data processed under the order:
a) A documented process for authorizing access, changing, copying and withdrawal of data is in place.
b) Effective control of access authorization through an adequate rights and roles concept is in place.
c) Regular and documented review of data access authorizations and role assignment is periodically conducted.
d) Reasonable measures for the protection of terminal equipment, servers and other infrastructure elements against unauthorized access are in place.
e) Data media encryption, using algorithms aligned with the current state of the art, is enforced for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.).
f) Data access and data operations are subject to audit logging.
g) Audit logs are periodically reviewed.
Constructor Technology has controls to verify whether, when and by whom Customer Data are accessed, modified or removed from data processing systems. Constructor Technology ensures that Customer Data are handled in accordance with Customer’s instructions.
Constructor Technology will take the following measures for data entry and processing control:
a) Security policies and procedures classify Customer Data and classifications are verified and maintained as up to date.
b) Handling of Customer Data is documented and includes appropriate instructions for how Customer Data are entered, accessed, modified and removed.
c) Persons entrusted with the processing of Customer Data are given timely advice on relevant provisions on data protection, data protection regulations, related internal procedures and data controller-specific instructions.
d) Data entry and processing operations are logged in auditable logs.
e) When applicable, Constructor Technology has measures to anonymize or pseudonymize Customer Data.
Constructor Technology will take the following measures for transmission control:
a) Appropriate measures to secure the network infrastructure (e.g. Intrusion Detection Systems, use of two-factor authentication for remote and privileged access, separation of networks, encrypted network protocols, etc.) are applied.
b) Data media encryption, using algorithms classified as secure according to the current state of the art, is applied for the protection of mobile devices (laptops, tablet PCs, smartphones, etc.) and data media (external hard drives, USB sticks, memory cards, etc.).
c) Customer Data is transmitted using secure channels.
d) Encrypted communication protocols (such as TLS-based protocols, SSH or IPsec) are used for Customer Data.
Constructor Technology ensures that all Customer Data are protected against accidental or unauthorized unavailability, destruction or loss.
Constructor Technology implements the following measures to ensure availability of Customer Data:
a) Constructor Technology has and maintains documented, formally implemented and tested Business Continuity (BCP) and Disaster Recovery (DRP) programs for systems with Customer Data.
b) Processes for backups and recovery of systems and data are documented.
c) Constructor Technology conducts regular (at least annual) review and testing of backup integrity for systems housing Customer Data.
d) Constructor Technology has a system for ensuring the necessary installation of critical security updates and patches.
e) Constructor Technology deploys anti-virus software on systems commonly affected by malware to protect systems from current and evolving malicious software threats.
Constructor Technology implements a Security Incident Response Plan (SIRP). The SIRP outlines the procedures, protocols, and responsibilities to effectively detect, respond to, and mitigate security incidents that may impact the confidentiality, integrity, or availability of the Customer’s data.
The SIRP includes, but is not limited to:
Actionable steps for restoring services, systems, or data affected by security incidents and preventing further breaches.
Constructor Technology will take the following measures for the separation of data:
a) Constructor Technology has and maintains logical, physical or encryption separation of Customer Data collected for different purposes.
b) Constructor Technology maintains logical and/or physical separation of test, development and production systems environments.
The design of Constructor Technology’s networks, systems, and applications is in alignment with Constructor Technology’s Information Security Program. Applicable security standards and policies are addressed in the system development life cycle and during ongoing operations.
Constructor Technology takes the following measures to ensure security of applications and websites:
a) Constructor Technology reviews the security of applications and websites, including testing for common vulnerabilities such as those identified by OWASP and its security requirements, utilizing both automated and manual testing.
b) Constructor Technology performs periodic scanning of operating systems, databases, server applications and network devices for vulnerabilities and configuration compliance.
c) Constructor Technology performs at least annual penetration testing on applications and networks.
d) Constructor Technology develops applications that handle Personal Information using a standard SDLC process, including web assessment, and using approved tools to ensure “Security by Design” and “Privacy by Default” principles are implemented.
e) When applicable, Constructor Technology uses approved measures to anonymize or pseudonymize personal data.
a) Constructor Technology maintains, and requires processor and sub-processor contractors to maintain, records of all Customer Data processing activities.
b) Each applicable agreement between Constructor Technology and (sub)processor contains a provision that requires (sub)processors to assist Customer and Constructor Technology to demonstrate compliance with Applicable Data Protection Laws.
c) Constructor Technology maintains, and requires processor and sub-processor contractors to maintain, a process for analysing the lawfulness of demands or orders received from government authorities or law enforcement about Customer Data and whether release of Customer Data is authorized or required by law.