Technical and Organizational Measures (TOMs)

  • Version: 1.0
  • Valid from: 06 November 2022

This document describes the technical and organizational measures implemented by GObugfree AG to meet legal and contractual requirements when processing personal data.

It describes the minimum security standards that GObugfree AG applies to the GObugfree AG Services under the Service Agreement.

Data Access

Objectives

  • Physical access to Personal Data is protected.
  • Data processing systems are used only by approved, authenticated users.

Measures Include

  • GObugfree AG maintains proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing Personal Data.
  • GObugfree AG follows the least privilege principle: only employees with a clear business need have access to Personal Data held on servers, within applications and in databases.
  • Procedures for revoking access rights are in place.
  • A second factor of authentication is required to access systems.
  • All users access GObugfree AG systems with a unique identifier (user ID).
  • GObugfree AG deploys and maintains firewalls in front of all services.
  • The production environment for services is separate from the development and testing environments, and development personnel do not access the production environment except for troubleshooting.
  • Office premises are always locked and only authorized personnel have access. Procedures for revoking physical access rights are in place.

Data Life cycle

Objectives

  • Personal Data remains confidential throughout processing, including through pseudonymization and anonymization where applicable, and remains intact, complete and current during processing activities.
  • Personal Data is protected from accidental destruction or loss, and timely access to, restoration of or availability of Personal Data is ensured in the event of an incident.

Measures Include

  • To support availability of the service, GObugfree AG utilises Microsoft Azure scaling, availability zones and extensive application and infrastructure monitoring.
  • GObugfree AG maintains backups of the data stores, including Customer Data, that support the core functionalities of the GObugfree AG application.
  • GObugfree AG maintains a security incident response capability that includes a documented Personal Data Incident Response Plan for security incidents involving Data. The plan defines how incidents are contained, responded to, assessed and communicated, the roles and responsibilities of GObugfree AG personnel, and a requirement for post-incident reviews.
  • GObugfree AG trains and tests its software engineers and quality assurance personnel in application security and secure coding practices.
  • Security testing includes code and security review, static code analysis tools and a Bug Bounty program.
  • DDoS protection is installed and protects the internet perimeter.
  • Patching, security upgrades, equipment replacements, capacity add-ons and other infrastructure changes are carefully planned and executed.
  • Customer Data stored on GObugfree AG servers is encrypted.
  • Personal Data is stored separately from transactional data.
  • GObugfree AG has an information security management system based on the ISO 27001 standard.

Data Exchange

Objectives

  • Prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during transfer.

Measures Include

  • GObugfree AG encrypts Data in transit between customers and the GObugfree AG application over public networks using TLS 1.2 or higher.
  • Personal Data stored outside the production data center is protected by encryption at rest.
  • GObugfree AG does not access Customer Personal Data except to provide the services it is obligated to perform for the Customer, including general operation and monitoring of the services, troubleshooting and maintenance, security reasons, legal requirements, or at the Customer's request.

Right to information

Objectives

  • Users have a right to be informed about their data.
  • Users can demand that their data be deleted and, if it is incorrect, corrected.

Measures Include

  • GObugfree AG has a process for deleting or releasing customer data on request within 28 days.
  • Requests can be sent via the contact form or by email to [email protected]