GDPR

Technical and organizational measures in accordance with Art. 32 GDPR

  1. Confidentiality in accordance with Art. 32 (1) (b) GDPR

    1. Physical access control:

      Protection against unauthorized access to data processing systems is ensured by:

      • Doorman, security personnel, and security gate with multi-level access control system
      • Video surveillance of the entrance area, all corridors, and data processing rooms
      • Manual locking systems (locked server cabinets)
      • Third parties are only permitted to work on assignments/projects accompanied by employees
      • Visitor logging

    2. System access control:

      Measures to prevent unauthorized use of data processing systems:

      • Exclusively cable-based networks (no WLAN)
      • Activity monitoring (including alarms) of unused network interfaces
      • Unused interfaces of server systems (e.g., USB ports) are deactivated
      • Operation and ongoing development of firewalls
      • Documented allocation policy for user IDs and keys/passwords
      • Access to data processing systems with a personal user ID and private key or secure password
      • Industry-standard password policies
      • Logging of logins and failed logins
      • Automatic blocking of users

    3. Data access control:

      Measures to ensure that every user authorized to use the data processing systems can only access the data they are authorized to access and that personal data cannot be read, copied, modified, or removed without authorization:

      • Use of standard authorization profiles (user groups/roles)
      • Dedicated access for applications
      • Regular, random review and updating of authorizations
      • Individual reviews and updates when necessary (e.g., an employee's change of department)
      • Standard procedure for employee departures

    4. Separation:

      Measures to ensure that data collected for different purposes is stored separately:

      • Logical customer separation (software-side)
      • Separation through separate system/FTP users
      • Separation of data from different customers in separate directories (shared web hosting/server and shared email hosting services) and on separate partitions (virtual servers)


  2. Integrity in accordance with Art. 32 (1) (b) GDPR

    1. Disclosure control:

      Measures to ensure that personal data cannot be read, copied, altered, or removed by unauthorized persons during electronic transmission or storage, as well as during transport of the data carriers, and that it can be checked and determined at which points a transmission of personal data is intended by data transmission facilities (depending on the project):

      • Access via VPN or other certificate-based or HTTPS-encrypted remote connection
      • Use of connection encryption at system boundaries
      • Maintaining an inventory of external storage media and controlled destruction of data storage media

    2. Input control:

      Measures to ensure that it can be subsequently checked and determined whether and by whom personal data has been entered, edited, and removed:

      • Logging of connection data/access for shared web hosting/server and shared email server services
      • Logging of work for system operating and support services (transfer of data from third-party systems)
      • Regulations regarding access to logs and deletion of logs

    3. System security:

      • Operation of virus scanners and other software for malware detection
      • Use of firewalls and intrusion detection systems
      • Regular security checks at the infrastructure and application level

    4. Software security:

      • For shared web hosting services and managed servers, the contractor assumes ongoing maintenance of the operating system and the associated basic software (e.g., system libraries)
      • For dedicated systems, the client is responsible for the ongoing maintenance of the systems


  3. Availability, Resilience, and Recoverability

    1. Availability:

      Measures to ensure that personal data is protected from accidental or deliberate destruction and loss:

      • Server operation in the Interxion data center, 1210 Vienna
      • Protective measures in the data center:

        • UPS (uninterruptible power supply)
        • Surge protection
        • Air conditioning with controlled temperature and humidity (humidification/dehumidification)
        • Protection against fire and water ingress

      • Redundant network and server infrastructure
      • Hard disk mirroring (hard disk storage in RAID arrays)
      • Monitoring of all server systems through internal and external monitoring
      • Spare parts for components with a high and very high probability of failure stored on site

    2. Resilience:

      Maintaining reserve capacity to compensate for hardware damage (operation of mirrored systems):

      • Maintaining spare hardware to ensure emergency operation in the event of hardware damage
      • Robust emergency plans with ongoing evaluation

    3. Recoverability (backup and recovery concept):

      • Regular creation of backups
      • Regular testing of the recoverability of backups
      • Definition of deletion periods for backup data


  4. Procedures for regular review, assessment, and evaluation

    1. Order control:

      Measures to ensure that personal data can only be processed on the instructions of the client:

      • If necessary, contract data processing agreements will be concluded between the contractor and any subcontractors

    2. Data Protection Management:

      • A data protection coordinator has been appointed
      • The contact details of the data protection coordinators are publicly accessible
      • Employees are regularly trained

    3. Incident Response Management:

      An organizational and technical procedure in the event of a security incident has been defined and implemented. In such cases, follow-up and monitoring are carried out in the sense of a continuous improvement process:

      • The contractor will notify the client immediately
      • All incidents are documented and regularly evaluated

    4. Data protection-friendly default settings:

      It is ensured that technical and organizational measures have been taken that comply with data protection through technical design and through data protection-friendly default settings within the meaning of Art. 25 (2) GDPR:

      • Logs are recorded exclusively in anonymized form. A change in the log format to record personal data is not planned
      • Directory contents are not listed by web servers by default (directory listing disabled). The client can change this configuration
      • Shared server and vServer services have the most current available software versions at the time of setup
      • Connection encryption (SSL/TLS) is available free of charge for shared services
      • Access to mailbox contents with shared email server and shared web hosting services is only possible with active transmission encryption
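      The three web-server defaults listed above (anonymized logs, no directory listing, encrypted connections) can be expressed in a single web-server configuration. The fragment below is an added illustration, not configuration taken from this document or from the provider; it assumes an Apache httpd server, and the host name, document root, log path and certificate paths are placeholders.

```apache
# Added example (not from the original document): Apache httpd fragment
# illustrating the "data protection-friendly default settings" above.
# Host name, paths and certificate locations are placeholders.

# 1. Anonymized access log.
#    The default "combined" format starts with %h (client IP address), which
#    is personal data under the GDPR:
#      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
#    The format below omits the client address, remote user and User-Agent
#    entirely, keeping only timestamp, request line, status and size.
LogFormat "%t \"%r\" %>s %b" anonymized
CustomLog /var/log/apache2/access.log anonymized

# 2. Directory listing disabled.
#    Without an index file, a request for a directory now returns 403
#    instead of enumerating its contents. AllowOverride All lets the
#    client re-enable it per directory via .htaccess (Options +Indexes),
#    matching "the client can change this configuration".
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# 3. Connection encryption.
#    Plain HTTP is answered only with a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>
```

      One caveat on the log format: the request line (%r) still contains the full URL including any query string, so applications that place e-mail addresses, names or tokens in query parameters will re-introduce personal data into an otherwise anonymized log; such parameters belong in request bodies or should be stripped before logging.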

    5. Regular evaluation:

      • The data protection agendas are regularly reviewed, evaluated, and adjusted by those responsible
      • Technical and organizational measures are continuously being developed


  5. Subcontractors

    1. Currently, no subcontractors are active for the processor to directly process personal data.
    2. For the fulfillment of support requests, the software manufacturers and their support are considered vicarious agents.
    3. The following company is responsible for providing the technical infrastructure of Unlimit-Media Services:

      Cyber-Atelier
      Bahnstrasse 38
      A-2222 Bad Pirawarth
      Tel.: +43 1 272 92 51 - 0
      Fax: +43 1 272 92 51 - 9
      Email: office@cat.at
      UID: ATU49901502