Processing safety. (1) The Technical and Organizational Measures described in Appendix 1 are defined as binding. They define the minimum owed by the Contractor. The description of the measures must be made in such detail that a knowledgeable third party can at any time undoubtedly recognize from the description alone what the minimum owed is to be. A reference to information which cannot be taken directly from this agreement or its appendices is not permissible.
Processing safety. (a) The processor implements at least the technical and organizational measures to ensure the security of personal data. These measures include the protection of data against any breach of security resulting in the accidental or unlawful destruct ion, loss, alteration, unauthorized disclosure of or access to personal data (personal data breach). In assessing the appropriate level of security, the parties shall take due account of the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to data subjects.
Processing safety. 6.1 The contractor is responsible, according to article. 32 DSGVO, to take all necessary and suitable technical and organizational measures–taking into account the state of technology, the cost of implementation, the scope, circumstance and the purpose of processing client data, as well as the various likelihood and risks to the rights and freedoms of the affected persons–to guarantee an adequate level of protection against any risks to any client data.
Processing safety. The level of security must reflect: The processing of personal data relates entirely to personal data of a general nature, cf. GDPR Art 6. Accordingly, no personal data are processed, cf. GDPR Art 9. However, the processing involves a large amount of personal data of users, including children under 16 years of age. The data processor is then entitled and required to decide on the technical and organizational security measures to be implemented to establish the necessary (and agreed) level of security. However, the data processor must - in any case and as a minimum - apply the following measures agreed with the data controller: • Access to all data processor systems is secured with MFA and all data processor employees with access to operational environments have signed an enhanced privacy statement. • The primary operating environment is AWS in Ireland, where data is hosted and where AWS's built-in CloudTrail is enabled. This means that all data processor employee logins and actions performed in operational environments are logged for 90 days. Audit logs are continuously monitored. • The products use both "in transit" and "at rest" encryption. This means, among other things, that all connections to the backend are encrypted with TLS v1.3 "in transit". Encryption "at rest" depends on the media, but AES256 is most used. • Encryption keys and certificates are issued via Let's Encrypt, AWS KMS or ACM. • The data processor carries out continuous operational monitoring of the IT systems. • Access to the data processor's network is secured, among other things, by using a firewall, VPN client and protected WiFi.
