Technical and Organisational Security Measures

The Processor has the following general security measures in place.

  • Strong unique passwords on all accounts.
  • Stores encrypted passwords and never allows plaintext passwords in the database.
  • Makes sure each user has a separate login. No shared accounts!
  • Removes accounts immediately when a user leaves the Company.
  • Limits the number of people with access to admin areas.
  • Ensures that the application is using up to date libraries/packages/plugins.
  • Ensures that the application is running with the latest versions of servers and operating systems.
  • Makes regular, secure backups of the data.
  • Uses an SSL certificate for browsing and secured connections with the database.
  • Uses up to date firewall and server level protections.
  • Performs regular security checks and scans using dedicated software.

The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted, however, that in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available. Additional information regarding technical and organisational measures may be found in the Security Policy. It is acknowledged and agreed that the Security Policy and the technical and organisational measures described therein will be updated and amended from time to time, at the sole discretion of the Processor. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described in the Security Policy in any material, detrimental way.

1. Data Access Control

Technical and organisational measures regarding the on-demand structure of the authorisation concept, data access rights and monitoring and recording of the same:

Data access control measures are designed so that only data for which an access authorisation exists can be accessed, and so that data cannot be read, copied, changed or deleted in an unauthorised manner, either during processing or after it has been saved.

Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the “least privilege” and “need-to-know” principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person.

To maintain data access control, state-of-the-art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.

2. Transmission Control

Technical and organisational measures regarding the transport, transfer, transmission, storage and subsequent review of Personal Data on data media (manually or electronically).

Transmission control is implemented so that Personal Data cannot be read, copied, changed or deleted without authorisation, during transfer or while stored on data media, and so that the intended recipients of any transfer of Personal Data can be monitored and determined.

The measures necessary to ensure data security during transport, transfer and transmission of Personal Data as well as any other company or Customer Data are detailed in the Security Policy. This standard includes a description of the protection required during the processing of data, from the creation of such data to deletion, including the protection of such data in accordance with the data classification level.

For the purpose of transfer control, an encryption technology is used (e.g. remote access to the company network via a two-factor VPN tunnel and full disk encryption). The suitability of an encryption technology is measured against the protective purpose.

The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred to companies located outside the EEA, the Processor provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union’s data protection requirements, e.g. by employing contracts based on the Standard Contractual Clauses.

3. Data Entry Control

Technical and organisational measures regarding recording and monitoring of the circumstances of data entry to enable retroactive review.

System inputs are recorded in log files; therefore, it is possible to review retroactively whether, and by whom, Personal Data was entered, altered or deleted.

4. Data Processing Control

Technical and organisational measures to differentiate between the competences of principal and contractor:

The aim of the data processing control is to ensure that Personal Data is processed by a commissioned data processor in accordance with the Instructions of the principal.

Details regarding data processing control are set forth in the Agreement and DPA.

5. Availability Control

Technical and organisational measures regarding data backup (physical/logical):

Data is stored in triplicate across 2 data centres, with 2 separate cross connections. The data centres can be switched over in the event of flooding, earthquake, fire or other physical destruction, or power outage; this protects Personal Data against accidental destruction and loss.

If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good with a certain delay. This is done in order to prevent accidental deletions or possible intentional damage.

6. Separation Control

Technical and organisational measures regarding purposes of collection and separated processing:

Personal Data used for internal purposes only, e.g. as part of the respective customer relationship, may be transferred to a third party such as a subcontractor solely under consideration of contractual arrangements and appropriate data protection regulatory requirements.

Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.

Customer Data is stored in a way that logically separates it from other customer data.

The Controller is assigned a unique encryption key, generated using a FIPS 140-2 compliant crypto library, which is used to encrypt and decrypt all of the Controller’s archived data. In addition to the unique encryption keys, all data being written to the storage grid includes the Controller’s unique account code. The Processor’s systems that write data to the storage grid retrieve the encryption key from one system and the customer code from another, which serves as a cross-check against two independent systems. The Controller’s encryption key is further encrypted with a Processor key stored within a centralised and restricted key management system. In order for the Processor to access Customer Data via the master key, the key management system provisions individual keys following a strict process of approval that includes multiple levels of executive authorisation. Use of these master encryption keys is limited to senior production engineers and all access is logged, monitored, and configured for alerting by security via a centralised Security Incident and Event Management (“SIEM”) system. The Controller’s archived data is encrypted at rest using AES-256 encryption and data in transit is protected by Transport Layer Security (“TLS”).
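As an added illustration of the key hierarchy described above (example code, not the Processor's own system): each Controller's data key is wrapped under a Processor key held in the key management system, and every archived record is encrypted with the Controller's key with the account code bound in as authenticated data, so a record read back with a different account code fails to decrypt rather than yielding another customer's data. Assumptions: AES-256-GCM as the at-rest cipher and the account-code cross-check modelled as AEAD associated data; the FIPS 140-2 library, the KMS itself and the approval workflow are outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aeadFor returns AES-GCM over key; a 32-byte key selects AES-256.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with aad authenticated; the random nonce is prefixed.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or a wrong aad fails the GCM tag check.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// The Processor key (KEK, held in the KMS) wraps each Controller's data key (DEK); assumed layout.
func WrapControllerKey(kek, dek []byte) ([]byte, error)     { return seal(kek, dek, []byte("controller-dek")) }
func UnwrapControllerKey(kek, wrapped []byte) ([]byte, error) { return open(kek, wrapped, []byte("controller-dek")) }

// Records are encrypted with the Controller's DEK and bound to its account code as AAD (assumed cross-check).
func ArchiveRecord(dek []byte, account string, rec []byte) ([]byte, error) { return seal(dek, rec, []byte(account)) }
func ReadRecord(dek []byte, account string, sealed []byte) ([]byte, error) { return open(dek, sealed, []byte(account)) }
```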

The following security measures apply in particular to each Solution or Service.

MyShop:

MyShop is committed to guaranteeing the maximum security of data by the following measures:

  • Storing encrypted passwords and never allowing plaintext passwords in the database.
  • Requiring strong, unique passwords on all accounts.
  • Making sure each user has a separate login. No shared accounts!
  • Removing accounts immediately when a user leaves your company.
  • Limiting the number of people with access to the admin dashboard.
  • Ensuring that your site is always using the latest version of WordPress.
  • Ensuring that your site is always using the latest versions of WooCommerce and any other plugins.
  • Deactivating and removing unneeded plugins or themes.
  • Making regular, secure backups of your site data.
  • Using an SSL certificate for your site and secured connections with the database.
  • Using up to date firewall and server level protections.
  • Performing regular security checks and scans using dedicated plugins.

MyPress:

MyPress is committed to guaranteeing the maximum security of data by the following measures:

  • Storing encrypted passwords and never allowing plaintext passwords in the database.
  • Requiring strong, unique passwords on all accounts.
  • Making sure each user has a separate login. No shared accounts!
  • Removing accounts immediately when a user leaves your company.
  • Limiting the number of people with access to the admin dashboard.
  • Ensuring that your site is always using the latest version of WordPress and any other plugins.
  • Deactivating and removing unneeded plugins or themes.
  • Making regular, secure backups of your site data.
  • Using an SSL certificate for your site and secured connections with the database.
  • Using up to date firewall and server level protections.
  • Performing regular security checks and scans using dedicated plugins.

MySuite:

MySuite is committed to guaranteeing the maximum security of data by the following measures:

  • Storing encrypted passwords and never allowing plaintext passwords in the database.
  • Requiring strong, unique passwords on all accounts.
  • Making sure each user has a separate login. No shared accounts!
  • Removing accounts immediately when a user leaves your company.
  • Limiting the number of people with access to the admin dashboard.
  • Ensuring that your site is always using the latest version of WordPress.
  • Ensuring that your site is always using the latest versions of WP ERP and any other plugins.
  • Deactivating and removing unneeded plugins or themes.
  • Making regular, secure backups of your site data.
  • Using an SSL certificate for your site and secured connections with the database.
  • Using up to date firewall and server level protections.
  • Performing regular security checks and scans using dedicated plugins.

MySTATS:

MySTATS is committed to guaranteeing the maximum security of data by the following measures:

  • Storing encrypted passwords and never allowing plaintext passwords in the database.
  • Requiring strong, unique passwords on all accounts.
  • Making sure each user has a separate login. No shared accounts!
  • Removing accounts immediately when a user leaves your company.
  • Using an SSL certificate for your site and secured connections with the database.
  • Using up to date firewall and server level protections.
  • Performing regular security checks and scans.


MyBrand:

MyBrand is committed to guaranteeing the maximum security of data by the following measures:

  • Storing encrypted passwords and never allowing plaintext passwords in the database.
  • Requiring strong, unique passwords on all accounts.
  • Making sure each user has a separate login. No shared accounts!
  • Removing accounts immediately when a user leaves your company.
  • Making regular, secure backups of your site data.
  • Using an SSL certificate for your site and secured connections with the database.
  • Using up to date firewall and server level protections.
  • Performing regular security checks and scans.