Annex II to Standard Contractual Clauses — Technical and Organisational Measures

Including Technical and Organisational Measures to Ensure the Security of Data

Last Updated: 22 February 2023

  • MODULE ONE: Transfer Controller to Controller
  • MODULE TWO: Transfer Controller to Processor
  • MODULE THREE: Transfer Processor to Processor
Explanatory Note

The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

A description of the Technical and Organizational Measures that Keyfactor, Inc., will employ in its capacity as a Processor of EU data subjects’ personal data appears below:

1. Access Control (Premises/Equipment)

The term “Access” means physical access of persons to buildings and premises in which IT systems are operated and used. This may be data centers in which cryptographic materials, web servers, application servers, databases, mainframes, and storage systems are operated and work rooms in which employees use workplace computers. The premises in which network infrastructure components are located and placed are in scope.

General Requirements

Specifications of Secured Areas

The requirement is met with the following measures:

(a) The areas are classified into different security levels based on data sensitivity.

(b) The areas to be protected have been specified.

(c) Areas with particularly high protection requirements have been identified.

Implementation of Access Protection

The requirement is met with the following measures:

(a) All possible points of entry have been secured against unauthorized access.

(b) There is an access authentication credential that is binding upon all persons (assigned proximity cards, lock combinations/PIN codes, physical lock keys).

(c) Access control systems have been implemented.

Specification of Persons with Access Authorization

The requirement is met with the following measures:

(a) There is role-based access control according to job functions and responsibilities.

(b) The roles are assigned to specific persons in writing and electronically.

(c) A person or organization responsible for the role-based access control process has been designated.

Management and Documentation of Personal Access Rights

The requirement is met with the following measures:

(a) Organizational rules on access rights to the business areas.

(b) Documentation of the assignments of proximity cards, lock combinations/PIN codes, and physical lock keys.

(c) Defined procedures for loss, compromise, and replacement of access credentials.

(d) Information Security Policies have been published, communicated, and made readily available to all staff.

Accompanying Visitors and External Staff

The requirement is met with the following measures:

(a) There is an access control policy in place that addresses access requirements for visitors and other third parties (non-employees).

(b) Visitor monitoring (accompaniment, visitor proximity cards, logging).

(c) Access profiles for maintenance, janitorial, and emergency services staff (accompanying, temporary registration, verification of identity).

Logging Access

The requirement is met using electronic access control systems. Hardcopy sign-in sheets are used for visitors.

2. Access Control (Use of System)

In contrast to access control (premises/equipment), the objective of access control (use of systems) is to prevent IT systems which save, process or use personal data from being accessed or used by unauthorized persons.

2.1 General Requirements

2.1.1 Access Protection (Authentication)

The requirement is met with the following measures:

(a) Access protection of all data processing systems by user authentication.

(b) Password complexity policies are enforced. For more sensitive assets, multi-factor authentication is required.

2.1.2 Strong Authentication at Maximum Protection Level

The requirement is met with the following measures:

(a) Use of mechanisms that require possession and knowledge for authentication (e.g. multi-part smartcard and passphrase authentication).

(b) Network authentication requiring encryption (e.g. Kerberos).

2.1.3 Simple Authentication (Username/Password) at High Protection Level

The requirement is met with the following measures:

(a) There are specifications for the password length for Keyfactor’s customers and end users (minimally 8 characters).

(b) There are specifications for the password complexity (uppercase, lowercase, numeric, and special characters).

(c) There are specifications for multi-factor authentication when accessing internal resources.

2.1.4 Secured Transmission of Authentication Secrets (Credentials) in the Network

The requirement is met with the following measure:

(a) The authentication information is only transmitted over the network once encrypted.

2.1.5 Lockout for Unsuccessful Attempts/Inactivity and Process to Reset Locked Accounts

The requirement is met with the following measures:

(a) Keyfactor user access is locked following multiple incorrect attempts. End user and customer access is temporarily suspended following multiple incorrect attempts.

(b) For Keyfactor staff there is a secure procedure to reset locked accounts (e.g. password resets by authorized administrators).

2.1.6 Specification of Authorized Persons

The requirement is met with the following measures:

(a) There is a role concept (pre-defined user profiles).

(b) Access rights are assigned individually (in relation to specific persons) where required and documented.

(c) The population of authorized persons has been limited to the operationally necessary minimum.

(d) There are no shared or reusable accounts (e.g. intern1, consultant1, etc.).

2.1.7 Management and Documentation of Personal Authentication Media and Access Rights

The requirement is met with the following measures:

(a) A process to apply for, approve, assign and retrieve authentication media and access rights has been established, documented and applied.

(b) A responsible organization has been designated for awarding access rights.

2.1.8 Logging Access

The requirement is met with the following measures:

(a) All successful and unsuccessful network access attempts are logged (ID used, computer, IP address) and stored for auditing purposes for at least 180 days.

(b) Regular sample population evaluations on authentication logs must be performed for abuse recognition.
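Sections 2.1.3, 2.1.5 and 2.1.8 above state a password policy (minimum 8 characters with upper-case, lower-case, numeric and special characters), a lockout after multiple incorrect attempts, a 180-day retention period for authentication logs and regular evaluation of those logs for abuse recognition. The following Python script is an added example, not Keyfactor's code and not part of this annex, showing how those rules can be checked mechanically over a constructed log sample. The log line format, the lockout threshold of five failures within 15 minutes, and the rule that flags a source address failing against three or more distinct accounts are assumptions; the annex itself says only "multiple incorrect attempts".

```python
"""Added example: mechanical checks for the password, lockout and log-evaluation
measures in sections 2.1.3, 2.1.5 and 2.1.8. Not part of the annex."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values taken from the annex.
MIN_PASSWORD_LENGTH = 8      # section 2.1.3 (a)
RETENTION_DAYS = 180         # section 2.1.8 (a)

# Assumptions: the annex says only "multiple incorrect attempts".
LOCKOUT_THRESHOLD = 5                    # consecutive failures that lock an account
LOCKOUT_WINDOW = timedelta(minutes=15)   # failures older than this are forgotten
MULTI_ACCOUNT_THRESHOLD = 3              # distinct accounts one source fails against

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Assumed log line format (constructed for this example):
#   <timestamp> OK|FAIL user=<id> host=<computer> src=<ip address>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"host=(?P<host>\S+) src=(?P<src>\S+)$"
)


def password_meets_policy(pw: str) -> bool:
    """Apply the 2.1.3 rules: length and all four character classes."""
    return (
        len(pw) >= MIN_PASSWORD_LENGTH
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def log_retention_satisfied(oldest_entry_ts: str, now_ts: str) -> bool:
    """True if the oldest retained entry is at least RETENTION_DAYS old."""
    oldest = datetime.strptime(oldest_entry_ts, TS_FORMAT)
    now = datetime.strptime(now_ts, TS_FORMAT)
    return (now - oldest).days >= RETENTION_DAYS


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for a malformed one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def evaluate_auth_log(lines):
    """Replay the log and report accounts that hit the lockout rule and
    source addresses that failed against several distinct accounts."""
    recent_failures = defaultdict(list)   # user -> timestamps inside the window
    locked = set()
    failed_users_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed lines are skipped, not guessed at
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "OK":
            recent_failures[user].clear()  # a success resets the counter
            continue
        failed_users_by_src[rec["src"]].add(user)
        window = [t for t in recent_failures[user] if ts - t <= LOCKOUT_WINDOW]
        window.append(ts)
        recent_failures[user] = window
        if len(window) >= LOCKOUT_THRESHOLD:
            locked.add(user)
    flagged = sorted(src for src, users in failed_users_by_src.items()
                     if len(users) >= MULTI_ACCOUNT_THRESHOLD)
    return {"locked": sorted(locked), "multi_account_sources": flagged}


# Constructed sample log: jdoe fails five times in a row, asmith fails three
# times then succeeds, one external address fails against three accounts.
SAMPLE_LOG = [
    "2023-02-20T08:00:01Z FAIL user=jdoe host=ws-17 src=203.0.113.9",
    "2023-02-20T08:00:05Z FAIL user=jdoe host=ws-17 src=203.0.113.9",
    "2023-02-20T08:00:09Z FAIL user=jdoe host=ws-17 src=203.0.113.9",
    "2023-02-20T08:00:13Z FAIL user=jdoe host=ws-17 src=203.0.113.9",
    "2023-02-20T08:00:17Z FAIL user=jdoe host=ws-17 src=203.0.113.9",
    "2023-02-20T08:01:00Z FAIL user=asmith host=ws-03 src=10.0.5.23",
    "2023-02-20T08:01:10Z FAIL user=asmith host=ws-03 src=10.0.5.23",
    "2023-02-20T08:01:20Z FAIL user=asmith host=ws-03 src=10.0.5.23",
    "2023-02-20T08:01:30Z OK user=asmith host=ws-03 src=10.0.5.23",
    "2023-02-20T08:02:00Z FAIL user=asmith host=ws-03 src=203.0.113.9",
    "2023-02-20T08:02:05Z FAIL user=bkim host=ws-09 src=203.0.113.9",
    "2023-02-20T09:30:00Z FAIL user=bkim host=ws-09 src=10.0.5.40",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    print(evaluate_auth_log(SAMPLE_LOG))
    print(password_meets_policy("Tr0ub4dor&3"), password_meets_policy("password"))
    print(log_retention_satisfied("2022-08-01T00:00:00Z", "2023-02-20T00:00:00Z"))
```

The sample evaluation is the kind of "sample population evaluation" section 2.1.8 (b) calls for: a success clears an account's failure counter, so a user who mistypes a few times and then logs in is not reported, while a single source address failing against several accounts is surfaced even when no individual account reaches the lockout threshold.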

2.2 Measures at the User’s Workplace

2.2.1 Automatic Access Lock

The requirement is met with the following measure:

(a) In the case of more than 15 minutes’ inactivity of the workstation or terminal, a password-protected screensaver is activated automatically by operating system security policy.

2.2.2 Manual Access Lock

The requirement is met with the following measures:

(a) There is a policy for workstations to be protected against unauthorized use when leaving the workplace temporarily (e.g. by manual activation of the password-protected screensaver).

(b) Keyfactor personnel have been trained regarding the necessity to implement measure (a).

3. Access Control (Specific Data)

The requirements for access control on specific data classifications shall ensure that only authorized persons have access to the data for which they have a legitimate business purpose and that the data cannot be manipulated or read by unauthorized persons.

3.1 General Requirements

3.1.1 Generation of an Authorization concept

The requirement is met with the following measures:

(a) There are rules and procedures to create, change, and delete authorization profiles or user roles.

(b) The areas of administrative responsibilities are established.

3.1.2 Implementation of Access Limitations

The requirement is met with the following measures:

(a) Each Keyfactor employee with access rights can only access the data that he or she specifically requires according to job responsibilities, through appropriately assigned authorization profiles.

(b) Where data inventories of several controllers are saved in datastores or processed with a data processing system, logical access limitations are implemented that are aligned solely with data processing for the respective controller (multiple client capacity).

3.1.3 Awarding of Minimum Authorizations

The requirement is met with the following measure:

(a) The scope of authorizations must be limited to the minimum requirements for performing the respective tasks or functions.

3.1.4 Management and Documentation of Personal Access Rights

The requirement is met with the following measures:

(a) A process to apply for, approve, assign and revoke access rights, and how they are reviewed, has been implemented.

(b) Authorizations are attached to unique, person-specific accounts.

4. Transmission Control

The requirements to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or storage on data carriers, and associated means of audit, are implemented.

4.1 Transport Over Networks

4.1.1 Safe Data Transmission Between Servers and Clients

The requirement is met with the following measure:

(a) Where wireless networks are set up within the Keyfactor network infrastructure, they use the WPA2 protocol or stronger with the AES encryption mode. Guest wireless networks are separated from Keyfactor’s corporate network systems by means of network access controls (e.g., virtual LANs).

4.2 Logical Access to Systems

4.2.1 Risk Minimization by Network Separation

The requirement is met with the following measures:

(a) Network segmentation is implemented so that data transfers traverse the minimum number of network elements.

(b) The relevant systems are segregated via network access controls according to data classifications.

4.2.2 Safety Gateways at the Network Handover Points

The requirement is met with the following measures:

(a) There are network/hardware firewalls.

(b) There are personal/desktop firewalls.

(c) The firewalls are always active.

(d) The firewalls cannot be deactivated by end users.

4.2.3 Protecting Systems

The requirement is met with the following measures:

(a) All security patches are implemented within 30 days of release.

(b) Critical security patches are tested and implemented on an emergency basis depending on severity.

4.3 Safe Sending of Data

4.3.1 Shipping Provisions

If data is shipped, the requirement is met with the following measures:

(a) There are packaging and shipping provisions for the transport of personal data by data carriers.

(b) For personal data, encryption of the personal data before transmission is mandatory.

(c) The transport company must be authorized before shipping.

4.4 Safe Deletion, Disposal and Destruction

4.4.1 Process for Collection and Disposal

The requirement is met with the following measure:

(a) There are rules for destruction of documents and data media in a manner which ensures data privacy.

4.4.2 Deletion/Destruction Procedure for Data Privacy

The requirement is met with the following measures:

(a) Endpoint devices are cleared of all data before reuse by other users, so that recovery is impossible or possible only with disproportionate effort.

(b) Hardware components or documents are cleared of personal data, so that recovery is impossible or possible only with disproportionate effort.

5. Input Control

Requirements to ensure that it is possible to check and establish whether and by whom personal data have been inputted into data processing systems, modified or removed (input control).

5.1 General Requirements

5.1.1 Documentation of the Input Rights

The requirement is met with the following measure:

(a) There is documentation of which persons are authorized due to their job responsibilities to make inputs into the data processing system.

6. Job Control

Requirements to ensure that in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the controller.

The requirement is met with the following measure:

(a) Job control is implemented in the data processing agreement as well as by the organization control in section 9 of attachment 2.

7. Availability Control

Requirements to ensure that personal data are protected from accidental destruction or loss (availability control).

7.1 Backup Concept

The requirement is met with the following measures:

(a) There is a systems backup program implemented.

(b) There are regular backups according to recovery time objectives (“RTO”) and recovery point objectives (“RPO”).

(c) An organization responsible for backup operations, and a representative, are designated.

7.2 Disaster Recovery

7.2.1 Emergency Plan

The requirement is met with the following measure:

(a) There is an emergency plan in which the steps to be initiated are listed and it is specified which persons are to be informed of the incident. Controller has indicated the relevant contacts in the Data Processing Agreement.

7.2.2 Storing the Backup

The requirement is met with the following measure:

(a) Data backups, both electronic and hardcopy, are stored in industry-standard secure storage facilities.

8. Review of Purpose

Requirements to ensure that data collected for different purposes can be processed separately.

8.1 General Requirements

8.1.1 Separate Processing

The requirement is met with the following measure:

(a) There are technical and organizational rules and measures to ensure separate processing (storage, modification, deletion, transfer, etc.) and/or storage of data and/or data carriers with different contractual purposes.

9. Organisation Control

9.1 Training/Obligation

The requirement is met with the following measures:

(a) Principles of data privacy, including the technical and organizational measures.

(b) Obligation to privacy regarding operating and business secrets, including the controller’s processes.

(c) Proper and careful handling of data, files, data carriers and other documents.

(d) Where required, special further confidentiality obligations.

(e) The training has been documented and is tracked for completion.

(f) The training is regularly repeated, annually at a minimum. Shorter intervals apply if required by applicable laws in specific territories.

9.2 Training/Obligation of External Persons

The requirement is met with the following measures:

(a) There are rules on the access to data processing facilities for external persons (guests, suppliers, etc.).

(b) These rules at least require that external persons are given access to data processing systems only after they have been committed to data secrecy (and, if applicable, to telecommunication secrecy or other confidentiality obligations) and have been trained, and before they put any data processing systems into operation or use them.

9.3 Representative Rule

The requirement is met with the following measures:

(a) A representative has been specified for all operationally necessary functions.

(b) The representative must only receive the required access and admission rights in the event they are acting as representative.

10. Additional Technical and Organisational Security Measures for Transfers from France

10.1 Managing Maintenance Activities

The requirement is met with the following measure:

(a) For remote assistance on client workstations, the remote administration tool must be configured to obtain the user’s consent before any intervention on his or her workstation. The user must be able to see that remote assistance is in progress.

10.2 Management of Sub-Processing

The requirement is met with the following measures:

(a) Draft a specific clause to be included in agreements with data processors/sub-contractors.

(b) Provide for conditions of destruction of data on the agreement’s expiry and termination.

10.3 Software Development

The requirement is met with the following measure:

(a) Carry out software development in a computing environment separate from that of production (for example, on appropriately defined network segments).

10.4 Encryption

The requirement is met with the following measures:

(a) Regarding symmetric encryption:

  1. Use state of the art algorithms (AES, triple DES).
  2. Key lengths of at least 256 bits.

(b) Regarding asymmetric encryption:

  1. Use state of the art algorithms (RSA, ECC).
  2. Key lengths advised to follow recommendations of appendix B1 of the French General Security Reference Framework http://www.ssi.gouv.fr/uploads/2014/11/RGS_v-2-0_B1.pdf (French only), i.e. 2048-bit key lengths.


For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.

Microsoft Corporation – Technical and Organizational Measures – Microsoft maintains copies of its Professional Services Data Protection at the following link: https://www.microsoft.com/licensing/docs/view/Professional-Services-Data-Protection-Addendum-DPA. The document includes an overview of the company’s technical and organizational measures.

Salesforce.com, Inc. – Technical and Organizational Measures – Salesforce maintains an online Data Processing Addendum here that includes a brief overview of its technical and organizational measures: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf. Salesforce states, “Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the SCC Services, as described in the Security, Privacy and Architecture Documentation applicable to the specific SCC Services purchased by data exporter, and accessible via http://help.salesforce.com or otherwise made reasonably available by data importer. Data Importer will not materially decrease the overall security of the SCC Services during a subscription term.”

Rapid7 – Rapid7 provides a copy of its Data Processing Addendum, which includes an overview of the technical and organizational measures that the company implements, here: https://www.rapid7.com/legal/dpa/.

Mailgun / Sinch Email – Mailgun provides a copy of its Data Processing Addendum, which includes an overview of the technical and organizational measures that the company implements, here: https://www.mailgun.com/legal/dpa/.