The present document supplements Chapter 4 ‘Security’ of the Data Processing Agreement (the “DPA”) between Client-Party that has accepted the Master Agreement (the “Controller”) and HeroCoders Sp. z o. o. (the “Processor”) pursuant to the Article 28(1) GDPR (EU General Data Protection Regulation).
The technical and organizational measures (“TOMs”) are implemented by the Processor in accordance with the Article 32 GDPR. They are continuously improved by the Processor taking into account the feasibility, state of the art, the costs of implementation and the nature, scope, context and purposes of processing to ensure appropriate level of security.
This document should be read jointly with HeroCoders Security Statement and other Security and Trust related materials.
Introduction, Data Protection at HeroCoders
HeroCoders as an EU-based company has set itself the goal of providing its customers with the products and services delivered at the highest possible level of information security and data protection in compliance with applicable law.
HeroCoders staff is continuously informed and trained in the area of data protection. In addition, all staff members are contractually bound to data confidentiality. External parties that may come into contact with personal data in the course of their work for HeroCoders are also obligated to maintain data confidentiality as well as to comply with data protection by means of a so-called NDA (Non-Disclosure Agreement) before they begin their work.
Any subcontractors and affiliates of HeroCoders entrusted with further processing of Customer’s personal data (“sub-processors”) are only involved in data processing operations after conclusion of a Data Processing Agreement (DPA) in accordance with Art. 28 GDPR, through which they are fully bound by all relevant EU data protection obligations which HeroCoders itself is subject to.
1. Confidentiality
1.1 Physical Access Control
Measures preventing unauthorized physical access.
Technical Measures
✔ Locking of data processing equipment
Organizational Measures
✔ Employee access policies
✔ Care in selection of personnel
✔ Care in selection of external service providers
✔ Information security policies
✔ Work instructions for operational safety and for remote work
1.2 Logical Access Control, Authorization Control
Measures preventing data processing systems from being used by unauthorized persons.
Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization.
Technical Measures
✔ Use of strong individual passwords
✔ Two-factor authentication enforcement for critical systems
✔ Monitoring of login attempts deviating from norm wherever technically feasible
Organizational Measures
✔ Users permissions management
✔ Information security policies
✔ Work instructions for operational safety and remote work
✔ Use of authorization concept
✔ Only commercially reasonable subset of staff has access to personal data
✔ Management of users rights by administrators and minimum number of administrators
✔ Process for granting rights for new staff joining the company and for withdrawing rights of staff leaving the company
1.3 Separation Control
Measures that ensure that data collected for different purposes is processed separately.
Technical Measures
✔ Separation of production and test environment
✔ Physical separation (systems/databases/data carriers)
✔ Customer data logically separated
Organizational Measures
✔ Security and remote work policies and instructions emphasizing access to and processing of Customer’s data on a need-to-know basis arising from legitimate business need and approved by management
✔ Authorization process that takes into account the separate processing of data for different Customers
✔ Personal Data Protection Policy
1.4 Pseudonymization & Encryption, Art. 32 (1)(a) GDPR
Technical Measures
✔ Data encrypted both in-transit and at-rest
Organizational Measures
✔ Internal instruction and procedures in place related to personal data being anonymized/pseudonymized as far as possible in the event of disclosure or even after the statutory deletion period has expired
✔ Information security policies
2. Availability, Resilience and Recoverability Art. 32 (1)(c) GDPR
Measures to ensure that personal data is protected against accidental destruction or loss, being capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident.
Technical Measures
✔ Data backups created on a daily and weekly basis
✔ Restorability from automation tools
✔ Regular testing of data recovery
Organizational Measures
✔ Backup and Recovery concept and policies
✔ Information security policies
3. Review, Assessment and Evaluation Art. 32 (1)(d) GDPR, Art. 25 (1) GDPR
3.1 Data Protection Management, Incident Response Management
Technical Measures
✔ Centralized hub of all data protection reviews, assessments and evaluations with remote access for employees.
Organizational Measures
✔ A review of the effectiveness of the TOMs is carried out regularly and TOMs are updated if necessary
✔ Data Protection Officer appointed
✔ Staff trained and obliged to confidentiality
✔ Data Protection Impact Assessment (DPIA) is carried out as required
✔ Processes regarding information obligations according to Art 13 and 14 GDPR established
✔ Formalized process for requests for information from data subjects is in place
✔ Documented process for detecting and reporting security incidents / data breaches (also with regard to reporting obligation to supervisory authority)
✔ Management team is regularly informed about the status of data protection, information security and possible risks and consequences due to missing measures.
4. Measures to ensure that data processing on behalf of the client by sub-processors is carried out in compliance with EU GDPR Art. 28 GDPR
Technical Measures
✔ Monitoring of remote access by external parties
Organizational Measures
✔ Contract drafting according to legal requirements (Art. 28 GDPR) and conclusion of the necessary data processing agreement on commissioned processing
✔ Confidentiality obligations sub-processor's employees
✔ Records of existing sub-processors
✔ Reviews and inspections of sub-processors