Preamble
According to Article 32 of the General Data Protection Regulation ("GDPR") and taking into account the state of the art, the implementation costs and the type, the scope, the circumstances and purposes of the processing and the different likelihood and severity of the risk to the rights and freedoms of the data subjects, Aperia Compliance, LLC, 333 E Main St #396, Lehi, Utah 84043, United States (hereinafter, along with any affiliate, "Aperia Compliance" or "Company"). Aperia Compliance utilizes the cloud infrastructure services of industry-leading service providers set forth on our subprocessor website. Consequently, certain security measures regarding the production environment are managed by the cloud infrastructure service provider(s), while Aperia Compliance retains responsibility for logical security, configuration, and data access controls. These measures are designed to ensure, as a minimum, a level of protection for the personal data processed appropriate to the risk.
Depending on the specific processing under the applicable contract, the data security measures implemented on behalf of Company Customers can be reasonably extended, adapted and (in the future) modified or updated at Company’s discretion.
1. General Organizational Measures
Aperia Compliance has taken the following general measures:
Regular training of employees in data protection and/or security measures, at least semi-annually.
Prior to processing personal data, all employees and external contractors must commit themselves to confidentiality.
Subprocessors: Professional qualification and suitability are assessed prior to engagement, including the following required documentation:
Data processing agreement
Adequate technical and organizational measures
Appropriate safeguards under Art 46 GDPR such as European Commission Standard Contractual Clauses, as required
Cloud Governance: Continuous monitoring of cloud infrastructure service provider compliance certifications (e.g., SOC 2, ISO 27001) to ensure the ongoing adequacy of the underlying infrastructure security.
2. Pseudonymisation and Encryption (Art 32 par 1 lit a GDPR)
Measures of pseudonymisation and encryption to protect personal data include:
Encryption of data carriers in laptops / notebooks.
Encryption of all backups.
Data-in-transit encryption for transmission over insecure networks (incl. TLS 1.2 or higher, VPN).
Encryption of data as mandated by Payment Card Industry Standards.
3. Confidentiality & Integrity (Art 32 par 1 lit b GDPR)
Measures to ensure appropriate security of the personal data, such as protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, include:
Physical Security:
Production Environment – Azure: Hosting in Microsoft Azure data centers, which are ISO 27001, SOC 2 Type II, and PCI DSS certified. Physical security measures are managed entirely by the cloud provider, as detailed in the provider's documentation at https://learn.microsoft.com/en-us/azure/security/fundamentals/physical-security (as amended from time to time).
Office Locations:
Access control system.
Manual locking system including security locks.
Chip card/transponder locking system, including a log of all issued keys/chip cards.
Video surveillance.
Alarm system.
Access of visitors is documented and supervised.
Definition and protection of security zones by chip card system.
Careful selection of personnel and cleaning staff.
Logical Access Control
Authorization with individual logical access authorization system and password protection.
Password policy including minimum password length and complexity requirements.
Multi-Factor Authentication for all administrative and remote access.
Dual control principle for granting access.
Assignment of individual user rights based on the Least Privilege Principle.
Use of Azure Security Groups and Virtual Networks (VNETs) to isolate compute resources.
Authentication with individual user name / password.
Automatic logging of all access to detect and trace unauthorized access attempts.
Administration of access rights by the system administrator.
Number of administrators reduced to the bare minimum.
Up-to-date firewall, virus and malware protection, including:
anti-virus software,
software firewall,
hardware firewall.
Secure network access is based on individual user permissions.
Real-time monitoring of servers and other IT systems (e.g., Azure Monitor).
Integrity
Logical client separation.
Separation of production and test system.
Allocation of rights to enter, modify and delete data only where strictly necessary.
Traceability of data entries, modifications and deletions.
4. Availability and Resilience of Processing (Art 32 par 1 lit b, c GDPR)
Measures to ensure ongoing availability and resilience of processing systems and services, and to restore availability and access to personal data in a timely manner in the event of a physical or technical incident include:
All processing in redundant data centers (“hot/warm setup”).
To mitigate the impact of natural disasters, connections are two-way redundant and geographically separated.
Redundant internet connectivity and power supply managed by the cloud infrastructure service provider.
Redundant hardware setup at each data center location.
Redundant power supply at each data center location.
Reliance on provider-managed environmental controls (air conditioning, fire suppression, smoke detection).
Uninterruptible power supply (UPS) managed by the cloud infrastructure service provider.
All systems and networks monitored by dedicated 24/7 on-call staff.
Change management in place for all systems and networks (changes require prior testing, documentation & authorisation).
Backup & recovery process includes automated, redundant daily backups of all systems.
Storage of the backup data in a secure location with access authorization for a limited group of persons.
Back-to-back service level agreements with Subprocessors.
5. Testing, Assessing, and Evaluating (Art 32 par 1 lit d GDPR)
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing include:
Records of all incidents affecting the confidentiality, availability or integrity of systems.
Evaluation and, where needed, improvement of the system architecture based on incident documentation, in order to prevent similar incidents.
Regular tests performed by external auditors to confirm and enhance security of processing.
Disaster Recovery and Business Continuity Plans routinely tested for functionality and effectiveness.