Preamble
According to Article 32 of the General Data Protection Regulation ("GDPR") and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects, IXOPAY GmbH, Vorgartenstraße 206, 1020 Vienna, Austria and IXOPAY, Inc., 333 E Main St #396, Lehi, Utah 84043, United States ("IXOPAY" or the "Processor") has inter alia implemented the following technical and organisational data security measures with regard to the processing operations carried out on behalf of IXOPAY clients (acting as Controllers), in order to ensure, as a minimum, a level of protection for the personal data processed that is appropriate to the risk.
Depending on the specific processing under the applicable contract, the data security measures implemented on behalf of the Controller may be reasonably extended, adapted and (in the future) modified or updated at IXOPAY's discretion.
1. General Organisational Measures
IXOPAY has taken the following general measures:
Regular training of employees in data protection and/or security measures, at least semi-annually.
Prior to processing personal data, all employees and external contractors must commit themselves to confidentiality.
Subprocessors: professional qualification and suitability are assessed prior to engagement, including the required documentation:
Data processing agreement
Adequate technical and organizational measures
Appropriate safeguards under Art 46 GDPR such as European Commission Standard Contractual Clauses, as required
2. Pseudonymisation and Encryption (Art 32 par 1 lit a GDPR)
Measures of pseudonymisation and encryption to protect personal data include:
Encryption of data carriers (storage media) in laptops/notebooks.
Encryption of all backups.
Encryption of data in transit over insecure networks (e.g. TLS, VPN).
Encryption of data as mandated by the Payment Card Industry Data Security Standard (PCI DSS).
3. Confidentiality & Integrity (Art 32 par 1 lit b GDPR)
Measures to ensure appropriate security of the personal data, such as protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, include:
Physical Security (NB: the measures below apply both in the office and in data centers, unless otherwise stated):
Access control system.
Manual locking system including security locks.
Chip card/transponder locking system.
Log of all issued keys/chip cards.
Video surveillance.
Alarm system, including automated alarm notification in case of unauthorized access to server rooms in data centers.
Access of visitors is documented and supervised.
Obligation to wear authorization cards in the data centers.
Definition and protection of security zones by means of the chip card system.
Careful selection of personnel and cleaning staff.
Careful selection of security personnel in the data centers.
Logical Access Control
Individual logical access authorization system with password protection.
Password policy specifying minimum password length and complexity.
Two-factor authentication where technically feasible.
Dual control principle (four-eyes principle) for granting access.
Assignment of individual user rights limited to the required extent.
Creation of individual user profiles with respective access rights limited to the required extent.
Authentication with individual user name / password.
Automatic logging of all access to enable detection of unauthorized access attempts.
Administration of access rights by the system administrator.
Number of administrators reduced to the bare minimum.
Up-to-date firewall, virus and malware protection, including:
up-to-date anti-virus software,
software firewall,
hardware firewall.
Secure network access is based on individual user permissions.
Real-time monitoring of servers and other IT systems.
Integrity
Logical separation of client data (client/tenant separation).
Separation of production and test systems.
Allocation of rights to enter, modify and delete data only where strictly necessary.
Traceability of data entries, modifications and deletions.
4. Availability and Resilience of Processing (Art 32 par 1 lit b, c GDPR)
Measures to ensure ongoing availability and resilience of processing systems and services, and to restore availability and access to personal data in a timely manner in the event of a physical or technical incident include:
All processing in redundant data centers (“hot/warm setup”).
To mitigate the impact of natural disasters, connections are two-way redundant and geographically separated.
Redundant internet connectivity (“dual-connection-setup”) at each data center location.
Redundant hardware setup at each data center location.
Redundant power supply at each data center location.
Air conditioning and fire extinguishers as well as fire and smoke detection systems in server rooms.
Devices for monitoring temperature and humidity in server rooms in data centers.
Uninterruptible power supply (UPS).
All systems and networks monitored by dedicated 24/7 on-call staff.
Change management in place for all systems and networks (changes require prior testing, documentation & authorisation).
Backup & recovery process includes automated, redundant daily backups of all systems.
Storage of the backup data in a secure location with access authorization for a limited group of persons.
Back-to-back service level agreements with Subprocessors.
5. Testing, Assessing and Evaluating (Art 32 par 1 lit d GDPR)
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing include:
Records of all incidents affecting the confidentiality, availability or integrity of systems.
Evaluation and, where necessary, improvement of the system architecture based on incident documentation to prevent similar incidents.
Regular tests performed by external auditors to confirm and enhance the security of processing.
Disaster Recovery and Business Continuity Plans routinely tested for functionality and effectiveness.