Security Standards
Technical and organizational measures (TOMS) acc. Art. 32 Para. 1 GDPR

Rich Returns will abide by the security standards set forth below (“Security Standards”), which detail the various actions taken by Rich Returns to provide the Rich Returns Services (“Information Security”). During the Subscription Term, these Security Standards may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as deemed reasonably necessary by Rich Returns, provided that such changes will not bring the Security Standards below industry standard security measures.


1. Access Control (Premise Level)

Target: to prevent unauthorized persons from gaining access to data processing systems with which Personal Data are processed or used.

Measures:

  • Access solely for authorized employees
  • Documented key administration
  • Revoking of access rights after expiry of authorization
  • Door security
  • Security locks 

2. Access Control (Computer Level)

Target: to prevent data processing systems from being used without authorization.

Measures:

  • Password policy
  • Clean Desk Policy obliges every employee to dispose of documents appropriately and to lock their computer when leaving the desk
  • Encryption of data storage devices
  • Firewall / Virus scanners
  • Revoking of access rights after expiry of authorization
  • Backup encryption
  • Logging and analysis of software incidents that pose a potential threat
  • Technical and organizational actions ensure that authorizations which are no longer required are withdrawn in a timely manner

3. Access Control (Authorization Level)

Target: to ensure that persons entitled to use a data processing system have access only to data to which they have a right of access.

Measures:

  • Differentiated authorization (e.g. profiles, responsibilities)
  • Mechanism for authorizations to enable exact differentiation of level when accessing the backend of software
  • Binding authorization process for employees
  • Existing administration concept in place ensuring transparent application and distribution of access
  • Employee authorizations are documented
  • Distribution of minimum access authorizations to employees (need-to-know)

4. Transmission Control

Target: to ensure that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged.

Measures:

  • Secured transfer protocols (SSL, TLS, SFTP)
  • The private use of data storage devices at the workplace is not permitted
  • Instruction for use of mobile data storage devices
  • Process for appropriate deletion / disposal of data storage devices and documents
  • Hosting on ISO 27001 certified server centers 

5. Input Control

Target: to ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems, modified or removed.

Measures:

  • An access authorization concept is in place
  • The organizational rules governing which users are authorized to make changes are recorded
  • Each employee has the appropriate access according to their responsibilities / role
  • Authorizations for employees are distributed by an authorized individual

6. Job Control

Target: to ensure that, in the case of commissioned processing of Personal Data, the data are processed strictly in accordance with the instructions of the principal.

Measures:

  • Control over data processing agreements (DPA)
  • DPAs contain detailed information about the permitted use of data relating to individuals of the contracting authority, as well as a prohibition on using service providers not set out in a written contract
  • The contract contains detailed information on the kind and scope of the commissioned processing and use of data relating to individuals of the contracting authority
  • DPAs with all relevant processors are in place
  • A clear layout and procedure for issuing DPAs to Controllers is in place
  • A security concept is in place
  • All employees with access are committed to data security by contract
  • Each employee has received work instructions and guides on how to carry out actions that secure data and ensure IT security
  • The Controller will be notified immediately about a data security breach

7. Availability Control

Target: to ensure that Personal Data is protected from accidental destruction or loss. 

Measures:

  • Backup processes / regular security copies
  • A fire detection system is in place
  • Use of data protection programs and software (e.g. anti-virus protection, firewall)
  • Automated standard routines for regular updates of security software
  • Automated and permanent monitoring for detection of errors
  • Automated workflow for distribution of notifications regarding maintenance and errors 

8. Organizational Control

Target: to design the in-house organization in such a way that it meets the requirements of data protection.

Measures:

  • All employees are informed about and legally committed to data security and privacy
  • All employees are issued with work instructions on data privacy
  • All employees are regularly trained on data privacy at the workplace
  • A procedure for regular tests, analysis and evaluation acc. Art. 32 Para. 1 GDPR is in place

Data Privacy by Design acc. Art. 25 Para. 2 GDPR is realized according to these technical and organizational measures.