Technical and organisational measures
The measures mentioned in this page are implemented to ensure compliance to the applicable data protection laws
Article 1. Confidentiality (Article 32 para. 1 item b GDPR)
1.1. Entry controls
No unauthorised entry into data processing facilities, buildings, rooms, entry controls (physical entry), such as: Magnetic or chip cards, keys, electric door openers, company security personnel/gatekeepers, alarm systems, video systems, clear desk policy, i.e. concrete information security and data protection management measures.
In particular:
Optimy shall implement physical security control as part of an Information Security Management System (ISMS).
These controls include:
- Defining and documenting a security perimeter
- Implementing physical entry controls
At the time of redaction:
- Optimy’s office does not host any part of its product infrastructure (reliance on Infrastructure as a Service (IaaS).
- The building hosting Optimy's office is protected by an SaS, cameras and an alarm (The building is also hosting bank offices).
- Badges are used to restrict access to the office.
- The office is located on the second floor of the building.
- A visitor register is maintained. All visitors are accompanied.
- Protecting against external and environmental threats.
At the time of redaction:
- The company managing the building that is hosting Optimy’s office is complying with Belgian regulations with regard to fire protection, which includes regular training and drill tests.
- Defining, documenting and communicating a clear and screen desk policy.
- Defining, documenting and communicating a teleworking policy addressing physical security.
At the time of redaction:
- Working in public areas is discouraged.
- Removable media and paper documents containing confidential information shall be locked when not in use in accordance with an Asset Management Policy and Information Classification Policy.
1.2. Access control
No unauthorised system usage, e.g. no unauthorised reading, copying, editing or deletion within the system, such as: Authorisation schemes and needs-based access rights, access logging, secure passwords, automated locking mechanisms, two-factor authentication, data carrier encryption.
In particular:
Optimy shall implement access security control as part of an Information Security Management System (ISMS).
These controls include:
- Following the least privilege principle
- This includes minimising Optimy’s employees having access to production data.
At the time of redaction, customer data are only accessible to:
- The Customer Success team
- The IT Operations team
- Implementing Role Based Access Control within Optimy
At the time of redaction:
- Role based access is provided to users based on the principles of “least privilege” or “need-to-know” or “need-to-perform” based on business justification.
- Privileged access rights are logged.
- Privileged actions logs are stored in secure environments, as are all of our logs.
- Emergency access refers to the use of an ID with elevated access rights to resolve a validated system problem. The use of these IDs must be explicitly approved by the relevant management and monitored accordingly.
- Reviewing access rights yearly (at minimum)
- Letting the clients manage their employees' access to the solution.
At the time of redaction:
- We can implement SMAL2 SSO
- Otherwise, users will log-in using email and passwords.
- Password complexity can be configured by the client through the administrative settings of the solution.
- MFA can be added/enforced by the client through the administrative settings of the solution.
- Enforcing strong authentication internally.
At the time of redaction:
- 2FA and the use of Google SSO is enforced.
- A password manager is provided to cover exceptions.
1.3. Segregation control
Separate processing of data collected for different purposes, e.g. client-specific segregation, sandboxing.
In particular, at the time of redaction:
- Customers' data is logically separated from each other. We have a very low-level implementation for this security in our application code, ensuring that all the code stacks built rely on it. The only way to access data from "customer A" is to have a valid login created within "customer A".
- For customers having higher security standards, we propose an additional paid option to dedicate & isolate the hosting of the solution and the data.
- Customer data never leave the production environment. The sole exception is for debugging purposes where a strict process takes place.
- Databases are not accessible by the development teams.
- A snapshot of the production database(s) is taken and automatically anonymized. (Customers' data are randomised)
- The anonymized database is then made available to the developer(s).
- The above process is fully automated.
1.4. Data processing (as a contractor)
Refers to all forms of handling of personal data. This includes, among other things, the obtaining, changing, usage, disclosure, saving and deletion of data. It makes no difference whether the data is processed by analogue or electronic means, manually or via software automation.
1.5. Anonymisation
Processing of personal data in such a manner that the data subject is not or no longer identifiable
At the time of redaction, anonymization is used in the context of testing as explained in the chapter on “segregation”.
Article 2. Integrity (Article 32 para. 1 item b GDPR)
Optimy shall assess risks to confidentiality, integrity and availability yearly then define and implement a treatment plan.
2.1. Disclosure controls
No unauthorised reading, copying, modification or deletion during electronic transmission or transport, e.g.: Encryption, virtual private networks (VPN), electronic signature.
In particular, at the time of writing:
- Classification and labelling
Optimy has defined and implemented a classification scale. Employees and contractors are labelled with information throughout the organisation.
- Asset ownership
All assets are inventoried and attributed to an owner, responsible for the security and access to the asset.
- Electronic signature
We make the distinction between production and non-production environments.
- Production environments
- Front-facing endpoints are protected by Cloudflare’s SSL for SaaS solution(https://www.cloudflare.com/ssl-for-saas-providers/)
- This service is owned by ITOperations Team and is responsible for creating and managing the certificate base.
- Our infrastructure’s internal certificates and keys are stored and protected in AWS KMS. This service is owned by Optimy and managed by our third-party infrastructure partner, Skyscrapers.
- Non-production environments (tests, staging, etc.)
- Front-facing endpoints are protected by auto-generated Let’s Encrypt certificates.
- Internal infrastructure components are using AWS KMS - the same as for production environments.
- KMS namespace differs for non-production environments and keys/certificates must be different
- Encryption:
- Transport: All data is transferred encrypted using HTTPS (HTTP over TLS 1.2/TLS 1.3) for both the public interface and your administration interface. To ensure that a non-secure channel cannot be used to transport your data, we have also implemented the HTTP Strict Transport Security (HSTS) policy.
- Storage: All data that is stored (data at rest) is encrypted using the AES-256 algorithm. Keys used to encrypt data are managed by AWS and stored in a Hardware Security Module (HSM) for state-of-the-art security.
2.2. Data entry controls
Logging of entering, editing or deletion of personal data in data processing systems and of the users performing such, e.g.: Logging, document management
At the time of writing:
- Amazon AWS audit logs are kept in Cloudwatch/S3 and are shipped in near real-time to a second secured AWS account for duplication.
- System logs (docker containers) are shipped to an Elasticsearch service in order to be easily searchable.
- Application logs are shipped to an Elasticsearch service in order to be easily searchable.
- Logs generated upon user (customer) activity are stored in the application database.
- We are using Google’s services for a wide range of applications (Drive, Mail, etc.). These logs are stored within Google.
Article 3. Availability and reliability (Article 32 para. 1 item b GDPR)
3.1. Availability controls
Protection against accidental or willful destruction and loss, e.g.: Backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), antivirus, firewall, reporting chain and contingency plans; rapid recoverability (Article 32 para. 1 item c GDPR)
Optimy has a business continuity plan in place. At the time of writing:
Cloud | Infrastructure
Our partner Skyscrapers is responsible to conduct backups, here's the agreed policy.
Retention period:
- AWS RDS: Daily snapshots, which also allows for point-in-time recovery. Retention on database snapshots is one year.
- AWS ElasticSearch Service: AWS-provided hourly snapshot, with a retention of 14 days.
- Skyscrapers-provided snapshot every 6 hours, with a 14 day retention. Snapshots are stored on an encrypted S3 bucket.
- AWS ElastiCache for Redis: by default snapshots are disabled but is configurable
- Kubernetes state and Statefulset volumes are backed up daily through Velero with a default 14 day retention.
- Kubernetes state: all objects are backed up to S3 (encrypted)
- EBS volumes: uses AWS snapshots, encrypted if the original volume is encrypted
Tests
The BCPs and the DRP are tested yearly at minimum.
Article 4. Procedures for regular review, assessment and evaluation (Article 32 para. 1 item d GDPR), Article 25 para. 1 GDPR)
- Data protection management
- Incident response management
- Data protection-friendly default settings (Article 25 para. 2 GDPR)
- Commissioned processing controls
No commissioned processing per Article 28 GDPR without corresponding instructions from the Client, e.g.: Clear contract structuring, formalised commissioning order management, stringent service provider selection, compulsory advance evaluation, follow-up checks.
Optimy has defined & implemented:
- An incident response process
- An asset management process
- Vulnerability assessment processes and associated patching process
- Incorporated security in its change management processes at all levels
- All employees and contractors are to sign an NDA following the onboarding process.
- A media handling policy and hardware disposal process (including shredding and wiping)
- A teleworking security policy