Security Policy
Technical and Organisational Security Measures
(Including Technical and Organisational Measures to Ensure the Security of Data)
Below is a description of the technical and organisational measures implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Where applicable this Security Policy will serve as Annex II to the SCCs.
Measure | Description |
---|---|
Measures of pseudonymisation and encryption of Personal Data | TestDome follows industry standard practices for storage of passwords, keys and secrets. TestDome uses TLS ("Transport Layer Security") to encrypt and protect against data tampering when data is in transit. Data at rest is encrypted using FIPS 140-2 compliant keys and algorithms. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Security Program TestDome maintains a security management program that includes but is not limited to:
Staff training and policies TestDome maintains policies and practices that include the following controls and safeguards applied to TestDome staff who have access to data and/or provide support and services to customers:
|
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | The required infrastructure that ensures the TestDome application's availability is covered by the Microsoft Azure SLA, with a minimum availability of 99.9% of the time. All data is stored in a redundant manner to ensure its availability in case of data center failures. Backups of the application database are created periodically and kept for up to 35 days. The process to deploy the TestDome application is semi-automated and, in the event of an incident, the TestDome application can be restored within a reasonable timeframe. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | TestDome employs automated vulnerability scanning tools and comprehensive testing methodology to ensure data is processed in a secure and reliable way. TestDome seeks external security audits whenever major changes are implemented to the infrastructure or application. TestDome employs a comprehensive testing methodology that includes automated and manual testing on a separate testing environment before deploying changes to customers. |
Measures for user identification and authorisation | TestDome maintains a list of users and passwords in the TestDome application's database (which is encrypted at rest). All users go through an email verification process when they first sign up for TestDome. Passwords are stored according to NIST guidance on "memorized secrets". Users are encouraged to use strong passwords whenever they're signing up or changing their passwords. All failed sign-in attempts are logged and the application detects and blocks brute-force attacks by locking out users with an unusual amount of failed sign-in attempts within a short time period. |
Measures for the protection of data during transmission | Data in transit is protected by Transport Layer Security ("TLS"). |
Measures for the protection of data during storage | All data storage infrastructure is provided by Microsoft Azure and the security of such data is covered by Azure's certifications. All data at rest is encrypted using FIPS 140-2 compliant encryption All data in transit is protected by Transport Layer Security ("TLS"). |
Measures for ensuring physical security of locations at which Personal Data are processed | All infrastructure for TestDome's application, including all the infrastructure used to store data, is hosted on Microsoft Azure data centers. Azure data centers have strict security policies to control physical access to them. These security policies include, but are not limited to, formal access requests and approval, professional security staff, biometric access control mechanisms. More information about data center physical security can be found here. |
Measures for ensuring events logging | Application HTTP requests, database queries, and errors are logged and kept for 90 days to allow reviewing the logs retroactively. |
Measures for ensuring system configuration, including default configuration | Non-sensitive software configuration is maintained as code and managed by our SCM tool. All changes are recorded and can be traced back to the person responsible for making the change. Sensitive software configuration (such as passwords, secrets, and digital certificates) are stored encrypted on Microsoft Azure KeyVault and access to this information is granted on a need-to-know basis. All the infrastructure used by TestDome's application is provided by Microsoft Azure and all changes to the infrastructure are logged and can be traced back to whoever made it. |
Measures for internal IT and IT security governance and management | At a technical level TestDome stores data in a way that logically separates data of one customer from another. TestDome also maintains appropriate separation of production and testing environments. For staff training and policies see the item above titled "Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services". |
Measures for certification/assurance of processes and products | See the item above titled "Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing". |
Measures for ensuring data minimisation | See the item below titled "Measures for ensuring limited data retention". |
Measures for ensuring data quality | TestDome does not assess the quality of the data provided by its users, however TestDome does provide tools and support channels to help users validate and fix data that is stored. |
Measures for ensuring limited data retention | TestDome's users can decide on how long TestDome will keep their data stored in its servers. Automated procedures are in place to anonymise data that is older than the period chosen by users. In addition, users can contact TestDome support channels to request data to be anonymized immediately. Data may be kept in TestDome backups/logs for an extended period of time, but it is permanently deleted/anonymised once older backups are rotated out by newer ones. |
Measures for ensuring accountability | TestDome internally reviews its information security policies to ensure they are still relevant and are being followed. All employees must acknowledge the information security policies and are required to sign an NDA upon joining the company. A disciplinary policy is in place for employees that do not adhere to information security policies. |
Measures for allowing data portability and ensuring erasure | The TestDome application has built-in tools that allows users to export some of their data. For any data that is not covered by the built-in application tools, TestDome provides support channels where users can request their data to be exported and/or anonymized. |
Measures to be taken by the (Sub-) processor to be able to provide assistance to the Controller (and, for transfers from a Processor to a Sub-processor, to the Data Exporter). | The transfer of data to third parties (e.g. sub-contractors, sub-processors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If data is transferred outside the EEA, TestDome provides that an adequate level of data protection exists at the target location or organization in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the EU SCCs. |