This is version 3, last updated on 02.06.2022.
Vitec Aloc A/S
5000 Odense C
(hereafter 'the Company', 'us', 'we' or 'our')
Please note that this is the applicable Security Description for Vitec Aloc A/S, unless you have specific agreement(s) with us which differ from this description.
This description of the technical and organizational security measures (hereinafter the 'Security Description') has been prepared to document the security measures implemented by the Company pursuant to article 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which entered into force on 24 May 2016 and has applied since 25 May 2018 (the 'GDPR').
The security measures have been implemented to ensure a level of security appropriate to the risks by taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The Security Description applies to the entire Company and all of its systems and business processes.
2. General control
In general, the Company conducts continuous assessments of the security measures implemented by the Company and its data processors and of compliance with the GDPR. This includes regular testing, assessment or evaluation of the security measures implemented by the Company and by the data processors. In addition, the Company prepares new versions of the Security Description to ensure that it is kept up to date and always meets any security measures agreed in the applicable data processing agreement(s) with data controller(s).
Control with the security measures implemented by the Company
In order to control the Company's implemented security measures, the Company assesses the following points:
- Records of processing activities are reviewed and updated at least annually.
- New or changed procedures for processing personal data are communicated to the Company's GDPR-responsible person.
- Implemented security measures are subject to regular internal audits and are being updated when necessary.
Control with the security measures implemented by the data processors
In order to control the data processors’ implemented security measures, the Company assesses the following points:
- Data processing agreements are reviewed to ensure that they meet the requirements in article 28 of the GDPR.
- The organizational and technical security measures implemented by the data processor(s) are regularly monitored, at least annually.
- It is ensured that the data processor erases or destroys the personal data when the data processing agreement is terminated (in addition to the data processor having returned the personal data).
- Assignment of authorizations to systems is monitored (e.g. the data processor has no direct access with administrator privileges to IT systems and databases).
- The Company checks that the data processor has concluded data processing agreements with its sub-data processors, by collecting the sub-data processing agreements and the documentation of the data processor's control of said sub-data processors.
Data processing setups differ greatly and depend on the customer-specific solution, so the measures under section 11.1 above might not be applicable to you. If you have any questions regarding your specific setup/solution, we kindly ask you to contact your contact person or send us an e-mail at email@example.com.
3. Physical security
The Company has implemented the following physical security measures:
- The Company's office rooms are lockable.
- The Company uses alarm system(s) to prevent break-ins, burglary, etc.
- The Company has fire alarm(s) and smoke detector(s) to prevent fires, accidental destruction or loss of data, etc.
- The Company has a safety-tested emergency and evacuation plan.
- The Company's equipment (including PCs, servers, etc.) is secured behind locked doors.
- Employees are identified when entering the building by using personal access cards.
- The Company uses key management, i.e. issue of keys to the relevant and necessary employees, etc.
- Hardware containing customer data and personal data is located in a separate access zone, for which a specific personal access card is required.
Additional information about our datacenter, where personal data under the GDPR is stored and from where it is processed - Physical entry controls (ref. ISO 27001, A.11.1.2):
- The entrance to the datacenter is protected by a lock that can only be opened with a unique identity card. Each use of an identity card to access the datacenter is logged in an IT system, from which the owner of the identity card used can be seen.
- Furthermore, the entrance is under video surveillance from the inside, so that any person entering the room is recorded. This is a preventive security measure, and it also allows us to verify that only authorized personnel enter the room and that the authorized personnel use their own unique identity card rather than lending out or borrowing identity cards.
- Using an identity card to access the datacenter also requires a personal 4-digit PIN code linked to the identity card.
- The entrance door is equipped with an automatic closer and lock, meaning that when the door is released it shuts and locks after a few seconds.
4. Organizational security
The Company has implemented the following organisational security measures:
- All employees are subject to confidentiality regarding all personal data processed.
- Employee access to premises and personal data in the Company IT systems is limited, so employees only have access to the relevant and necessary personal data.
- Employees with access to special categories of personal data (so-called 'sensitive' personal data) or critical IT systems are security-cleared before they are hired.
- Employees' processing of personal data is logged wholly or partially and can be checked as needed.
- The Company has a documented description of procedure for personal data breaches, which is revised at least annually.
- The company has an IT security policy.
- The Company has a documented process to ensure erasure or continued confidentiality with regards to personal data when hardware is repaired, discarded or at service.
- The Company can take employment-related action in response to employee breaches of company data security or non-compliance with instructions for personal data processing.
- Employees document and report any risks as a result of security breaches when necessary.
5. Technical and logical security
Access control to systems
In order to ensure confidentiality and integrity of the Company’s IT systems, the Company has implemented the following security measures:
- The Company has logical access control by using username(s) and password(s) or other authorization(s).
- The Company uses antivirus software that is updated regularly.
- The Company logs and controls unauthorized or repeated failed attempts to log in to some company systems.
- The Company requires its employees to use individual passwords.
- Company PCs are automatically locked after a period of inactivity, i.e. a password is required to resume work after inactivity.
- The Company has a password policy, including minimum requirements for the composition of passwords.
- The Company has procedures for revoking authorizations when an employee changes department or stops working at the Company.
- The Company has procedures for assigning authorizations to IT systems when a new employee starts at the Company.
- The Company uses a firewall to prevent unauthorized access and protect network resources.
Access control to personal data
In order to ensure confidentiality and integrity of the personal data, the Company has implemented the following security measures:
- The technical security measures implemented are regularly reviewed through an automated annual work cycle in ComplyCloud.
- The Company assigns individuals or groups of users authorizations to access, modify, and delete personal data.
- The Company has procedures for recovering and restoring data from backups.
- Regular reviews and controls of user authorizations are performed to ensure that only the relevant and necessary users can access, change and erase personal data.
- Unauthorized or repeated attempts to access data are logged and monitored.
- The company has traceability of access, modification and erasure of data by individual users.
The Company uses pseudonymization. When pseudonymization is used, the information that can identify the data subject is separated from the working data and stored in a separate, protected IT system.
Pseudonymization is used when a purpose cannot be fulfilled with anonymized data. If a purpose can be fulfilled with anonymized data, the data is anonymized instead of pseudonymized, cf. the guidelines on preparation of data dumps.
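The distinction drawn above (identifiers split off into a separately protected store versus irreversible anonymization) can be made concrete in code. The following is an added example, not code from Vitec Aloc or the ComplyCloud system; the record layout, field names and the constructed sample records are assumptions. It uses a keyed HMAC so that the same data subject receives the same token in every record (which keeps per-subject analysis possible) while the token cannot be computed or reversed without the key and the vault's mapping, and it contrasts this with anonymization, which drops the link between records altogether.

```python
import hmac
import hashlib
import secrets

# Constructed sample records; the CPR-style numbers and names are invented.
SAMPLE_RECORDS = [
    {"cpr": "010190-1234", "name": "Anna Example", "postcode": "5000", "balance": 1200.50},
    {"cpr": "020285-5678", "name": "Bo Example", "postcode": "5000", "balance": -300.00},
    {"cpr": "010190-1234", "name": "Anna Example", "postcode": "5230", "balance": 80.00},
]

# Fields that directly identify the data subject and are moved to the vault.
IDENTIFYING_FIELDS = ("cpr", "name")


class PseudonymVault:
    """Separate, protected store holding the token -> identity mapping.

    In a real deployment this lives in its own access-controlled system,
    not beside the working data set; the key never leaves it.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._mapping = {}

    def token_for(self, record: dict) -> str:
        # Deterministic keyed pseudonym: same person -> same token across
        # records. HMAC rather than a bare hash, so the small CPR number
        # space cannot simply be enumerated and matched against tokens.
        identity = "|".join(record[f] for f in IDENTIFYING_FIELDS)
        digest = hmac.new(self._key, identity.encode("utf-8"), hashlib.sha256)
        token = digest.hexdigest()[:16]
        self._mapping.setdefault(token, {f: record[f] for f in IDENTIFYING_FIELDS})
        return token

    def reidentify(self, token: str) -> dict:
        # Only the holder of the vault can map a token back to a person.
        return dict(self._mapping[token])


def pseudonymize(records, vault: PseudonymVault):
    """Replace direct identifiers with a token; the rest of the record is kept."""
    out = []
    for r in records:
        token = vault.token_for(r)
        rest = {k: v for k, v in r.items() if k not in IDENTIFYING_FIELDS}
        out.append({"subject": token, **rest})
    return out


def anonymize(records):
    """Irreversible: drop direct identifiers and coarsen the quasi-identifier.

    No token and no mapping exist anywhere, so records can no longer be
    linked to a person, nor to each other.
    """
    return [{"postcode_area": r["postcode"][:2], "balance": r["balance"]} for r in records]


def balances_per_subject(pseudo_records):
    """A purpose that needs pseudonymized (linkable) rather than anonymized data."""
    totals = {}
    for r in pseudo_records:
        totals[r["subject"]] = totals.get(r["subject"], 0.0) + r["balance"]
    return totals


if __name__ == "__main__":
    vault = PseudonymVault(secrets.token_bytes(32))  # key kept only in the vault
    pseudo = pseudonymize(SAMPLE_RECORDS, vault)
    print("pseudonymized:", pseudo)
    print("per subject:", balances_per_subject(pseudo))
    print("re-identified first subject:", vault.reidentify(pseudo[0]["subject"]))
    print("anonymized:", anonymize(SAMPLE_RECORDS))
```

The per-subject total is only computable on the pseudonymized data set, which is exactly the situation the text describes in which anonymization would not fulfil the purpose; when the purpose does not need that linkage, `anonymize` is the safer choice because there is nothing left to protect or re-identify.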
In order to ensure confidentiality and integrity, the Company has implemented the following security measures:
- Passwords stored on company computers are encrypted.
- The content of external hard drives, USB keys, etc. is encrypted when such content contains personal data.
- Network encryption is used.
- Company computers have encrypted hard disks.
- Personal data is encrypted in relevant systems and/or on storage media.
- Special categories of personal data are encrypted in systems and/or on storage media.
- The Company uses Hyper Text Transfer Protocol Secure (HTTPS).
Availability and resilience
In order to ensure that the Company’s IT systems and processing services are protected against accidental destruction or loss and that the Company is able to cope with risks, the Company has implemented the following security measures:
- The temperature and humidity in server rooms are monitored.
- Uninterrupted power supply (UPS) is used.
- Active alerts are triggered when unauthorized access attempts are made to server rooms and/or to processing systems and data.
- Backups are regularly made.
- The Company has guidelines and rules concerning the recovery of data from backups.
- The Company has guidelines and rules concerning backup.
- Server rooms have air conditioning system(s).
- Server rooms have smoke alarm(s) and fire extinguisher(s).
- Only authorized employees have access to Company servers.
- The availability and resilience of company systems and servers are secured by third parties with whom the Company has an agreement.
Additional information about our datacenter, where personal data under the GDPR is stored and from where it is processed - Protection against external and environmental threats (ref. ISO 27001, A.11.1.4):
- Flood: The datacenter floor is raised approximately 30 cm above the ground. The datacenter is located 10 meters above sea level, which protects it against flooding due to rising water levels, and the floor is raised a further 30 cm above ground level to protect against flooding due to heavy rain. All cabling is routed just below the ceiling.
- Overheating and moisture damage: The servers containing information stand in the datacenter with approximately 10 square meters of free space in front of them and 6 square meters behind them. A cooler placed in front of the servers supplies them with cold air, so the servers only draw in cold air. Hot air exits into the free space behind the servers, so an air extractor is placed in the ceiling there to remove the hot air and prevent the servers from drawing it back in, ensuring that the servers are only supplied with cold air.
A sensor placed in the datacenter constantly monitors temperature and humidity. If the temperature and/or humidity changes, our CEO and Technical Service Manager are immediately and automatically notified. The system also sends a weekly notification to our CEO and Technical Service Manager to show that it is working properly.
- Fire: The datacenter is equipped with a fire and smoke alarm. If it senses fire or smoke, the fire system in the whole building is activated and the fire brigade is called automatically. The fire system is maintained twice a year and tested 2-4 times a year. Furthermore, the fire system is monitored to ensure that it is always functioning.
- Uninterruptible Power Supply (UPS): The datacenter is equipped with a UPS in case of power failure. At maximum capacity, the UPS can supply the datacenter with power for approximately 60 minutes. At maximum capacity, in the event of a power failure the UPS supplies the servers with power for 30 minutes and stands down if mains power returns within that time. If the power failure lasts longer than 30 minutes, the UPS uses the remaining 30 minutes to shut the servers down securely, so that no information is lost or damaged in any way. The UPS automatically ensures that it always retains both the capacity to wait for power to return and the 30 minutes needed to shut the servers down securely in case of power failure. The UPS is maintained at least once a year and is monitored to make sure that it is functioning.
- Network: The datacenter is equipped with a 4G network backup, which is activated if the established network line loses connection.
Control of transmission
In order to ensure that unauthorized persons cannot read, copy, modify or erase personal data during transmission, the Company has established the following security measures:
- The Company uses and has guidelines for secure email.
- Outgoing emails containing special categories of personal data or data of purely private matters are encrypted.
- The Company has guidelines for the use of company/employee email accounts, covering private matters, appropriate use, encryption, secure email, etc.
6. Delivery of third-party security
The Company receives part of its technical security measures from the following: Vitec Software Group, group IT.
Your specific setup/solution may involve technical arrangements with an additional third party. If you need further information about your specific setup/solution, we kindly ask you to contact your contact person or send us an email at firstname.lastname@example.org.