🦺 Technical and Operational Measures

Measures of pseudonymization and encryption of personal data

For the purpose of transfer control, an encryption technology is used (e.g. remote access to the company network via a two-factor VPN tunnel and full disk encryption). The suitability of an encryption technology is measured against the protective purpose. The Controller’s data is encrypted at rest using AES 256-bit encryption. Data in transit is protected by Transport Layer Security (“TLS”).

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorization concept. In accordance with the “least privilege” and “need-to-know” principles, each role has only those rights which are necessary for the fulfillment of the task to be performed by the individual person. To maintain data access control, state-of-the-art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

All our applications are built stateless using Terraform templates and can be easily recreated in different geographical regions. Data is stored in multiple AWS availability zones. The data centers can be switched in the event of natural disaster, other physical destruction or power outage to protect Personal Data against accidental destruction and loss. We maintain redundancy throughout our IT infrastructure in order to minimize unavailability or loss of data. Backups are maintained regularly in accordance with our backup procedures.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

We strive to automate audits; hence the majority of our infrastructure monitoring is automated, runs 24/7 and is based on various frameworks.

Measures for user identification and authorization

We strive to minimize any need for remote access. Most operational services are performed through automated tooling and managed services, reducing the necessity for remote access. These mechanisms allow for proper accounting and auditing of users. In break-glass scenarios, remote access to the data processing systems is only possible through our secure VPN tunnel. The users first authenticate to the secure VPN tunnel; after successful authentication, authorization is executed by providing a unique username and password to a centralized directory service. All access attempts, successful and unsuccessful, are logged.

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred outside the EEA, the Processor ensures that an adequate level of data protection exists at the target location or organization in accordance with the European Union’s data protection requirements, e.g. by employing agreements based on the EU SCCs.

Measures for the protection of data during transmission

Data in transit is protected by Transport Layer Security (“TLS”).

Measures for the protection of data during storage

Personal Data is retained internally, on the third party data center servers, which are covered by Google’s security certifications. The Controller’s data is encrypted at rest using AES 256-bit encryption and data in transit is protected by Transport Layer Security (“TLS”).

Measures for ensuring physical security of locations at which personal data are processed

Dreamdata.io utilizes third party data centers that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II and/or SOC 2 Attestation Reports. We will not utilize third party data centers that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations. Dreamdata.io’s main office is secured with keypad entry. The keypad entry requires access to a secure PIN. When it is not occupied, it is locked securely and covered by a remotely monitored alarm. A central log of keyholders is maintained and access is revoked when an employee is terminated. Dreamdata.io employees that work from home are expected to comply with our security policy in full at all times. Our disciplinary procedure covers failure to meet these standards.

Measures for ensuring events logging

System inputs are recorded in the form of log files; therefore it is possible to review retroactively whether and by whom Personal Data was entered, altered or deleted.

Measures for ensuring system configuration, including default configuration

System configuration is applied and maintained by software tools that ensure the system configurations do not deviate from the specifications.

Measures for internal IT and IT security governance and management

Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of duties as well as appropriate separation of testing and production systems. The Controller’s Personal Data is stored in a way that logically separates it from other customer data.

Measures for certification/assurance of processes and products

We utilize third party data centers that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II or SOC 2 Attestation Reports. The Processor will not utilize third party data centers that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations.

Measures for ensuring data minimization

If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good with a certain delay. This is done in order to prevent accidental deletions or possible intentional damage.

Measures for ensuring data quality

All of the data that we possess is provided by the Controller. The Processor does not assess the quality of the data provided by the Controller. The Processor provides reporting tools within its product to help the Controller understand and validate the data that is stored.

Measures for ensuring limited data retention

The Processor uses a data classification scheme for all data that it stores and our retention policy specifies how each type of data is retained. When a record with Personal Data is deleted then it will be permanently evicted from the Processor’s active databases. The data is retained in the Processor’s backups until they are rotated out by more recent backups per the data retention policy.

Measures for ensuring accountability

All employees that handle sensitive data must acknowledge the information security policies. A disciplinary policy is in place for employees that do not adhere to information security policies.

Measures for allowing data portability and ensuring erasure

Dreamdata.io has the ability to export the Controller’s data in a machine-readable format to a cloud storage location (i.e. BigQuery, AWS S3 Bucket, or Google Cloud Storage) for portability and/or the ability to permanently delete it.