These measures are also listed in Appendix 2 of our Data Protection Agreement (DPA).
The Technical and Organizational Measures (TOMs) are in place to ensure an appropriate level of protection for personal data and, more specifically, to protect the rights and freedoms of data subjects. Below you will find detailed information about Progressiverobot's TOMs.
Physical access control
Physical access control defines who has physical access to a site, building, or room.
| Measure | Data centers | Admin buildings |
|---|---|---|
| Electronic physical entry control system with log | ✓ | ✓ |
| Documented distribution of access medium | ✓ | ✓ |
| Comprehensive video monitoring | ✓ | ✓ |
| Policies about how to handle visitors | ✓ | ✓ |
| High security perimeter fencing (with anti-climbing and anti-tunneling protection) around the entire data center park | ✓ | NA |
| Separate colocation area with lock-able racks and physical access control for enclosed cages | ✓ | NA |
For the next few sections of this article, the following applies:
- Dedicated servers/Cloud Servers: You/the Client are fully responsible for the management, maintenance, and security of the server.
- Managed products: For these products, we at Progressiverobot take responsibility for the maintenance, administration, and security of your systems.
Electronic access control
Electronic access control defines who is allowed to log on to a system, so that only authorized people have access to it.
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage |
|---|---|---|---|---|---|---|---|---|
| Individual customer accounts with numerous management options and access to the administration interface | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Traceable access logs and change logs for customer accounts | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Required passwords for customer accounts with defined minimum requirements | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Option for two-factor authentication (2FA) for customer accounts | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage |
|---|---|---|---|---|---|---|---|---|
| Client has exclusive access to the server | ✓ | ✓ | ✓ | NA | NA | NA | NA | ✓ |
| Only authorized Progressiverobot employees have access, within the scope of the agreed service, via multi-level authentication and cryptographic protection. Depending on the product, this access covers tasks ranging from infrastructure maintenance to complete server management. | NA | NA | NA | ✓ | ✓ | ✓ | ✓ | NA |
| Individually configured firewall | NA | ✓ | ✓ | NA (see next row) | NA (see next row) | NA (see next row) | NA (see next row) | ✓ |
| Progressiverobot-managed firewall with 24/7 monitoring | NA | NA (see previous row) | NA (see previous row) | ✓ | ✓ | ✓ | ✓ | NA (see previous row) |
| Virus scanner / Security tests | Client's responsibility | ✓ | ✓ | ✓ | ✓ | Rootkit tests | Rootkit tests | X |
| (Additional) measures are the responsibility of the Client | ✓ | ✓ | ✓ | NA | NA | NA | NA | ✓ |
Internal access control
Internal access control defines which authorizations people have within a system. It defines what a user may see, change, or execute after accessing a system.
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage |
|---|---|---|---|---|---|---|---|---|
| Regular updates | Client's responsibility | Client's responsibility | ✓ For the underlying cloud infrastructure | ✓ | ✓ | ✓ | ✓ | ✓ |
| Audit-proof, binding authorization procedure based on a role and authorization policy | Client's responsibility | Client's responsibility | ✓ For access to the cloud infrastructure | ✓ | ✓ | ✓ | ✓ | ✓ |
| Maintaining, securing, and updating transferred data/software | Client's responsibility | Client's responsibility | Client's responsibility | Client's responsibility | Client's responsibility | Client's responsibility | Client's responsibility | Client's responsibility |
| (Additional) measures are the responsibility of the Client | ✓ | ✓ | ✓ Regarding access to cloud servers | NA | NA | NA | NA | NA |
Transfer control
Transfer control includes measures and procedures that ensure that the use, access, and transport of physical data storage media are monitored and protected against unauthorized access.
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage | Internal admin systems |
|---|---|---|---|---|---|---|---|---|---|
| Defined process for deleting data from storage drives after the contract ends; implemented differently depending on product type | Client's responsibility | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Storage drives are physically destroyed if data cannot be successfully erased | Client's responsibility | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Isolation control
Isolation control measures ensure that data for each customer or application within a system is kept separate from that of others during processing and storage.
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage | Internal admin systems |
|---|---|---|---|---|---|---|---|---|---|
| Physical or logical separation of data | Client's responsibility | Client's responsibility | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Physical or logical separation of backup data | Client's responsibility | Client's responsibility | ✓ | ✓ | ✓ | ✓ | ✓ | NA | ✓ |
| (Additional) measures are the responsibility of the Client | ✓ | ✓ | ✓ | NA | NA | NA | NA | NA | NA |
Pseudonymization
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage |
|---|---|---|---|---|---|---|---|---|
| Only the Client can access the server | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Confidentiality
Confidentiality measures ensure that personal data is protected from unauthorized access or disclosure while it is being processed and stored.
| Measure | General | Depends on product |
|---|---|---|
| Progressiverobot employees sign a confidentiality agreement before they begin any work with personal data, in compliance with data protection regulations. | ✓ | X |
| Progressiverobot employees regularly receive training to raise awareness of and knowledge about data protection and information security. | ✓ | X |
| Encryption options for data transfers | X | ✓ |
Integrity
Data integrity measures ensure that data and systems remain complete, uncorrupted, and correct while they are being stored or transferred.
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage | Internal admin systems |
|---|---|---|---|---|---|---|---|---|---|
| Changes to data are logged | Client's responsibility | Client's responsibility | Client's responsibility | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| The Client is responsible for entering and processing data | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ The Client can edit their data themselves using their customer account |
| (Additional) measures are the responsibility of the Client | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | NA |
Availability and resilience
Availability measures focus on keeping systems in continuous working order. Resilience measures ensure that data remains available even under exceptional circumstances.
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage | Internal admin systems |
|---|---|---|---|---|---|---|---|---|---|
| 24/7 technical support directly in the data center | NA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Uninterruptible power supply using redundant UPSs and an emergency power supply system | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Redundant and highly available network infrastructure | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Site-wide early-warning fire system; direct connection to the local fire and rescue coordination center | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage | Internal admin systems |
|---|---|---|---|---|---|---|---|---|---|
| Dynamic fire protection measures | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Regular training for emergencies and fire protection | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Redundant and energy-efficient cooling using direct free cooling and climate controls | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Cold-aisle containment | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Continuous monitoring of air temperature in server rooms and distribution cabinets | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Continuous active DDoS detection | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Measures | Colocation | Dedicated servers | Cloud servers | Managed servers | Web hosting | Storage Shares | Storage Boxes | Object Storage | Internal admin systems |
|---|---|---|---|---|---|---|---|---|---|
| Backup and recovery plan | Client's responsibility | Client's responsibility | ✓ Depends on purchased services | ✓ Partially depends on purchased services | Possible to restore specific files | RAID-based storage backend | Snapshots, depending on purchased services | Redundant storage within the cluster system | ✓ Daily backups of all relevant data |
| Disk mirroring | Client's responsibility | Client's responsibility | Client's responsibility | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ On all relevant servers |
| Monitoring | Client's responsibility | Client's responsibility | Client's responsibility | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ On all relevant servers |
| Escalation process for faults and emergencies | See product description | See product description | See product description | See product description | See product description | See product description | See product description | See product description | See product description |
| Use of software firewall and port management | Client's responsibility | Client's responsibility | Client's responsibility | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Procedures for regular testing, assessment, and evaluation
Regularly testing, assessing, and evaluating the data protection and security standards ensures that the measures remain compliant with regulations and improve over time.
| Measure | General | Depends on product |
|---|---|---|
| Data protection information security management system (DIMS) | ✓ | X |
| Incident response management | ✓ | X |
| Data-protection-friendly default settings (privacy by default) | ✓ | X |
| Employment of a data protection and information security officer who is integrated into the operational processes | ✓ | X |
