SYMPA’S TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE DATA SECURITY
Sympa has implemented the following technical and organizational measures to ensure the security of processing personal data. These measures are intended to fulfill the requirements of Article 32 of the GDPR and related data security requirements. Furthermore, Sympa is an ISO 27001 and ISO 9001 certified service provider.
Sympa has implemented the following technical and organizational measures:
Measures to ensure confidentiality
Physical access control
Measures that physically deny unauthorized persons access to Sympa’s premises, to the IT systems used to process customer data (including personal data), and to confidential files and data storage media.
Measures related to the physical access control:
- Sympa’s system is operated from top-tier cloud provider infrastructure with effective and recognized physical security management systems
- Sympa offices are separated from public areas by locked doors
- Access to Sympa offices is limited to approved personnel (visitors or external service providers are admitted individually)
- Doors to cabinets and other security areas are always closed and access is regulated
- Individual access control to customer data on a need-to-know basis
- All workstations are encrypted, with antivirus software and screen lock activated
- The disposal or reusing of IT equipment is regulated
- Guidelines for clean desk and screen locking are implemented and observed
Logical access control
Measures to prevent unauthorized persons from processing or using data subject to applicable privacy laws.
- Access and actions logging in IT-systems
- Technical monitoring 24/7 through an expert SOC service.
Encryption measures
Measures or operations whereby customer data is encrypted.
Data encryption in transit and at rest through industry-recognized, standardized encryption schemes.
Transport control
Measures to ensure that the confidentiality and integrity of data are protected during transmission of personal data.
Description of transport control:
- Transmission of data via encrypted data networks or VPN tunnel connections
- All transmissions are encrypted with industry standard schemes.
- Comprehensive logging procedures.
Data access control
Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights.
Description of data access control:
- Access and actions logging in all application infrastructure
- All workstations are encrypted, with antivirus software and screen lock in place
- Individual access control on a need-to-know basis
- Password policy in place, MFA enforced where applicable, SSO used widely
Separation rule
Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems.
Description of the separation control process:
- Access to systems processing personal data is role-based and requires approval from at least the line manager.
- Encrypted storage of personal data.
Measures to ensure integrity
Data integrity
Measures to ensure that stored personal data cannot be corrupted by a malfunction of the system.
Description of data integrity:
- Regular penetration testing of the service is conducted by a reputable third-party service provider.
- Changes to the service are peer reviewed before deployment.
- Technical monitoring 24/7
Availability control
Measures to ensure that personal data are protected against accidental destruction or loss.
Description of the availability control system:
- Data backup procedures
- Service is operated from top-tier cloud provider infrastructure with effective and recognized physical security management systems.
Recovery measures
Measures to ensure the ability to restore the availability of and access to personal data in the event of a physical or technical incident.
Description of the measures for quick recovery:
- Data backup procedure
- Regular tests of data recovery.