Technical and Organizational Measures
These Technical and Organizational Measures (the “TOMs”) are an integral part of the Personal Data Processing Agreement / Addendum / Attachment / Schedule / Section (or any other equivalent document, as applicable) between SIPPIO (including its Global Affiliates) and Customer (including its Global Affiliates, if any), which incorporates them by reference.
1. Access Control to Premises (NOT APPLICABLE}
SIPPIO operates its services in the Microsoft AZURE Cloud. Responsibility for physical access to Azure Data Centers rests with Microsoft and its’ sub-contractors. Refer to the following links for AZURE data center physical control policies & procedures.
Access control to premises
SIPPIO is completely architected for the cloud and only utilizes software running in Microsoft Azure data centers and therefore inheriting the controls, risk management and security policies set forth by Microsoft’s standards. Microsoft owns the complete physical infrastructure and strictly controls physical access to the areas where customer data is stored.
- GDPR: General Data Protection Regulation – Microsoft GDPR | Microsoft Docs
- Premise Access Management: Physical security of Azure datacenters – Microsoft Azure | Microsoft Docs
- Trust Documents: Trust Documents I Microsoft Docs
- Personal Data: Protection of customer data in Azure | Microsoft Docs
2. Access Control to Use of System
In order to prevent logical access to its Personal Data processing equipment by unauthorized persons, SIPPIO will implement and maintain the following measures:
2.1. SIPPIO will only grant individuals access to the Personal Data processing equipment with
2.1.1. a unique user ID for access with formal authorization process, and
2.1.2. a unique password with the following features:
220.127.116.11. a complex password, consisting of eight characters and three of four-character sets.
18.104.22.168. a maximum password lifetime of ninety days; and
22.214.171.124. an account lockout on failed logins.
2.2. SIPPIO will grant the individuals access based on their job function with the following criteria:
2.2.1. role-based access.
2.2.2. least-privileged access; and
2.2.3. access only on a need-to-know basis.
2.3. The screen of endpoints will be automatically locked after 20 minutes idle time
2.4. SIPPIO will log access to the data processing equipment.
2.5. SIPPIO will use a multi-factor authentication of SIPPIO’s virtual private network (VPN) for remote access.
2.6. SIPPIO will implement and maintain a central user administration.
2.7. SIPPIO will encrypt endpoints provided by itself.
3. Access Control to Personal Data
SIPPIO will prevent logical access to Personal Data by unauthorized persons by implementing and maintaining suitable measures to prevent unauthorized reading, copying, alteration or removal of the media containing Personal Data, unauthorized input into memory, reading, alteration or deletion of the stored Personal Data. This will be accomplished by the following measures:
3.1. SIPPIO will only grant individuals access to the Personal Data with:
3.1.1. a unique user ID for access with formal authorization process, and
3.1.2. a unique password with the following features:
126.96.36.199. a complex password, consisting of eight characters and three of four character sets;
188.8.131.52. a maximum password lifetime of ninety days; and
184.108.40.206. an account lockout on failed logins.
3.2. SIPPIO will grant individuals access to the Personal Data based on their job function with the following criteria:
3.2.1. role-based access.
3.2.2. least-privileged access; and
3.2.3. access only on a need-to-know basis.
3.3. The screen of endpoints will be automatically locked after 20 minutes idle time.
3.4. SIPPIO will log access to the data processing equipment.
3.5. SIPPIO will maintain access control lists (ACL).
3.6. SIPPIO will conduct data backups and retrievals, using a secure storage of backup media and testing backups.
3.7. SIPPIO will implement and maintain a formal access control change management program.
3.8. SIPPIO will implement and maintain internal policies and standards comprising security policies and standards, both at a corporate and business unit level.
3.9. SIPPIO will conduct periodic mandatory trainings with respect to protection of personal data and will monitor and enforce the training participation.
3.10. SIPPIO will implement and maintain anti-virus programs, which are centrally monitored and updated, and conduct regular anti-virus scans on endpoints.
3.11. SIPPIO will conduct a secure deletion and/or disposal of data.
3.12. SIPPIO uses encrypted Azure COSMOS databases for storing data.
4. Transmission Control
SIPPIO will prevent any unauthorized access to Personal Data via implementation of secure communication channels and logging as follows:
4.1. SIPPIO will use a VPN with a multi-factor authentication for remote access.
4.2. SIPPIO will use firewalls with the following features and processes:
4.2.1. stateful inspection.
4.2.2. default denial access rules are implemented unless access rules are explicitly approved.
4.2.3. role-based and least-privileged access on a “need to know” basis.
4.2.4. logging and alerting of access; and
4.2.5. annual review of firewall rules.
4.3. SIPPIO will use encrypted email if the same has been enabled by Customer, using transport layer security (TLS) as the methodology.
4.4. SIPPIO will implement and maintain security policies and standards at a corporate level.
5. Input Control
SIPPIO will ensure the possibility to check and establish whether and by whom Personal Data have been put into, modified or removed from the Personal Data processing equipment as follows:
5.1. Individuals accessing personal data will require a unique user ID and authorization for access.
5.2. SIPPIO will implement and maintain security policies and standards both at a corporate and business unit level.
5.3. The Personal Data processing equipment will have logging functionalities.
5.4. SIPPIO will only grant individuals access to Personal Data based on their job function, with the following categories:
5.4.1. roles-based access;
5.4.2. least-privileged access; and
5.4.3. access on a “need-to-know” basis.
6. Organization Control
SIPPIO will ensure data processing adheres to the instructions of the customer:
6.1. SIPPIO will ensure that in case of commissioned data processing, the Personal Data are processed strictly in accordance with the instructions of Customer.
6.2. Customer will provide clear instructions to SIPPIO regarding the scope of the processing of personal data, and SIPPIO will adhere to these instructions.
6.3. SIPPIO will ensure data retention meet local telco regulatory requirements.
7. Availability Control
SIPPIO will prevent any accidental destruction or the loss of Personal Data by appropriate measures as follows:
7.1. SIPPIO will implement a highly redundant and available architecture within each Azure region & between Azure Data Center Regions.
7.2. SIPPIO will implement and maintain a disaster recovery plan, and annually review and test it.
7.3. SIPPIO will implement and maintain a backup strategy and backup procedures.
7.4. SIPPIO will implement and maintain anti-virus programs and firewall systems.
8. Control of Separation of Data
SIPPIO will implement and maintain appropriate measures to allow the separate processing of data which have been collected for different purposes as follows:
8.1. SIPPIO will separate different customers’ Personal Data by storing Personal Data in logically separated databases.
8.2. SIPPIO will separate between productive and test data.