This document supplements Annex II: Technical And Organisational Measures of the Data Processing Addendum (DPA) between Vtiger and Customer under Art 28(Processor) GDPR (EU General Data Protection Regulation).
Vtiger implements technical and organizational measures by Article 32 (Security of processing) of the GDPR. These measures are continuously improved according to feasibility and the latest technology, including the active ISO 27001 certification to enhance security and protection.
At Vtiger, we are committed to maintaining and enforcing various policies, standards, and processes to secure Personal Data and other data accessed by our employees. Our dedication to data protection includes having a specialized team for privacy and security, providing data protection for external parties, ensuring consistent protection across the organization, strict control over subcontractors, and conducting regular audits and certifications. We update these measures periodically to ensure they are aligned with industry standards.
The following description of technical and organizational measures will be differentiated, where applicable, according to these data categories.
1. Confidentiality
1.1 Physical Access Control
Measures are in place to prevent unauthorized individuals from accessing data processing systems used to process personal data.
Technical Measures |
- Locked building and office
- Biometric access
- Manual locking system
- Doors with an automatic lock system
- Security Personnel
- Video Surveillance of Entrance
- No production servers on-site
|
Organizational Measures |
- Key regulation checklist
- Reception with Security Guard Personnel
- Visitors Book
- Employee/Visitor Badge
- Visitor Accompanied by Employee
- Information Security Policy
- Work Instructions Access Control
|
While Vtiger prioritizes data security, it's important to acknowledge the shared responsibility model in cloud computing. Vtiger utilizes Cloud Service Providers (CSPs) such as AWS, DigitalOcean, and OV to provide cloud resources. These CSPs secure the underlying infrastructure and maintain robust security controls. More details on how ISP's security controls can be found here.
1.2 Logical Access Control
Security measures are in place to prevent unauthorized access to data processing systems.
Technical Measures |
- Login with a username and strong password
- Firewall
- Intrusion Detection Systems
- Use VPN for Remote access
- Encryption of Disks, Devices/Laptops/Tablets
- Two-factor authentication
- Automatic Desktop/Laptop lock
- Anti-virus software installed on devices and servers
- Access is monitored and logged
- Automatic Account Lockout when unsuccessful logins/authentications
- All usage activity and data changes are logged
|
Organizational Measures |
- User permission management, including Role-based authorization
- Creating user-specific profiles
- Information Security Policy
- Password Policy
- Mobile Device Policy
- Work Instructions: IT Security SOP and Employee Access Control
- Employee Vetting
- Training and Awareness
- De Minimis Principle
|
Vtiger Employee Access and Customer Control
Vtiger employees can access Vtiger products and customer data only through secure interfaces. This access is granted solely when customers explicitly enable it within their settings. All-access requests are meticulously logged for audit purposes.
Vtiger limits employee access to specific personnel on a need basis, ensuring that only authorized individuals can view customer data for legitimate reasons. The customer application is accessed for:
- Providing customer support
- Troubleshooting technical issues experienced by customers
- Identifying and responding to potential security threats
1.3 Authorization Control
Measures are in place to ensure that only authorized individuals can access the data processing system. Personal data cannot be read, copied, modified, or removed without proper authorization during processing, use, and storage.
Technical Measures |
- Physical deletion of data carrier/devices
- SSH Encrypted access
- Certified SSL encryption
- Shred Files and Papers that are no longer in use
- Automatic deletion of backups from archival after the retention period or when customer requests
- Logging of accesses to applications, specifically when entering, changing, and deleting data
|
Organizational Measures |
- Information Security Policy
- Minimize the Administrators Roles
- Management of user rights by administrators
- Work instructions on handling the information and assets
|
1.4 Separation Control
Measures are implemented to strict data segregation practices to ensure data collected for different purposes remains isolated. This includes logical separation, where data is categorized and stored in distinct sections within the system, and potentially physical separation, where data is stored on entirely different hardware.
Technical Measures |
- Physical separation (systems/databases/data carriers)
- Multi-tenancy of relevant applications
- Client application and data are logically separated
- Staging of development, test, and production environment
|
Organizational Measures |
- Information Security Policy
- Data Protection Policy
- Control via authorization concept
- Work instruction for: Operational security and, Security in software development and testing
|
2. Integrity
2.1 Transfer Control
Measures are in place to prevent unauthorized access to personal data during electronic transmission or while stored on data storage devices, ensuring that it cannot be read, copied, altered, or removed.
Technical Measures |
- Use of VPN
- Logging of accesses and retrievals
- Provision via encrypted connections such as SFTP, HTTPS, and secure cloud stores
|
Organizational Measures |
- Survey of regular retrieval and transmission processes
- Careful selection of transport personnel and vehicles
- Personal handover with protocol
- Information Security Policy
- Data Protection Policy
|
2.2 Input Control
The measures are in place to verify and review who has entered, modified, or removed personal data from data processing systems. Logging controls input at different levels, such as the operating system, network, firewall, database, and application.
Technical Measures |
- Technical logging of the entry, modification, and deletion of data
- Manual or automated control of the logs (according to strict internal specifications)
|
Organizational Measures |
- Survey of which programs can be used to enter, change, or delete which data
- Traceability of data entry, modification, and deletion through individual user names
- Assignment of rights to enter, change, and delete data based on an authorization concept
- Clear responsibilities for deletions
- Information Security Policy
|
3. Availability and Resilience
3.1 Availability Control
Measures are in place to protect personal data against accidental destruction or loss (e.g., UPS, air conditioning, fire protection, data backups, secure data media storage).
Technical Measures |
- A minimum of 99.9% uptime (excluding maintenance scheduled on weekend nights).
- Data Continuous Availability
- Fire and smoke detection systems
- Fire extinguisher server room
- Server room monitoring temperature and humidity
- Server room air-conditioning
- UPS system and emergency diesel generators
- Protective socket strips in the server room
- RAID system / hard disk mirroring
- Video surveillance server room
|
Organizational Measures |
- Backup concept
- Existence of an emergency plan
- Offsite backup storage
- Separation of OS and data partitions if needed
|
3.2 Recoverability Control
Measures are in place to quickly restore access to personal data in case of a physical or technical incident.
Technical Measures |
- Backup monitoring and reporting
- Restorability from automation tools
- Backup concept according to criticality and customer specifications
|
Organizational Measures |
- Disaster Recovery Plan
- Control of the backup process
- Regular testing of data recovery and logging of results
- Store backup media in a safe place outside the server room
- Existence of an emergency plan
|
4. Procedures for regular Review, Assessment, and Evaluation
4.1 Data Protection Management (DPM)
Data Protection Management (DPM) encompasses a comprehensive strategy and set of practices for securing, managing, and safeguarding sensitive information throughout its lifecycle. This includes controlling access, preventing unauthorized use, and ensuring data recovery in case of incidents.
Technical Measures |
- Central documentation of all data protection regulations with access for employees
- Security certification according to ISO 27001
- A review of the effectiveness of the TOMs is carried out at least annually, and TOMs are updated
|
Organizational Measures |
- A Data Protection Officer (DPO) is appointed.
- All staff members have been trained and are bound to maintain confidentiality and data secrecy. They receive regular awareness training at least annually.
- Data Protection Impact Assessments (DPIAs) are carried out as required.
- Processes have been established to comply with information obligations as per Art 13 and 14 of the GDPR.
- A formalized process for handling requests for information from data subjects is in place.
- Data protection aspects are integrated into our corporate risk management.
- Key parts of the company, including data center operations, are ISO 27001 certified, and annual monitoring audits are conducted.
|
4.2 Incident Response Management
Measures are in place to support security breach response and data breach process.
Technical Measures |
- Use of firewall and regular updating
- Use of spam filter and regular updating
- Use of virus scanner and regular updating
- Intrusion Detection System (IDS) for customer systems on order
- Intrusion Prevention System (IPS) for customer systems on order
|
Organizational Measures |
- A documented process for identifying and reporting security incidents and data breaches, including obligations to report to supervisory authorities
- The standard procedure for handling security incidents involving the Data Protection Officer (DPO)
- Documenting security incidents and data breaches using the internal ticketing system
- The standard process for following up on security incidents and data breaches
- Breach notification policy
|
4.3 Data Protection by Design and by Default
Measures are in place to comply with the principles of data protection by design and by default as per Art 25 GDPR.
Technical Measures |
- Third-party application approval: Approval from team leads and IT operations managers is required for all third-party applications used in development.
- Secure download source: Mandate downloads of development tools only from safe sources like manufacturer servers.
- Single Sign-On (SSO): Implement SSO where possible for third-party applications to manage access centrally.
- Less secure application disabling: Disable less secure third-party applications by default through administrator configurations.
|
Organizational Measures |
- Privacy-conscious design: Encourage product development that minimizes the amount of data users are required to enter. Avoid unnecessary data fields or make them optional.
- Default privacy settings: Pre-select privacy-friendly settings by default to prioritize user data protection.
- PbD: Data Protection Policy (includes principles "privacy by design / by default")
|
4.4 Order Control (outsourcing, subcontractors, and order processing)
Measures are in place to ensure that personal data processed on the client's behalf is only handled per the client's instructions.
Technical Measures |
- Monitoring of remote access by external parties, e.g., in the context of remote support
- Monitoring of subcontractors accordingly.
|
Organizational Measures |
- Process the data according to customer instructions
- Create work instructions for supplier management and supplier evaluation
- Adhere to regulations regarding the use of additional subcontractors
- Carefully select sub-processors, primarily focusing on data protection and security
- Conclude necessary data processing agreements, such as commissioned processing or EU standard contractual clauses
- Ensure the contractor's employees maintain data secrecy and adhere to the Information Security Policy
- Make sure to destroy data after the contract is terminated.
|