Technical and Organizational Measures

Vtiger - Technical and Organizational Measures (TOMs)

This document supplements Annex II: Technical And Organisational Measures of the Data Processing Addendum (DPA) between Vtiger and Customer under Art. 28 (Processor) of the GDPR (EU General Data Protection Regulation).

Vtiger implements technical and organizational measures in accordance with Article 32 (Security of processing) of the GDPR. These measures are continuously improved according to feasibility and the latest technology, including maintaining an active ISO 27001 certification to enhance security and protection.

At Vtiger, we are committed to maintaining and enforcing various policies, standards, and processes to secure Personal Data and other data accessed by our employees. Our dedication to data protection includes having a specialized team for privacy and security, providing data protection for external parties, ensuring consistent protection across the organization, strict control over subcontractors, and conducting regular audits and certifications. We update these measures periodically to ensure they are aligned with industry standards.

The following description of technical and organizational measures will be differentiated, where applicable, according to these data categories.

1. Confidentiality

1.1 Physical Access Control

Measures are in place to prevent unauthorized individuals from accessing data processing systems used to process personal data.

Technical Measures
  • Locked building and office
  • Biometric access
  • Manual locking system
  • Doors with an automatic lock system
  • Security Personnel
  • Video Surveillance of Entrance
  • No production servers on-site
Organizational Measures
  • Key regulation checklist
  • Reception with security guard personnel
  • Visitors book
  • Employee/visitor badges
  • Visitors accompanied by an employee
  • Information Security Policy
  • Work instructions for access control

While Vtiger prioritizes data security, it is important to acknowledge the shared responsibility model in cloud computing. Vtiger utilizes Cloud Service Providers (CSPs) such as AWS, DigitalOcean, and OV to provide cloud resources. These CSPs secure the underlying infrastructure and maintain robust security controls. More details on the CSPs' security controls can be found here.

1.2 Logical Access Control

Security measures are in place to prevent unauthorized access to data processing systems.

Technical Measures
  • Login with a username and strong password
  • Firewall
  • Intrusion Detection Systems
  • Use VPN for Remote access
  • Encryption of Disks, Devices/Laptops/Tablets
  • Two-factor authentication
  • Automatic Desktop/Laptop lock
  • Anti-virus software installed on devices and servers
  • Access is monitored and logged
  • Automatic account lockout after unsuccessful login/authentication attempts
  • All usage activity and data changes are logged
Organizational Measures
  • User permission management, including Role-based authorization
  • Creating user-specific profiles
  • Information Security Policy
  • Password Policy
  • Mobile Device Policy
  • Work Instructions: IT Security SOP and Employee Access Control
  • Employee Vetting
  • Training and Awareness
  • De Minimis Principle

Vtiger Employee Access and Customer Control

Vtiger employees can access Vtiger products and customer data only through secure interfaces. This access is granted solely when customers explicitly enable it within their settings. All access requests are logged for audit purposes.

Vtiger limits employee access to specific personnel on a need basis, ensuring that only authorized individuals can view customer data for legitimate reasons. The customer application is accessed for:

1.3 Authorization Control

Measures are in place to ensure that only authorized individuals can access the data processing system. Personal data cannot be read, copied, modified, or removed without proper authorization during processing, use, and storage.

Technical Measures
  • Physical deletion of data carrier/devices
  • SSH Encrypted access
  • Certified SSL encryption
  • Shred Files and Papers that are no longer in use
  • Automatic deletion of backups from the archive after the retention period or on customer request
  • Logging of accesses to applications, specifically when entering, changing, and deleting data
Organizational Measures
  • Information Security Policy
  • Minimize the Administrators Roles
  • Management of user rights by administrators
  • Work instructions on handling the information and assets

1.4 Separation Control

Measures implement strict data segregation practices to ensure that data collected for different purposes remains isolated. This includes logical separation, where data is categorized and stored in distinct sections within the system, and potentially physical separation, where data is stored on entirely different hardware.

Technical Measures
  • Physical separation (systems/databases/data carriers)
  • Multi-tenancy of relevant applications
  • Client application and data are logically separated
  • Staging of development, test, and production environment
Organizational Measures
  • Information Security Policy
  • Data Protection Policy
  • Control via authorization concept
  • Work instructions for operational security and for security in software development and testing

1.5 Encryption Control

Measures are implemented to protect data while in transit and at rest using established encryption methods.

Technical Measures

Data Encryption in Transit (In-Motion)

  • Implemented Transport Layer Security (TLS 1.2 and above) and Secure Sockets Layer (SSL) protocols for all data transmission.
  • These protocols encrypt data as it travels between systems, making it unreadable to anyone who intercepts it.

Data Encryption at Rest (Stored)

  • Storage Disks: Encrypted with Disk-level Encryption
  • Sensitive Data: Encrypted with AES-256 (256-bit Advanced Encryption Standard)
  • Key Management: AWS Key Management Service (KMS)
  • Backups: Encrypted with AES-256 at AWS S3
  • Data Masking: Customer-specific details are obfuscated.
Organizational Measures
  • Key Rotation: Regular rotation of encryption keys used for data and backups to minimize the risk associated with a compromised key.
  • Access Control: Restrict access to encryption keys to a limited number of authorized personnel with a strict need-to-know basis.
  • Auditing: Maintain detailed key usage logs to monitor access and identify any potential anomalies.

2. Integrity

2.1 Transfer Control

Measures are in place to prevent unauthorized access to personal data during electronic transmission or while stored on data storage devices, ensuring that it cannot be read, copied, altered, or removed.

Technical Measures
  • Use of VPN
  • Logging of accesses and retrievals
  • Provision via encrypted connections such as SFTP, HTTPS, and secure cloud stores
Organizational Measures
  • Survey of regular retrieval and transmission processes
  • Careful selection of transport personnel and vehicles
  • Personal handover with protocol
  • Information Security Policy
  • Data Protection Policy

2.2 Input Control

Measures are in place to verify and review who has entered, modified, or removed personal data from data processing systems. Input is controlled through logging at different levels, such as the operating system, network, firewall, database, and application.

Technical Measures
  • Technical logging of the entry, modification, and deletion of data
  • Manual or automated control of the logs (according to strict internal specifications)
Organizational Measures
  • Survey of which programs can be used to enter, change, or delete which data
  • Traceability of data entry, modification, and deletion through individual user names
  • Assignment of rights to enter, change, and delete data based on an authorization concept
  • Clear responsibilities for deletions
  • Information Security Policy

3. Availability and Resilience

3.1 Availability Control

Measures are in place to protect personal data against accidental destruction or loss (e.g., UPS, air conditioning, fire protection, data backups, secure data media storage).

Technical Measures
  • A minimum of 99.9% uptime (excluding maintenance scheduled on weekend nights)
  • Continuous data availability
  • Fire and smoke detection systems
  • Fire extinguishers in the server room
  • Temperature and humidity monitoring in the server room
  • Server room air-conditioning
  • UPS system and emergency diesel generators
  • Protective socket strips in the server room
  • RAID system / hard disk mirroring
  • Video surveillance of the server room
Organizational Measures
  • Backup concept
  • Existence of an emergency plan
  • Offsite backup storage
  • Separation of OS and data partitions if needed

3.2 Recoverability Control

Measures are in place to quickly restore access to personal data in case of a physical or technical incident.

Technical Measures
  • Backup monitoring and reporting
  • Restorability via automation tools
  • Backup concept according to criticality and customer specifications
Organizational Measures
  • Disaster Recovery Plan
  • Control of the backup process
  • Regular testing of data recovery and logging of results
  • Store backup media in a safe place outside the server room
  • Existence of an emergency plan

4. Procedures for regular Review, Assessment, and Evaluation

4.1 Data Protection Management (DPM)

Data Protection Management (DPM) encompasses a comprehensive strategy and set of practices for securing, managing, and safeguarding sensitive information throughout its lifecycle. This includes controlling access, preventing unauthorized use, and ensuring data recovery in case of incidents.

Technical Measures
  • Central documentation of all data protection regulations with access for employees
  • Security certification according to ISO 27001
  • A review of the effectiveness of the TOMs is carried out at least annually, and TOMs are updated
Organizational Measures
  • A Data Protection Officer (DPO) is appointed.
  • All staff members have been trained and are bound to maintain confidentiality and data secrecy. They receive regular awareness training at least annually.
  • Data Protection Impact Assessments (DPIAs) are carried out as required.
  • Processes have been established to comply with information obligations as per Art 13 and 14 of the GDPR.
  • A formalized process for handling requests for information from data subjects is in place.
  • Data protection aspects are integrated into our corporate risk management.
  • Key parts of the company, including data center operations, are ISO 27001 certified, and annual monitoring audits are conducted.

4.2 Incident Response Management

Measures are in place to support the security breach response and data breach handling processes.

Technical Measures
  • Use of firewall and regular updating
  • Use of spam filter and regular updating
  • Use of virus scanner and regular updating
  • Intrusion Detection System (IDS) for customer systems on request
  • Intrusion Prevention System (IPS) for customer systems on request
Organizational Measures
  • A documented process for identifying and reporting security incidents and data breaches, including the obligation to report to supervisory authorities
  • A standard procedure for handling security incidents, involving the Data Protection Officer (DPO)
  • Documentation of security incidents and data breaches in the internal ticketing system
  • A standard process for following up on security incidents and data breaches
  • Breach notification policy

4.3 Data Protection by Design and by Default

Measures are in place to comply with the principles of data protection by design and by default as per Art 25 GDPR.

Technical Measures
  • Third-party application approval: Approval from team leads and IT operations managers is required for all third-party applications used in development.
  • Secure download source: Mandate downloads of development tools only from safe sources like manufacturer servers.
  • Single Sign-On (SSO): Implement SSO where possible for third-party applications to manage access centrally.
  • Less secure application disabling: Disable less secure third-party applications by default through administrator configurations.
Organizational Measures
  • Privacy-conscious design: Encourage product development that minimizes the amount of data users are required to enter. Avoid unnecessary data fields or make them optional.
  • Default privacy settings: Pre-select privacy-friendly settings by default to prioritize user data protection.
  • PbD: Data Protection Policy (includes principles "privacy by design / by default")

4.4 Order Control (outsourcing, subcontractors, and order processing)

Measures are in place to ensure that personal data processed on the client's behalf is only handled per the client's instructions.

Technical Measures
  • Monitoring of remote access by external parties, e.g., in the context of remote support
  • Corresponding monitoring of subcontractors
Organizational Measures
  • Process the data according to customer instructions
  • Create work instructions for supplier management and supplier evaluation
  • Adhere to regulations regarding the use of additional subcontractors
  • Carefully select sub-processors, primarily focusing on data protection and security
  • Conclude necessary data processing agreements, such as commissioned processing or EU standard contractual clauses
  • Ensure the contractor's employees maintain data secrecy and adhere to the Information Security Policy
  • Make sure to destroy data after the contract is terminated.