Schedule 2

Compusense Technical and Organizational Measures

The present document describes the technical and organizational measures implemented by Compusense to safeguard the processing of personal data, when security and privacy duties on customer data are in our service scope.

Main purpose of these measures is to:

  • Cover the encryption or pseudonymization of personal data when required.
  • Confirm and ensure the confidentiality, integrity, availability and resilience of Compusense systems associated with the processing of personal data.
  • Address in a timely manner any technical or physical incident that could disrupt availability of personal data.
  • Ensure the security of processing personal data by regularly reviewing, assessing and evaluating the effectiveness of Compusense technical and organizational measures.

Document Management

This document will be reviewed on a regular basis to confirm applicability in time and form to any changes in scope and compliance when processing customers personal data.

Measures

Security policies.

Information Security (IS) policies are followed by all Compusense employees. A security awareness and privacy training program are mandatory across the board, compliance scheduled on a yearly basis. All IS policies are reviewed, and when necessary improved, by Compusense Executive Management team at least annually as well.

Regarding any third-party vendor, Compusense reviews their annual Security Audit report to confirm alignment with own IS policies and practices.

Access control.

Measures to ensure only authorized persons gain access and use data processing systems, and that they can only access data approved for their access authorization, are in place. Personal data is not susceptible of being read, copied, modified or removed during processing. Measures are:

  • Personal Security and Corporate Ethics policies.
  • Rights assigned under the “least privilege” principle.
  • Rights granted in a role-based access control approach.
  • Logging and Monitoring management.
  • Strong cryptography and security protocols (e.g. TLS, IPsec, SSH).

Physical access control.

Access to our third-party data centre is restricted and adopting appropriated access controls to all areas where data processing systems reside. Compusense facilities are protected to prevent any unauthorized persons from accessing areas where data processing systems may be in use. Measures include:

  • Review of annual third-party data centre SOC2 Type 2 Audit report.
  • Review of Compusense complementary subservice organizations controls (CSOCs).
  • For Compusense facilities:
  • Video surveillance of sensitive facilities areas.
  • Employee access keys regulated by authorized access list.
  • In the event of employee termination, access is promptly revoked.
  • Visitors check in-check out log registry.
  • Alarm system.
  • Automatic and manual access control systems.

Logical access control.

Measures suitable for preventing data processing systems from being used by unauthorized persons are in place and include:

  • Access granted under the “need to know” principle.
  • Unique user identification (ID).
  • Strong password policy meeting complexity requirements.
  • Centralized ID-password control system.
  • Multi-factor authentication.
  • Access no longer required is documented and revoked.

Systems and Network security control.

Security measures for systems and networks handling data processing have been implemented to protect connectivity between all IT systems, which include:

  • Use of a Security Information and Event Management (SIEM) tool.
  • Network activity monitoring and logging management.
  • Next-generation firewall.
  • Web Application Firewall (WAF).
  • Remote access control using virtual private networks (VPN).
  • Multi-factor authentication.
  • Network segmentation.
  • Detection of malicious network activities using intrusion detection and prevention systems (IDS/IPS).
  • Appropriated encryption and authentication methods for data in transit and at rest.

Security Incident management control.

In the event of any security incident, there is an Incident Response plan and the respective response policies to address such an event. Prompt communication to affected parties in case any data breach is part of the standard procedure, adopting local law practices for this type of security incidents, when it might happen. Among the measures in place for this purpose are:

  • An Incident Management policy.
  • A Security Incident Response plan.
  • Documenting any security incident in a ticket system.
  • Patch management policy to update systems and network appliances, when needed.

Separation control.

Measures ensure data collected from different customers is not mixed in their processing. These includes:

  • Multi-instancearchitecture in place.
  • An individual file system with defined folder structure for each customer.
  • Restricted access to the file system by users.
  • Encryption at rest is enabled for each customers database.
  • Separated production and testing environments.
  • Separation of users and traffic using VLANs.

Pseudonymization or anonymization.

Pseudonymization or anonymization measures on customers data are in place whenever possible. High level of encryption is adopted to protect confidentiality when data is transfer and storage. Pseudonymization aims to use additional information to restore the identity of previously modified data, while anonymization is irreversible: data cannot be restored with its original identifiers.

Input control.

Accuracy and verification of personal data entered into Compusense service offer is out of our scope. Customers are responsible for validating the integrity of any personal data provided for further processing. However, log reviewing is implemented to identify by whom data has been entered, changed or deleted. The integrity of log information is always secured to avoid modifications. Measures for this purpose are:

  • Logging and monitoring management.
  • Traceability of data processing through individual user IDs and not group user IDs.
  • Restricted access to log files.

Availability and Recoverability control.

Measures to ensure that personal data is protected against accidental destruction or loss are implemented. Our third-party data centre offers a state-of-the-art facility with the highest level of backup resiliency (tier III data centre), which alongside with Compusense internal security policies and procedures can guarantee a prompt response and recovery to business-as-usual mode. Example of these measures are:

  • Logging and monitoring management.
  • Backup process, from media frequency storage and location to full backup restoration procedures.
  • Redundant UPS backup and generators systems.
  • Multiple redundant CRAC cooling units.
  • Climate control (such as hot/cold row design for thermal management).
  • Redundant routing and switching.

Threat and Vulnerability control.

Measures are implemented to identify, manage, mitigate and address remediation of any potential vulnerabilities in the Compusense environment. Such measures are:

  • Patch management.
  • Anti-virus/anti-malware.
  • Vulnerability scanning.
  • Penetration testing.
  • Alert notifications from monitoring systems.

Review, Assessment and Evaluation control.

Risk is evaluated at regular intervals according to information gathered from different sources, internally and externally to Compusense. Findings are reviewed to assessed risk and mitigation/remediation actions planned accordingly. When changes are required on data processing systems, a change process is implemented which allows full testing and evaluation of updates before residing in the production environment.

Compusense IS policies, procedures and controls are audited yearly to comply with industry data protection practices.