We take our responsibility seriously and have therefore implemented a variety of technical and organizational measures to protect and secure personal data as well as possible. Our measures are aligned with the GDPR (Article 32).
Measures that prevent unauthorized physical access to data processing and data storage facilities.
Concrete measures:
Electronic keys and security locks for entry to the office
Use of state-of-the-art cloud providers with proven protection processes and highly secured locations for data storage
Careful selection of staff (e.g., cleaning, maintenance, security)
Employees use privacy screens whenever they access the systems remotely in public surroundings
Measures that ensure that there is no unauthorized use of data processing and data storage systems.
Concrete measures:
Secure passwords, including the use of state-of-the-art password managers
Two-factor authentication for all key systems
Single sign-on (SSO) to reduce the risk of managing multiple accounts
Encryption of data whenever possible
Restrictive granting of access rights, limiting who can access the systems
Internal data protection policy that all employees have agreed to and apply accordingly
Clear separation of employee sessions for company and private use
Measures that ensure that authorized persons can access data only according to their assigned rights, so that there is no unauthorized reading, copying, changing or deleting of data within the systems.
Concrete measures:
Authorization concept for access rights
Access rights granted on a need-to-know basis
Restrictive granting of access rights, limiting who can access the systems
Logging of system access events with regular checks
SaasAnt’s practice is to track and manage key information and physical, software and logical assets. Examples of the assets that SaasAnt might track include:
1) information assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information;
2) software assets, such as identified applications and system software;
3) physical assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment.
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These safeguards may include controls such as access management, encryption, logging and monitoring, and data destruction.
Measures that ensure that data collected for a specific purpose is isolated from data related to other purposes.
Concrete measures:
Clear separation of core database systems
Database rights are centrally managed and granted as granularly as possible
Production and test systems are clearly separated
Measures that ensure that personal data is processed in such a way that it cannot be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.
Concrete measures:
Sensitive data is pseudonymized, or anonymized where possible, when it is not needed in regular operation
Use of internal identifiers only (e.g., an internal user ID) instead of the raw personal data wherever that is sufficient
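The two measures above describe pseudonymization with separately stored "additional information": a deterministic pseudonym replaces the direct identifier in the working dataset, and the key plus the pseudonym-to-identifier mapping live in a separate, more tightly controlled store. The following is an added illustration written for this page, not SaasAnt's own code; the vault class, the record layout and the sample e-mail addresses are constructed assumptions. It uses a keyed HMAC rather than a plain hash so that an attacker holding only the pseudonymized dataset cannot recompute pseudonyms for guessed identifiers without the key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for the example (not real customer data).
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "invoices": 12},
    {"email": "bob@example.com", "plan": "free", "invoices": 0},
    {"email": "Alice@Example.com", "plan": "pro", "invoices": 13},
]

# Fields treated as direct identifiers (assumption for this example).
DIRECT_IDENTIFIERS = ("email",)


def make_pseudonym(key: bytes, value: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the normalized value.

    Normalizing (trim + lowercase) keeps the same person joinable across
    records; the secret key prevents offline recomputation by anyone who
    only holds the pseudonymized dataset.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]


class PseudonymVault:
    """Holds the secret key and the pseudonym -> identifier lookup.

    This is the "additional information" of Art. 4(5) GDPR. In a real
    deployment it would be a KMS-backed secret plus a restricted table that
    the analytics/test environments have no read access to; here it is an
    in-memory stand-in (assumption for the example).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymize(self, value: str) -> str:
        pseudonym = make_pseudonym(self.key, value)
        # Store the *normalized* original so re-identification is stable.
        self._lookup[pseudonym] = value.strip().lower()
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only callers with access to the vault can reverse a pseudonym."""
        return self._lookup.get(pseudonym)


def pseudonymize_records(vault: PseudonymVault,
                         records: Iterable[dict],
                         fields: Iterable[str] = DIRECT_IDENTIFIERS) -> List[dict]:
    """Replace each direct identifier with a pseudonym column (<field>_pid)."""
    out = []
    for record in records:
        copy = dict(record)
        for field in fields:
            if field in copy:
                copy[field + "_pid"] = vault.pseudonymize(copy.pop(field))
        out.append(copy)
    return out


def anonymize_records(records: Iterable[dict],
                      fields: Iterable[str] = DIRECT_IDENTIFIERS) -> List[dict]:
    """Irreversible variant: drop the identifiers entirely (no key, no vault).

    Use this when the data is not needed in regular operation and no
    re-identification path must remain, as the stronger of the two measures.
    """
    drop = set(fields)
    return [{k: v for k, v in r.items() if k not in drop} for r in records]


if __name__ == "__main__":
    vault = PseudonymVault()
    working = pseudonymize_records(vault, SAMPLE_RECORDS)
    for row in working:
        print(row)
    # Re-identification is only possible through the separately held vault.
    print("row 0 resolves to:", vault.reidentify(working[0]["email_pid"]))
    print("anonymized:", anonymize_records(SAMPLE_RECORDS))
```

The important property to check in a real system is the separation: the working dataset must contain only the `_pid` columns, and the process that holds the vault (key and lookup table) must be a different principal from the one that queries the pseudonymized data. Rotating the key changes every pseudonym, so key rotation has to be planned together with any downstream joins that depend on pseudonym stability.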
SaasAnt has implemented corporate information security practices and standards that are designed to safeguard SaasAnt’s corporate environment and to address business objectives across information security, system and asset management, development, and governance.
These practices and standards are approved by SaasAnt’s executive management and are periodically reviewed and updated where necessary.
SaasAnt shall maintain an appropriate data privacy and information security program, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programs, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle. Key policies will be reviewed at least annually.
It is the responsibility of all of SaasAnt employees who are involved in the processing of Customer Personal Data to comply with these practices and standards. SaasAnt’s Information Security (“IS”) function is responsible for the following activities:
Security strategy – The IS function works to ensure compliance with its own security related policies and standards and all relevant regulations, and to raise awareness and provide education to users. The IS function also carries out risk assessments and risk management activities, and manages contract security requirements.
Security engineering – the IS function manages testing, design and implementation of security solutions to enable adoption of security controls across SaasAnt’s online and information technology environment.
Security operations – the IS function manages support of implemented security solutions, monitors and scans SaasAnt’s online and information technology environment and assets, and manages incident response.
Security consulting and testing – the IS function works with software developers on developing security best practices, consults on application development and architecture for software projects, and carries out assurance testing.
Screening/background checks: Where reasonably practicable and appropriate, as part of the employment/recruitment process, SaasAnt performs employee screening and background checks on employees or prospective employees (which shall vary from country to country based on local laws and regulations), where such employees will have access to SaasAnt’s networks, systems or facilities.
Identification: SaasAnt requires all employees to provide proof of identification and any additional documentation that may be required based on the country of hire or if required by other SaasAnt entities or customers for whom the employee is providing services.
Training: SaasAnt’s annual compliance training program includes a requirement for employees to complete an online data protection and information security awareness training.
Confidentiality: SaasAnt ensures its employees are legally bound to protect and maintain the confidentiality of any data they handle pursuant to standard agreements.
Measures that ensure that data is not compromised during transmission and transport and that there is no unauthorized reading, copying, changing or deleting of data during electronic transfer.
Concrete measures:
Using only encrypted connections (TLS/HTTPS)
Encrypting sensitive data
No use of portable physical storage media (e.g., external hard drives, USB storage)
Reducing the use of physical paper as a transport medium
Limiting storage of local files
Measures that ensure it can be verified whether, and by whom, personal data has been entered, changed or deleted in the systems.
Concrete measures:
User-level logging for all critical system components
Central cloud-based document storage with detailed change logs
Measures which are designed to implement data-protection principles, such as data minimisation, in an effective manner:
Privacy by Design
Privacy by Default
Organisational assurance that notification obligations are fulfilled
Data protection by default with regard to the scope of data processing
Data protection by default with regard to the amount of personal data collected
Data protection by default with regard to storage and deletion periods
Measures that make sure that data is protected against destruction or loss.
Concrete measures:
In-depth backup strategy depending on the sensitivity of the data
Backups are stored in secured cloud storage across multiple locations
Hosting with state-of-the-art cloud providers in order to minimize risk
Recovery plan
Measures that ensure that data can be restored and recovered rapidly after an incident.
Concrete measures:
Straightforward, documented backup recovery plan
Use of only state-of-the-art cloud providers and subcontractors to increase flexibility for recovery
Measures that ensure that the implemented processes are regularly tested, assessed and evaluated for their effectiveness in securing data processing.
Concrete measures:
External and independent data protection officer
Data protection management
Data protection by design
Data protection training for employees
Regular review of all data privacy agreements with subprocessors and subcontractors
Internal data protection policy that all employees have agreed to and apply accordingly
Regular review of our data protection concept
No third-party data processing without in-depth checks of the subprocessor and clear contractual agreements that make data transfers compliant with the regulations