Security measures

This appendix forms an integral part of the Processor Agreement between the Controller and Digi Hosting. It outlines the technical and organizational security measures taken by Digi Hosting to protect the processing of personal data in accordance with the requirements of the General Data Protection Regulation (AVG).

1. Organization of information security

• Security Ownership
  Digi Hosting has appointed an information security officer in charge of coordinating, implementing and monitoring applicable security measures and procedures. This officer is supported by a management-level internal governing body that oversees the security policy.

• Security roles and responsibilities
  Digi Hosting employees who have access to personal data are subject to strict confidentiality obligations. These obligations are emphasized at the start of employment and periodically brought to their attention.

• Risk management
  Digi Hosting systematically conducts risk assessments prior to processing personal data or commissioning new services. The risk management procedure focuses on identifying, prioritizing and mitigating potential risks. Backup facilities are structurally embedded in the services.

• Document Management
  Security documentation is retained in accordance with legal and contractual retention obligations, even if these documents have formally expired.

2. Asset Management

• Inventory of information assets
  Digi Hosting maintains a detailed inventory of all data carriers on which personal data is stored. Access to this inventory is reserved solely for authorized and written personnel.

• Management of information carriers

  • Digi Hosting classifies personal data to ensure appropriate access restrictions and protection levels.

  • Employees must obtain prior explicit consent for processing personal data on portable devices, outside company facilities or via remote access.

3. Security of personnel

• Awareness and training
  All Digi Hosting employees are instructed regarding their security responsibilities. They receive periodic training and education on relevant procedures and recognizing current threats.

4. Physical and environmental security

• Access security to facilities
  Physical access to locations where personal data is processed is restricted to authorized individuals based on identification and access control.

• Security of information carriers
  Physical data carriers containing personal data are stored in secure areas with access restrictions.

• Protection against calamities
  Digi Hosting uses industry-standard facilities to protect against disruptions due to power outages, fire, flooding and other risks.

• Data removal
  Personal data is destroyed in accordance with industry-standard procedures once it is no longer necessary for the purposes of processing.

5. Operational security

• Policies and procedures
  Digi Hosting has current documentation of its security policies, including procedures and responsibilities of employees with access to personal data.

• Recovery procedures

  • Reserve copies of personal data are stored in geographically separate locations.

  • Access to this data is strictly regulated and documented.

• Malware Protection
  Measures have been implemented to protect against malicious software, including virus scanners and network filters.

• Logging
  Access and usage activities related to systems processing personal data are recorded in log files, including user ID, time, access status and relevant actions.

• Encryption
  Data transmission over the Internet is based on encryption techniques in accordance with current standards.

6. Access Control

• Policy
  Digi Hosting maintains an access control policy that defines which employees have access to which systems and data.

• Authorization management

  • Inactive access data is automatically deactivated after a period of inactivity.

  • Only authorized personnel may grant, modify or revoke permissions.

  • Each user has a unique login identifier.

• Minimal access
  Access to personal data is limited to employees for whom it is necessary as part of their duties.

• Session management and password protection

  • Sessions are automatically terminated upon inactivity or upon leaving the workstation.

  • Passwords are stored in a manner that guarantees irreversible encryption.

• Authentication

  • Access to information systems is granted based on strong authentication procedures.

  • Passwords are regularly renewed, and expired or deactivated accesses are not reused.

  • Unauthorized access attempts are detected and logged.

  • Password management meets industry standards.

• Network Security
  Network architecture and access rights are designed to prevent unauthorized access to personal data.

7. Incident Management

• Reporting and recording of security incidents

  • Digi Hosting records all security incidents including the nature, duration, impact, data involved, and measures taken.

  • In the event of a data breach, notification will be made to the Controller without undue delay, and at the latest within 72 hours.

• Transparency in data disclosure
  Data access is logged indicating nature, recipient and time.

8. Continuity Management

• Emergency Procedures
  Digi Hosting maintains comprehensive emergency and disaster recovery plans for all data processing sites.

• Redundancy and recovery
  The redundant storage structure and recovery procedures are in place so that personal data can be restored to the last known complete state prior to an incident.

These security measures are periodically evaluated and adapted to the current state of the art and risk assessment, with a view to continuing protection of the Personal Data of the Processing Controller.