Technical and organizational measures
This document outlines Elastx’s measures for protecting personal data, including access controls, authentication processes, data backup and transfer protocols, business continuity measures, employee training, and compliance with data protection laws and regulations. These measures are designed to protect against various types of unauthorized processing of personal data.
Version date: 2022-12-28
Purpose, scope and users
The aim of this top-level Policy is to describe the technical and organisational measures Elastx takes to protect the personal data it processes on behalf of its controllers, including but not limited to protecting it against destruction, modification, unauthorized dissemination, unauthorized access, and other types of unauthorized processing.
This description consists of the following ISMS documents that are part of the Elastx ISO 27001, 27017 & 27018 certification (Internal Use only). The whole Elastx organization is included in the scope:
- Information Security Policy
- Risk Assessment and Risk Treatment Methodology
- Statement of Applicability
- Risk Treatment Plan
- Mobile Device and Teleworking Policy
- Bring Your Own Device BYOD Policy
- Confidentiality Statement
- Acceptable Use Policy
- Access Control Policy
- Operating Procedures for Information and Communication Technology
- Secure Development Policy
- Security Clauses for Suppliers and Partners
- Incident Management Procedure
- Business Continuity Management Policy (BCMS)
- Business Continuity Plan (BCP)
- Training and Awareness Plan
- Procedure for Corrective Action
- Policy for Data Privacy in the Cloud
- Cloud Security Policy
- Disciplinary Policy & Procedure
- On-, Change, Off-boarding Policy
Security Measures
The measures shall be adapted to a level which is suitable, taking into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs for carrying out the measures. At a minimum, the Processor shall maintain the following measures:
- That it has properly configured access rights for its staff, including well-defined onboarding and off-boarding processes to ensure appropriate access control;
- That suitable and effective authentication processes are established and used to protect personal data;
- Enable the Controller to back up personal data on a regular basis via the Services, and ensure that any backup data is subject to rigorous security measures as necessary to protect the availability, integrity and confidentiality of the data;
- That robust and tested business continuity measures are in place to protect the availability, integrity and confidentiality of the Controller’s personal data;
- Enable the Controller, via the Services, to ensure that personal data is transferred securely where it is essential to do so, and ensure that data transferred electronically is encrypted according to industry best practices;
- Employees are not able to access personal data remotely, e.g. from home or via their own device, other than through a secure electronic network and in accordance with the organizational Acceptable Use Policy and Access Control Policy. No data shall be stored on such devices; and
- Where instructed by the Controller to dispose of data, it is disposed of securely and confidentially in accordance with industry best practices.
- The Processor shall only allow access to the personal data to its personnel when explicitly instructed to do so in writing by the Controller and then only on a need-to-know basis. The Processor shall ensure that all personnel having access to the personal data have received adequate training and guidelines around use of personal data and are subject to personal confidentiality obligations, which shall survive the termination of employment/engagement of the personnel and the termination of the Main Agreement.
- Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures for the fulfillment of the Controller's obligation to respond to requests for exercising a data subject's rights laid down in Applicable Law.
- The Processor shall comply with any decisions from a competent authority with jurisdiction over the Processor or Controller. The Processor shall also allow any competent authority to conduct supervision of the processing under this DPA.