Technical and organizational measures (TOM)
How Versio.io ensures compliance with data protection laws
Last update: 23-08-2024
Classification & delimitation
Versio.io collects personal data in order to be able to implement the registration of users, the notification of users and the optimization of the user experience, the security of the overall platform and the auditability of the customer environment. In doing so, we pay close attention to data minimization. Moreover, we do not collect any personal data in the course of operating the Versio.io platform!
In the context of the use of Versio.io by customers, he imports data into Versio.io, which are stored here. This may also be personal data. Versio.io has no influence on this, so that the customer himself is responsible for the data protection of his imported and possibly personal data. However, Versio.io offers functionalities in the import process to delete or make data unrecognizable before processing and storage.
Confidentiality
Office access control
Measures suitable for preventing unauthorized persons from gaining access to Versio.io office in which data processing systems with which personal data are processed or used.
| Technical measures | Organizational measures |
|---|---|
| Manual locking system | Key regulation and list |
| Security locks | Visitors only accompanied by employees |
| Doors with knob outside | Care in selection cleaning services |
| Video surveillance of entrances |
System access control
Measures suitable for preventing data processing systems (computers) from being used by unauthorized persons.
| Technical measures | Organizational measures |
|---|---|
| Login with username and password or SSL certificate | Guideline for secure passwords |
| Anti virus software desktop | Guideline clean desk |
| Firewall office network | Guideline privacy policies and security |
| Usage of virtual privat network (VPN) | Guideline manuel desktop lock |
| Automatic desktop lock | Minimal number of administrators |
| Password safe usage |
Disconnection control
Measures to ensure that data collected for different purposes can be processed separately. can be processed separately. This can be ensured, for example, by logical and physical separation of the data.
| Technical measures | Organizational measures |
|---|---|
| Separation of productive and test environment | Control via authorization concept |
| Physical separation (systems, databases, data carriers) | Database separated users |
| Multi-client capability of applications |
Integrity
Forwarding control
Measures to ensure that personal data is protected from unauthorized access during electronic transmission or during transport or storage on data media, and that personal data cannot be read, copied, altered, or removed without authorization, and that and that it is possible to verify and identify the entities to which personal data is personal data is intended to be transmitted by data transmission equipment.
| Technical measures | Organizational measures |
|---|---|
| Virtual privat networks usage (VPN, Wireguard) | No data transfer to third parties |
| Monitoring of backup activities and times | No production copies for test systems |
Input control
Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g., operating system, network, firewall, database, application).
| Technical measures | Organizational measures |
|---|---|
| Audit log for entry, modification and deletion of configurations | Assignment of rights to enter, change and delete data on the basis of an authorization concept |
| Manual or automated control of the logs (unsuccessful logins, unvalid API token, request at unknown environments) | Clear responsibilities for deletions |
| Information security policy | |
| Work instruction for IT user regulations |
Availability and resilience
Measures to ensure that the Versio.io SaaS application is available without interruption and can be restored in the event of a total failure.
| Technical measures | Organizational measures |
|---|---|
| Execution load tests | Operation guideline concept |
| Full-stack application performance monitoring | Bi-annual recovery tests |
| IT monitoring enrichment (configurations, database schema, ssl certificates etc.) | Backup concept |
| Daily automated multi-client backup | Pure database backup is performed at a separate physical location. Strict organizational separation from server hard disk backup. |
| USV for backup storage system and router | |
| RAID system for storage system (RAID level 5) |
Procedures for periodic review, assessment and evaluation
Data protection measures
| Technical measures | Organizational measures |
|---|---|
| Central documentation of all data protection regulations with access for employees | Staff trained and obliged to confidentiality/data |
| secrecy | |
| A review of the effectiveness of the TOMs is carried out at least annually and TOMs are updated | Regular awareness trainings at least annually |
| Data protection checkpoints consistently implemented in tool-supported risk assessment | |
| Data protection aspects established as part of | |
| corporate risk managemen |
Incident response management
Measures that ensure security issues are prevented or identified and communicated to users.
| Technical measures | Organizational measures |
|---|---|
| User option for notification of identified security issues | Security oriented product release strategy |
| Use of firewalls | Time-limited token for resetting the user password |
| Use of API token | Security issue notification guideline |
| Storage of hashed user passwords | Defaults for setting strong user passwords |
| Technology version detection | Versio.io events for creating and deleting users and environments |
| Product release strategy verification | |
| Application performance monitoring |
Data protection-friendly default settings
Versio.io based on privacy by design and privacy by default.
| Technical measures | Organizational measures |
|---|---|
| No more personal data is collected than is necessary for the respective purpose are | |
| Data sovereignty and easy access for the data subjects through technical measures |
Job control (outsourcing to third parties)
Versio.io use for the SaaS instance virtual machines, firewalls and network ressources of Hetzner Cloud datacenter. All resources used are located in the European Union.
A data processing agreement (DPA) for Art. 28 of the GDPR is available. The technical and organizational measures of Hetzner itself you find here: https://www.hetzner.com/AV/TOM.pdf