Skip to main navigation Skip to main content Skip to page footer

Alfabet joins Bizzdesign and Mega in creating a new force in enterprise architecture and strategic portfolio management.

Free trial Contact us
Free trial Contact us
Legal Notes

Technical and Organizational Measures

1. General Considerations

This data protection policy outlines the technical and organizational measures implemented for secure and compliant processing of personal data. It takes into account the rights of data subjects and requirements of the articles 24, 25, and 32 GDPR to the extent applicable.

Alfabet BD GmbH deals with two general categories of personal data:

  1. Public data— Any information that can be made freely accessible by anyone or is already
  2. Internal-only or internal data— Any information restricted to an organization’s employees or members 

The following description of technical and organizational measures will be differentiated, where applicable, according to these categories of data.

2. Confidentiality

2.1 Entry Control

Alfabet BD GmbH operates based on office premises that are not freely accessible. They are locked when employees are away. The company implemented the following measures:

  • Locked building
  • Locked office

Alfabet BD GmbH does not maintain servers or server rooms. 

2.2 Access Control

Alfabet BD GmbH has implemented suitable measures to prevent unauthorized persons from gaining access to the data processing equipment where the personal data is processed. This is accomplished by:

a. Access to premises is controlled access cards and (electronic) door locks.

b. Access privileges to premises is only granted to those employees and contractors who have a legitimate business need for such access. When an employee or contractor no longer has a business need for the access privileges assigned, the access privileges are promptly revoked.

c. Visitors are registered, required to wear a visitor badge, and must be accompanied by Processor’s staff throughout their visit.

2.3 Usage Control

Alfabet BD GmbH has implemented following measures when working within software systems:

  • Staff members of Processor are issued their own login credentials. Passwords must be in line with industry best practices and comply with the corporate Login and Password Policy (e.g., length and complexity).
  • Automatic time-out of workstations if left idle, authentication is required to reopen.
  • Staff policies in respect of each staff access rights to personal data (if any), informing staff about their obligations and the consequences of any violations of such obligations, to ensure that staff will only access personal data and resources required to perform their job duties and training of staff on applicable privacy duties and liabilities.
  • Use of state-of-the-art encryption technologies for data in transit and data at rest.

2.4 Pseudonymization

To achieve the purposes of the commissioned data processing it is not possible to pseudonymize the Controller’s personal data. If pseudonymization is required by the Controller, the data provided to the Processor needs to be provided in pseudonymized format.

2.5 Separation Control

Alfabet BD GmbH has implement suitable measures to make sure that data collected for different purposes can be processed separately. This is accomplished by:

  • Access to data is separated through application security for the authorized users.
  • Data that is provided by Controller to the Processor is stored logically separated from data of other Controllers in dedicated systems which are used only for the purpose of providing the Services described in detail in the relevant contracts signed with customers.

2.6 Encryption

All relevant data is transmitted and stored in line with highest standards defined in

Encryption Policy, using state-of-the-art encryption algorithms.

 

3. Integrity

3.1 Transfer Control

Alfabet GmbH has implemented suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission. This is accomplished by:

  • Use of appropriate firewall and encryption technologies for data in transit. Data transmissions are logged and monitored.
  • The Controller controls which data is provided to the Processor as needed to work on the assigned projects

3.2 Input Control

Alfabet GmbH has implemented the following measures for its software systems:

  • Authentication of the authorized personnel; individual user IDs that, once assigned, cannot be re-assigned to another person.
  • If Processor should get remote access to systems of the Controller, this has to happen under the control of the Controller and Processor personnel will follow exactly the instructions as provided by the Controller

3.3 Availability and Resilience

3.3.1 Availability Control

Alfabet GmbH has implemented suitable measures to ensure that personal data is protected from accidental or unauthorized alteration, loss or destruction. This is accomplished through the following efforts:

  • Any changes to the production environments are fully monitored. Processor performs regular tenant backups to be able to restore virtual machine images and tenant data.
  • Control of availability for Cloud Services is ensured under the Cloud Services Information Security Continuity Management and Operations Backup and Restore Controls aligned with the ISO/IEC 27001 Standard.
  • Alfabet BD GmbH IaaS Supplier services are protected from utility service outages in alignment with the ISO/IEC 27001 standard as validated and certified by an independent auditor.
  • Backup up of Controller data and protection of log files are controlled in alignment with the ISO/IEC 27001 Standard. Policies are in place to control the retention of backup copies.
  • Any detected security incident is recorded, alongside the followed data recovery procedures.
3.3.2 Resilience 

Firewalls protect external access to all cloud production networks and systems, and Intrusion Detection Prevention Systems are used to limit/filter network traffic. Cloud Services Disaster recovery is tested and reviewed annually.

3.4 Product Development

3.4.1 Development Tools

Development tools are described in the Software Development Life Cycle document and are aligned with ISO/IEC 27001 controls. 

3.4.2 Privacy-Friendly Settings

Product development takes into account giving users the option of entering only the information necessary for the purpose of processing. Input fields with additional, unnecessary information is designed as non-mandatory. By default, privacy-friendly settings are defined in all available Accelerator packages.

3.5 Data Deletion

The company implemented the following concept for data deletion:

Customer data:

  • Customer Data are deleted 30 days after termination of contracts
  • Lead contact data are deleted after 10 years of paused communication

Customers SaaS:

  • Backup up of customer data and protection of log files are controlled in alignment with the ISO/IEC 27001 Standard DB

Employee Data:

  • Employee data are deleted after end of deployment

Website Data:

  • These data are deleted after every session

4. Employee Workplace

Alfabet BD GmbH has implemented the following measures:

  • Employees must encrypt their hard drives with state-of-the-art encryption,
  • The email account provider applies a default virus, spam and phishing filter to detect malicious software and avert cyber attacks.
  • Employees are required to set up a completely closed firewall for their home office internet network.
  • Employees are obligated to clean their desk of any documents containing sensitive data, especially when accessible by others.
  • The default option for screen savers must be set at the shortest time period until activation. When temporarily leaving the workplace and hardware, employees should always lock their devices.

5. Procedure for Regular Review, Assessment and Evaluation

Data protection and IT security within Alfabet BD GmbH is reviewed regularly and, based on these assessments, continuously improved. Internal auditing may include data privacy requirements such as:

  • Obligation of employees to maintain data secrecy, training and education.
  • Regular auditing of data processing procedures.
  • Procedures in case of data breaches and the protection of data subjects’ rights

The company has implemented the following internal measures:

  • Appointment of a data protection officer
  • Regular auditing of procedures
  • Regular review of technical advancements in accordance with Article 32 GDPR