Last updated: December 2025
This document sets out the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security for personal data from the EEA, Switzerland, the United Kingdom and Brazil, considering the nature, scope, context and purposes of the processing, and the associated risks to individuals’ rights and freedoms.
Establishing, maintaining, monitoring, and using appropriate technical, physical, administrative, and organisational safeguards consistent with the highest industry standards to secure against a security incident including, at a minimum:
(a) Secure user authentication protocols and system access control;
(b) Use of mature and appropriate physical security, and of current anti-malware, antivirus, and security software that includes e-mail filtering and malware detection;
(c) Use of proper network protection measures;
(d) Company-issued equipment (e.g., company-issued laptops) locks automatically after a period of inactivity;
(e) Encourage use of complex passwords;
(f) Least privilege: users are granted only the access necessary to perform their job function; access beyond this requires appropriate authorisation;
(g) IT access privileges are reviewed regularly by appropriate personnel;
(h) Network monitoring services in place 24 x 7 x 365 to detect unauthorised activities;
(i) Vulnerability scanning and remediation in place;
(j) Penetration testing as appropriate;
(k) Encryption protocols applied as necessary under various circumstances.
Taking, among others, the appropriate security measures in order to establish the identity of authorised persons and prevent unauthorised access to the data importer(s)' premises and facilities in which the data are processed.
Taking technical and organisational measures in order to prevent unauthorised activities in the data processing systems outside the scope of any granted authorisations including, at a minimum:
(a) User and administrator access to the network follows a role-based access rights model. The authorisation model grants access rights to data only on a “need to know” basis;
(b) Administration of user rights through system administrators;
(c) Number of administrators is reduced to the absolute minimum;
(d) Perform internal audits as required to assess high risk processes, technologies, and people;
(e) Prohibit each employee from disclosing the Personal Data to any unauthorised third party or using the Personal Data in an unauthorised manner;
(f) Where encryption of data is used, proper key lifecycle management practices are in place.
Taking technical and organisational measures in order to ensure that Personal Data cannot be read, copied, altered, or removed by unauthorised persons during their electronic transmission or during their transport or recording on data carriers, and to guarantee that it is possible to examine and establish where Personal Data are or have been transmitted by data transmission equipment, including, at a minimum:
(a) Remote access (including during remote maintenance or service procedures) to the IT systems is to be via VPN tunnels, where appropriate, or other secure, encrypted connections;
(b) Encryption protocols applied as necessary under various circumstances;
(c) Data storage devices and paper documents are locked away when not in use (e.g., clean desk policy);
(d) Appropriate destruction and disposal of documents;
(e) Physical destruction processes in place to industry standards;
(f) Secure communication session established via TLS or similar protocols across core applications/services;
(g) Certificate-based authentication used between core web clients and core web servers.
Taking appropriate technical and organisational measures in order to ensure that it is subsequently possible to verify and establish via log files whether and by whom Personal Data have been entered into data processing systems, altered, or removed.
Taking technical and organisational measures in order to ensure that any Personal Data transferred under this Agreement can only be processed for the purposes specified in the Agreement including, at a minimum:
(a) Clear and binding internal policies contain formalised instructions for data processing procedures;
(b) Clearly articulated contractual protections in place as appropriate in underlying contracts;
(c) Regular staff training on the proper use of security systems, on backup and disaster recovery procedures, and on the importance of security, in order to ensure compliance with contractual arrangements and maintain awareness of data protection requirements;
(d) Secure destruction processes in place to industry standards;
(e) Periodic access reviews that monitor employee access controls;
(f) The Company's corporate network is segregated from its user services network by means of network segregation devices.
Taking technical and organisational measures in order to protect the data from accidental destruction or loss including, at a minimum:
(a) Appliances for the monitoring of temperature and humidity in data centers;
(b) Fire/smoke detectors and fire extinguishers or fire suppression system in data centers;
(c) Use of mature and appropriate anti-virus software that includes e-mail filtering and malware detection;
(d) Data recovery measures and emergency plan in place and regularly tested;
(e) Implementation of mature and appropriate backup methods, including physical separation of backup data from production data and storage of the backup data in a redundant archive;
(f) Use of a combination of full, differential, and cumulative backups to ensure data integrity and timely restoration of core data, as appropriate;
(g) To ensure an uninterrupted supply of power to the system, redundant power supply units are built into the systems wherever possible;
(h) Integrity of stored data regularly verified using checksums;
(i) Processes in place to move data traffic away from an affected area to an unaffected area in case of failure;
(j) Preventative maintenance is performed to ensure continued operability of equipment;
(k) Appropriate Denial of Service (DoS) and Distributed Denial of Service (DDoS) mitigation technology in place to defend against network- and system-based resource starvation attacks.