Technical and Organisational Measures

As of: November 2022

The present document supplements article 11 of the Data Processing Agreement (DPA) between Client and Contractor pursuant to Art 28 GDPR (EU General Data Protection Regulation).
The technical and organisational measures are implemented by Comeen’s products in accordance with Art 32 GDPR. Comeen continuously improves them according to feasibility and the state of the art, raising them to a higher level of security and protection.

In addition to this document, you can review the security measures of our data centre provider:
  • Google Cloud Platform: https://www.google.com/about/datacenters/


1. Confidentiality

Technical measures
  • All personal data are stored on our servers hosted by Google Cloud Platform
  • Manual locking system
  • Certified SSL encryption
  • VLAN segmentation
  • Separation of productive and test environment
  • Every account deleted from our database is NOT deactivated, but permanently removed
  • Regular penetration testing
  • No more personal data is collected than is necessary for the respective purpose
  • Pseudonymisation of logs
Organizational measures
  • No personal data are copied or stored locally in our offices
  • Visitors accompanied by employees
  • Visitors' book / Visitors' protocol
  • Information Security Policy
  • Use of authorization concepts
  • Minimum number of administrators
  • Management of user rights by administrators
  • Regular training of employees on data privacy measures
  • Regular monitoring of partner companies regarding data privacy measures


2. Integrity

Technical measures
  • Logging of accesses and retrievals
  • Detailed tracking of entries, edits and deletions, with info about the user_id, IP address, client operating system and client browser.
  • No personal data are copied or stored locally in our offices
  • All environments (servers and databases) run on distinct instances, isolated from each other
  • All SSH connections on non-production servers are made using key pairs (no passwords)
  • Regular updates, especially security fixes
  • Login with SSO
  • Provision via encrypted connections such as SFTP, HTTPS and secure cloud stores
Organizational measures
  • Assignment of rights to enter, change and delete data on the basis of an authorization concept
  • Documented incident response processes
  • Documented and regularly tested failover procedures
  • A formal process for following up on security incidents and data breaches


3. Availability and Resilience

Technical measures
  • Backups are completed each day with several retention and rotation policies
  • Backup monitoring and reporting
  • High-availability domain hosting
  • Use of secured data centers with redundant zones
Organizational measures
  • Backup concept
  • Load balancing
  • Existence of an emergency plan
  • Documented incident response processes