Technical and Organisational Measures

Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data.

1. Security of Storage
1.1 Measures for the protection of data during storage
Data is encrypted, securely stored and password protected.
1.2 Measures for ensuring physical security of locations at which personal data are processed
Selectabase offices can only be accessed by authorised personnel. Identification is required on entry. Key code and locked doors with security systems and alarms.
1.3 Measures for ensuring limited data retention
Data is automatically deleted in line with the Company Data Retention Policy.
1.4 Measures for ensuring data minimisation
Selectabase ensure they collect no more data than is necessary for business need.
2. Security of Transmission
2.1 Measures for the protection of data during transmission
Data in transit is encrypted.
3. Security of Processing
3.1 Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
The tools in use include, but are not limited to, firewalls at all internet borders, IPS (Intrusion Prevention System) at all internet borders, WAF (Web Application Firewall) protecting all web applications, anti-virus systems, responding to and reporting on incidents, etc.
3.2 Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Alerts are sent to the relevant team to investigate.
3.3 Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
We are regularly audited to ensure compliance with data processing, legal, statutory, and regulatory compliance obligations.
3.4 Measures for certification/assurance of processes and products
Selectabase demonstrates its security maturity and evidences the measures we have in place by being externally audited and accredited with all relevant certificates.
3.5 Measures for ensuring events logging
All related servers can only be accessed directly via Gravitational Teleport, ensuring all interactions are logged. All access logs on hosted servers and virtual machines on their hosting platforms.
4. Organisational security measures
4.1 Measures for allowing data portability and ensuring erasure
We have a dedicated team that provides data subjects with access to their data as the gateway to all other data subject rights, including the right to data portability and deletion. The relevant checks are made to ensure the details are only provided to the data subjects.
4.2 Measures for user identification and authorisation
All users are assigned an individual unique username, and password sharing is prohibited. Access to data is only provided to those who need access to complete their role. Access is provided at the level of least privilege and is regularly reviewed.
4.3 Measures for internal IT and IT security governance and management
All requests for alteration to the systems are submitted through relevant systems. All requests are evaluated by the IT department and assigned to the relevant projects, with a relevant task when applicable. The IT department follows secure coding practices in its code development processes.
4.4 Measures for ensuring data quality
Updates are provided monthly to ensure the most up-to-date and accurate data is present. Regular data cleansing exercises are also performed to improve the data quality.
4.5 Measures for ensuring accountability
Accountability is owned by the senior management who sit at board level. Adherence with information security policy suites is controlled and monitored via clear lines of escalation, from junior management all the way up to board level management.
5. Technical security minimum requirements
5.1 Measures of pseudonymisation and encryption of personal data
All data is encrypted with AES 256 at rest and TLS 1.2 for data in transit. All backups are encrypted using 4096-bit RSA keys.
5.2 Measures for ensuring system configuration, including default configuration
Configuration of all end user devices, servers and network infrastructure is carried out in accordance with best practice system hardening guidelines. Access can be withdrawn at any point by management.