Last Updated: 22 February 2023
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
A description of the Technical and Organizational Measures that Keyfactor, Inc., will employ in its capacity as a Processor of EU data subjects’ personal data appears below:
The term “Access” means physical access of persons to buildings and premises in which IT systems are operated and used. This may be data centers in which cryptographic materials, web servers, application servers, databases, mainframes, and storage systems are operated and work rooms in which employees use workplace computers. The premises in which network infrastructure components are located and placed are in scope.
General Requirements
Specifications of Secured Areas
The requirement is met with the following measures:
(a) The areas are classified into different security levels based on data sensitivity.
(b) The areas to be protected have been specified.
(c) Areas with particularly high protection requirements have been identified.
Implementation of Access Protection
The requirement is met with the following measures:
(a) All possible points of entry have been secured against unauthorized access.
(b) There is an access authentication credential that is binding upon all persons (assigned proximity cards, lock combinations/PIN codes, physical lock keys).
(c) Access control systems have been implemented.
Specification of Persons with Access Authorization
The requirement is met with the following measures:
(a) There is role-based access control according to job functions and responsibilities.
(b) The roles are assigned to specific persons in writing and electronically.
(c) A person or organization responsible for the role-based access control process has been designated.
Management and Documentation of Personal Access Rights
The requirement is met with the following measures:
(a) Organizational rules on access rights to the business areas.
(b) Documentation of the assignments of proximity cards, lock combinations/PIN codes, and physical lock keys.
(c) Defined procedures for loss, compromise, and replacement of access credentials.
(d) Information Security Policies have been published, communicated, and made readily available to all staff.
Accompanying Visitors and External Staff
The requirement is met with the following measures:
(a) There is an access control policy in place that addresses access requirements for visitors and other third parties (non-employees).
(b) Visitor monitoring (accompaniment, visitor proximity cards, logging).
(c) Access profiles for maintenance, janitorial, and emergency services staff (accompanying, temporary registration, verification of identity).
Logging Access
The requirement is met using electronic access control systems. Hardcopy sign-in sheets are used for visitors.
In contrast to access control (premises/equipment), the objective of access control (use of systems) is to prevent IT systems which save, process or use personal data from being accessed or used by unauthorized persons.
2.1 General Requirements
2.1.1 Access Protection (Authentication)
The requirement is met with the following measures:
(a) Access protection of all data processing systems by user authentication.
(b) Password complexity policies are enforced. For more sensitive assets, multi-factor authentication is required.
2.1.2 Strong Authentication at Maximum Protection Level
The requirement is met with the following measures:
(a) Use of mechanisms that require possession and knowledge for authentication (e.g. multi-part smartcard and passphrase authentication).
(b) Network authentication requiring encryption (e.g. Kerberos).
2.1.3 Simple Authentication (Username/Password) at High Protection Level
The requirement is met with the following measures:
(a) There are specifications for the password length for Keyfactor’s customers and end users (at least 8 characters).
(b) There are specifications for the password complexity (uppercase, lowercase, numeric, and special characters).
(c) There are specifications for multi-factor authentication when accessing internal resources.
2.1.4 Secured Transmission of Authentication Secrets (Credentials) in the Network
The requirement is met with the following measure:
(a) The authentication information is only transmitted over the network once encrypted.
2.1.5 Lockout for Unsuccessful Attempts/Inactivity and Process to Reset Locked Accounts
The requirement is met with the following measures:
(a) Keyfactor user access is locked following multiple incorrect attempts. End user and customer access is temporarily suspended following multiple incorrect attempts.
(b) For Keyfactor staff there is a safe procedure to reset (e.g. password resets by authorized administrators).
2.1.6 Specification of Authorized Persons
The requirement is met with the following measures:
(a) There is a role concept (pre-defined user profiles).
(b) Access rights are assigned individually (in relation to specific persons) where required and documented.
(c) The population of authorized persons has been limited to the operationally necessary minimum.
(d) There are no shared or reusable accounts (e.g. intern1, consultant1, etc.).
2.1.7 Management and Documentation of Personal Authentication Media and Access Rights
The requirement is met with the following measures:
(a) A process to apply for, approve, assign and retrieve authentication media and access rights has been established, documented and applied.
(b) A responsible organization has been designated for awarding access rights.
2.1.8 Logging Access
The requirement is met with the following measures:
(a) All successful and unsuccessful network access attempts are logged (ID used, computer, IP address) and stored for auditing purposes for at least 180 days.
(b) Regular sample-based reviews of the authentication logs are performed to detect abuse.
2.2 Measures at the User’s Workplace
2.2.1 Automatic Access Lock
The requirement is met with the following measure:
(a) In the case of more than 15 minutes’ inactivity of the workstation or terminal, a password-protected screensaver is activated automatically by operating system security policy.
2.2.2 Manual Access Lock
The requirement is met with the following measures:
(a) There is a policy for workstations to be protected against unauthorized use when leaving the workplace temporarily (e.g. by manual activation of the password-protected screensaver).
(b) Keyfactor personnel have been trained regarding the necessity to implement measure (a).
The requirements for access control on specific data classifications shall ensure that only authorized persons have access to the data for which they have a legitimate business purpose and that the data cannot be manipulated or read by unauthorized persons.
3.1 General Requirements
3.1.1 Generation of an Authorization concept
The requirement is met with the following measures:
(a) There are rules and procedures to create, change, and delete authorization profiles or user roles.
(b) The areas of administrative responsibilities are established.
3.1.2 Implementation of Access Limitations
The requirement is met with the following measures:
(a) Each Keyfactor staff member with access rights can only access the data that he or she specifically requires according to job responsibilities, through appropriately assigned authorization profiles.
(b) Where data inventories of several controllers are saved in datastores or processed with a data processing system, logical access limitations are implemented that are aligned solely with data processing for the respective controller (multi-tenancy).
3.1.3 Awarding of Minimum Authorizations
The requirement is met with the following measure:
(a) The scope of authorizations must be limited to the minimum requirements for performing the respective tasks or functions.
3.1.4 Management and Documentation of Personal Access Rights
The requirement is met with the following measures:
(a) A process to apply for, approve, assign and revoke access rights, and how they are reviewed, has been implemented.
(b) Authorizations are attached to unique, person-specific accounts.
The requirements to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or storage on data carriers, and associated means of audit, are implemented.
4.1 Transport Over Networks
4.1.1 Safe Data Transmission Between Servers and Clients
The requirement is met with the following measure:
(a) Any wireless networks set up within the Keyfactor network infrastructure use the WPA2 protocol or stronger with AES encryption mode. Guest wireless networks are separated from Keyfactor’s corporate network systems by means of network access controls (e.g., virtual LANs).
4.2 Logical Access to Systems
4.2.1 Risk Minimization by Network Separation
The requirement is met with the following measures:
(a) Network segmentation is implemented so that data transfers traverse a minimum number of network elements.
(b) The relevant systems are segregated via network access controls according to data classifications.
4.2.2 Safety Gateways at the Network Handover Points
The requirement is met with the following measures:
(a) There are network/hardware firewalls.
(b) There are personal/desktop firewalls.
(c) The firewalls are always active.
(d) The firewalls cannot be deactivated by end users.
4.2.3 Protecting Systems
The requirement is met with the following measures:
(a) All security patches are implemented within 30 days of release.
(b) Critical security patches are tested and implemented on an emergency basis depending on severity.
4.3 Safe Sending of Data
4.3.1 Shipping Provisions
If data is shipped, the requirement is met with the following measures:
(a) There are packaging and shipping provisions for the transport of personal data by data carriers.
(b) For personal data, encryption of the personal data before transmission is mandatory.
(c) The transport company must be authorized before shipping.
4.4 Safe Deletion, Disposal and Destruction
4.4.1 Process for Collection and Disposal
The requirement is met with the following measure:
(a) There are rules for destruction of documents and data media in a manner which ensures data privacy.
4.4.2 Deletion/Destruction Procedure for Data Privacy
The requirement is met with the following measures:
(a) Endpoint devices are cleared of all data before reuse by other users to make recovery impossible or only possible with disproportional effort.
(b) Hardware components or documents are cleared of personal data to make recovery impossible or only possible with disproportional effort.
Requirements to ensure that it is possible to check and establish whether and by whom personal data have been inputted into data processing systems, modified or removed (input control).
5.1 General Requirements
5.1.1 Documentation of the Input Rights
The requirement is met with the following measure:
(a) There is documentation of which persons are authorized due to their job responsibilities to make inputs into the data processing system.
Requirements to ensure that in the case of commissioned processing of personal data, the data are processed strictly in accordance with the instructions of the controller.
The requirement is met with the following measure:
(a) Job control is implemented in the data processing agreement as well as by the organization control in section 9 of attachment 2.
Requirements to ensure that personal data are protected from accidental destruction or loss (availability control).
7.1 Backup Concept
The requirement is met with the following measures:
(a) There is a systems backup program implemented.
(b) There are regular backups according to recovery time objectives (“RTO”) and recovery point objectives (“RPO”).
(c) An organization responsible for backup operations, and a representative, are designated.
7.2 Disaster Recovery
7.2.1 Emergency Plan
The requirement is met with the following measure:
(a) There is an emergency plan in which the steps to be initiated are listed and it is specified which persons are to be informed of the incident. Controller has indicated the relevant contacts in the Data Processing Agreement.
7.2.2 Storing the Backup
The requirement is met with the following measure:
(a) Data backups, both electronic and hardcopy, are stored in industry-standard secure storage facilities.
Requirements to ensure that data collected for different purposes can be processed separately.
8.1 General Requirements
8.1.1 Separate Processing
The requirement is met with the following measure:
(a) There are technical and organizational rules and measures to ensure separate processing (storage, modification, deletion, transfer, etc.) and/or storage of data and/or data carriers with different contractual purposes.
9.1 Training/Obligation
The requirement is met with the following measures:
(a) Principles of data privacy, including the technical and organizational measures.
(b) Obligation to privacy regarding operating and business secrets, including the controller’s processes.
(c) Proper and careful handling of data, files, data carriers and other documents.
(d) Where required, special further confidentiality obligations.
(e) The training has been documented and is tracked for completion.
(f) The training is regularly repeated, annually at a minimum. Shorter intervals if required by applicable laws in specific territories.
9.2 Training/Obligation of External Persons
The requirement is met with the following measures:
(a) There are rules on the access to data processing facilities for external persons (guests, suppliers, etc.).
(b) These rules require, at a minimum, that external persons are given access to data processing systems only after they have been committed to data secrecy and, where applicable, to telecommunication secrecy or other confidentiality obligations, and have been trained, before they may put any data processing systems into operation and use them.
9.3 Representative Rule
The requirement is met with the following measures:
(a) A representative has been specified for all operationally necessary functions.
(b) The representative must only receive the required access and admission rights in the event they are acting as representative.
10.1 Managing Maintenance Activities
The requirement is met with the following measure:
(a) For remote assistance on client workstations, the remote administration tool must be configured to obtain the user’s consent before any intervention on his or her workstation. The user must be able to see that remote assistance is in progress.
10.2 Management of Sub-Processing
The requirement is met with the following measures:
(a) Draft a specific clause to be included in agreements with data processors/sub-contractors.
(b) Provide for conditions of destruction of data on the agreement’s expiry and termination.
10.3 Software Development
The requirement is met with the following measure:
(a) Carry out software development in a computing environment separate from that of production (for example, on appropriately defined network segments).
10.4 Encryption
The requirement is met with the following measures:
(a) Regarding symmetric encryption:
(b) Regarding asymmetric encryption:
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
Microsoft Corporation – Technical and Organizational Measures – Microsoft maintains copies of its Professional Services Data Protection at the following link: https://www.microsoft.com/licensing/docs/view/Professional-Services-Data-Protection-Addendum-DPA. The document includes an overview of the company’s technical and organizational measures.
Salesforce.com, Inc. – Technical and Organizational Measures – Salesforce maintains an online Data Processing Addendum here that includes a brief overview of its technical and organizational measures: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf. Salesforce states, “Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the SCC Services, as described in the Security, Privacy and Architecture Documentation applicable to the specific SCC Services purchased by data exporter, and accessible via http://help.salesforce.com or otherwise made reasonably available by data importer. Data Importer will not materially decrease the overall security of the SCC Services during a subscription term.”
Rapid7 – Rapid7 provides a copy of its Data Processing Addendum, which includes an overview of the technical and organizational measures that the company implements, here: https://www.rapid7.com/legal/dpa/.
Mailgun / Sinch Email – Mailgun provides a copy of its Data Processing Addendum, which includes an overview of the technical and organizational measures that the company implements, here: https://www.mailgun.com/legal/dpa/.