To supplement the Data Processing Agreement (DPA) between Client and Contractor pursuant to Art 28 GDPR (EU General Data Protection Regulation), our organization has authored a Technical & Organizational Measures document.



Introduction

The present document supplements the Data Processing Agreement (DPA) between Client and Contractor pursuant to Art 28 GDPR (EU General Data Protection Regulation).

The technical and organizational measures are implemented by Welocalize in accordance with Art 32 GDPR. Welocalize continuously improves them according to feasibility and the state of the art, raising the level of security and protection over time.

Scope

This document covers confidentiality, integrity, availability and resilience, procedures for regular review, assessment and evaluation, and organization and data protection at Welocalize.

Description

Confidentiality

Physical Access Control

Measures suitable for preventing unauthorized persons from gaining physical access to data processing systems with which personal data are processed or used.

Technical Measures | Organizational Measures
Alarm System | Key Regulation / List
Automatic Access Control System | Reception / Receptionist / Gatekeeper
Biometric Access Barriers | Visitors’ Book / Visitors’ Protocol
Smart Cards / Transponder Systems | Employee / Visitor Badges
Manual Locking System | Visitors Accompanied by Employee
Doors with Knob Outside | Care in Selection of Security Guard Personnel
Doorbell System with Camera | Care in Selection of Cleaning Services
Video Surveillance of Entrances | Information Security Policy
Biometric Access Control Data Center | Work Instructions for Operational Safety
Visitor identification verification | Work Instruction Access Control
Geo-fencing capabilities |

Logical Access Control

Technical Measures | Organizational Measures
Login With Username + Strong Password | User Access Control
Anti-Virus Software Servers | Creating User Profiles
Anti-Virus Software Clients | Central Password Assignment
Anti-Virus Software Mobile Devices | Information Security Policy
Firewall | Mobile Device Policy
Intrusion Detection Systems | Bring Your Own Device (BYOD) Policy
Use of VPN for Remote Access | Personal Device Enrollment
Encryption of Company Smartphones | Privileged access management
Automatic Desktop Lock | Regular review and recertification of access rights
Encryption of Notebooks / Tablets |
Multi-Factor Authentication |

Authorization Control

Measures to ensure that those authorized to use a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing and use or after storage.

Technical Measures | Organizational Measures
Physical deletion of data carriers | Use of authorization concepts
Logging of accesses to applications, specifically when entering, changing, and deleting data | Minimum number of administrators
SSH encrypted access | Management of user rights by administrators
Certified SSL encryption | Information Security Policy
 | Mobile Device Policy
 | Communication security policy

Separation Control

Technical Measures | Organizational Measures
Separation of productive and test environment | Control via authorization concept
Multi-tenancy of relevant applications | Determination of database rights
VLAN segmentation | Information Security Policy
Client systems logically separated | Data Protection Policy
Staging of development, test and production environment | Work instruction operational security
 | Work instruction security in software development

Pseudonymization

The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.

Technical Measures | Organizational Measures
Log files are pseudonymized at the request of the client | Internal instruction to anonymize/pseudonymize personal data as far as possible in the event of disclosure or even after the statutory deletion period has expired
Data encryption at rest and in transit by default | Information Security Policy
 | Data Protection Policy
 | Specific internal regulations on cryptography

Integrity

Transfer Control

Technical Measures | Organizational Measures
Use of VPN where applicable | Survey of regular retrieval and transmission processes
Logging of accesses and retrievals | Transmission in anonymized or pseudonymized form
Provision via encrypted connections such as SFTP, HTTPS and secure cloud stores | Careful selection of transport personnel and vehicles
Use of signature procedures (case-dependent) | Personal handover with protocol
Encryption at rest using AES 256-bit encryption in addition to unique per-file keys | Information Security Policy
Encryption in transit utilizing HTTPS (TLS 1.2+) for web services, and TLS encryption for email transport | Data Protection Policy

Input Control

Measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data has been entered into, modified in or removed from data processing systems. Input control is achieved through logging, which can take place at various levels (e.g., operating system, network, firewall, database, application).

Technical Measures | Organizational Measures
Technical logging of the entry, modification and deletion of data | Survey of which programs can be used to enter, change or delete which data
Manual or automated control of the logs (according to strict internal specifications) | Traceability of data entry, modification and deletion through individual usernames (not user groups)
 | Assignment of rights to enter, change and delete data on the basis of an authorization concept
 | Clear responsibilities for deletions
 | Information Security Policy
 | Work instruction IT user regulations

Availability and Resilience

Availability Control

Measures to ensure that personal data is protected against accidental destruction or loss (UPS, air conditioning, fire protection, data backups, secure storage of data media, virus protection, RAID systems, disk mirroring, etc.).

Technical Measures | Organizational Measures
Fire and smoke detection systems | Backup concept
Fire extinguisher server room | No sanitary connections in the server room
Server room monitoring temperature and humidity | Existence of an emergency plan
Server room air-conditioning | Storage of backup media in a secure location outside the server room
UPS system and emergency diesel generators | Separate partitions for operating systems and data where necessary
Protective socket strips server room | Information Security Policy
RAID system / hard disk mirroring | Work instruction operational security
Video surveillance server room | Ransomware detection and response protocols
Alarm message in case of unauthorized access to server room | Cloud-native backup solutions

Recoverability Control

Measures capable of rapidly restoring the availability of and access to personal data in the event of a physical or technical incident.

Technical Measures | Organizational Measures
Backup monitoring and reporting | Recovery concept
Restorability from automation tools | Control of the backup process
Backup concept according to criticality and customer specifications | Regular testing of data recovery and logging of results
 | Existence of an emergency plan
 | Information Security Policy
 | Work instruction operational security

Procedures for regular Review, Assessment and Evaluation

Data Protection Management

Technical Measures | Organizational Measures
Central documentation of all data protection regulations with access for employees | Internal data protection officer appointed: Group Data Protection Officer, DPO
Security certification according to ISO 27001 | Staff trained and obliged to confidentiality/data secrecy
A review of the effectiveness of the TOMs is carried out at least annually and the TOMs are updated | Regular awareness trainings at least annually
Data protection checkpoints consistently implemented in tool-supported risk assessment | Internal Information Security Officer appointed: Group Information Security Officer, ISO
Privacy certification according to ISO 27701 | Data Protection Impact Assessment (DPIA) is carried out as required
ISO 27001 certification of key parts of the company including data center operations, with annual monitoring audits | Processes regarding information obligations according to Art 13 and 14 GDPR established
Continuous vulnerability management program | Formalized process for requests for information from data subjects is in place
 | Data protection aspects established as part of corporate risk management

Incident Response Management

Measures supporting the security incident response and data breach process.

Technical Measures | Organizational Measures
Use of firewall and regular updating | Documented process for detecting and reporting security incidents / data breaches (also with regard to the reporting obligation to the supervisory authority)
Use of spam filter and regular updating | Formalized procedure for handling security incidents
Use of virus scanner and regular updating | Involvement of DPO and ISO in security incidents and data breaches
Intrusion Detection System (IDS) | Documentation of security incidents and data breaches via ticket system
Intrusion Prevention System (IPS) | A formal process for following up on security incidents and data breaches
Security Information & Event Management (SIEM) system | Information Security Policy
 | Data Protection Policy
 | Work instruction operational security
 | Tabletop exercises
 | Data breach simulation tests

Privacy by Design and Default

Measures pursuant to Art 25 GDPR that comply with the principles of data protection by design and by default.

Technical Measures | Organizational Measures
No more personal data is collected than is necessary for the respective purpose | Data Protection Policy (includes the principles “privacy by design / by default”)
Use of data protection-friendly default settings in standard and individual software | OWASP Secure Mobile Development Security Checks are performed
Perimeter analysis for web applications |
Privacy impact assessment (PIA) templates |

Order Control

Technical Measures | Organizational Measures
Monitoring of remote access by external parties, e.g. in the context of remote support | Work instruction supplier management and supplier evaluation
Monitoring of subcontractors according to the principles and technologies described in the preceding chapters 1, 2 | Prior review of the security measures taken by the contractor and their documentation, where applicable
 | Selection of the contractor under due diligence aspects (especially with regard to data protection and data security), where applicable
 | Conclusion of the necessary data processing agreement on commissioned processing or EU standard contractual clauses
 | Framework agreement on contractual data processing within the group of companies
 | Written instructions to the contractor
 | Obligation of the contractor’s employees to maintain data secrecy
 | Ensuring the destruction of data after termination of the contract
 | In the case of longer collaboration: ongoing review of the contractor and its level of protection
 | Third-party risk management tools

Organization and Data Protection at Welocalize

Welocalize has set itself the goal, among other things, of providing its customers with the products and services to be delivered at the highest possible level of information security in compliance with the law.

In this context, Welocalize has established a dedicated cross-functional security organization to ensure comprehensive protection of its own corporate information and data as well as of the data of its customers and clients. The functions of Information Security Officer (ISO), Data Protection Officer (DPO), Quality Officer (QO), Risk Officer (RO) and Legal Compliance Officer (LCO), each with group-wide responsibility and direct authority in its area of activity, have been established.

Employees are continuously informed and trained in the area of data protection. In addition, all employees are contractually bound to data secrecy and confidentiality. External parties who may come into contact with personal data in the course of their work for Welocalize are obligated, by means of a Non-Disclosure Agreement (NDA) signed before they begin their work, to maintain secrecy and confidentiality and to comply with data protection and data secrecy requirements.

Any subcontractors entrusted with further processing (as “other processors”) are only used after approval by the Client as the “controller” and after conclusion of a Data Processing Agreement (DPA) in accordance with Art 28 GDPR, with which they are fully bound by all data protection obligations to which Welocalize itself is subject.

All of these organizational measures are flanked by Welocalize’s current, high technical security standards, and both dimensions are reviewed periodically.

Certifications

Measure | GDPR Compliance | Comments
Physical Access Control | |
Logical Access Control | |
Authorization Control | |
Separation Control | |
Pseudonymization | |
Transfer Control | |
Input Control | |
Availability Control | |
Recoverability Control | |
Data Protection Management | |
Incident Response Management | |
Privacy by Design and Default | |
Order Control | |
Organization | |