We take technical and organizational measures (TOM) to ensure that data is stored securely and protected from unauthorized access.
1. Confidentiality
1.1. Entry control
Data processing by Friendly shall be performed in a secure computer centre. The computer centre is certified according to ISO 27001 concerning its information security management system. Access to the computer centre is secured by state-of-the-art control systems.
1.2. Access control
Friendly is required to prevent the intrusion by unauthorised persons into systems and applications used for the processing of Personal Data. Friendly ensures this by granting access to the data processing systems solely to explicitly authorised personnel. The login is done with complex passwords or with certificates and if possible additionally via multi-factor authentication. Access to Friendly’s systems and applications is only possible via connections that are encrypted using state-of-the-art technology. Friendly protects its servers according to the current state of the art by, among other things, firewalls, intrusion prevention systems and regular security updates and checks.
1.3. Access controls
Friendly is required to prevent unauthorised activities within the data processing systems. Accordingly, only the respective Customer and a group of administrators reduced to the minimum have access to the data. Technical measures shall ensure that a Customer cannot view, modify or erase data of other Customers. Within the services provided by Friendly, access is controlled by the Customer via a comprehensive role-based access control and authorisation concept.
1.4. Separation control
All data records that are collected, processed or used by Friendly’s systems and applications are explicitly and clearly assigned to the respective Customer and technically separated from other data. Friendly’s data processing systems are specially designed for data processing that is limited to a specific purpose and specific client. Access to the data of another client is thus technically impossible.
2. Integrity
2.1. Transfer control
Control of the transfer of the Customer’s data is ensured by various technical and organisational security measures. For the purpose of invoicing for services, billing data is transferred to Friendly’s accounting systems via an encrypted connection.
2.2. Input control
Friendly must guarantee the transparency and/or documentation of data processing. For this purpose, all entries made into the systems and applications are logged. The logs are archived and erased once the purpose has been achieved or on the basis of legal requirements.
3. Availability
3.1. Availability control
Friendly must protect Personal Data against accidental destruction or loss. For this purpose, the architecture of Friendly’s data processing systems, including network infrastructure, the power supply and the connection to the Internet must be designed redundantly.
A comprehensive backup and recovery concept must be in place to prevent data loss. Friendly takes full daily backups of all systems and data.
The systems and applications are continuously monitored with regard to availability, functionality, safety and utilisation. A written emergency plan is in place to restore the backups in the event of loss or destruction.
3.2. Rapid recoverability
Measures must be taken to ensure that data can be recovered quickly in the event of data loss. A combination of redundant systems and backup solutions is used to protect against the loss of the Customer’s data.
4. Resilience
Resilience means the ability to resist attacks or to quickly bring systems back into working order after an attack.
The technical systems of Friendly are able to cope with expected disruptive events without their functionality being significantly impaired. IT systems are continuously hardened to protect against known attacks such as denial-of-service attacks.
In addition, each essential component is designed redundantly so that in the event of a fault, a switch to a defect-free component takes place automatically. Additional capacities can also be flexibly exchanged or expanded.
Emergency plans exist which, in the event of a fault, provide precise instructions for restoring the desired condition. These emergency plans, and the protection concepts, are continuously reviewed and the relevant employees receive regular training in connection with their deployment.
5. Management
5.1. Contact details of Friendly’s representative (s)
Data Protection Officer, registered with the Federal Data Protection and Information Commissioner FDPIC (Switzerland) and the Irish Data Protection Commission DPC (EU):
Dr. Kathrin Schmid, CISO
Email:
Postal address: Friendly LLC, Kathrin Schmid, Werkhofstrasse 5, 6052 Hergiswil, Switzerland.
EU Representative: Jochen Vetter, Dargower Weg 6, 23883 Seedorf, Germany.
5.2. Process for regular testing, assessment and evaluation
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing must be implemented.
This measure is to be implemented with the aid of a data protection management system. The effectiveness of the technical and organisational measures implemented is to be tested and optimised within the scope of a continuous improvement process.
5.3. Incident response management; reporting channel
Measures must be in place to ensure that Friendly informs the Customer without undue delay in the event of a Personal Data breach or the suspicion of a Personal Data breach.
All contractual partners are contractually obliged to report data protection incidents within the legal deadlines. Internal processes ensure that the Data Protection Officer is involved in case of data protection incidents.
5.4. Data protection by default
Appropriate technical and organisational measures must be implemented for ensuring that, by default, only Personal Data that are necessary for each specific purpose of the processing are processed.
After expiration of the test phase, as well as after termination of the contractual relationship, customer data that have been collected must be erased within three months. In addition, the customer can independently delete individual person’s data within its Friendly services.
5.5. Contractor control
Friendly processes data submitted to them in accordance with the applicable contract and, in doing so, ensures compliance with statutory provisions and requirements defined by contract within the scope of the instructions provided by the Customer.
The services provided by Friendly have an administration interface through which the Customer can manage their customer account. The Customer specifies their access data within their user account during the initial account creation process. Only persons who have such access data can enter, change or delete data within the scope of their assigned authorisations. The written form requirement applies to all other tasks that the Customer cannot perform independently via the administration interface.