Phonemos User Guide

Technical and Organisational Measures (Annex to the DPA)

1 General provisions

1.1 The data processor assures the data controller that it has taken the following technical and organisational measures with regard to the services it provides.

2 Review and evaluation

2.1 The processor integrates the application into its existing information security management system.

2.2 The processor has a certified security management system in accordance with ISO/IEC 27001, which explicitly includes the regular monitoring of measures and an ongoing assessment of risks. The effectiveness of the measures is regularly reviewed by external bodies.

2.3 The processor operates an internal audit programme for this purpose, which is supplemented by annual external audits by the certification body.

2.4 The processor operates the customer's applications with corresponding customer data exclusively with platform providers (PaaS/IaaS) that also have valid ISO/IEC 27001 certification and undergo regular audits accordingly.

3 Dealing with security incidents

3.1 The processor has a documented procedure for dealing with security incidents. Every potential incident is documented, classified and appropriate measures are initiated based on the risk assessment.

3.2 The controller's security contact, who is registered with the processor for each system, is actively informed about incidents affecting that system.

3.3 The processor is subscribed to the usual channels used by software manufacturers for security announcements and in some cases also receives confidential advance information about security problems. It applies the patches required on the basis of the risk assessment as quickly as possible, but no later than 72 hours after they appear.

3.4 If there is a very high risk of data leakage to third parties (loss of confidentiality) due to a security vulnerability and no reasonable patch is available, the processor pursues, in the interests of the controller, a security policy under which confidentiality objectives are prioritised over availability objectives. In the absence of explicit instructions to the contrary and assumption of risk by the controller, the processor is authorised in this case to restrict the availability of the system in an appropriate manner at any time, even if this conflicts with contractual target values regarding system availability. In this case, the controller shall in return waive any penalties or liability claims against the processor that might be filed due to the failure to meet SLA target values regarding availability. The controller may issue written instructions to the contrary at any time.

4 Physical access control

Access control is intended to ensure that only authorised persons gain access to sites, buildings or premises where data processing is carried out.

4.1 Control of access to the processor's server systems is contractually agreed with the commissioned subcontractors and is ensured by them.

4.2 By means of a locking system with personal badges and/or other identification (e.g. ID/biometrics), the respective data centre operators commissioned by the processor ensure that only authorised persons have access to the processor's systems.

4.3 In accordance with the established security zone concept, no customer data from the systems operated for the controller may be permanently stored outside of these server systems. This does not apply to unavoidable processing on workstation systems, after which the data is deleted from the workstation system.

4.4 The processor's premises are secured against unauthorised access with an electronic locking system.

4.5 Screens are positioned so that they cannot be seen from the door.

4.6 A clean desk policy is applied.

4.7 Guests may not be unaccompanied in the processor's offices.

4.8 Outside the processor's premises (e.g. home office for on-call assignments), employees are obliged to process personal data in suitable locations that prevent unauthorised access by third parties.

5 Logical access control

Access control is intended to ensure that only authorised persons have access to data processing systems with which the processing is carried out.

5.1 The hard drive of workstation devices is encrypted.

5.2 A password policy for activating hard disk encryption and logging in to the workstation is adhered to.

5.3 The workstation is automatically locked when the user is inactive.

5.4 Work equipment used for business purposes is personal and employees are contractually prohibited from sharing it with other persons such as family members.

5.5 A password manager provided by the company must be used to store passwords.

5.6 To log in to critical systems of the processor (e.g. the password manager), it is necessary to log in to the processor's identity and access management system (IAM).

5.7 Login to the IAM system is only possible with two-factor authentication.

5.8 Security-relevant events are logged by the components used for authentication and forwarded to the log infrastructure.

5.9 Compliance with the device-based security policies, including that the software used is up to date, that the virus scanner is activated and that hard disk encryption is enabled, is automatically checked on the PC workstations each time they log on to the IAM system. If the requirements are not met, it is not possible to log in.

5.10 Access to non-personal (shared) passwords is restricted to those employees who require access for their tasks. The list of authorised persons is automatically updated by the IAM system when personnel changes occur.

6 Access control

Access control is intended to ensure that only authorised persons are granted authorisation to process personal data (namely to read, copy, change, remove or transfer).

6.1 The processor carries out a personal security check on all employees. This includes checking criminal and debt enforcement register extracts to the extent permitted by law. In the case of employees who have resided outside Switzerland in the last 5 years, the management defines which documents must be obtained and submitted in the countries concerned.

6.2 For employees in sensitive positions, in particular employees with admin rights in relevant IT systems, the personal security check is repeated every three years and at the request of the management.

6.3 If the controller is a government agency of the Swiss Confederation, the processor shall disclose existing security declarations from the PSP DDPS specialist unit [1] in accordance with the Ordinance on Personnel Security Checks (VPSP) [2] on request. Depending on the area of operation, selected employees of the processor already hold valid checks for access to civilian or military confidential (PSP 10) or secret (PSP 11) information and facilities. As the PSP DDPS can only be initiated by the customer, the processor cannot initiate its own checks.

6.4 The processor organises regular security awareness events for its employees. These include training, phishing simulations and information about current threats. All awareness measures are systematically documented and traceable.

6.5 Where possible, personal data will only be processed on the processor's server systems or in a software system provided by the customer. If personal data must be temporarily stored on the workstation for technical reasons in order to fulfil tasks, e.g. to create a CSV file for user import, this data is deleted from the workstation as soon as it is no longer required.

6.6 A company-wide role concept is stored in the IAM system, which controls the authorisations for important systems.

6.7 Particularly security-critical roles, such as logging in as an administrator on a cluster operated by linkyard, can only be requested temporarily by authorised persons in the IAM system, with a time limit (e.g. 4 hours). The IAM system removes these authorisations fully automatically after the time limit has expired. The request and removal of security-critical roles is automatically and actively communicated via the chat system.

6.8 The processor subjects the applications it develops itself (e.g. Phonemos or customised software for the customer) to tool-supported security scans in order to identify possible vulnerabilities (in particular OWASP Top 10) and implement patches if necessary.

6.9 Test environments that have been set up are treated by the processor in the same way as production systems with regard to confidentiality objectives, i.e. they also receive security patches. Nevertheless, the controller is advised to cleanse test systems of particularly confidential data.

6.10 The standard authorisation system integrated into the respective products is used to manage and check user authorisations. It is used in accordance with the approved role and authorisation concept issued by the controller.

5 Transfer and transport control

The purpose of transfer and transport controls is to ensure that the confidentiality and integrity of data is protected when personal data is transferred and data carriers are transported.

5.1 All connections are encrypted with the current version of TLS or using SSH. The processor uses generally recognised certificates.

5.2 Email messages are sent encrypted using TLS, provided the receiving mail server supports it.

5.3 The transport of personal data using mobile data carriers is avoided and does not normally take place. If this does take place, the data is encrypted using at least AES-256 and the key is transported separately. Corresponding transports are documented.

5.4 The processor does not transfer any customer data to third parties without the explicit consent of the customer. The consent is documented. Legal obligations to provide information are reserved.

6 Input control

The purpose of input control is to ensure that it is subsequently possible to check and establish which personal data has been entered or modified in automated processing systems, at what time and by whom.

6.1 For hosting customer systems: Change management of the central infrastructure and software components is managed according to the infrastructure-as-code principle and controlled by an automated continuous integration/continuous deployment (CI/CD) system.

6.2 The log files written by the software components are monitored and stored in the central log infrastructure of the processor.

6.3 The processor retains the audit and log files of the applications operated for 6 months.

6.4 For hosting customer systems: On request, the log files can also be sent to a Security Operations Centre commissioned by the controller.

7 Order control

The purpose of order control is to ensure that processing is carried out in accordance with the instructions of the controller.

7.1 Appropriate, separate contracts for commissioned data processing are concluded with the subcontractors.

7.2 The employees of the processor are instructed on the regulations for processing the client's personal data when the contract is concluded.

7.3 The processor's employees sign a confidentiality agreement when they are hired, which also covers customer data and remains valid even after the employment relationship has ended.

7.4 For hosting of customer systems: The controller is granted the right to audit. Audits must be notified to the processor within a reasonable period of time. Expenses incurred by the processor for participation in audits shall be compensated by the controller on a time and material basis. Penetration tests by the controller that could affect the availability or integrity of the system shall be scheduled in such a way that as few system users as possible are affected and the processor is able to react quickly to interruptions.

7.5 When hosting customer systems: After the system is decommissioned, the data stored in the system is offered to the controller for storage and then deleted by the processor.

8 Availability control and recoverability

Availability control is intended to ensure that personal data is protected against destruction or loss.

8.1 When hosting customer systems: Backups are created and stored in accordance with the backup plan selected by the customer, at least daily. The recoverability (restore) is checked at least once a year as part of the application updates. Additional checks can be carried out at the customer's request.

8.2 The storage of backups is physically separated from the source data in a separate data centre. The backups are stored in encrypted form and the contractually guaranteed location only applies to the storage of the keys.

8.3 Service monitoring recognises service failures and initiates a recovery by means of automatic self-healing procedures. If this fails, the fault is automatically escalated to the processor's service support.

8.4 The availability of the services is logged and failures are subsequently analysed.

8.5 All services are designed to be redundant at a physical level; the failure of individual devices leads to a brief interruption at most. The infrastructure (servers, storage, networks) is designed for high availability in accordance with the contracts with the processor's partners.

8.6 In the event of a major incident that leads to a prolonged outage of an entire data centre (disaster), the processor is able to resume operations at a second location on the basis of the backups.

9 Separation control

Separation control ensures that personal data collected for different purposes is processed separately.

9.1 The applications of the individual customers are separated from each other by the following measures:

  • Separate database instances: Each application has its own database with its own access credentials.

  • Separate (logical) discs: Each application and each database has its own logical disc for its data. It has no access to the discs of other applications.

  • Container: The applications run in separate Linux containers with minimal rights.

  • Network: Each customer has their own isolated (software-defined) network (where technically possible).

  • Access: Customers only have access to the application itself and not to the underlying systems.

9.2 The separation of data within the applications is the responsibility of the customer.

10 Mobile device control

Mobile device control is intended to ensure that only authorised persons can read, copy, change or delete data on mobile devices.

10.1 The use of paper-based documents and mobile data carriers is avoided as far as possible. Paper-based documents and mobile data carriers are destroyed properly after use.

11 Storage control

The purpose of storage control is to ensure that only authorised persons can access, enter, change and delete stored personal data.

11.1 All discs are clearly assigned to a customer and before the data is made available on the disc, it is automatically checked whether this data is really from the relevant customer and the relevant application. The data is only made available if this is the case.

11.2 The operators of the PaaS/IaaS infrastructure have undertaken in the contracts to restrict access to the systems to a minimum and do not make any changes to data.

11.3 All data on the discs is encrypted using AES-256. The key for this is only accessible to carefully selected employees of the processor; subcontractors do not have access to this data.

12 User control

User control ensures that only authorised persons can use automated processing systems with the aid of data transmission.

12.1 The applications used authenticate end users according to industry standards.

12.2 When hosting customer systems: The controller can potentially make some or all of the content of the applications publicly available and thus waive authentication for this content. This is the responsibility of the customer and the processor has no influence on this. The processor configures the products on delivery so that only authenticated users have access.

12.3 The processor only uses trained and security-checked employees to administer the systems.

13 Data integrity

Data integrity is intended to ensure that stored personal data cannot be damaged by system malfunctions.

13.1 When hosting customer systems: Daily backups exist for all data (see "Recoverability"). The integrity of the backups is checked automatically.

13.2 For major interventions such as software updates, an additional backup is created in advance and the relevant interventions are tested on test systems beforehand.

[1] https://www.sepos.admin.ch/de/personensicherheitspruefung

[2] https://www.fedlex.admin.ch/eli/oc/2023/736/de