Technical and Organisational Measures (TOM)

Introduction

Deskhero AB (“we,” “us,” or “our“) is committed to implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with processing personal data for our Clients (“you” or “Client“), Users, and Client’s Customers, in compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

This document outlines the technical and organisational measures we have implemented to protect personal data processed through our Software-as-a-Service (SaaS) platform (“Service“), leveraging our AWS infrastructure.

---

1. Organisational Measures

1.1 Data Protection Governance

• Data Protection Officer (DPO):
  • Name: Klas Karlsson
  • Email: dpo@deskhero.com
  • Phone: +46 70 601 13 22
• Responsibility:
  • Overseeing data protection strategy and compliance.
  • Monitoring adherence to data protection policies and procedures.
  • Acting as a point of contact for data subjects and supervisory authorities.

1.2 Policies and Procedures

• Data Protection Policies:
  • Establishing internal policies for data protection, which are regularly reviewed and updated.
  • Policies cover data handling, breach response, access control, and employee responsibilities.
• Employee Training:
  • Mandatory training programs for all employees on data protection, privacy, and information security.
  • Regular updates on emerging threats and best practices.
• Confidentiality Agreements:
  • Employees and contractors are required to sign confidentiality and non-disclosure agreements.

1.3 Access Management

• Access Control Policy:
  • Access to personal data is granted on a need-to-know basis.
  • Regular reviews of user access rights.
• Authentication Mechanisms:
  • Use of strong passwords and multi-factor authentication (MFA) for system access.
  • Account lockout policies after multiple failed login attempts.

1.4 Incident Response

• Incident Response Plan:
  • Procedures for detecting, reporting, and responding to security incidents.
  • Designated incident response team.
• Notification Procedures:
  • Obligations to notify Clients and authorities of personal data breaches without undue delay.

1.5 Vendor Management

• Due Diligence:
  • Assessing Sub-Processors for compliance with data protection standards.
• Contracts:
  • Ensuring that agreements with Sub-Processors include data protection obligations.

---

2. Technical Measures

2.1 Data Encryption

• In Transit:
  • Personal data is encrypted during transmission over public networks using TLS 1.2 or higher.
• At Rest:
  • Personal data stored in databases and backups is encrypted using AWS encryption services (e.g., AES-256 encryption for EBS volumes, RDS encryption).

2.2 Network Security

• AWS Infrastructure:
  • Our Service is hosted on Amazon Web Services (AWS), utilizing their secure infrastructure and services.
• Firewalls and Security Groups:
  • AWS Security Groups are used to control inbound and outbound traffic to resources, acting as virtual firewalls at the instance level.
• Virtual Private Cloud (VPC):
  • AWS VPC is configured to isolate and secure network traffic.
  • Private subnets are used for internal resources, ensuring that databases and caches are not exposed to the public internet.
• AWS CloudFront and Application Load Balancer (ALB):
  • AWS CloudFront serves as the content delivery network (CDN) and entry point, providing secure and efficient distribution.
  • AWS ALB distributes incoming traffic to Amazon ECS (Elastic Container Service) containers hosting the application.
• Intrusion Detection and Threat Monitoring:
  • AWS GuardDuty is utilized for threat detection and continuous monitoring for malicious activity.
  • While dedicated IDS/IPS systems are not used, AWS services provide network traffic monitoring capabilities.

2.3 System Security

• Secure Configuration Management:
  • Infrastructure is managed using Terraform, enabling consistent and secure configurations across environments.
• Environment Segregation:
  • Separate environments for development (“sandbox”), staging, and production are maintained to test code and infrastructure changes before deployment.
• Patch Management:
  • Regular updates and patches are applied to operating systems and applications, leveraging AWS services and automation where applicable.

2.4 Application Security

• Secure Development Practices:
  • Adoption of Secure Software Development Lifecycle (SSDLC) principles.
  • Regular code reviews, static code analysis, and security testing are conducted.
• Penetration Testing:
  • Periodic security assessments and vulnerability scanning are performed, including third-party penetration testing where appropriate.

2.5 Access Control

• AWS Identity and Access Management (IAM):
  • Role-based access control (RBAC) is enforced using AWS IAM roles and policies.
  • Access to AWS resources is granted on the principle of least privilege.
• Multi-Factor Authentication (MFA):
  • MFA is required for all administrative access to AWS management interfaces.
• Logging and Monitoring:
  • AWS CloudTrail is used to log API calls and actions within the AWS environment.
  • AWS CloudWatch monitors logs and metrics for anomalies.

2.6 Data Backup and Recovery

• Regular Backups:
  • Automated backups of databases are performed using AWS RDS automated backup features.
• Encrypted Backups:
  • Backup data is encrypted at rest using AWS Key Management Service (KMS).
• Disaster Recovery Plan:
  • Documented procedures for data restoration and service continuity are in place.
• Testing Recovery Processes:
  • Regular testing of backup restoration and recovery procedures is conducted.

2.7 Physical Security

• AWS Data Centers:
  • Physical security controls are managed by AWS, including:
    • 24/7 security personnel.
    • Biometric access controls.
    • CCTV surveillance.
    • Environmental controls like fire suppression and climate control.
• AWS Compliance:
  • AWS data centers comply with industry standards such as ISO 27001, SOC 1/2/3, which supports our compliance efforts.

2.8 Endpoint Security

• Device Security Policies:
  • Company devices are secured with:
    • Full disk encryption.
    • Up-to-date anti-malware software.
    • Strong authentication mechanisms.
• Remote Access:
  • Secure VPN connections are required for remote access to internal systems where applicable.
• Remote Wipe Capabilities:
  • Ability to remotely wipe company devices in case of loss or theft.

2.9 Logging and Monitoring

• Comprehensive Logging:
  • Detailed logs of system activities, access logs, and error logs are maintained.
• Security Monitoring:
  • Real-time monitoring for security events using AWS services like CloudWatch and GuardDuty.
• Alerting:
  • Automated alerts are configured for suspicious activities or security incidents.

2.10 Data Minimization and Pseudonymization

• Data Minimization:
  • Collecting and processing only the personal data necessary for specified purposes.
• Pseudonymization and Anonymization:
  • Where appropriate, personal data is pseudonymized or anonymized to reduce the risk to data subjects.

---

3. Regular Testing and Assessments

• Vulnerability Scanning:
  • Regular automated scanning of systems to detect vulnerabilities, using tools compatible with AWS environments.
• Security Audits:
  • Periodic security audits and assessments are conducted to evaluate the effectiveness of security measures.
• AWS Well-Architected Reviews:
  • Regular reviews using the AWS Well-Architected Framework to ensure best practices are followed.

---

4. Compliance with Standards

• Regulatory Compliance:
  • Adherence to GDPR and other applicable data protection laws.
• Best Practices Alignment:
  • Aligning security practices with industry best practices and guidelines, including:
    • AWS Security Best Practices.
    • NIST Cybersecurity Framework.

---

5. Data Protection by Design and Default

• Privacy Impact Assessments (PIAs):
  • Conducted for new processing activities or significant changes to existing processes.
• Secure Defaults:
  • Systems and applications are configured to ensure that, by default, only necessary personal data is processed.

---

6. Awareness and Training

• Employee Education:
  • Regular training sessions on data protection policies, procedures, and best practices, including AWS-specific security training.
• Security Awareness Programs:
  • Ongoing initiatives to promote a culture of security and privacy within the organization.

---

7. Sub-Processor Security

• AWS Shared Responsibility Model:
  • Understanding and adhering to the AWS Shared Responsibility Model, where AWS is responsible for security ‘of’ the cloud, and we are responsible for security ‘in’ the cloud.
• Vendor Management:
  • Regular assessment of Sub-Processors to ensure they meet our security and compliance requirements.

---

8. Incident Management

• Detection and Reporting:
  • Systems in place to promptly detect security incidents using AWS monitoring services.
• Response Procedures:
  • Defined steps for containment, eradication, recovery, and communication.
• Notification Obligations:
  • Procedures to notify Clients and authorities of personal data breaches without undue delay.

---

9. Data Retention and Deletion

• Data Retention Policies:
  • Personal data is retained only as long as necessary for the purposes for which it was collected or as required by law.
• Secure Deletion:
  • Upon the end of the retention period, personal data is securely deleted or anonymized.
• Data Deletion Requests:
  • Processes in place to handle data subject requests for deletion in compliance with GDPR.

---

10. Contact Information

For any questions or concerns regarding our technical and organisational measures, please contact our Data Protection Officer (DPO):

• Name: Klas Karlsson
• Email: dpo@deskhero.com
• Phone: +46 70 601 13 22

---

Note: This document may be updated from time to time to reflect changes in our security practices. We will notify Clients of significant changes as outlined in our Privacy Policy and Data Processing Agreement.