Technical and Organizational Measures

Version
Version 1.0 - August 9, 2022

Introduction

This document outlines the Technical and Organizational Measures (TOMs) implemented by Archlet to ensure the protection of personal data processed as part of our software-as-a-service (SaaS) offerings. Our goal is to provide appropriate security for all data processed and to comply with relevant regulations, such as the European Union's General Data Protection Regulation (GDPR).

Measures

Access Control:

Access to personal data is granted based on the principle of least privilege, meaning that employees only have access to the personal data they need to perform their job duties. Strong passwords are required for all user accounts and are regularly changed. All access to personal data is logged and monitored for signs of unauthorized access or misuse. Multi-factor authentication (MFA) is required for access to sensitive personal data. Access to personal data is automatically revoked if an employee leaves the company.

Network Security:
Our network is protected by firewalls and other security devices to prevent unauthorized access from the internet. We use secure protocols, such as SSL/TLS, for data transmission. Archlet’s infrastructure is hosted in Azure, benefiting from Microsoft’s best-in-class security offerings.

Data Encryption:
All personal data stored in our systems is encrypted using industry-standard encryption algorithms, such as AES-256. Data is encrypted both at rest (when stored) and in transit (when transmitted).

Recoverability:
Regular backups of personal data are taken and stored in a redundant and geo-distributed way. Backups are encrypted using the same encryption algorithms as the original data. The backup process is regularly tested to ensure that data can be recovered in the event of a disaster.

Vulnerability Management:
We regularly scan our systems for vulnerabilities and promptly apply software updates to address any security issues. We also conduct regular penetration testing by independent security consultants to assess the security of our systems. Various tools are applied throughout the software development life cycle (SDLC) to reduce the risk of introducing vulnerabilities into our SaaS offering.

Data Retention:
We retain personal data only for as long as necessary to fulfill the purpose for which it was collected. We regularly review our data retention policies to ensure that they are up-to-date and appropriate. We securely delete personal data when it is no longer needed.

Pseudonymization and Anonymization:
Measures for pseudonymization or anonymization of personal data are implemented to the extent necessary. Data in non-production environments used for testing purposes is anonymized or pseudonymized wherever possible.

Data Protection Officer (DPO):
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection processes and ensuring that we comply with relevant regulations. The DPO regularly reviews our TOMs and recommends changes as necessary.

Incident Response Plan:
We have an incident response plan in place to deal with data breaches or other security incidents. The plan includes procedures for incident reporting, investigation, and resolution. Employees are regularly trained on the incident response plan and how to respond to security incidents.

Third-party Providers:
We assess the reputation of any third-party providers who have access to personal data and ensure that they have appropriate measures in place. We enter into data processing agreements with third-party providers to ensure that they understand their obligations with respect to personal data protection.

Security Policies:
Archlet maintains and follows IT security policies and practices that are integral to Archlet’s business and mandatory for all Archlet employees, including supplemental personnel. IT security policies are reviewed periodically and amended as Archlet deems reasonable to maintain protection of services and content processed therein.

Conclusion

Archlet is committed to protecting personal data processed as part of our SaaS offerings. The technical and organizational measures outlined in this document are designed to ensure the security of personal data and comply with relevant regulations. We regularly review and update our TOMs to ensure that we continue to provide appropriate protection for all data processed.