Technical and Organizational Measures (TOMs)
      Back to home
      1. Fidectus Knowledge Base
      2. Trust Center
      3. Technical and Organizational Measures (TOMs)

      Technical and organisational measures (TOMs)

      September 2024, Version 1.0

       

       

      The current technical and organisational measures of Fidectus are defined in the following sections. The measures are based on the policies of Fidectus' ISO27001-certified Information Security Management System (ISMS). Fidectus may change these measures at any time without prior notice as long as a comparable or higher level of security is maintained. Individual measures may be replaced by new measures that fulfil the same purpose without reducing the security level for the protection of personal data.

       

      1.        ACCESS CONTROL

      Unauthorised persons are denied physical access to facilities, buildings and premises in which data processing systems that process or use personal data are located.

      1.1.     Measures

      1.1.1.    Fidectus protects buildings with appropriate measures.

      1.1.2.    Buildings are generally secured by access control systems (e.g. access by chip card).

      1.1.3.    As a minimum requirement, the external entrances to a building must be equipped with a locking system, including a key management system.

      1.1.4.    Depending on the security classification, buildings, individual areas and the surrounding grounds may be protected by additional measures. These include special access profiles, video surveillance, intruder alarm systems and biometric access control systems.

      1.1.5.    Access rights are assigned to authorised persons on an individual basis in accordance with the measures for system and data access control (see sections 1.2 and 1.3 below). This also applies to the access of visitors. Guests and visitors to Fidectus buildings must register by name and be accompanied by authorised Fidectus personnel.

      1.1.6.    Fidectus personnel and external personnel must wear their company ID/access card at all Fidectus locations.

      1.2.     Additional measures for data centres

      1.2.1.    Strict security measures apply to all data centres, which are supported by security personnel, surveillance cameras, motion detectors and access control mechanisms, among other things, to protect data centre systems and facilities from unauthorised access. Only authorised persons have access to the systems and infrastructure of the data centres. Security devices (motion sensors, cameras, etc.) are serviced at regular intervals to ensure that they function properly.

      1.2.2.    Fidectus and all data centres operated by third parties log the names and times of authorised persons who enter the non-public areas of Fidectus within the data centres.

       

       

      2.        SYSTEM ACCESS CONTROL

      Data processing systems used to provide the cloud service must be protected against unauthorised use. Measures:

      2.1.     Access to sensitive systems, including systems for storing and processing personal data, is granted via authorisation levels. Authorisations are managed via defined processes in accordance with Fidectus ISMS.

      2.2.     All persons access the Fidectus systems with a unique identifier (user ID).

      2.3.     Fidectus has established procedures so that requested changes to authorisations are only carried out in accordance with the Fidectus ISMS (for example, no rights are granted without appropriate authorisation). When an employee leaves the company, their access rights are cancelled.

      2.4.     Fidectus has established a password policy that prohibits the disclosure of passwords, regulates how to proceed if a password is disclosed and requires passwords to be changed regularly and default passwords to be changed. Personalised user IDs are assigned for authentication purposes. All passwords must fulfil certain minimum requirements and are stored in encrypted form.

      2.5.     The company network is protected from the public network by firewalls

      2.6.     Fidectus uses up-to-date virus scanners at the transitions to the company network (for e-mail accounts), as well as on all file servers and on all standalone computers.

       

       

      3.        DATA ACCESS CONTROL

      Persons who are authorised to use data processing systems are only granted access to the personal data for which they have access rights, and personal data may not be read, copied, modified or removed without authorisation during processing, use or storage. Measures:

      3.1.1.    In the context of the Fidectus ISMS, personal data requires at least the same protection as "confidential" information as defined by the Fidectus information classification standard.

      3.1.2.    Access to personal data is only granted when necessary ("need-to-know" principle). Each person is only granted access to the information they need to fulfil their duties. Fidectus uses authorisation concepts that document the assignment processes and the roles assigned per account (user ID). All client data is protected in accordance with the Fidectus ISMS.

       

       

      4.        DATA TRANSFER CONTROL

      The data transmission control ensures that personal data cannot be read, copied, modified or removed without authorisation during transmission or storage, except to the extent necessary for the provision of the cloud services in accordance with the agreement. During the physical transport of data carriers, Fidectus takes appropriate measures to ensure the agreed service level (e.g. encryption). Measures:

      4.1.     Personal data is protected during transmission via internal Fidectus networks in accordance with the Fidectus ISMS.

      4.2.     With regard to the transfer of data between Fidectus and its clients, the security measures for the transferred personal data are agreed by the parties and form part of the agreement. This applies to both physical and network-based data transmission. In any case, the Client assumes responsibility for the data transmission as soon as it takes place outside the systems controlled by Fidectus.

       

       

      5.        DATA INPUT CONTROL

      It will be possible to retrospectively investigate and determine whether and by whom personal data was collected, modified or removed from Fidectus' data processing systems. Measures:

      5.1.     Fidectus only allows authorised persons to access personal data within the scope of their duties.

      5.2.     Fidectus has implemented a logging system within the Cloud Service for the collection, modification and deletion or blocking of Personal Data by Fidectus or its sub-processors to the extent technically possible.

       

       

      6.        CONTROL OF PROCESSING

      Personal data processed on behalf of the client (e.g. on behalf of the client) will only be processed in accordance with the agreement and the client's instructions in this regard. Measures:

      6.1.     Fidectus utilises controls and procedures to monitor compliance with contracts between Fidectus and its principals, sub-processors or other service providers.

      6.2.     In the context of the Fidectus ISMS, personal data requires at least the same protection as "confidential" information as defined by the Fidectus information classification standard.

      6.3.     All Fidectus employees and subcontracted processors or other service providers are contractually bound to maintain confidentiality with respect to all sensitive information, including trade secrets, of Fidectus' clients and partners.

       

       

      7.        AVAILABILITY CONTROL

      Personal data is protected against accidental or unauthorised destruction or loss. Fidectus has regular backup processes in place to restore the availability of business-critical systems if required. Measures:

      7.1.     Fidectus has developed business contingency plans for business critical processes and can provide disaster recovery strategies for business critical services as further described in the documentation or included in the order form ("Order Agreement") for the respective Cloud Service.

      7.2.     Emergency processes and systems are tested regularly.

       

       

      8.        SEPARATION CONTROL

      Personal data that is collected for different purposes can be processed separately. Measures:

      8.1.     Fidectus utilises the technical possibilities of the implemented software to enable the separation of personal data originating from different clients.

      8.2.     The client (including those responsible) only has access to its own data.

      8.3.     If personal data of the client is required to process a support case of the client, the data is assigned to this notification and only used to process this notification. This data is stored in dedicated support systems.

       

       

      9.        DATA INTEGRITY CONTROL

      Personal data remains intact, complete and up-to-date during processing activities. Measures:

      9.1.     Fidectus has implemented numerous security measures to protect against unauthorised changes.

      9.2.     In particular, Fidectus uses the following means to implement the above sections on controls and measures:

      9.2.1.    Firewalls;

      9.2.2.    Security Monitoring;

      9.2.3.    Antivirus software;

      9.2.4.    Create backup copies and restore;

      9.2.5.    External and internal penetration tests;

      9.2.6.    Regular auditing of security measures by external third parties.