Technical and organizational measures (TOMs) for azuma mimoto in accordance with Art. 32 GDPR
This translation is NOT legally binding and a working translation only. Legally binding and relevant, particularly in case of any discrepancies, is solely the German text.
Preamble
In order to ensure the security and confidentiality of data, azuma will take and maintain all necessary technical and organizational measures, in particular the measures defined by the relevant applicable legal framework. The technical and organizational measures refer to the data categories mentioned in §5:
- Data in the web token (identity data of the end user): This data is not stored by azuma, but is deleted immediately after successful login
- Meta data for the token handling process: This data is stored by azuma for the duration of the contract for billing purposes
- Access data for employees of the controller: This data is stored by azuma for the duration of the contract for the purpose of configuration of azuma mimoto by the customer.
Data in the web token and meta data are transferred to azuma and sub-processors from the moment the end user starts the login process with the health ID until the login process is completed. Access data is transferred to azuma and sub-processors from the moment the employee of the controller logs in to the azuma mimoto portal until the time of logout.
The measures taken by azuma include in particular:
§ 1 Physical Access Control
Unauthorized persons must be denied access to data processing systems with which personal data is processed and used. azuma ensures access control through the use of the following measures:
For all data types in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement:
- No own physical data processing facilities or server infrastructures are used
- Personal data is only stored in cloud applications and systems (policy in place)
- All authorized access to the organization's premises must be controlled.
- Information, physical files/papers and devices must be stored in secure and lockable areas. When working from home, files/papers must be stored in a lockable container
§ 2 Access Control
It must be prevented that data processing systems can be used by unauthorized persons. azuma ensures access control through the use of the following measures:
For all data types in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement:
- Access to cloud services, cloud applications and data/documents therein only via account-based, approved access implemented with regular review
- Use of passwords in accordance with azuma's policy is mandatory for all employees. The policy is based on the BSI basic protection for secure passwords. It follows the strategy of "short but complex passwords", which should consist of eight to twelve characters and contain at least four different character types. This includes a random combination of upper and lower case letters, numbers and special characters
- The consistent use of two-factor authentication procedures for administrator and user accounts is mandatory for information systems that process personal data
- Assigning separate passwords for the operating system, application and database levels
- Within the database system, the database itself is protected by passwords
- Antivirus software (Norton) for clients and firewall systems (Microsoft WAF V2) for cloud software are installed
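The password rule in § 2 (eight to twelve characters, at least four different character types) is concrete enough to be enforced mechanically at account creation or password change. The following Python checker is an added example written for this page; it is not azuma's own code, and the four character types (upper case, lower case, digit, special) and the treatment of whitespace as belonging to no type are my reading of the bullet above, not something the page spells out.

```python
from typing import List, Optional

# Policy parameters as stated in the TOMs (§ 2): eight to twelve characters
# drawn from at least four different character types.
MIN_LENGTH = 8
MAX_LENGTH = 12
MIN_CHARACTER_TYPES = 4


def character_type(ch: str) -> Optional[str]:
    """Map one character to its policy character type.

    Letters and digits are classified with Unicode-aware str methods, so an
    umlaut counts as a letter; any other non-blank character is 'special'.
    Whitespace belongs to no type (assumption) and never helps a password pass.
    """
    if ch.isspace():
        return None
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "special"


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    length = len(password)
    if length < MIN_LENGTH:
        violations.append(f"too short: {length} characters, minimum is {MIN_LENGTH}")
    if length > MAX_LENGTH:
        violations.append(f"too long: {length} characters, maximum is {MAX_LENGTH}")
    types_present = {t for t in map(character_type, password) if t is not None}
    if len(types_present) < MIN_CHARACTER_TYPES:
        violations.append(
            f"only {len(types_present)} of {MIN_CHARACTER_TYPES} required character types present"
        )
    return violations


def passes_policy(password: str) -> bool:
    """True when the candidate satisfies every rule of the § 2 policy."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample candidates for demonstration; none is a real credential.
    for candidate in ["Tr0ub4dor&3", "Pässw0rd!", "password1", "Ab1!", "Abcdefghij12!xyz"]:
        print(f"{candidate!r}: {check_password_policy(candidate) or 'OK'}")
```

Returning the full list of violations rather than a single boolean lets the front end tell the user exactly which rule failed, which keeps policy enforcement from degrading into trial and error. The check covers length and composition only; the "random combination" requirement in the policy cannot be verified by inspecting one password and is better supported by a password manager or generator.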
§ 3 Data Access Control
It must be ensured that the persons authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied or changed without authorization during processing, use and after storage. azuma ensures access control by using the following measures:
The following applies to all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement:
- No administrator identifiers are permitted for users who do not perform administrative activities
- In principle, access to the cloud applications used or to documents may only be assigned on an account basis, so that only authorized employees have access to information and data
- No data may be stored on mobile data storage devices; only secure cloud storage and cloud applications are permitted. All employees are obliged to comply with the policy
- Encryption takes place at all API endpoints. The API endpoints are secured through the use of OAuth 2.0, OIDC and OIDC Federation standards
- Use of secure encryption methods for database encryption (256-bit AES-based)
- Separation of all azuma product environments (see §6)
§ 4 Transfer Control
It must be ensured that personal data is not read, copied, changed or removed without authorization during electronic transmission and that it can be checked and determined where the transmission of personal data is intended. azuma ensures the transfer control by using the following measures:
For all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement:
- Connections are secured exclusively via TLS 1.2 with exclusive use of secure cipher suites, or via TLS 1.3
- The requirements of BSI TR-03161 are observed, and for TLS and keys only the recommendations of BSI TR-02102-2 are followed
- Public keys are stored tamper-proof with a trust anchor
- Remote access to web servers is only permitted with an encrypted connection (https) and two-factor authentication
- Cryptographic procedures (256-bit AES) of the providers of the cloud services used are used. Key management is guaranteed by the cloud provider
- All domain certificates are obtained from a trusted certification authority (Let's Encrypt) with automated certificate renewal
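The transfer-control bullets above state a checkable TLS policy: TLS 1.2 only with secure cipher suites, or TLS 1.3. As an added example (not azuma's configuration), the following Python builds a server-side `ssl.SSLContext` that enforces that policy and audits any context against it. The cipher string is my assumption of a subset consistent with the BSI TR-02102-2 recommendations (forward-secret ECDHE/DHE key exchange with AES-GCM); the current edition of the TR, not this snippet, is authoritative. `build_legacy_context` is a constructed counter-example for the audit.

```python
import ssl
from typing import List

# Assumption (added example): ECDHE/DHE key exchange with AES-GCM is a
# subset of the TLS 1.2 suites recommended in BSI TR-02102-2. TLS 1.3 suites
# are configured separately by OpenSSL and are AEAD-only by design.
TLS12_CIPHER_STRING = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL"


def build_server_context() -> ssl.SSLContext:
    """Server context that offers TLS 1.2 (restricted suites) and TLS 1.3 only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(TLS12_CIPHER_STRING)
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext length
    # A real deployment also calls ctx.load_cert_chain(...) with the
    # certificate obtained from the certification authority.
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """Constructed weak configuration used only to demonstrate the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    return ctx


def enabled_pre13_suites(ctx: ssl.SSLContext) -> List[str]:
    """OpenSSL names of the suites the context would offer below TLS 1.3."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings where the context deviates from the stated TLS policy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}, policy requires TLS 1.2"
        )
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are forward secret and AEAD by construction
        if not name.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {name}")
        if "GCM" not in name and "CCM" not in name:
            findings.append(f"not an AEAD suite: {name}")
    return findings


if __name__ == "__main__":
    hardened = build_server_context()
    print("hardened suites:", enabled_pre13_suites(hardened))
    print("hardened findings:", audit_context(hardened) or "none")
    print("legacy findings:", audit_context(build_legacy_context())[:5], "...")
```

The audit reads the context that the server will actually use, so it can run in a start-up self-check or a CI job and fail the deployment when someone loosens the cipher string or the minimum version. Exact suite names depend on the linked OpenSSL build, which is why the checks look at key-exchange prefix and AEAD mode rather than at a fixed list.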
The following applies to the data categories meta data and access data (in accordance with §5 (2) and (3) of the Data Processing Agreement) for the fulfillment of the purposes stated in §3 (4) of the Data Processing Agreement:
- Personal data is not stored permanently and is deleted in accordance with the deletion concept
The following applies to the data category Web Token Data (pursuant to Section 5 (1) of the Data Processing Agreement) for the fulfillment of the purposes specified in Section 3 (1) - (3) of the Data Processing Agreement:
- Personal data is not stored and is deleted in accordance with the deletion concept
- Personal data is additionally secured with self-administered keys (256-bit AES)
§ 5 Availability Control
It must be ensured that personal data is protected against accidental destruction or loss. azuma guarantees compliance with availability control by using the following measures.
The following applies to all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement:
- Personal data is only stored in cloud applications and systems with appropriate failover and backup functions (policy in place). Backups are carried out at least once a day (snapshot) and additionally on a transaction basis if available
- Compliance with availability control by means of emergency planning for the prevention and management of emergencies
- The resilience of the services is ensured by autoscaling the services (at least two instances) and a minimum availability of the infrastructure (at least two zones)
The following applies to the data categories meta data and access data (in accordance with §5 (2) and (3) of the Data Processing Agreement) for the fulfillment of the purposes specified in §3 (4) of the Data Processing Agreement:
- Backups are performed exclusively by the mechanisms of the cloud services and cloud applications used
- Backups are protected against encryption by ransomware by the providers of the cloud services used (256-bit AES)
- Backups and archiving must be implemented exclusively in ISO27017/ISO27018/C5-certified cloud services and cloud applications
- Access and availability of backups is ensured through the use of at least three availability zones. Backups are stored redundantly in all availability zones
- Each availability zone used is physically separated from the others and has its own power supply, cooling and network connection
§ 6 Separation Control
It must be ensured that data collected for different purposes can be processed separately. azuma ensures compliance with the separation control by using the following measures:
For all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement:
- Separation of all azuma product environments
- Implementation of multi-client capability and separation of clients at database level
- Separation of all azuma services into different runtime environments (container-based)
azuma will in particular ensure that data is protected against unauthorized or accidental destruction, accidental loss, technical defects, falsification, theft, unauthorized use, unauthorized modification or duplication and other forms of unauthorized access and unauthorized use.
In addition, the following measures are also the responsibility of azuma:
§ 7 Pseudonymization
The following applies to the data category meta data (in accordance with §5 (2) of the Data Processing Agreement) for the fulfillment of the purposes specified in §3 (4) of the Data Processing Agreement:
- Data will only be provided by the Client in pseudonymized form and will only be processed by azuma in pseudonymized form.
- The web token data (in accordance with Section 5 (1) of the Data Processing Agreement), including the identity data of the end users contained therein, will not be stored.
§ 8 Order Control/Input Control
It must be ensured that personal data (all types of data in accordance with §5 of the Data Processing Agreement) that are processed on behalf of azuma can only be processed in accordance with the instructions of the client or purely for a specific purpose. azuma guarantees compliance with the order control by using the following measures.
For the data category Web Token Data (in accordance with §5 (1) of the Data Processing Agreement) for the fulfillment of the purposes stated in §3 (1) - (3) of the Data Processing Agreement:
- Data is only transferred automatically if the controller has configured the integration with azuma mimoto accordingly
- Deletion of the data takes place automatically after each login process
The following applies to the data category meta data (in accordance with §5 (2) of the Data Processing Agreement) for the fulfillment of the purposes stated in §3 (4) of the Data Processing Agreement:
- Transfer and storage of the data takes place automatically only if the controller has configured the integration with azuma mimoto accordingly
- Deletion of the data takes place on request or automatically after the end of the contract. A confirmation of the deletion will be provided to the controller
The following applies to the data category access data (in accordance with §5 (3) of the Data Processing Agreement) for the fulfillment of the purposes stated in §3 (4) of the Data Processing Agreement:
- Data is only transferred and stored automatically if employees of the controller register and log in to the azuma mimoto portal via self-service
- Deletion of the data takes place on request or automatically after the end of the contract. A confirmation of the deletion will be provided to the controller
Access to the backend and configuration systems is limited to the necessary employees and follows the principle of necessity. Access to configuration systems by employees of the client can be controlled by the client and serves, among other things, to control the processing by azuma.
§ 9 List of Procedures
azuma keeps a list of procedures in accordance with Art. 30 GDPR. This list contains, among other things, the processes and purposes of data processing, as well as a deletion concept. In addition to the management, the employees who are responsible for the development and customer support of azuma products are responsible for implementing the procedures and safeguarding the rights of data subjects. Other employees do not have access to the processed data. The central e-mail address for inquiries is privacy@azuma.health. The list of procedures is regularly reviewed and, if necessary, adapted to technical or organizational changes.
This applies to all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement.
§ 10 Data Protection Concept
Data protection measures are regularly reviewed for security and fulfillment of purpose with regard to the respective state of the art. azuma defines the handling of personal data in guidelines. A data protection officer has been appointed and the measures taken and the list of procedures are regularly reviewed. A data protection audit with audit report is carried out once a year. In the event of changes to processes, the external data protection officer is involved in the planning so that a GDPR-compliant design is guaranteed.
This applies to all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement.
azuma attaches great importance to ensuring that internal processes comply with information security and data protection requirements. To this end, further measures are implemented to anchor these topics in the organization and especially in product development. These measures include in particular:
§ 11 Management, Organization and Awareness of Information Security
It is essential that the importance of information security and data protection is understood by the management and employees and supported by the actions of the persons responsible. azuma ensures this through the following measures:
- A suitable organizational structure for information security is in place and information security is integrated into the organization-wide processes and procedures
- Security policies and guidelines are defined, approved by management and communicated to staff
- Use of a suitable information security management system (ISMS) in accordance with ISO27001 (not yet certified)
- The roles and responsibilities in the area of security are known and assigned within the company
- Existence of escalation processes in the event of security breaches
- Consistent documentation of security incidents (security reporting)
- All persons involved in the organization have been made aware of the importance of information security and data protection
- All relevant guidelines on information security and the correct handling of IT systems are in place and are accessible and known to all employees
- All necessary employees are aware of the internal processes for dealing with information security and possible breaches
This applies to all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement.
§ 12 Development and Selection of Software
It is essential that information security and data protection are taken into account as important factors in the development of our own products and in the selection of software in order to build the best possible trust with customers in the healthcare sector. azuma ensures this through the following measures:
- Relevant employees are trained that security-by-design (ensuring confidentiality, availability and integrity) as a subset of data protection-by-design is a legal data protection requirement and has an influence on central design decisions (product selection, centralized vs. decentralized, pseudonymization, encryption, country of a service provider, SSL certificates). The requirements for employees are set out in the Secure Development Policy and the training for employee onboarding is set out in azuma's ISMS Awareness Policy
- There is a separation between the production system and the development/test system
- Access to the source code during software development is restricted
- Access to test/production systems is restricted
- No personal data or access data is stored in the source code management system
- System and security tests (unit tests, integration tests) are carried out
- Ongoing inventory of the versions of software or components (e.g. frameworks, libraries) and their dependencies
- Standard software and corresponding updates are only obtained from trustworthy sources
- It must be ensured that there is an ongoing plan for monitoring, evaluating and applying updates or configuration changes for the entire lifetime of a software application
- The implementation of the regulations for secure software development is mandatory in a guideline
This applies to all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement.
§ 13 Dealing with Suppliers and Processors
It is essential that azuma has a special duty of care when selecting suppliers and processors. Above all, it is important to be able to comply with the protection of personal data across the supply chain. azuma ensures this through the following measures:
For the data categories Meta Data and Web Token Data (in accordance with §5 (1) and (2) of the Data Processing Agreement) to fulfill the purposes stated in §3 (4) of the Data Processing Agreement:
- Only suppliers that provide guarantees for the implementation of GDPR-compliant data protection and information security (in the form of documents) will be used
- The effectiveness of the guarantees must be proven by suitable certifications. C5, ISO27017 and ISO27018 certifications are relevant for azuma
- Listings of sub-processors of azuma's processors are regularly reviewed
For all types of data in accordance with §5 of the Data Processing Agreement for the fulfillment of all purposes specified in §3 of the Data Processing Agreement:
- Information security practices are reviewed at least once a year at document level
- An information security policy for dealing with suppliers has been implemented