Working Translation
This translation is a working translation only and is NOT legally binding. Solely the German text is legally binding and authoritative, particularly in case of any discrepancies.
azuma healthtech GmbH Technical and Organizational Measures (TOMs)
1. Management and Organization
- A suitable organizational structure for information security is in place, and information security is integrated into the organization-wide processes and procedures
- Security policies and guidelines are defined, approved by management and communicated to staff
- The roles of individual employees in the security process are clearly defined
- A regular review of the effectiveness of the technical and organizational measures is planned
- Concepts and documentation in the security environment are regularly reviewed and kept up to date
- Use of a suitable information security management system (ISMS) based on ISO 27001 (not yet certified)
- The roles and responsible parties in the area of security are known and assigned within the company
- Existence of escalation processes in the event of security breaches
- Consistent documentation of security incidents (security reporting)
2. Physical Security of the Infrastructure
- No physical IT infrastructure of its own is operated
- Personal data is stored only in cloud applications and systems (policy in place)
- Access to cloud services, cloud applications and data/documents is granted only via individually approved, account-based access
- All employees are required to avoid storage on local servers or local storage media wherever possible
3. Employee awareness
- All persons involved in the organization have been made aware of the importance of information security and data protection
- New employees are required to familiarize themselves with the ISMS of azuma healthtech GmbH
- All relevant guidelines on information security and the correct handling of IT systems are available and easily accessible
- All relevant employees are familiar with the internal processes for handling information security and possible breaches
- A detailed guideline for handling IT systems in the home office is available and has been provided to all employees
4. Authentication
- All employees are instructed in the use of authentication procedures and mechanisms
- The use of strong passwords is required and a password policy has been adopted
- Passwords may only be stored in designated password manager applications that are protected by two-factor authentication (see subcontractors)
- Passwords are not sent by email (e.g. credentials for a company account with a cloud service)
- Two-factor authentication is used consistently for administrator accounts of applications wherever the application supports it
5. Roles/Rights Concept
- No administrator accounts are issued to users who do not perform administrative activities
- In principle, access to the cloud applications used and to documents is granted only on an account basis, so that only authorized employees have access to information and data
6. End Devices (Clients)
- A policy for dealing with bring-your-own-device is in place and is specified for all employees
- No data is stored on local storage devices; only secure cloud storage and cloud applications are permitted
- The connection of external devices is limited by technical measures to the minimum required
- Only operating systems and software for which security updates are made available in a timely manner are used
7. Mobile data storage
- No data is stored on mobile data storage devices; only secure cloud storage and cloud applications are permitted
- Backup and synchronization mechanisms are used to prevent major data loss in the event of loss or theft of a device
- The private use of notebooks and smartphones is regulated by a bring-your-own-device policy
- For mobile data carriers: There is a policy for the secure handling of mobile data carriers
8. Server Systems
- No physical server systems of its own are operated
- Personal data is stored only in cloud applications and systems (policy in place)
- Access to cloud services, cloud applications and data/documents is granted only via individually approved, account-based access
- All employees are required to avoid storage on local servers or local storage media wherever possible
9. Websites and Web Applications
- Use of the HTTPS protocol according to the state of the art (TLS 1.2 or TLS 1.3)
- Remote access to web servers is possible only over an encrypted connection and with two-factor authentication
- Only service providers that meet the security requirements are used, e.g. for cloud services, mail services, etc.
10. Network
- No physical IT infrastructure of its own and no central network is operated
11. Archiving
- Backups and archiving take place exclusively in cloud services and cloud applications
- Data archives are subject to the same access restrictions as live data
- No archiving on physical data carriers or servers permitted
- Processes in place for handling the archiving of information
12. Maintenance by Service Providers
- No external service providers are used for maintenance
13. Logging
- Access is logged via the logging mechanisms of the cloud services and cloud applications used
- Logging for self-developed software solutions is performed within the cloud platforms, taking into account all common security aspects
- Data protection and security aspects are taken into account when logging; data that is sensitive in this respect is excluded from the log contents
14. Business Continuity
- Backups are made exclusively through the mechanisms of the cloud services and cloud applications used
- Backups are protected against encryption by ransomware through the mechanisms of the selected cloud service providers
15. Cryptography
- Cryptographic procedures of the cloud service providers are used
- TLS (SSL) certificates are obtained from trusted certificate authorities
16. Data Transfer
- Data is transferred exclusively via secure/encrypted communication channels (HTTPS)
17. Development and Selection of Software
- Relevant employees are trained that security by design (ensuring confidentiality, availability and integrity), as a subset of data protection by design, is a legal data protection requirement and influences central design decisions (product selection, centralized vs. decentralized architecture, pseudonymization, encryption, country of a service provider, TLS/SSL certificates)
- There is a separation between the production system and the development/test system
- Access to the source code during software development is restricted
- Access to test/production systems is restricted
- No personal data or access data is stored in the source code management system
- System and security tests, such as code scans and penetration tests, are to be carried out
- Sufficient test cycles are planned for
- A continuous inventory of the versions of software components (e.g. frameworks, libraries) and their dependencies is maintained
- Standard software and the corresponding updates are obtained only from trustworthy sources
- An ongoing plan exists for monitoring, evaluating and applying updates or configuration changes throughout the entire life of a software application
18. Processors
- Only service providers that can provide the required guarantees (in documented form) are used
- The effectiveness of the guarantees can be demonstrated (in part) by suitable certifications
- The processor may not engage any further sub-processors without informing the client; the client then has the right to object
- In the case of processing on behalf of the client, data is effectively deleted at the latest after the end of the contract
- Information on the deletion methodology can be provided on request