Technical and Organisational Measures

ToM (Art. 32 of the General Data Protection Regulation - GDPR): OpenSanctions Datenbanken GmbH

Confidentiality

As per Art. 32 (1) lit. b GDPR

Building access

  • Offices: Campus and building secured via PIN entry, office secured via an electronic door system with access logs.
  • Data centers: All data is stored in secure data centers (see Subprocessors list). All data is stored in European data centers (where applicable and available: Google, ChargeBee, HubSpot).

System access

  • Authentication using username and password
  • Multi-Factor Authentication (MFA)
  • Firewall
  • Use of a team password management software
  • Automatic workstation locking when inactive
  • Encrypted notebook hard disks

Data access

  • Central staff user account management (Google Workspace)
    • Role-based access control; need-to-know access to storage systems which contain customer information (CRM, Billing, Payments, Contracts).
  • Use of Infrastructure-as-Code (Terraform) and version control for configuration management of information processing systems; use of ephemeral service accounts.

Data separation

  • Separation of test and production systems where customer data is being stored
  • Storage of payment information in separate, PCI-certified systems (Stripe.com)

Pseudonymisation

  • Pseudonymisation is not used within the company

Integrity

As per Art. 32 (1) lit. b GDPR

Confidentiality - Data Transmission / Storage / Destruction

  • Comprehensive use of transport layer security (TLS)
  • Use of at-rest encryption of staff computers (LUKS, FileVault)
  • Destruction of all printed matter not needed for legal compliance (GoBD)
  • Use of audit logs for systems which retain sensitive information

Integrity - Data Entry Controls

  • Data quality assurance via monitoring systems and programmatic verification of data
  • Regular and automated execution of integration tests against development and production environments
  • Data processing code used for products is open source and subject to public scrutiny
  • Ability to revert to previous data product releases

Availability and Resilience

As per Art. 32 (1) lit. b GDPR

Availability

  • Use of Firewalls
  • Backup concept including offline backups and cross-provider data mirroring
  • Data stored in two certified data centres with Uninterruptible Power Supply (UPS)
  • Automated patch management
  • Monitoring system (Google GKE, Monitoring, Error Reporting, BetterStack Uptime)

Rapid Recovery & Restore

  • Tested ability to restore files from backup
  • Tested ability to programmatically re-generate data used in products

Procedure for regular testing, assessing and evaluating

As per Art. 32 (1) lit. d GDPR; Art. 25 (1) GDPR

Organisational Control

  • Records of processing activities (Art. 30 GDPR)
  • Security of Processing (Organisational and Technical Measures) (Art. 32 GDPR)
  • Risk Analysis (Art. 32 GDPR) / Business continuity planning
  • Employees and contractors are required to sign and comply with confidentiality agreements
  • Structured and documented process for handling and responding to information and deletion requests.
  • Structured and documented process in response to security incidents or data loss.
  • OpenSanctions is working to acquire ISO 27001 certification by year-end 2024

Data Protection by Design and Default

  • Use of transport and at-rest encryption
  • Use of Infrastructure as Code (IaC) techniques for environment management
  • Customer information is only collected and processed as needed for specific business purposes.

Last updated: October 18, 2023