Security & Trust Center
The gateway to the latest information on our information security, compliance and privacy programs

Security Statement
Zartech has adapted NIST 800-53 and ISO 27001 standards. Every year we complete the third-party audit and have our ISO 27001 certification. The Information Security team is led by Abu Sadeq, who serves as Chief Information Security Officer. Zartech’s information security team strives to continuously improve this program as technology and threats to data security evolve. We currently have 21 IT/Security policies implemented, and these are reviewed and updated annually. Cyberator utilizes a stack that consists of a web frontend, multiple services and processing layers, and databases. API access is authenticated and all services require encryption.

Technical and Organizational Measures (TOMs)

The technical and organizational measures (TOMs) provided below apply to all standard service offerings provided by Cyberator. Evidence of the measures implemented and maintained by Cyberator may be presented in the form of up-to-date attestations, reports or extracts from independent bodies upon request from the Client.

Document Management

Cyberator will validate that necessary documentation is in place between Cyberator and the Client where Cyberator processes Personal Data covered by GDPR. In case of a change to the defined scope, any change to the processing of Personal Data will be reviewed to determine any impact on required TOMs and other contract exhibits. Sub-processors will be identified for Client approval with periodic review to validate ongoing adherence to the agreed upon TOMs. Cyberator will create and maintain the following security and privacy documentation and store it in a central repository with restricted access control:

a. DPA and DPA Exhibit
b. Technical and Organizational Measures (TOMs)
c. Non-disclosure Agreement (NDA) or Agreement to Exchange Confidential Information (AECI) or similar (as required)
d. Sub-processor Agreement (as required)
e. European Commission Model Clause (as required)

Security Incidents

Cyberator will maintain an incident response plan and follow documented incident response policies including data breach notification to Data Controller without undue delay where a breach is known or reasonably suspected to affect Client Personal Data.

Risk Management

Cyberator will assess risks related to processing of Personal Data and create an action plan to mitigate identified risks.

Security Policies

Cyberator will maintain and follow IT security policies and practices that are integral to Cyberator’s business and mandatory for all Cyberator employees, including supplemental personnel. Cyberator will review IT security policies periodically and amend such policies as Cyberator deems reasonable to maintain protection of services and Content processed therein. Cyberator will maintain an inventory of Personal Data reflecting the instructions set out in the DPA and DPA Exhibit, including disposal instructions upon contract closure. Computing environments with resources containing Personal Data will be logged and monitored. Cyberator employees will complete security and privacy education annually and certify each year that they will comply with Cyberator's ethical business conduct, confidentiality, and security policies, as set out in Cyberator's Business Conduct Guidelines. Persons granted administrative access to security components will receive additional policy and process training that is specific to their role within Cyberator’s operation and support of the service, and as required to maintain compliance and certifications.

Physical Security

Cyberator will implement the physical security of Cyberator facilities including data centers. Access to the data center and controlled areas within the data center will be limited by job role and subject to authorized approval.

User Access Management

Cyberator will maintain proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing Personal Data. Only employees with a clear business need have access to Personal Data located on servers, within applications and databases, and/or the ability to download data within Cyberator’s network. All access requests will be approved based on individual role-based access and reviewed on a regular basis for continued business need. All systems must meet corporate IT Security Standards and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources (OSRs).

System and Network Security

Cyberator will employ encrypted and authenticated remote connectivity to Cyberator computing environments. Availability of data through business continuity and disaster recovery planning supports our documented risk management guidelines.

Controls and Validation

Cyberator will maintain policies and procedures designed to manage risks associated with the application of changes to the Client systems.

Media Handling

Cyberator will implement protections to secure portable storage media from damage, destruction, theft or unauthorized copying, and to protect the personal data stored on portable media through encryption and secure removal of data when it is no longer needed. Additional similar measures will be implemented for mobile computing devices to protect personal data.

Workstation Protection

Cyberator will implement protections on end-user devices and monitor those devices to be in compliance with the security standard requiring hard drive passwords, screen saver, antivirus software, firewall software, unauthenticated file sharing, hard disk encryption and appropriate patch levels. Controls are implemented to detect and remediate workstation compliance deviations. Cyberator will securely sanitize physical media intended for reuse prior to such reuse and will destroy physical media not intended for reuse.

Privacy by Design

Cyberator will incorporate Privacy by Design principles for systems and enhancements at the earliest stage of development as well as educate all employees on security and privacy annually.

Threat and Vulnerability Management

Cyberator will maintain measures meant to identify, manage, mitigate and/or remediate vulnerabilities within the Cyberator computing environments. Security measures include:

• Patch management
• Anti-virus / anti-malware
• Threat notification advisories
• Vulnerability scanning (all internal systems) and periodic penetration testing (Internet-facing systems) with remediation of identified vulnerabilities

This Security & Trust Center is powered by Cyberator GRC. Cyberator helps organizations improve their cyber security defenses, reduce business risk, and meet regulatory compliance needs.