1. This Schedule 2 describes the technical and organizational measures as supplied by the Data Processor which the Data Processor warrants to comply with when processing the Personal Data covered by this DPA.
    2. The measures listed in this Schedule 2 are non-exhaustive and the Data Processor warrants to ensure that the technical and organizational measures are, at any time, in compliance with applicable regulation on protection of personal data, e.g. in any national regulation or the EU PDR.
  2. ACCESS CONTROL (PHYSICAL SECURITY MEASURES ARE REQUIRED) Which technical and organizational measures are in place in order to control physical access to the Data Processor’s premises and to identify authorized persons?

    All employees and guests are always required to wear visible identification cards. Office locations are secured with a lock and requires and Personal ID card (smartcard) and a personal code to access the premises.

  3. CONTROLLED ADMITTANCE (UNAUTHORIZED PERSONS ACCESSING DATA PROCESSING SYSTEMS MUST BE PREVENTED) Which measures are in place with regard to user identification and authentication technically (password protection) and organizationally (user master record)?

    The Identification of users is validated through Active Directory. . Passwords are protected through policies of complexity and must be changed frequently. Network security is managed by the internal IT Team.

  4. ACCESS CONTROL (UNAUTHORIZED WORK IN DATA PROCESSING SYSTEMS BEYOND THE GRANTED AUTHORITIES MUST BE PREVENTED) Are the authorization concept and the access rights adjusted to the requirements? How is monitoring and logging ensured?

    User name and password is required to access the Data Processor’s systems and individual computers/accounts. Password policy requires password change every 90 days. Blocking will happen after 5 failed attempts. After 10 min of inactivity screen will be locked .and will require AD password to unlock it.

    Differentiated authorizations are used so that each individual user’s access is limited to a certain extent. Unauthorized users are blocked from access.

    Sharepoint access is restricted by customer. And principle of least privilege is followed where access is granted, by request of the project manager.

    All employees are bound by confidentiality obligations via their employment contracts.

  5. DISCLOSURE CONTROL (ANY AND ALL ASPECTS OF THE TRANSMISSION OF PERSONAL DATA: ELECTRONIC TRANSMISSION, DATA TRANSPORT, TRANSMISSION CONTROL) Which security measures are in place for the transport, transfer and transmission and storage on data storage devices (whether manual or electronic) as well as for the subsequent inspection?

    Data is transferred electronically using VPN.

  6. INPUT CONTROL (TRACEABILITY, DOCUMENTATION OF DATA ADMINISTRATION AND MAINTENANCE) Which measures are in place for a subsequent inspection, if and by whom data have been entered, amended or removed (deleted)?

    Logging is done separately in the respective systems which handle data.

  7. CONTROL OF INSTRUCTIONS (WARRANTY THAT THE CONTRACT DATA PROCESSING COMPLIES WITH THE INSTRUCTIONS) Which measures are in place to differentiate between the competences of the Data Controller and the Data Processor?

    The Data Processor will amend, remove or delete any Personal Data if specifically instructed hereto by the Data Controller.

    Upon receiving a written instruction from the Data Controller, the Data Processor will set up a procedure to ensure compliance with specifically requested traceability requirements.

  8. AVAILABILITY CONTROL (DATA SHALL BE PROTECTED AGAINST ACCIDENTAL DESTRUCTION OR LOSS? Which measures are in place for data protection (physically/ logically)?

    Backup and re-establishment procedures are in place for all centralized data.

  9. SEPARATION CONTROL (DATA COLLECTED FOR DIFFERENT PURPOSES SHALL BE PROCESSED SEPARATELY) Which measures are in place for a separate data processing (storing, alteration, deletion, transmission) of data with different contract purposes?

    The Data processing is done using separate environments for production, testing and development purposes, and all documents are separated using share point privileges to secure that customers data is protected.