Security Measures

Data Protection Measures

Room Security
  • Personal data is stored in a room secured with standard key-locked doors (non-reinforced, non-fire-resistant).

  • Personal data is stored in a room secured with doors of increased burglary resistance (C-class doors).

  • The room where personal data is stored has windows secured with grilles, blinds, or anti-break-in film.

  • Rooms where the dataset is processed are equipped with an intruder alarm system.

  • Access to rooms where the dataset is processed is covered by an access control system.

  • Access to rooms where the dataset is processed is monitored by a surveillance system using industrial cameras.

  • Access to rooms where the dataset is processed is supervised by security personnel in the absence of employees working there.

  • Access to rooms where the dataset is processed is under the 24/7 surveillance of security personnel.

  • Backup/archival copies of the dataset are stored in a closed non-metallic cabinet.

  • Backup/archival copies of the dataset are stored in a closed safe or armored cabinet.

  • The room where personal data sets are processed is protected against fire through a fire protection system and/or a standalone fire extinguisher.

  • Documents containing personal data, after becoming obsolete, are destroyed using document shredders.

  • A reception desk is staffed and a guest "in/out" log is kept.

Organizational Measures
  • Employees involved in data processing are familiar with the regulations regarding the protection of personal data.

  • Employees engaged in processing personal data have undergone training on the security measures of the information system.

  • Individuals employed in personal data processing are obligated to maintain confidentiality.

  • Computer monitors processing personal data are positioned to prevent unauthorized viewing by third parties.

  • Employees do not disclose personal data to third parties in the course of their work (e.g., by including one client's personal data on an invoice for another client).

  • Backup copies of the dataset are stored in a different room than the one containing the server where personal data is processed in real-time.

  • A data protection policy and instructions for managing the IT system used for processing personal data have been implemented.

  • ISO 27001 Information Security Management System has been implemented.

  • The principle of accountability is applied to demonstrate that administrative actions are carried out to ensure security.

  • An inventory of equipment used to process personal data is maintained.

  • Incidents concerning the security of personal data are recorded.

Hardware Measures in Information Technology and Telecommunication Infrastructure
  • The dataset of personal data is processed using a laptop computer.

  • The computer used for processing personal data is connected to the local computer network.

  • Devices such as UPS, a power generator, and/or a dedicated power network are employed to protect the information system processing personal data from the consequences of power failures.

  • Access to the computer's operating system where personal data is processed is secured through authentication processes using a username and password.

  • Measures are implemented to prevent unauthorized copying of personal data processed using information systems.

  • System mechanisms enforcing periodic password changes are in place.

  • A system for logging access to the system/dataset of personal data is implemented.

  • Cryptographic measures are applied to protect personal data transmitted over telecommunication links.

  • Access to telecommunication equipment is secured through authentication mechanisms.

  • Disk arrays (RAID) are used to protect personal data from the consequences of disk failures.

  • Measures are implemented to protect against malicious software such as worms, viruses, trojan horses, and rootkits.

  • A firewall is used to protect access to the computer network.

  • An automatic session-locking mechanism has been implemented for the IT system used for processing personal data, triggered after a period of user inactivity.

  • Data media encryption has been applied, especially on disks in portable computers.

Protection Measures within Software Tools and Databases
  • Measures have been implemented to define access rights to specific data within the processed dataset of personal data.

  • Access to the dataset of personal data requires authentication using a username and password.

  • Screen savers have been installed on workstations where personal data is processed.

Technical and Organizational Measures

VERCOM implements policies, procedures, standards, and guidelines related to information security, typically within the context of an Information Security Management System as defined in the ISO/IEC 27001 and ISO/IEC 27018 standards.


Access

  • VERCOM S.A. conducts a risk analysis and implements appropriate controls in its systems to prevent unauthorized access to data. These controls encompass a combination of legal, technical, physical, procedural, and human layers to prevent unauthorized misuse, destruction, disclosure, or modification of data.

  • The area of rooms, facilities, or buildings containing information, information systems, or other network infrastructure is physically and durably protected, using risk-oriented security measures.

  • Formal procedures for granting access to data have been introduced.

  • Access to data is restricted to authorized employees only.

  • Access is granted on the principle of least privilege: it is limited to what is necessary and justified by the employee's job responsibilities.

  • Access to data can only be granted to an identified individual with associated individual user accounts, and audit records of these activities must be logged and made available upon request. The use of privileged access rights and non-personal accounts is limited and controlled.

  • Data is made available on a "need-to-know" basis. Users or clients (external or internal) cannot have access to data that does not concern them.

  • Portable media are secured through encryption and appropriately labeled.

  • Multi-factor authentication is implemented for all authorized access.

  • A periodic access review is conducted at least once a year.


Responsibility

  • For each access to client data, there is an identifiable person or automated process responsible.

  • Formal processes governing the granting, removal, or modification of access to data are in place. All such actions are recorded and made available to the client within 48 hours upon their request.

  • Systems, hardware, and software used for data processing are maintained in accordance with these security requirements.


Security Incident Response

All detected security incidents and data breaches affecting client data or services provided to the client must be reported by VERCOM S.A. without undue delay, within a maximum of 48 hours after detection.

A report of a personal data breach includes at least the following information:

  • Nature of the personal data affected.

  • Categories and number of individuals affected.

  • Number of personal data records affected.

  • Measures taken to remedy the data breach.

  • Potential consequences and negative impact of the data breach.

As applicable:

  1. Criminal background check (for teams handling banks, and financial institutions).

  2. Creditworthiness check.


Continuity of Operations and Backups

  • VERCOM has a business continuity plan that includes appropriate sections on incident management and crisis situations, resilience, backups, and data recovery procedures after a failure, which are subject to review and testing at least once a year.

  • VERCOM securely stores copies of current, essential system software, images, data, and documentation to ensure rapid and controlled recovery of informational resources.

Data Integrity, Change Management, and Vulnerability Management

  • All data provided or entered by users must be approved before use to maintain data integrity.

  • A formalized change management process has been implemented.

  • Vulnerability management for threats and patches has been introduced, including regular updates to ensure continuous system integrity and timely mitigation of new security threats.

  • Strict separation of data between production environments and development or testing environments is required. Storing production data in non-production environments such as development or test environments is not permitted.

  • Penetration tests are conducted at least once a year, and a summary of the results is provided to the Customer upon request.

Encryption

All sensitive data (such as Personally Identifiable Information, PII) must be encrypted in transit and at rest.


Antivirus Protection

  • VERCOM S.A. consistently raises user awareness and implements appropriate controls and policies for detecting, preventing, and recovering data in the event of malicious software (viruses, malware).

  • VERCOM S.A. conducts periodic training for employees in this area.


Full compliance with GDPR and other applicable laws, regulations, and contractual obligations is required.


Security Training

All employees with access to data or information must undergo appropriate security training. VERCOM assesses employees' knowledge levels after training.


Asset Ownership

  • All informational assets (data, systems, processes, etc.) must have a designated responsible owner within VERCOM S.A.

  • Upon completion of assigned tasks or when data is no longer needed for processing activities, it will be returned to the client and securely destroyed.


Non-Repudiation

Controls must be implemented to ensure that actions and events have legal effect and cannot be challenged or repudiated by VERCOM S.A. These actions must meet the requirements of authorized individuals within VERCOM S.A., including the Data Protection Officer (DPO) and the authorized representative.


Periodic Review

VERCOM S.A. conducts a periodic review of access, security controls, and risks at least once a year to ensure that the security of assets is not compromised.


Right to Audit

During the term of the agreement with VERCOM S.A., the client and its associated entities have the right to conduct a security assessment at an agreed-upon and convenient time to confirm an adequate level of data protection. This assessment will cover technical, physical, procedural, and human controls.