Updated: October 06, 2021
In the course of providing our service, SessionStack may process personal data on your behalf. To set out how that processing is performed and what our obligations and those of our users/customers are, we have developed a Data Processing Addendum (DPA), which we enter into free of charge with any user of our service who requests it. The DPA forms part of the contract of service between SessionStack (as the Data Processor) and our users/customers (as the Controllers) and reflects the parties' agreement regarding the processing of personal data performed using our service. As a Controller, to sign the addendum you must request a copy for review and signature by contacting us at support@sessionstack.com. We will countersign it and provide you with a fully executed downloadable copy via email. The Addendum comes into full force and effect upon SessionStack's receipt of the validly completed and digitally signed Addendum.

SECURITY AREAS AND SECURITY MEASURES FOR PERSONAL DATA PROTECTION
NETWORK AND SYSTEMS SECURITY
- Firewall and router configurations must be set up to restrict inbound and outbound traffic from "untrusted" networks (including wireless) and hosts. All traffic is denied except the protocols necessary for the personal data environment (PDE).
- Production (real) data is allowed only in production environments. By exception, and with all necessary approvals, QA environments may process real personal data only to the extent that they are protected as production environments. Development, testing and pre-production environments must use anonymized or synthetic data.
- Standard hardening configuration templates must be developed for databases, operating systems and applications containing personal data.
DATA SECURITY
- Personal data retention time must be limited to what is necessary for each processing activity, while complying with legal and/or regulatory retention obligations.
- Strong cryptography and security protocols must be implemented to protect personal data in transit over open, public or untrusted networks.
- Where channel encryption is not possible, files and attachments containing personal data must themselves be encrypted whenever they are transmitted over open, public or untrusted networks.
- Security tools should be used to monitor and control the flow of personal data through endpoints and towards external networks.
- Encryption of databases/data storage should be based on a proper classification of the assets in scope according to their level of criticality. For example, databases/data storage serving core business processes/services or storing a large amount of personal data may be protected by strong encryption. Each Legal Entity decides whether to implement encryption and at what granularity (e.g. at storage level or table level).
- Personal data at rest should be encrypted when stored by Cloud Providers and/or other Third-Party Data Processors.
- Media containing personal data must be protected against unauthorized access through adequate physical (e.g. locks) and logical (e.g. encryption, access control) security measures.
- On return and/or decommissioning of ICT assets and resources, secure clean-up procedures (e.g. wiping) should be in place to remove all personal data, or to securely overwrite it, prior to disposal or re-use.
- Paper documents and magnetic/optical media (e.g. hard disks, DVDs, CDs, smart cards, USB flash drives) must be destroyed or rendered unusable so that the data and information they contain cannot be reconstructed and/or used, even partially, by unauthorized Third Parties. Paper documents must be physically destroyed in a shredder before being discarded.
- Employees must be adequately educated and trained on the rules of conduct for protecting personal data contained in paper documents (for example: when leaving the workstation, make sure nobody can access confidential information; protect original documents and photocopies from theft or unauthorized use; keep documentation in locked drawers and cabinets at the end of the working session).
DATA AVAILABILITY
- Proper procedures should be in place to restore the availability of personal data (a right of the data subject) in a timely manner. Back-up procedures should ensure that copies of personal data are taken at least weekly.
IDENTITY AND ACCESS MANAGEMENT
- Access to production environments containing personal data should be authorized according to the "need to know" and "least privilege" principles.
- Policies and procedures must be implemented to properly identify users and administrators accessing system components that manage personal data. Every user must be assigned a unique user name before being allowed to access system components or personal data.
- Individual remote administrative access to systems managing personal data must be protected by an authentication mechanism that requires the password or private key to be changed every 90 days. Password vaulting tools should also be evaluated to increase credential security.
- Passwords for systems and devices managing personal data must be at least 8 characters long, must not be easily attributable to the user, and must be changed at least every 3 months.
- Remote access (from external networks) to the PDE must be protected by multi-factor authentication.
- All access to databases containing personal data should be protected/controlled as follows:
  - application credentials used to access databases must not be used by individual users or other non-application processes;
  - such application/system credentials must be appropriately protected against misuse;
  - access must be granted only to personnel who actually need it to perform their own job/tasks (need-to-know principle);
  - a formal user registration and de-registration process should be implemented for assigning access rights to manage personal data.
- The number of personal data repositories (databases, files, copies, archives) should be kept to an absolute minimum, avoiding unnecessary duplication. Instead of duplicating data, preference should be given to pseudonymised databases that look up specific personal data in master repositories if and when needed.
- Visibility of personal data must be limited to the information necessary for each processing activity. No unnecessary personal data should be made available to users.
- Users' access rights to personal data should be reviewed/re-certified at regular intervals and in any case at least annually, as part of the regular Identity and Access Management process.
- Administrators should log on to a system using a fully logged, non-administrative account and only then elevate to administrative privileges.
LOGGING AND MONITORING
- Access to production environments containing personal data, and where technically possible access to the personal data itself, should be monitored and logged so that each access is precisely attributable to the individual user who performed it.
- For every event on system components processing personal data, record at least the following audit log entries: user identification; type of event; date and time; success or failure indication; source of the event; identity of the affected data (NDG for client and the ID for others), system component or resource.
- Upon necessity and/or regulatory request, the Data Controller has the right to obtain logs from the Third-Party Data Processor and/or Cloud Provider processing personal data on its behalf.
ORGANISATION AND HUMAN SECURITY
- Adequate procedures should be in place to ensure the continuous availability of personal data: back-up personnel should be identified to ensure continuity of service to data subjects wishing to access their own personal data.
- A formal security awareness program must be implemented so that all personnel are aware of the policies and procedures for personal data security. Periodic tests or simulations may be performed to assess whether employees click on links in suspicious e-mails or provide personal/sensitive information without following the appropriate procedures to verify the reliability of the source. Targeted training should then be provided to employees who fall victim to the test.
- Clear contractual agreements must be signed with service providers stating their responsibility for the security of the personal data they process/store/transmit on behalf of the Data Controller.
- Employees' responsibilities and duties regarding the confidentiality of personal data should be clearly stated as remaining valid after termination or change of employment.
- Personal data must not be copied to removable media, except media expressly authorized by the Processor for specific tasks.
DATA PROTECTION BY DESIGN
- Secure Software Development Lifecycle (SDLC) processes and tools must incorporate appropriate security checks/controls and requirements so that new ICT software/applications are designed and developed with security built in.
- ICT Change Management processes must incorporate appropriate security checks/controls and requirements so that ICT software/applications already in place remain protected when relevant changes are made.
PERSONAL DATA BREACH NOTIFICATION
- Incident Management processes and tools must be properly implemented and/or improved to enable the detection and classification of personal data breaches so that they are correctly communicated to the Controller within the terms established in the paragraph "Notification obligation and Security Breach".
- A register of personal data breaches should be created and maintained.