Technical and Organizational Measures In Accordance with Art. 32 GDPR and Amendments
I. Pseudonymisation and Encryption of Personal Data (Art. 32 Para. 1 Clause A GDPR)
Your password and account data are encrypted, as is all data stored within our billing portal and client area portal. We do not store any other billing-related material (e.g. credit card data) on our servers; payments are handled by third-party PCI-compliant payment processors.
II. Confidentiality (Art. 32 Para. 1 Clause B GDPR)
Our data center facility (EvoSwitch AMS-1) has a logged physical entry control system and a high-security perimeter fence. Distribution of keys to data center employees and colocated customers is controlled and logged. Access to the building, including by guests, is strictly controlled and logged. Data center staff are present twenty-four hours a day. The site is monitored by CCTV at all entrances and exits, and server rooms are protected by security door interlocking systems.
After initial deployment of a server, the root password can be reset by the client and is not known to EuroVPS unless the client requests support and asks us to log in. Passwords must meet a minimum length, and new passwords must be changed on a regular basis. While EuroVPS shall try to prevent unauthorized access by applying security updates regularly, the responsibility for access control on client servers is incumbent upon the client.
For EuroVPS internal administration systems, we prevent unauthorized access by applying security updates regularly, by keeping critical systems off the public-facing internet and accessible only via DMVPN (dynamic multipoint VPN), and by enforcing a mandatory authorization process for employees.
Upon termination, decommissioned hard disks are wiped (overwritten) multiple times in accordance with our data protection policies. Wiped hard disks are only reused after thorough testing; defective drives are destroyed and recycled in an environmentally responsible manner at specialised facilities.
EuroVPS internal administration systems' data is physically isolated from customer data, and the internal administration network is air-gapped from customer networks.
We offer clients the choice to anonymize their accounts and they can do so from within their client area portal.
III. Integrity (Art. 32 Para. 1 Clause B GDPR)
Data transfer control
In accordance with Art. 32 Para. 4 GDPR, all EuroVPS staff are trained and obliged to ensure that personal data is handled in accordance with data protection regulations. This means that client data is wholly deleted after termination of a contract, in accordance with data protection regulations. Furthermore, encrypted data transmission is provided as standard in our client area portal.
Data Entry Control
All data changes made by EuroVPS staff in internal administration systems are logged. For client servers, the responsibility for input control is incumbent upon the client.
IV. Availability and Resilience (Art. 32 Para. 1 Clause B GDPR)
EuroVPS internal administration systems are backed up daily and are also protected by security controls which include, but are not limited to, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), web application firewalls (WAF), spam filters, and virus scanners. Furthermore, all internal systems are monitored using HTTP and SNMP monitoring. Data resilience is enhanced by employing hardware RAID on all hard disks in operation.
Client server backups are included as a courtesy, but responsibility for data backups remains with the client. EuroVPS provides an uninterruptible power supply system, high-availability networking (WAN/LAN, and storage via Fibre Channel) and also provides an uptime SLA.
V. Procedures for Disaster Recovery (Art. 32 Para. 1 Clause C GDPR)
EuroVPS has defined an escalation process which specifies who is to be informed in the case of any network, storage, or compute malfunction which results in service degradation and/or data loss. The goal of this escalation process is for all staff to be in a state of readiness in case disaster recovery procedures (i.e. data recovery) need to be actioned, so as to restore systems as quickly as possible.
VI. Procedures for Regular Testing, Assessment, and Evaluation (Art. 32 Para. 1 Clause D GDPR; Art. 25 Para. 1 GDPR)
As part of the procedure for regular testing of our GDPR preparedness, staff undergo regular drills to demonstrate their readiness to react swiftly and effectively in the case of service degradation. Employees are regularly trained in data protection law and are expected to be familiar with the procedural and user guidelines for data processing on behalf of clients, including with regard to the client's right of instruction.