Organizational and Technical measures to ensure information security

UAB “Ruptela” takes all necessary organizational and technical measures to ensure the security of the processed data and to protect the processed personal data from any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted.

Personal data security policies and procedures. The security of personal data and its processing in the organization is documented as part of the information security policy. The security policy is reviewed and revised on an annual basis.

Confidentiality. Prior to taking up their duties, employees are asked to review and agree to the security policy of the organization and to sign the respective confidentiality and non-disclosure agreements.

Training. The organization ensures that all employees understand their responsibilities and obligations related to the processing of personal data. Roles and responsibilities are clearly communicated during the pre-employment and/or induction process.

The organization ensures that all employees are adequately informed about the security controls of the IT system that relate to their everyday work. Employees involved in the processing of personal data are also informed about relevant data protection requirements and legal obligations through regular awareness campaigns.

A Data Protection Officer is also appointed, who is responsible for data protection in the organization, for disseminating knowledge, and for ensuring compliance with the GDPR. The Data Protection Officer can be contacted by e-mail: [email protected].

Access control policy. Specific access control rights are allocated to each employee involved in the processing of personal data, following the need-to-know principle. The access control policy is detailed and documented. The organization has determined the appropriate access control rules, access rights and restrictions for employees with respect to the processes and procedures related to personal data in the event of reorganization of the organization, dismissal of employees or a change of functions.

Access control management. Access to Ruptela internal resources is protected and managed through Active Directory. O365 multi-factor authentication is enabled for all users. Systems other than O365 that contain customer data are accessible only from the internal network by authorized employees using their unique accounts. Access is removed immediately after employee contract termination. An account audit is performed every 6 months to ensure that no unauthorized accounts are present.

Change management. All changes to the IT system are registered and monitored by the assigned employee.

Encryption. Ruptela solutions use SSL/TLS with high-grade encryption algorithms to secure externally facing service endpoints. In addition, Ruptela uses IPSec VPN with high-grade encryption to secure communication between remote sites or service endpoints.

Backups. Backups are performed at least once a day. All data stored in production databases has replicas. The coordinate database is replicated to three separate nodes (quorum). End users are not permitted to delete information directly at the database level.

Logging. Ruptela uses logging solutions that track changes performed on virtual machines. System users’ actions (logins/logouts, deletions, inputs) are also monitored and can be identified through the user’s IP address.

Business continuity. Ruptela has established the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data in the event of an incident/personal data breach. The business continuity plan is regularly tested to assess whether it will be possible to ensure uninterrupted service in the event of an incident.

Data breaches and incidents. Ruptela has established a security incident response plan that ensures effective management of incidents related to the security of personal data. Incidents and data breaches are recorded. They are reported to management without undue delay. Notification procedures for the reporting of the breaches to competent authorities and data subjects are established.

Data processors. Formal guidelines and procedures covering the processing of personal data by data processors (contractors/outsourcing) are defined, documented and agreed prior to the commencement of the processing activities.

Data Protection Impact Assessment. When choosing the information systems required for the organization’s activities, the impact on data protection in accordance with GDPR is assessed. Only certified software is used, which is updated on a regular basis.

Physical access control. Access to the premises is protected by an access control system.

Malware protection. All workstations are protected by antivirus software, run the Microsoft Windows 10 operating system with all the latest security updates, and are centrally managed. Workstation hard drives are encrypted.

Inquiries management. All customer inquiries are recorded in a centralized system, specifying the time of the inquiry. Login to the system is password-controlled. The system manages incidents, changes, and consultations. Centralized management of issues and changes is also ensured. The quality of customer systems operation is ensured by means of continuous monitoring, where each event is recorded and analyzed in a centralized system. Incidents are managed according to an established incident response plan, informing the responsible persons and, if necessary, forming a Business Continuity Management Team. Periodic tests and training sessions, as established in the business continuity plan, are carried out.

Software. Critical and important fixes for software security vulnerabilities are implemented for all software.

Data centers. Ruptela stores its servers in two data centers that are Tier 3 and Tier 3 Design certified. The data is stored in the European Economic Area and is not transferred to third countries.