Data security

TELQ TECHNICAL AND ORGANISATIONAL MEASURES INCLUDE TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA.

TelQ currently applies the security practices described in this Annex II. TelQ may modify or update these practices at its discretion provided that such modification and update do not result in a material degradation in the protection offered by these practices. All capitalised terms not otherwise defined herein shall have the meanings as set forth in the Agreement.

The Processor implemented the following technical and organisational security measures to maximize the protection of Personal data:

A. Access control to premises, computers, and technical equipment

• Premises in which technical equipment is stored are protected in the most appropriate manner in order to prevent unauthorized access to the computers.
• Business equipment for work may be used solely for business purposes, on TelQ’s premises or in remote workplaces.
• In order to access computers and emails, employees are obliged to use complex passwords that are resistant to dictionary attacks.
• In absence of employees, protected premises are locked and can never be left without the supervision of employees.
• If an employee leaves the computer unattended, he/she is obliged to disable access to the computer, i.e., to lock the computer. After working hours, an employee is obliged to lock or shut down the computer and to clear the table from all documentation that contains personal information.
• Employees do not have access to personal data in absence of authorized personnel within TelQ who are allowed to process personal data.
• TelQ enters into separate non-disclosure agreements with every employee who has or may have access to personal data.

B. Access control to software and computer systems during personal data processing

• The software kept inside of business premises of TelQ is protected in such a manner that only authorised persons in accordance with appropriate service agreements have permission to access them.
• Employees are obliged to regularly install security patches for software installed on the TelQ’s computers that they use.
• Online services provided by TelQ run on secured HTTPS protocol.
• TelQ performs vulnerability scanning and assessments on applications and infrastructure level to assess information leakage issues.
• TelQ secures its computer networks using multiple layers of access controls to protect against unauthorised access.
• TelQ restricts access through mechanisms such as, but not limited to, management approvals, robust controls, logging, and monitoring access events and subsequent audits.
• TelQ identifies computer systems and applications that warrant security event monitoring and logging, and reasonably maintains and analyses log files.

C. Receipt and transfer of personal data

• Personal data can be transferred by informational, telecommunication and other means only if appropriate measures and procedures for the prevention of unauthorized destruction, alteration, loss, access, processing, use and transfer of personal data are previously set in place.
• Personal data can be transferred only to users who previously deliver the evidence of the existence of appropriate legal ground, or based on the request, i.e. the consent of the data subject. Legal ground i.e. consent of the data subject must be provided to TelQ in writing.
• Each processing activity of personal data must be recorded and kept in an appropriate database, which contains information on TelQ acting as a data controller or data processor, data subjects, categories of personal data, subjects whom personal data are or will be shared with, international data transfer if such transfer is made, the time period after which the data are being erased, as well as the general description of organizational and technical measures implemented by TelQ.
• TelQ uses the appropriate firewall and encryption technologies to protect the gateways and pipelines through which the data travels.
• TelQ ensures the transfer of data via SSL (end-to-end data check).

D. Personal data processing arising from the sub-processing agreement

In case any activities related to personal data processing need to be delegated to a sub-processor, TelQ enters into a written agreement with the sub-processor which stipulates the mutual rights and obligations of TelQ and sub-processor. The agreement stipulates the requirements and measures securing the protection of personal data by the sub-processor.

Sub-processors which have concluded agreements with TelQ comply with legal requirements in terms of technical and organisational measures for personal data protection, in accordance with this DPA.

Sub-processors who have entered into agreements with TelQ are obliged to destroy or return personal data to TelQ after the processing of such data.

TelQ is using virtual servers and cloud infrastructure that are provided by Amazon AWS.

Information about the security of Amazon Web Services:

a) Information about the security of Amazon Web Services aws.amazon.com/security

b) Information about the physical security of Amazon AWS data centres: aws.amazon.com/compliance/data-center/controls

c) Information about GDPR compliance of Amazon Web Services: aws.amazon.com/compliance/gdpr-center