GDPR: Technical & Organizational Measures

This document describes the Technical and Organizational Measures for the security of data processing established by SkyFiber Internet regarding its personnel, applications and infrastructure.

Organizational Control

SkyFiber Internet takes the following general organizational measures for the protection of personal data:

  • All employees of SkyFiber Internet are bound by confidentiality obligations.
  • The IT Security Policy establishes standards for password and computer security, as well as guidelines for processing data.
  • Employees receive training on data protection and information security when hired.
  • All employees who process sensitive data receive refresher training at least once a year.
  • A company data protection officer has been appointed.

Physical Access Control

All personal data are stored in a data centre.

Measures that prevent unauthorized persons from accessing the data processing systems involved in the processing or use of personal data.

Data Centre

The employed technical and organizational measures of the data centre operator are regularly audited by an independent third-party body.

The access controls consist of:

  • Access is restricted to authorized employees and authorized external staff.
  • Electronic access control systems are used.
  • Access is recorded in audit logs.
  • Guests are identified and accompanied at all times.
  • Entrances and exits are under video surveillance.

Office Building

The business premises of SkyFiber Internet are protected against unauthorized access by means of an electronic access control system.

  • Only employees of SkyFiber Internet receive the credentials needed to open and close the access control system.
  • When no authorized person is present, documents containing personal data are locked away in lockable furniture.
  • Documents that are no longer needed are destroyed in accordance with data protection regulations.

IT Access Control

Measures that prevent the use of the data processing systems by unauthorized persons.

Computers & Networks

Measures which ensure that persons authorized to use a given data processing system can access only the data covered by their individual access rights, and that personal data cannot be read, copied, edited or deleted without authorization during processing, use and subsequent storage:

  • All computers are equipped with anti-virus software, significantly reducing the risk of malware.
  • The organization's WLAN is encrypted and can be used only by registered devices.
  • Personal IT and telecommunication devices, as well as visitors' devices, are not allowed to connect to SkyFiber Internet's office WLAN. A separate, protected WLAN is available for guests, visitors and personal devices; this WLAN does not provide access to the organization's network.
  • Access rights within the systems are allocated according to documented procedures that require approval by an authorizing party.
  • User rights are limited to the minimum level required to perform the user's activities (need-to-know principle).

User Credentials & Access Rights

  • Each SkyFiber Internet employee has personal user accounts for every system they have access to.
  • All user accounts are secured by individual passwords. Each password is known only to the account holder and may not be shared with other persons, not even within the organization.
  • User passwords follow a state-of-the-art policy including length and complexity requirements.
  • User passwords must be changed regularly, and recently used passwords cannot be reused.
  • User accounts are automatically locked after several consecutive unsuccessful authentication attempts.
  • Access to systems that provide access to personal data is secured by additional measures, such as two-factor authentication (2FA).
  • Administrative access to server systems is reserved for authorized persons. Connections are made over encrypted VPN, and authentication uses named individual accounts.
  • All production server systems are protected by firewalls that allow only the intended incoming and outgoing protocols (default deny).

Customer Data Access Control

Operations

Measures which ensure that personal data cannot be read, copied, modified or deleted without authorization during electronic transfer, transport or storage on storage media, and that make it possible to verify and identify the locations to which personal data are transmitted through data transfer facilities.

  • Data are transmitted over encrypted channels (HTTPS).
  • Access to data is limited to the minimum level required to perform the user's activities (need-to-know principle).
  • A standardized process exists for the identification and handling of security incidents.
  • All access by SkyFiber Internet to customer data is logged.

Partnership

Measures which ensure that personal data processing by SkyFiber Internet's partners is performed only in accordance with the law.

  • Connectivity between SkyFiber Internet and its partners for the purpose of transferring data between systems is set up and established only at the written request of the customer.
  • Data protection agreements with partners state the partners' legal obligations regarding the protection of personal data.

As a processor of personal data, SkyFiber Internet does not impose specific measures on its partners. It is up to SkyFiber Internet's customers, as the controllers of the personal data, to determine and impose the relevant measures on their other service providers.

Subcontracting

Measures which ensure that personal data processing by SkyFiber Internet's subcontractors is performed only in accordance with the customer's instructions.

  • Data protection agreements with subcontractors contain detailed information on the type and scope of the commissioned processing and use of the customer's personal data.
  • Data protection agreements with subcontractors contain detailed information on the limitation of use to specific purposes regarding the customer's personal data, as well as a prohibition on the service provider using the data beyond the written order.
  • Where applicable, SkyFiber Internet's rights of control over the agents processing the data are stipulated in the agreement.
  • The technical and organizational measures of the contractors are verified.

Availability Control

Measures which ensure that the personal data are protected against accidental destruction or loss.

Software Development & Deployment

  • Significant changes to the production systems are approved and documented via a change-management process.
  • Software versions under development are tested through a multi-stage pipeline (development environment, testing environment, production environment).
  • Software development is managed through a source code review process.
  • Deployments are versioned, so that previous versions can be restored at any time.
  • The availability of security patches, and known vulnerabilities in system and software components, are monitored via a patch management process. Patches are installed via the change management process.

Data centre

  • All servers are protected against power failures by redundant circuits, UPS devices and diesel generators. Servers are equipped with redundant power supplies. The UPS system filters out all irregularities and faults of the power supply network.
  • The climate control is redundant.
  • State-of-the-art fire-fighting and fire prevention systems are used.
  • The Internet connection is redundant.
  • Hard disk mirroring is used in the servers.
  • The data are protected by means of a multi-stage data protection concept and stored on redundant systems.

Office Buildings

  • No relevant data storage takes place in the offices of SkyFiber Internet.
  • Central IT devices are protected by a UPS system.
  • Administrative access to the server systems does not depend on the availability of the office infrastructure.

Segregation Rule

Measures which ensure that data collected for different purposes are separately processed.

  • Data collected for different purposes, and data belonging to different clients, are stored and processed separately by means of logical access controls.
  • The development, test and production systems are reliably separated.
  • Only non-production data are used for testing purposes.