To ensure the protection of personal data processed as part of the Services, we implement a range of technical and organizational measures (TOMs) in compliance with applicable data protection legislation. Leveraging our sub-processors' industry-leading security features, we maintain a secure environment that aligns with recognized standards for data privacy and protection.

  1. Data Access Control

Access to personal data is restricted to authorized personnel through role-based permissions. Access levels are reviewed regularly to ensure that data access remains appropriate. We use Okta's authentication offerings to enforce secure access to systems and applications; user authentication is provided by Okta's identity management services, ensuring that only verified users can access personal data.

  1. Data Transmission

All data transmitted over public networks is encrypted using Transport Layer Security (TLS) 1.2 or higher, ensuring secure transmission between users and our services.

  1. Data Storage

Data is encrypted at rest using AES-256 encryption within Microsoft Azure to protect data stored on servers. Data is logically separated in Azure’s environment to prevent unauthorized access between customers and maintain data integrity.

  1. Data Backup and Recovery

Data is backed up regularly and stored securely to facilitate restoration in the event of data loss or system failure. Azure’s built-in disaster recovery and redundancy features allow us to respond to incidents promptly and ensure continuity of services.

  1. Physical Security Controls

Data centers managed by Microsoft Azure comply with high physical security standards, including 24/7 surveillance, access control systems, and environmental protections. Only authorized personnel have physical access to data centers, and Microsoft Azure maintains a record of all access attempts and entry logs.

  1. Incident Management

We monitor our systems for potential security incidents, leveraging Azure Security Center and Okta’s security alerts to detect unauthorized access or anomalous activities. In the event of an incident involving personal data, we follow defined protocols to contain, mitigate, and resolve the incident, as well as notify affected individuals or authorities as required under data protection laws.

  1. Data Integrity and Accuracy

We implement data minimization practices, ensuring that only data necessary for specific processing purposes is collected and stored.

  1. Organizational Measures and Awareness

All employees undergo GDPR and data privacy training to stay informed of data protection responsibilities and protocols. Internal policies and audits are conducted to ensure ongoing compliance with GDPR requirements and to assess the effectiveness of security measures.

  1. Data Deletion and Retention

Data is retained only as long as necessary for the purposes for which it was collected, in accordance with GDPR’s data minimization and storage limitation principles. When data is no longer required, it is securely deleted from our systems using Microsoft Azure’s secure data deletion methods.

  1. Sub-processor Management