Technical and organizational measures
This document describes the requirements and implementation of measures for secure and compliant processing of personal data. It considers Articles 24, 25, and 32 GDPR where applicable.
1. Confidentiality
1.1 Entry control
Requirements: Rooms in which personal data are processed or data processing systems are installed are not freely accessible. They are locked when employees are absent. Entry authorization is assigned on a need-to-know basis according to an established process and is reviewed for necessity at regular intervals. Rooms in which data processing systems are located (computing center, servers, network distributors, etc.) have special entry protections and may be accessible only to IT administration employees (possibly management). Devices must be stored in appropriately locked cabinets. Visitors and non-company persons must be registered through an appropriate and documented process and are monitored while in the office space.
Integromat has implemented the requirements in the following manner:
 | Locked building |
| Locked offices |
| Electronic security locking system |
| Mechanical security locking system |
| Documented key issuance |
| Locked server rooms with entry control |
| Locked server cabinets |
| Electronic entry control |
| Visitor registration and monitoring |
| Daily security service |
1.2. Access control
Requirements: For every IT Service or system user, a personally assigned user must be set up with at least a 10-character password including upper and lowercase letters, numbers, and special characters. The system must require users to change passwords at least every 120 days. The network users must agree in the documented form to comply with the user access guideline. A documented procedure is required when setting up, changing, and removing access authorization. All assigned access authorization must be documented and reviewed routinely regarding necessity. IT Service and System access to data must be monitored and logged, including any unsuccessful login attempts. The system must block any IT Service and System access automatically after no more than 10 failed login attempts.
Integromat has implemented the requirements in the following manner:
| Complex passwords |
| Central authentication |
| Access blocked after too many incorrect password entries |
| Secure line connection for external access (VPN) |
| Use of an up-to-date firewall |
| Multifactor access control |
1.3 Usage control
Requirements: A documented, role-based authorization concept exists for use of personal data that limits use so that only authorized persons can use the personal data necessary for their job (minimization principle). The password rules from access control are also implemented for usage control. Administrative tasks must be limited to a small group of administrators. The tasks of administrators are monitored and logged to the extent technically feasible.
Integromat has implemented the requirements in the following manner:
| Role-based authorization process |
| Application-specific authentication with username and password |
| Logging user access and data processing |
| Allocation of authorizations only after approval by the data owner |
| Protected access to data storage media |
| Destruction of paper documents in compliance with data protection law |
| Encryption of mobile data storage media |
| Restriction of Admin users incl. appropriate documentation |
1.4 Separation control
Requirements: Personal data must be separated by means of various storage locations or client separation.
Integromat has implemented the requirements in the following manner:
| Separation of productive and test systems |
| Logical client data separation within the data processing system |
2. Integrity
2.1 Transmission control
Requirements: During transmission control, it is necessary that only authorized persons can view personal data. For transmission by email, protective actions (e.g., encryption of communication between the email servers) are required. Mobile devices or mobile storage media must be encrypted if personal data are stored on them.
Integromat has implemented the requirements in the following manner:
| Communication end-to-end encryption (e.g. TLS) |
| The use of private data storage media is prohibited |
| Special protection when physically transporting data storage media |
| A VPN Connection is needed when accessing system critical resources from outside of the corporate network |
2.2 Input control
Requirements: It must be possible to assign the input, modification, and deletion of personal data to the employee performing the task. The system must limit the modification and deletion of datasets to effectively prevent accidental modification or deletion.
Integromat has implemented the requirements in the following manner:
| Traceability when assigning, changing, and deleting user authorizations |
2.3 Contractual order control
Requirements: In terms of contractual order control, it is necessary that the data processing procedures carried out on a subcontracted basis take place exclusively at the instruction of the Controller. To that end, the individuals involved in data processing must be trained and provided with instructions. Outsourced processing must be monitored through internal controls. The results of the controls are documented.
Subcontractors may be hired only on the basis of the rules agreed with the Controller. Transmission or use of personal data may only take place after the subcontractor has signed an outsourced processing agreement pursuant to Article 28 GDPR and has confirmed compliance with the rules of the data protection concept. The contractor’s duty to supervise its subcontractor is based on the outsourced processing agreement entered into with the Controller.
Integromat has implemented the requirements in the following manner:
| Documentation of processing activities |
| Careful selection of processors (detailed assessment of provided guarantees) |
| Written agreement with the processor on the data protection minimum standard |
| Appropriate monitoring of the processor |
| Assuring compliant destruction or return of data upon completion of the assignment |
3. Availability and reliability
Requirements: Personal data must be processed on data processing systems that are subject to routine and documented patch management. Systems may not be connected within the network that are outside the maintenance cycles of the manufacturers. Security-related patching must be initiated within 72 hours after they are released. Redundant storage media and backups must be used to ensure continuous availability of personal data based on the latest technical standards. Computing centres and server rooms must meet the technical standards (temperature regulation, fire protection, flooding, etc.). The servers must have an uninterruptible power supply (UPS) allowing a controlled shutdown without loss of data.
Integromat has implemented the requirements in the following manner:
| Regular patch management for servers |
| Regular patch management for end devices |
| Initiate security-critical patches within 72 hour |
| Uninterrupted power supply |
| Early fire detection in office buildings |
4. Procedure for routine review, assessment, and evaluation
Requirement: A procedure must be implemented for monitoring data protection at the company. This procedure must include an agreement by employees to maintain data secrecy, training and education of employees, and routine auditing of data processing procedures. Likewise, the processing procedure carried out for the Controller must be documented before the start of data processing. A thorough reporting and management process must be introduced for data breaches and the protection of the rights of data subjects. This process must also include notification of the Controller.
| Regular documented training of employees involved in data processing |
| Documented procedure for introducing, modifying, and discontinuing procedures |
| Regular review of the latest technical standards pursuant to Article 32 GDPR |
