Technical and Organizational Measures In Accordance with Art. 32 GDPR and Amendments
Effective date: 2024.04.01.
Unless otherwise defined in this document, terms used in this document have the same meaning as in our Terms and Conditions, accessible from https://serverastra.com/docs/GTCS .
This document includes important additions to ServerAstra GTCs
I. Pseudonymisation and Encryption of Personal Data
Your credentials are stored in an encrypted industry highest standard hash format (BCRYPT). All data transfers are encrypted either using SSL/TLS, Wireguard or SSH2 protocols with the highest grade ciphers available. Access to payment credentials does not exist within our system. We use 3rd party PCI compliant companies to handle payments.
II. Confidentiality
Datacenter
Our datacenters are high-security facilities which employ physical entry control systems with active accounting and logs, high security perimeter protection, 24/7 guard security and surveillance cameras at all entry and exit points. Any access to the datacenter is strictly logged and accounted for by guards and automatic systems using keycard security. The datacenter employs staff working in shifts 24/7 protecting the data and keeping the facility operational.
Access Control
During the deployment the deployed system passwords are saved in the database. All passwords must be reset by customers upon receiving the emails. All passwords can be reset by the Customer and will not be known to ServerAstra unless requested in order to login and offer support. Passwords must meet a minimum length entropy level and new passwords must be changed on a regular basis. While we do our best to prevent unauthorised access by applying security updates and preventive pen-testing regularly, the responsibility for access control is incumbent upon the Customer. We suggest using cryptographic keys based on elliptic curves or RSA keys with at least 4096 bit length instead of raw passwords. ServerAstra internal administration systems are protected with a secure cryptographic keyring and autogenerated high entropy passwords with strictly defined expiry time in case key setup is not available. We prevent unauthorised access by regularly applying security updates and keeping critical systems in an internal network, accessible only via VPN. No single employee holds single access to all systems and the keyring system is secured and isolated up to the highest industry standards.
Transfer Control
Upon termination system drives are decommissioned to perform Secure Erase procedure which is either performed using the drives' capabilities or using single pass of random non-patterned high-entropy data and zeroed data writing and reading for verification if Secure Erase is not available. The swiped (clean) drives are only allowed to be reused after thorough testing. Defective drives are degaussed and destroyed with a logged procedure to ensure compliance.
Isolation Control
Provider internal administration system data is physically isolated from customer data and the networking is accessed only via an encrypted VPN.
Anonymization
The Customer is solely responsible for anonymization.
III. Integrity (Art. 32 Para.1 Clause B GDPR)
Data transfer control
In accordance with Art. 32 Para. 4 GDPR, all Provider staff is trained and obliged to ensure that personal data is handled in accordance with data protection regulation. Customer data is deleted after termination of the contract in accordance with the law. All data transfers are encrypted either using SSL/TLS, Wireguard or SSH2 protocols with the highest grade ciphers available.
Data Entry Control
All data changes made by Provider staff in internal administration systems are logged. All data changes made by Customer in administration systems are logged. For the dedicated servers, co-located servers, virtual dedicated systems and cloud systems the responsibility for input control is incumbent upon the Customer.
IV. Availability and Resilience (Art. 32 Para. 1 Clause B GDPR)
Provider internal administration systems are continuously backed up and protected by using highest industry standards in security processes which include but are not limited to: encryption, (V)LAN separation, firewalls, intrusion detection systems (IDS), web application firewalls (WAF), spam filters, active penetration testing (pen-test) and virus scanning. All of our internal systems are monitored internally via active logging system with agents and externally by a 3rd party uptime monitoring solution. Data resilience is enhanced by employing RAID or a zero single-point-of-failure (SPoF) clustering system.
Customer server backups are included as a courtesy in some cases (noted within service description), but data backups are incumbent upon the Customer. Provider provides high-availability network and electric supply, uninterruptible power supply systems and an uptime SLA.
V. Procedures for Disaster Recovery (Art. 32 Para. 1 Clause C GDPR)
Provider has employed a specific set of rules which directly mentions the responsible for recovery and the ones who need to be informed in the case of any sort of malfunction which results in service degradation or data loss. Beyond that Provider implements automated disaster recovery simulation which ensures the vital systems can be up and running with minimal possible interruption.
VI. Procedures for Regular Testing, Assessment, and Evaluation (Art. 32 Para. 1 Clause D GDPR; Art. 25 Para. 1 GDPR)
Provider staff are trained to react swiftly and effectively in the case of service degradation as part of the procedure for regular testing of our GDPR compliance. This includes training of data protection law and procedural and user guidelines for data processing on behalf of Customers with regard to the Customer's right of instruction.
Contact Us
If you have any questions about this document, please contact us:
- By email: dpo@serverastra.com
- By visiting this page on our website: https://serverastra.com/Contact