Starting from the DPA Effective Date, Processor will implement and maintain the Security Measures set out in this ANNEX 2 – SECURITY MEASURES. These Security Measures may be amended and/or updated by Processor from time to time provided that such amendments and/or updates do not materially decrease the overall security of the Service provided by Processor.
- Processor has a code of conduct and a disciplinary process for violations which all personnel and/or contractors are required to read and acknowledge upon hire/start of cooperation.
- Agreements between Processor and third parties or subcontractors include clearly defined terms, conditions and responsibilities, including information security responsibilities.
- Processor’s ongoing risk assessment and management process includes a periodic review of its organizational structure to help meet changing commitments and system requirements.
- Management performs periodical performance reviews for employees, contractors and subcontractors.
Communication and Information
- Processor performs logging of core information, including but not limited to development, financial transactions, payroll and expenses.
- Processor has implemented policies and procedures for significant processes, which are made available to all personnel and/or contractors.
- Processor’s and Controller’s responsibilities are described in the Processor’s Terms of Service.
- Planned or emergency system changes are communicated internally to all relevant stakeholders. This is covered via the incident and change-management-procedures.
- status.sketch.com is used by Processor to inform its customers and stakeholders of incidents and availability and major maintenance operations. Users can subscribe to email updates to this status dashboard.
- Processor has a dedicated information security team which meets regularly with the legal team and with top managers to review risk assessments and security policies.
- Appropriate levels of Processor’s management are involved in the risk management process and risk identification considers both internal and external factors and their impact on the achievement of goals.
- As a part of the risk management process, risk assessment includes management’s decision on how internal and external risk should be managed (whether to accept, avoid, reduce or share the risk) and considers potential fraudulent activities.
- Processor performs annual, periodic and ad-hoc information security assessments based on international standards such as ISO27005.
- Sketch Platform and products are always built and deployed from source code stored at source-code-management systems like Github.
- Before deploying to production, any deployment is tested on non-production environments and tested by engineers and a dedicated QA team. No production data is used for testing.
- Deployment is fully automated and controlled by a dedicated infrastructure team. Infrastructure-as-code practice is used.
- All changes to the software are logged.
- Processor identifies security risks and evaluates the effectiveness of controls in place, making changes as appropriate to address any identified risks. Personnel with expertise in the affected area is assigned to investigate and develop risk mitigation. An incident procedure is followed for major security risks and incidents, including follow-ups via post-mortems.
- Processor’s policy and process changes are communicated company-wide. Major changes are announced via internal HR tool to ensure the changes are read and approved by everyone in the company.
- Policies are stored in a company wide Knowledge Base system where changes are tracked and latest version is always available to everyone. Management does review and approve policies.
Logical Access Controls
- Processor’s access to customer created documents, data and usage logs are controlled through AWS identity-access-management mechanisms.
- Accounts with access to production environment, or customer-data, have 2-factor authentication enforced.
- Processor’s staff can access Controller’s data only upon Controller’s written instructions. Access to customer data is restricted based on role and need to know basis.
- Processor’s staff is granted access to the above information via completing an Access Request and will use their own credentials. Shared accounts or passwords are prohibited on production systems.
- When an employee/freelance contract is terminated, access is immediately removed. Processor is having an off-boarding procedure, triggered by Processor’s HR department.
- All accesses to Processor’s services (including temporary ones) are monitored and periodically reviewed and updated if necessary on a need to know basis.
- Secure erasure of unneeded storage is handled by AWS.
- A private VPC network is used to store and access internal data. A VPN (with 2FA layer) is required to access those data.
- Communication between Processor’s services and the Controller’s are always encrypted using TLS 1.2 or better.
- Deployments are communicated via Slack to all engineers and staff.
- Configuration changes are tracked via source-code-management systems and announced to infrastructure staff members.
System Operations & Change Management
- All code-changes and configuration-changes are reviewed by at least one member of the Processor’s engineering team (and/or infrastructure team when required). QA is involved before those changes are merged and deployed to non-production environments, and do review the changes to ensure they meet the objectives.
- Changes are automatically tested and scanned for known vulnerabilities. Used dependencies are also checked automatically for known vulnerabilities and available updates. Automatic alerting systems are in place.
- CI testing is used for testing and verifying application logic before any change can be merged.
- Processor is using multiple environments to develop and test changes. Production environment is fully isolated from all other environments.
- Deployments to production and non-production environments are lead by infrastructure team.
- Processor is running multiple penetration test programs. Test results are reviewed by management to determine threat levels. Incident procedure is used for critical findings to ensure those are addressed as soon as possible, including mitigation and follow-ups.
- Telemetry and anonymised usage data (e.g. exceptions, logs) are used to optimise processor services.
- Monitoring is used on the telemetry and usage reports to detect technical issues quickly with the goal to fix them. Mitigation and resolution of security issues and incidents are prioritized.
- Backup of all data is performed via multiple systems to prevent data loss and to ensure systems can quickly be restored in case of need.
- Processor is ensuring the ongoing confidentiality, integrity and availability of processing systems and services.
- Data is always transmitted encrypted (using TLS 1.2 or better).
- Data is stored encrypted at Processor’s environments.
- All backup data is encrypted.
- Key management systems are used by Processor.
- Processor has developed a business continuity plan with instructions to contain possible business disruptions.