Annex 1 - Technical and organisational security measures


This document applies to UK, DK, US and other countries which are not subject to other country specific terms.

Effective date:

30/12/2022

This Annex 1 forms part of the Famly Data Processing Agreement, and any capitalised terms in this Annex 1 have the meaning set out in the Famly Data Processing Agreement. Famly has in place certain technical and organisational security measures to ensure compliance with the Applicable Data Protection Laws. Those measures are set in place to prevent improper destruction, alteration, disclosure, access, and other improper form of processing of Customer Data.

Famly reserves the right to modify the measures and safeguards implemented, provided that the level of security is not less protective than initially agreed upon. In the event of considerable changes to the measures, Famly shall notify the Customer of such changes.


1. Confidentiality (Article 32 Paragraph 1 Point b GDPR) 

Physical Access Control

Unauthorized access (in the physical sense) must be prevented.

Technical and organizational measures to control access to premises and facilities, particularly to check authorization:

  • Famly’s offices are protected with fire detection as well as electronic security and intrusion alarms. No customer data is stored at Famly’s offices or on local employee computers. All data is accessed by Famly employees via secure encrypted connections with the Data Centres.
  • The Data Centres used by Famly are state of the art. The Data Centre providers have many years of experience in designing, constructing, and operating large-scale data centres. This experience has been applied to the platform and infrastructure. Data Centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. All physical access to Data Centres is logged and audited routinely.
  • Physical Media: Physical media (e.g. transcripts) that contain personal data from the Famly IT solution shall be stored in locked cabinets when they are not in use and up to the time of destruction, cf. the section on Physical Media below. Only employees with a specific requirement may access such physical media.

Electronic Access Control

Unauthorized access to IT systems must be prevented.

Technical and organisational measures for user identification and authentication:

  • Firewalls: Updated firewalls are applied to protect the network at Famly's office against unauthorized access. The same standards are applied at the Data Centres, where firewalls and other technical methods are used to protect the Data Centres network against unauthorized access. 
  • Anti-virus/anti-malware: IT devices used by Famly to access Personal Data on the Famly IT Solution, including servers that are used in the operation are, to the extent possible and relevant, protected with updated anti-virus- and anti-malware software.
  • Encryption: In relation to the transfer of data within the Famly IT Solution through public communication connections, including when the Famly IT Solution is accessed by users, secure encryption is applied, based on generally recognized algorithms that as a minimum will be equivalent to SSL 256bit. All WIFI connections used at the Famly office and in the Data Centres are secured through use of encryption in the form of WPA or better.
  • Famly’s Remote Access: When Famly's employees access the Famly IT Solution through remote access, such connections are secured through encryption e.g. in the form of VPN. Any access to the Famly IT Solution requires that the Famly employees register a username, password and two-factor authentication. Famly complies with the conditions in this Data Processing Agreement, irrespective of the use of remote access.
  • Famly’s Password Policy: Famly Employees with access to Famly’s IT Solution are covered by a strict password policy. Passwords must be minimum 10 characters and contain: Upper case as well as lower case letters, numerals, and special characters. Passwords are required to be changed periodically. Passwords must not contain any names or usernames.
  • Penetration Testing: Famly has penetration tests performed on the Famly IT Solution by an external agency according to industry standards on a regular basis.

Internal Access Control

Activities in IT systems not covered by the allocated access rights must be prevented.

Requirements-driven definition of the authorization scheme and access rights, and monitoring and logging of accesses:

   a. Authorization

  • All Famly employees with access to Personal Data are authorized by Famly. Such authorizations specify which access and for what purpose each employee can access the Personal Data. The Famly employees are solely authorized to access the Customer's Personal Data for operational or technical purposes. The Famly employees do not have access to Personal Data that is not included in their authorization. All access to Personal Data by Famly employees is logged.
  • Famly checks and updates all employee authorizations on a regular basis, as a minimum semi-annually. The authorizations are adapted or revoked in relation to employees changing job positions, responsibilities or termination of employment. 
  • The Famly IT Solution is configured so that the Customer can authorize its employees based on access roles. The Customer assigns its employee authorizations through the web or app module provided by Famly.
  • All Famly employees with access to Personal Data are informed of this Data Processing Agreement and are obliged to comply with the employee targeted requirements of this Data Processing Agreement.
  • Data security and privacy awareness training is conducted for all new Famly employees and a refresher training is conducted for all Famly employees at least annually.
  • All Famly employees with access to Personal Data have their criminal record checked by Famly in connection with their employment and checked again at least annually during their employment.
  • All product development and bug fixing activities are to the extent possible done on dummy test data and not on actual Customer Data. 

   b. Login, Username and Passwords

  • All employees at Famly and at the Data Centres have unique usernames and passwords. Usernames and passwords are created and altered from generally recognized principles and no username is reused within a period of at least six months since the username was last in use. Provided that a Famly employee has not used their username within a period of three months, the username will automatically be suspended. 
  • After multiple successive failed login attempts with the same username, the login with the respective username will be blocked. This applies to both employees of Famly and the Customer. The blocking of access in the previously mentioned scenarios cannot cause any liability towards Famly. In case a block of a Famly employee account occurs, Famly will conduct a follow-up on the matter as soon as possible.
  • It is not possible to log into the Famly IT Solution by using an anonymous user account or guest account.

   c. Confidentiality

  • All Famly employees with access to Personal Data are subject to strict confidentiality throughout their employment contracts and all employees within the Data Centre are subject to confidentiality.
  • The confidentiality is maintained beyond the termination of the Agreement or if the Agreement with Data Sub-processors ceases. Famly employees are also subject to the confidentiality obligation upon cessation of their employment.

Isolation Control

Data collected for different purposes must also be processed separately.

Measures to provide for separate processing (storage, amendment, deletion, transmission) of data for different purposes:

  • Storing of Data: Within the Famly IT Solution, all Data is stored in the Data Centres. The Customer's Data is stored logically separated from the Data of other Customers for whom Famly is carrying out data processing. All Data is tagged with unique ids which can identify which end-user or Customer the data belongs to.

2. Integrity (Article 32 Paragraph 1 Point b GDPR)

Data Transfer Control 

Aspects of the disclosure of Personal Data must be controlled: electronic transfer, data transmission, etc.

Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking:

  • IT Storage Media: In case of recycling, discarding, repairs or service on storage media used for Personal Data, it is ensured that third parties cannot gain access to data on such media. Such security procedures are conducted either through encryption or by thorough deletion or overwriting to ensure that all previously stored Personal Data cannot be recovered by using a generally recognized specification (e.g. DOD 5220-22-M).
  • Physical Media: All physical media that may contain Personal Data from the Customer's IT solution (e.g. prints), will be discarded in a safe manner when the physical media has fulfilled its purpose. This can be executed through shredding or through other means that ensures that access to Personal Data is not possible.
  • Virtual Private Network: When Famly's employees access the Famly IT Solution, such connections are secured through encryption e.g. in the form of VPN. Any access to the Famly IT Solution requires that the Famly employees register a username, password and two-factor authentication.
  • Electronic Signature: Famly uses 256-bit SSL certificates to prove the authenticity of Famly towards the end-users.
  • Transport Security: Famly utilizes end-to-end SSL encryption from end-user devices all the way to the database in the Data Centres as well as between internal services on the servers in the Data Centres.

Data Entry Control

Full documentation of data management and maintenance must be maintained.

Measures for subsequent checking whether data have been entered, changed or removed (deleted), and by whom:

  • Any access to Personal Data related to the use of Famly's IT Solution is automatically logged in the Application Log. The log registers the time, username, type of application and the person that the data concerns, or the search criteria used. The log is kept for a minimum of six months and is deleted after a maximum of seven months.
  • The Customer can gain access to specific information from the Application Log by special request to Famly.
  • Provided that access to the Famly IT Solution is made in connection with technical issues e.g. support, error correction or other technical causes, such access will be logged in the Application Log.

3. Availability and Resilience (Article 32 Paragraph 1 Point b and c GDPR)

Availability Control 

The data must be protected against accidental destruction or loss. 

Measures to assure data security:

  • Fire, Power Outages: Famly's office and Data Centres are secured in the usual manner to protect against fire. The Data Centres are furthermore secured so that the operations can continue even during power outages of a certain duration. Protection against loss of communication connections to the Data Centres has also been established.
  • Backups: Famly secures Data stored in the Famly IT Solution through continuous backups of Data several times daily. The backup is conducted as a mix of full backup and incremental (whereby the changes are stored) backup. Famly regularly conducts restore-tests of previously completed backups to make sure that the backup routines function as intended. Backups are for extra safety reasons also duplicated and stored in another Data Centre from a different provider. 
  • Uninterruptible Power Supply (UPS): The Data Centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data Centres use generators to provide back-up power for the entire facility.
  • Climate and Temperature: Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centres are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels. Electrical, mechanical, and life support systems and equipment are monitored so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment. 

Rapid Recovery

  • In case of a major incident, Famly has the ability to quickly recover access to Personal Data by restoring recently backed-up files to production environments on newly booted servers. This can be done in a matter of hours and ensures that any potential downtime is minimised.

4. Procedures for regular testing, assessment, and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)

Incident Response Management

Security Breach Procedure

  • Provided that Famly detects a security breach or threat hereof in relation to the Famly IT Solution, Famly will seek to locate and identify such breach or threat as well as the scope of the issue as soon as possible, seek to limit the potential or occurred damage to the extent possible, seek to hinder such a security breach in the future and to the extent possible, restore any lost Data. 
  • In the case of a security breach where unauthorized people gain access to the Customer's Data or where loss of Data has occurred, Famly will, when possible, notify the Customer in a written notice about the security breach. Such notifications will contain information about which Data Famly deems to have been accessed without authorization, whether Famly has initiated special precautions, and the notification will inform whether the Customer, according to Famly's evaluation, must take special precautions.

Order or Contract Control 

  • Famly has entered into market standard data processing agreements with Data Sub-processors in order to comply with the terms under this Data Processing Agreement.

Audit 

  • Famly will at least annually have an external auditor verify that the procedures specified in this Data Processing Agreement are followed.