TOMS

Technical and organisational standard measures on the protection of personal data

of POC Austria GmbH, hereafter referred to as POC.

Standard Measures. POC provides for the protection of personal data in the context of the following standard processing operations, which

  • include only a limited extend of personal data about criminal records and criminal convictions or special categories of personal data and
  • in other ways as well only pose little or no risk

the following technical and organisational standard measures

  • to ensure the confidentiality of data processing,
  • to ensure the integrity of data processing,
  • to ensure the availability of data processing,

to ensure the resilience of systems and services related to data processing,

  • to ensure the ability for rapid recovery of data processing including availability and access in case of a physical or technical incident,
  • to ensure the regular review and evaluation of the effectiveness of the technical and organizational measures to ensure the safety of the processing

in the following areas:

Organisational Control

  • policies, procedures und guidelines regarding processing and safety
  • operational, maintenance and service contracts including Service Level Agreements
  • regular awareness trainings regarding processing and safety
  • regular, unexpected, controls on compliance with data protection and safety

Entry Control

  • alarm system, time management
  • alarm system, CCTV, turnstile and sentry within security zones

Access Control

  • hard-and software systems for security and defense (FIREWALL / IPS / LOG)
  • password policy (complexity, history; enforced regular change)
  • multi factor authentication for remote access
  • automatic screen lock on inactivity
  • automatic account lockout on attacks
  • monitoring and alerting

Authorisation Control

  • role based authorisation concept
  • policies, procedures and guidelines

Redistributal Control

  • written procedure logging (legitimacy, confirmation, etc.)
  • enforcing strong encryption on storage device archiving, transport and transmission
  • usage of strong encryption on mobile devices
  • multi factor authentication for remote access
  • cyclic review on used procedures and technologies

Input Control

  • automatic plausibility tests
  • logging and evaluation systems
  • documentation and contracts

Order Control

  • detailed regulations of the order and the entire order process
  • formalized order (order form / receipt)
  • order execution checked and documented


Availiability Control

  • environmental monitor
  • application management
  • fire extinguishers in the office rooms
  • fire containment system within security zones
  • overtemperature signalling and automatic emergency shutdown within security zones
  • redundant UPS and generators within security zones
  • redundant AC within security zones
  • Operational, Maintenance and Service contracts including Service Level Agreements
     

Separation Controls

  • regulations and measures for the separation of data with different contracts / processing purposes
  • segmentation of the processing systems (production, test, development)