Security Measures

Last Updated: June 6, 2025

Capitalized terms not otherwise defined herein have the meanings set forth in the applicable agreement.

1. Physical access control.

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including, without limitation, databases, application servers and related hardware), where Personal Information is processed, including at least:

  • Establishing security areas, restriction of access paths; 
  • Establishing access authorizations for employees and third parties;
  • Access control system (ID reader, magnetic card, chip card); 
  • Key management, card-keys procedures;
  • Door locking (electric door openers etc.);
  • Security staff, janitors;
  • Surveillance facilities, video/CCTV monitor (as permitted under local law), alarm system; and
  • Securing decentralized data processing equipment and personal computers.

2. Virtual access control.

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons including at least:

  • User identification and authentication procedures;
  • ID/password security procedures (special characters, minimum length, change of password);
  • Automatic locking (e.g., password-protected screen lock or session timeout);
  • Monitoring of break-in attempts and automatic disabling of the user ID after several erroneous password attempts; and
  • Creation of one master record per user, user master data procedures, per data processing environment.
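The lockout and password rules above can be made concrete. The following Go program is an added example, not part of this document or of any particular provider's implementation; the thresholds (12 characters, 5 attempts, 15 minutes), the user ID `alice` and the sample password are assumptions chosen for illustration. The clock is injectable so that lockout expiry can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy parameters: illustrative assumptions, not figures from the text.
const (
	MinPasswordLen    = 12
	MaxFailedAttempts = 5
	LockoutDuration   = 15 * time.Minute
)

var (
	ErrBadCredentials = errors.New("invalid user ID or password")
	ErrLocked         = errors.New("user ID temporarily disabled")
)

type record struct { // the one master record kept per user ID
	salt, hash  []byte    // hash = sha256(salt || password); see Register
	failed      int       // consecutive failures since the last success
	lockedUntil time.Time // zero value means not locked
}

type Authenticator struct {
	users map[string]*record
	now   func() time.Time // injectable clock so lockout expiry is testable
}

func NewAuthenticator(now func() time.Time) *Authenticator {
	return &Authenticator{users: map[string]*record{}, now: now}
}

// CheckPasswordPolicy enforces the minimum length and requires one character
// from each class (upper, lower, digit, special) named in the text.
func CheckPasswordPolicy(pw string) error {
	if len([]rune(pw)) < MinPasswordLen {
		return fmt.Errorf("password shorter than %d characters", MinPasswordLen)
	}
	special := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	for _, class := range []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit, special} {
		if strings.IndexFunc(pw, class) < 0 {
			return errors.New("password needs upper, lower, digit and special characters")
		}
	}
	return nil
}

func hashPassword(salt []byte, pw string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return h[:]
}

// Register checks the policy, then creates the user's master record. Salted
// SHA-256 stands in for the slow password hash (argon2id, bcrypt) to use in practice.
func (a *Authenticator) Register(user, pw string) error {
	if err := CheckPasswordPolicy(pw); err != nil {
		return err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.users[user] = &record{salt: salt, hash: hashPassword(salt, pw)}
	return nil
}

// Login checks the lockout state before the password, so a locked account
// rejects even the correct password until the lockout expires.
func (a *Authenticator) Login(user, pw string) error {
	rec, ok := a.users[user]
	if !ok {
		return ErrBadCredentials // do not reveal that the ID does not exist
	}
	now := a.now()
	if now.Before(rec.lockedUntil) {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare(hashPassword(rec.salt, pw), rec.hash) != 1 {
		rec.failed++
		if rec.failed >= MaxFailedAttempts {
			rec.lockedUntil, rec.failed = now.Add(LockoutDuration), 0
		}
		return ErrBadCredentials
	}
	rec.failed = 0
	return nil
}

func main() {
	a := NewAuthenticator(time.Now)
	_ = a.Register("alice", "Correct-Horse-9")
	fmt.Println(a.Login("alice", "wrong"), a.Login("alice", "Correct-Horse-9"))
}
```

Two design points matter for the control as worded: the lockout check runs before the password check, so a disabled ID stays disabled even when the attacker eventually guesses right, and an unknown user ID returns the same error as a wrong password so the login endpoint cannot be used to enumerate valid IDs.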

3. Data access control.

Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Personal Information in accordance with their access rights, and that Personal Information cannot be read, copied, modified or deleted without authorization, including at least:

  • Internal policies and procedures;
  • Control authorization schemes;
  • Differentiated access rights (profiles, roles, transactions and objects); 
  • Monitoring and logging of accesses;
  • Disciplinary action against employees who access Personal Information without authorization;
  • Reports of access;
  • Access procedure;
  • Change procedure; and
  • Deletion procedure.

4. Disclosure control.

Technical and organizational measures to ensure that Personal Information cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Personal Information is disclosed, including at least:

  • Tunneling (e.g., VPN or other encrypted tunnels); 
  • Logging; and
  • Transport security (e.g., TLS for data in transit).

5. Entry control.

Technical and organizational measures to monitor whether data have been entered, changed or removed (deleted), and by whom, from data processing systems, including at least:

  • Logging and reporting systems;
  • Audit trails and documentation; and
  • Rate limiting or a reduction in the number of sub-accounts that can be created or linked to (max. 8 recommended).

6. Availability control.

Technical and organizational measures to ensure that Personal Information is protected against accidental destruction or loss (physical/logical) including at least:

  • Backup procedures;
  • Mirroring of hard disks (e.g., RAID technology);
  • Uninterruptible power supply (UPS);
  • Remote storage;
  • Antivirus/firewall systems; and
  • Disaster recovery plan.

7. Separation control.

Technical and organizational measures to ensure that Personal Information collected for different purposes can be processed separately including at least:

  • Separation of databases;
  • “Internal client” concept / limitation of use;
  • Segregation of functions (production/testing); and
  • Procedures for storage, amendment, deletion, transmission of data for different purposes.

8. Endpoint control.

Technical and organizational measures to ensure that endpoints involved in touching, storing or accessing Personal Information are protected against unauthorized access or penetration, including at least:

  • Industry standard anti-malware solutions;
  • Encryption of data at rest using AES-256 as a minimum; and
  • Routine penetration testing and/or vulnerability management and review.
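The AES-256 minimum is easy to miss in practice, because a crypto library will happily run AES-128 or AES-192 if handed a 16- or 24-byte key. The following Go program is an added example, not part of this document or of any provider's product; it encrypts a record at rest with AES-256-GCM, refuses shorter keys, and binds each blob to its record identifier so it cannot be moved to another record undetected. The record ID `record-42` and the sample plaintext are constructed for illustration, and the key is generated in-process only for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyLen is 32 bytes (256 bits), the minimum the text requires.
const KeyLen = 32

var ErrKeyLength = errors.New("key must be exactly 32 bytes for AES-256")

// Sealer encrypts records at rest with AES-256-GCM.
type Sealer struct{ aead cipher.AEAD }

// NewSealer rejects 16- and 24-byte keys: aes.NewCipher would accept them
// and silently select AES-128 or AES-192, below the required strength.
func NewSealer(key []byte) (*Sealer, error) {
	if len(key) != KeyLen {
		return nil, ErrKeyLength
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. A fresh random nonce is drawn per
// call; reusing a nonce under the same key breaks GCM. The aad (here the
// record ID the blob is stored under) is authenticated but not encrypted,
// so a blob cannot be swapped into another record unnoticed.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails on any modification of nonce, ciphertext,
// tag or aad.
func (s *Sealer) Open(blob, aad []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(blob) < n+s.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], aad)
}

func main() {
	key := make([]byte, KeyLen) // in practice from a KMS/HSM, never hard-coded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, err := NewSealer(key)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real Personal Information.
	blob, _ := s.Seal([]byte("jane@example.com"), []byte("record-42"))
	pt, err := s.Open(blob, []byte("record-42"))
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	_, err = s.Open(blob, []byte("record-43")) // wrong record ID
	fmt.Println("moved to another record:", err)
	_, err = NewSealer(key[:16])
	fmt.Println("128-bit key:", err)
}
```

The key-length check is the part that enforces "AES-256 as a minimum"; everything else (random nonce per record, authenticated associated data, tamper detection on decrypt) is what makes "encryption at rest" actually protect the data against the copy/modify threats listed under disclosure control.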