Technical and organizational measures (TOMs): where do they come from and what to do with them?

With the increased adoption of aaS (as-a-Service) solutions, most organizations rely on a large number of vendors to provision their services. Supply-chain risk has motivated many companies, and data protection law itself, to impose data protection requirements on vendors, specifically when those vendors receive personal data. These requirements are usually described in documents called TOMs (technical and organizational measures), which may be incorporated in or referenced by data processing agreements.

Where do the specific requirements come from?

Most comprehensive data protection regulations require that personal data be protected, and that protection is achieved through technical and organizational measures. The regulations say little about what those measures must be: GDPR Article 32(1) names a few examples (pseudonymisation and encryption; the ability to ensure confidentiality, integrity, availability and resilience; the ability to restore availability after an incident; and regular testing of the measures) and otherwise only demands that the measures be appropriate to the risk, "in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data" (GDPR Article 32(2)).

When vendors are involved in the processing, these protection requirements must become part of the agreements that govern the sharing of personal data (see GDPR Article 28(3)(c) and CPRA Section 4). How the requirements are phrased varies considerably with the maturity of the organization's security program. More and more organizations, however, write specific controls based on industry good practice into the agreement and may additionally require regular third-party attestation of those controls, for example an ISO 27001 certification or a SOC 2 report.

Industry good practice and learnings from enforcement actions

Past years' data protection enforcement actions around the globe, together with the TOMs that large service providers publish, make it possible to identify a set of common topics and the practices associated with them. Note, however, that the maturity level expected for each practice varies with the risk.

Security governance

The basis of a security program is a set of policies, roles, responsibilities and risk management practices that set the direction for implementing particular controls. These need to exist in documented form and be communicated across the organization.

Network and asset security

Apart from ensuring that all personal data is encrypted in transit, there is a set of basic network security practices that TOMs usually refer to, such as firewalls, network flow monitoring and volume-based alerting. Unfortunately, none of these technologies are plug and play: managing them and keeping them aligned with good practice has to be a continuous activity, not a one-off setup.

Additionally, assets connected to the network, and especially those exposed to the Internet, should be scanned regularly for known vulnerabilities, weak configurations and open network services. This presupposes an up-to-date asset inventory, since you cannot scan or patch what you do not know you have. Many attacks start with an unpatched system, so keeping every asset current with security updates is a must.

Systems management

While network management looks at assets from the outside, each of these assets hosts various systems, which all require individual management. User management in particular is always asked for: how accounts are provisioned and removed, and how permissions are configured and kept to what each role actually needs. Often specific requirements are defined for how authentication must be set up, multi-factor authentication for administrative access being a common one.

All these systems produce logs in one way or another. Like the network logs, these need to be collected centrally, protected against tampering and deletion, reviewed, and used to drive alerts. Logs should also be used to measure the effectiveness of the various security controls.

Where a company develops its own software, requirements may also apply to its secure development practices. Often a minimum strength of cryptographic algorithms is prescribed, and various security tests, including penetration tests, may be required.

Recovery capabilities

When relying on a vendor, companies most often fear outages they have no control over. TOMs therefore regularly include specific provisions about recovery capabilities. It is not enough for a vendor to have a comprehensive backup strategy: it must also have demonstrated that it can restore service from those backups (restores need to be tested, not assumed), and it must have documented and rehearsed incident and disaster management procedures.

Are you aware of all the TOMs you are obliged to maintain?

As seen above, TOMs cover many disciplines, and you may have different TOMs requirements in each of your business relations. How do you find the common denominator? How do you ensure that changes to your operations do not collide with your agreements?

In PASERO, you can keep all your vendor-related agreements and documents in one repository. Coming soon, you will also be able to review how each of your agreements handles the same common control differently. PASERO gives you a bird's eye view of your obligations, allowing you to decide quickly how to meet them across your business relations.

Feel free to take a look at our study, which goes into more detail on what GDPR requires in terms of technical and organizational measures, here.

Get a demo!

Book a demo and let us show you how we can take the burden of managing your data processing agreements off your shoulders and help you meet data protection regulatory requirements.
