Technical and Organisational Measures

This policy describes technological and organisational security measures that we have implemented across our business to ensure that customer data is processed in accordance with the applicable data protection laws and the data protection agreement in place between us and our customers. This policy is regularly updated to reflect changes made in our security and data protection compliance program.

General Organizational Measures

• Data Protection Officer and Compliance Program. We have appointed a Data Protection Officer who is responsible for coordinating, monitoring and improving our security and data protection compliance program (“Compliance Program“). Our Compliance Program defines clear roles and responsibilities of our personnel. The Data Protection Officer is responsible for coordinating, monitoring and improving the Compliance Program.
• Security Management System and external audits. We have implemented an Information Security Management System certified against international standards ISO/IEC 27001 and ISO/IEC 9001. To confirm our compliance with ISO/IEC 27001 and ISO/IEC 9001, we undergo an external audit once a year, and every third year we undergo a re-certification process. All audits are conducted by external and independent certifying entities.
• Confidentiality. Our entire personnel are subject to confidentiality obligations and may only access personal data as required for them to perform their job role and subject to  prior, written authorization issued by TMC.

Training and Awareness

• Personnel training. We conduct regular, mandatory training sessions (both in-house and via an external provider) for our personnel on data protection compliance  and personnel roles within our Compliance Program. We also inform our personnel about possible consequences of non-compliance.

Physical and Environment Security

1. Physical access to datacenters. Customer data is processed within Microsoft Azure datacenters in the UK. Access to these datacenters is restricted only to identified Microsoft staff members. Our personnel may not physically access these datacenters.
2. Physical access to our facilities. Only identified and authorized members of our personnel may access our facilities. Unauthorized personnel may not access these facilities.
3. Monitoring of facilities. Our facilities are constantly monitored by us and an external security service to prevent unauthorized access. Visitors may only access a designated space of our facilities where no data is processed and only where they have been granted access.
4. Protection from disruptions. We use a variety of industry accepted solutions to protect against loss of data due to power supply failure, fire, natural disaster or line interference.
5. Component disposal. We use industry accepted solutions to delete customer data when it is no longer needed.

Access Control

1. Access authorization. We maintain a record of personnel authorized to access our facilities and information systems. We have implemented a system of controls to make sure that no one can stop working for our organization without having their authentication credentials deactivated and all access rights revoked. Additionally, we conduct regular (at least once every 3 months) audits to make sure that authentication credentials that have not been used are deactivated. De-activated or expired identifiers are not granted to other or new members of our personnel. We maintain industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
2. Limitation of privileges. Only a small, selected group of personnel may grant, alter or cancel access privileges to our facilities and information systems. The scope of access rights granted to our personnel is limited strictly to assets necessary to perform their functions.
3. Authentication of users. We use industry accepted solutions, such as multifactor authentication, to identify and authenticate users who access our IT systems. Passwords are renewed regularly and must comply with minimum requirements imposed by our security policies. We use various best practices designed to maintain the confidentiality and integrity of passwords when they are assigned, distributed and stored.
4. Monitoring. We monitor our information systems against all attempts of unauthorized access and use of expired or invalid credentials.

Asset and Operations Management

1. Endpoint protection. All computing endpoints are encrypted and protected against malware.
2. Backup copies. We make regular copies of service settings and configuration details and customer data.
3. Access to backups. All backups are automatically created by Microsoft Azure and stored on Azure in the UK region. We have processes in place which ensure that access to backup copies is restricted to the necessary minimum, that backups may not be used outside of Microsoft Azure’s environment, and that no data can be restored without the authorization of senior personnel members.
4. Integrity and confidentiality. Our personnel have to disable all sessions when leaving our facilities or leaving computers unattended. Only a small, selected group of our personnel who require remote access due to the character of their duties may carry mobile devices and use them outside of our premises. All mobile devices are password protected and have encrypted storage.
5. Printing and portable data carriers. We have procedures in place which guarantee that no data can be printed or copied to portable data carriers without our prior authorization. Members of our personnel are prohibited from using unauthorized portable data carriers within our premises.
6. Network controls. Only authorized devices may use our networks. We have controls in place which ensure that unauthorized devices may not be used within our network.
7. Mobile applications. Our mobile applications send all their data encrypted, so that no data can be used outside of our environment.

Incident Management

1. Malicious software. We have anti-malware controls in place to help avoid malicious software gaining unauthorized access to customer data and our information systems, including malicious software originating from public networks.
2. Incident record. We maintain a record of security incidents which include the date and time of the incident, the consequences of the breach and measures implemented to avoid similar situations in the future.
3. Service monitoring. We verify and monitor logs against irregularities and suspicious activity.

Application controls

1. Documentation. We maintain documentation which describes the architecture and features of TMC’s services.
2. Guidelines and policies. We maintain guidelines and policies for developers which ensure that personal data processing principles such as data protection  by design and data protection by default principles are observed while developing our applications.
3. Code review and patch management. We regularly review application codes for errors and issue patches or fixes.