Encryption of Personal Data

Article 32 Paragraph 1 Clause a GDPR

If personal data is stored in or sent to Corporater SaaS, it is encrypted at rest in the database backups and encrypted in transit (HTTPS) between the end user and AWS.

Confidentiality

Article 32 Paragraph 1 Clause b GDPR

Physical Access Control

AWS provides physical data center access only to approved employees. All employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound.

Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Remote Access Control

The Corporater SaaS platform infrastructure and application layer are accessed remotely by the Corporater SaaS department, which is ISO 27001 certified. All employees with access to Corporater SaaS use multi-factor authentication (MFA) and a secure VPN for all operations.

All processing of data in Corporater SaaS takes place inside the customer's dedicated VPC, and all resources in it (application server and database) are used exclusively by that one customer.

During upgrades, we offer a separate Sandbox/Test environment in the same VPC.

Availability and Resilience

Article 32 Paragraph 1 Clause b GDPR

The Corporater SaaS platform and its AWS infrastructure are monitored 24/7 by Corporater staff to ensure the stability of the components in use, scaling in line with data growth, and uptime for end users. This includes prevention of accidental or wilful destruction or loss, a backup strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewalls, reporting procedures and contingency planning.

AWS data centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Backups are taken on a daily basis and are kept for 30 days.

Integrity

Article 32 Paragraph 1 Clause b GDPR

Data Transfer Control

All traffic between Corporater SaaS and the end users' web browsers accessing the application is encrypted (HTTPS/SSL) using valid certificates. Any integrations are secured in a manner acceptable to the customer, for example with VPN tunnels or, if applicable, web-service endpoints on the customer's source system.

Data Entry Control

Access for either maintenance of the platform or configuration of the software is logged in dedicated audit logs. Maintenance of the Corporater SaaS on the AWS platform is logged within AWS.

Access to and modifications of the customer's configuration are logged within the Corporater platform and are at all times available to the customer's administrators.

Procedures for Disaster Recovery

Article 32 Paragraph 1 Clause c GDPR

Corporater has, as part of the ISO 27001 certification and our internal control system, created and defined an escalation process which specifies who is to be informed in the case of any network, storage, or compute malfunction that results in service degradation and/or data loss. The goal of this escalation process is for all staff to be in a state of readiness should disaster recovery or data recovery procedures need to be undertaken, so that systems are restored as quickly as possible. In addition, AWS data centers and services are designed in a way that allows Corporater to provide disaster recovery scenarios matching the needs of customers from small businesses to large enterprises.

Procedures for regular testing, assessment and evaluation

Article 32 Paragraph 1 Clause d GDPR; Article 25 Paragraph 1 GDPR

Corporater's Data Protection Organization will perform, as part of our internal control procedure, training, assessments and evaluations that align with the competencies of specific job roles/departments and locations. The purpose of this is to verify that the existing procedures are adapted to the actual situation, that the procedures are followed by all employees or third parties who have access to personal data, and that any security breaches are reported to the responsible person.
