TOM

Technical and Organizational Measures

Privacy Policy / Security Concept

The Data Controller's and Processor's privacy policies (including any relevant security policies) address the security of personal data.


Organizational security measures

The internal organization is appropriately designed to meet the specific requirements of data protection.

  • Policies and procedures are in place and are checked regularly.
  • Risks are evaluated and documented.
  • Information is classified according to a policy.
  • A security manager has been appointed.
  • Appropriate measurements for the performance and effectiveness of security management are in place.

Security measures for changes in service

The change management process includes a data protection impact analysis and information security risk evaluation.

Personal data may only be utilized for process or system development activities and the testing associated therewith if they have been anonymised prior to their utilization or otherwise protected.


Security measures in user management

Measures prevent data processing systems from being used by unauthorized persons.

  • Passwords are managed with a password manager.
  • A password policy is in place and enforced through the password manager and a Mobile Device Management system.
  • Two-factor authentication is enforced where required by our policy.

Security measures for logical access

Logical access to personal data is restricted.

Measures ensure that persons authorized to use the data processing systems may only access data for which they are authorized.

  • Access is granted based upon the need-to-know principle (Principle of Least Privilege).
  • Access is granted/revoked upon request. Revocation may also happen automatically after a set timeframe, or manually after a review was conducted.
  • We have an authorization request process in place, with documentation of the user that needs access, the system, the requested permissions, the requester and the authorizer.
  • As part of the HR onboarding process and HR offboarding process, access rights will be granted/revoked as well.
  • We conduct regular reviews of logical access on all our systems, depending on the classification of information, and document those reviews.

Separation of mandates

Customer data is logically separated and separated from each other by security mechanisms.

In addition, there are test and staging systems that are completely separate from the productive system.


Deleting Data

Data is deleted from the database or storage after 90 days.


Security measures for physical access

Physical access to personal data in any format is restricted.

Personal data, in any format, is protected against accidental disclosure due to natural disaster and environmental hazards.

Personal data on portable media or devices is protected against unauthorized access. Storage media security measures prevent unauthorized reading, copying, modification or removal of storage media.

Exoscale Data Center (Geneve & Zurich, Switzerland)

DAYquiri GmbH Office Schaffhausen (CH) & Stuttgart (DE)

  • Access to the office premises is secured with locks and only possible with the appropriate keys, which are only in the hands of DAYquiri employees. Keys are issued to DAYquiri employees upon signing of the contract, and keys are withdrawn upon termination of employment.
  • Guests or visitors will not be received in the 2 offices of DAYquiri GmbH.
  • The company network of DAYquiri GmbH is protected by a state-of-the-art firewall.

Security measures for storage

There are measures in place to prevent unauthorized input and unauthorized evaluation, modification, or deletion of stored personal data. These also include protection against malware.

  • Cloud storage
    • Access to personal data is thoroughly managed, see “Security measures for logical access”.
    • Computer resources in the cloud are automatically checked for vulnerabilities.
    • Encryption is used for all data access workloads.
    • Daily backups are kept for one week, after which they are deleted.
    • Weekly backups are kept for 90 days, after which they are deleted.
  • Employee devices
    • All employee devices are full disk encrypted. A firewall and antivirus protection are present. Automatic screen locks are activated.
    • Stolen or lost devices can be remotely locked or wiped.
    • Only authorized repair shops can be used to repair company-owned devices. Computers are only bought at authorized resellers.
    • Storage of data on removable media is not allowed.

Secure Development

A secure development policy is in place to make sure insecure code is not introduced and that existing code and third-party libraries are regularly checked for vulnerabilities.

  • Measures are in place to detect insecure code (static code analysis).
  • Development needs to adhere to our secure development policy.
  • All application code is peer reviewed.
  • Used libraries are automatically scanned for known vulnerabilities.

Security measures for data input

There are measures in place to ensure that it can be verified what personal data has been entered into data processing systems, by whom and when.


Control over processed information

The data subject has the possibility to obtain information on the processing of his/her personal data, to have such data corrected and deleted.

Data is deleted online directly in the database or in the online storage and then disappears from the back-ups after 2 weeks as soon as they are renewed.


Security measures during processing

There are measures in place to ensure that, in the case of commissioned processing of personal data, the data is processed strictly in compliance with the Data Controller's instructions.


Security measures for transfer of data

There are measures in place to prevent unauthorized reading, copying, modification or deletion of personal data during the transmission or transport of storage media.

  • All connections to our data centers are encrypted in transit with state-of-the-art TLS. Supported ciphers are regularly checked for deprecation.
  • Third parties that process personal data have appropriate security controls in place.
  • Unencrypted email attachments do not include confidential or sensitive information.

Availability and Resilience

See certificates of the data center:


Security measures in the event of incidents

  • A documented procedure for the management of data protection incidents and violations has been implemented.
  • Employees are regularly trained on preventing security incidents but also on how to react to such incidents, including the possible need to quickly report incidents to authorities and inform users.
  • Employees are encouraged to report incidents.

Assessment of security measures

Assessments and tests of the effectiveness of the key organizational, technical, and physical safeguards protecting personal data are conducted according to our policies, including but not limited to:

  • External vulnerability scans and penetration tests are conducted at least once a year.
  • External infrastructure audits are conducted at least once a year.
  • External code audits are conducted when deemed necessary.
  • Internal architecture and security audits are conducted at least once a year.

The results of the analyses are documented.