A) Organizational measures

A-1) Adoption of an information security management policy and a policy for the protection of personal data in compliance with the privacy policy, based on risk analysis, in order to guarantee the confidentiality, availability and integrity of personal data and to protect the rights and freedoms of the data subjects;
A-2) Procedures for access to the physical premises, which are duly protected, limited to authorized persons subject to suitable identification;
A-3) User policy and disciplinary rules: detailed policies and regulations are applied, with which all users with access to IT services must comply in order to guarantee the security of the systems;
A-4) Logical access authorization: all computer systems are accessible only through access profiles limited to what is necessary for the task performed. The authorization profiles are identified and configured before access is granted;
A-5) There is an incident management procedure connected to technical monitoring tools for the systems, to which specialized personnel are assigned. In the event of an incident, the procedure identifies the actions to be taken in a logically determined order, in order to guarantee restoration of the service in the shortest possible time, as well as to verify the consequences and draw up a report; additional protection measures depend on the outcome of that report, in any case without prejudice to the verification of the adequacy of the protection systems in place;
A-6) Support management procedure: support interventions are managed through a procedure that verifies the authenticity of the request and delivers the support while minimizing the processing of personal data, through duly trained personnel and technical tools that respect security standards. Through a ticket system service made available to the CLIENT, it will always be possible to know the details of the intervention (duration, date and the operator, identified by a unique code assigned to him), and the data controller can verify the authenticity of the request for support;
A-7) In any case, the levels of access to the CLIENT's systems needed to provide technical assistance will be assigned only to certain specifically authorized employees, with authentication credentials conforming to international standards;
A-8) Written commitment to confidentiality by all employees before they access the systems;
A-9) Each employee can process only the information for which he has been authorized in relation to the duties performed, and is duly trained, through periodic updates, to process the data with the utmost confidentiality and security, in compliance with the privacy legislation;
A-10) Internal regulations for employees regarding the use of IT tools and potential employer controls;
A-11) Procedures for protecting against social engineering attacks, with the related specific training of personnel;
A-12) Procedures for selecting suitable suppliers, focused on checking the quality, security and legal compliance of the goods or services offered;
A-13) Procedure for verifying whether a DPIA (Data Protection Impact Assessment) is required for the IT systems used, according to the privacy legislation;
A-14) Data breach: there is a procedure for managing incidents that may affect personal data, based on the distribution of roles according to competence, verification of the potential harm (presumed or ascertained), management of countermeasures, the methods for sharing with the CLIENT information relating to personal data breaches, and the fulfilment of the related obligations required by the privacy legislation;
A-15) Procedures for the disposal of paper documentation and IT systems potentially containing information, using suitable tools (such as document shredders and certified disposal companies);
A-16) Update of the organizational measures, which will be verified every six months.
B) Technical measures

B-1) Authentication credentials: access to systems is based exclusively on unique authentication credentials, consisting of a confidential PIN or access key, with security measures compliant with international standards;
B-2) Management of access passwords according to best practices (length, complexity, expiration, robustness), entrusted to persons duly instructed on their use and storage;
B-3) System administrators: for users with the role of system administrator, whose duties are assigned through specific written appointments, a non-alterable log management system is implemented, properly configured to track the activities carried out and to allow subsequent monitoring to verify the regularity of operations. A procedure is then activated for verifying the work of system administrators as part of the information security plan developed internally, for compliance with privacy legislation and also to improve protection measures;
B-4) Use of encryption systems based on algorithms and protocols compliant with international standards;
B-5) IDS / IPS (Intrusion Detection System and Intrusion Prevention System) as intrusion detection systems, to detect cyber attacks at an early stage;
B-6) Adoption of firewall systems as perimeter defense components of computer networks and to protect communication lines;
B-7) Antivirus and anti-malware software, updated periodically, against the risk of intrusion and illegal action by programs;
B-8) Logging systems for system monitoring, storage of events that have occurred and identification of accesses;
B-9) Backup & restore systems, with the related management procedure;
B-10) Business continuity for the resilience of systems in the event of an incident;
B-11) Vulnerability Assessment & Penetration Test: system vulnerability analyses are periodically performed for both the infrastructure and application areas, together with periodic penetration tests based on different attack scenarios, with the aim of verifying the security level of applications, systems and networks and, on the basis of the resulting reports, improving the security measures;
B-12) Choice of a DATA CENTER with TIER 4 standard;
B-13) Constant updating of IT systems and technical measures as technology changes, with verification at pre-established intervals, as well as constant verification, from reliable sources, of the security problems affecting the IT products and services in use, for the purpose of the related updates.
Document title: | DPA |
---|---|
Document version: | V.1.2 |
Date of last adjustment: | 19/11/2024 |