The following sections define NT-ware's current technical and organizational measures. NT-ware may change these at any time without notice so long as it maintains a comparable or better level of security. Individual measures may be replaced by new measures that serve the same purpose without diminishing the security level protecting personal data.
Physical access control:
Unauthorized persons are prevented from gaining physical access to premises, buildings or rooms where data processing systems that process and/or use personal data are located. uniFLOW Online is a SaaS offering hosted completely within Microsoft Azure Data Centers. The security and controls of these data centers are managed by Microsoft and employ industry-leading security, resilience, redundancy, and compliance measures. Further information can be found at Azure infrastructure security | Microsoft Docs (https://docs.microsoft.com/bs-latn-ba/azure/security/fundamentals/infrastructure) and a full compliance listing is available from Microsoft Compliance in the trusted cloud | Microsoft Azure (https://docs.microsoft.com/en-us/azure/compliance/).
- All NT-ware offices have implemented security and intrusion detection with 24/7 monitoring.
- All buildings have access controls unique to each individual. Privileged access to server rooms, network and infrastructure, and any PII (Personally Identifying Information) is restricted to 'need to know' personnel only. Changes and additions to this system are managed within our IT change control and HR onboarding procedures.
- Access by contractors to any of our buildings will be supervised unless the security clearance assessment has already been performed.
System access control:
Data processing systems used to provide the NT-ware service must be prevented from being used without authorization.
- Authorization to critical systems or sensitive information is strictly maintained in accordance with NT-ware security policies.
- All personnel access NT-ware systems with a unique identifier (user ID).
- NT-ware follows strict change control and monitoring of any access requests to critical systems. When personnel leave the company, their access rights are revoked.
- NT-ware has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfil defined minimum requirements and are stored in encrypted form. In the case of domain passwords, the system forces a password change every twelve months in compliance with the requirements for complex passwords. Each computer locks after a period of inactivity.
- The company network is protected from the public network by firewalls.
- NT-ware uses up-to-date enterprise antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations.
- Security patch management is implemented to provide regular and periodic deployment of relevant security updates. Full remote access to NT-ware's corporate network and critical infrastructure is protected by a VPN infrastructure with strong multi-factor authentication.
Data access control:
Persons entitled to use data processing systems gain access only to the personal data that they have a right to access, and personal data must not be read, copied, modified or removed without authorization in the course of processing, use and storage.
- As part of the NT-ware Security Policy, personal data requires at least the same protection level as "confidential" information according to the NT-ware information classification standard.
- Access to personal data is granted on a need-to-know basis. Personnel have access only to the information that they require in order to fulfil their duties.
- All production servers are operated in the data centers or in secure server rooms. Security measures that protect applications processing personal data are regularly checked. To this end, NT-ware conducts internal and external security checks and penetration tests on its IT systems.
- NT-ware does not allow the installation of software that has not been approved by NT-ware IT on server infrastructure containing sensitive information.
- NT-ware follows security policies for the deletion and destruction of data carriers no longer required.
Data transmission controls:
Except as necessary for the provision of the NT-ware services in accordance with the relevant agreement, personal data must not be read, copied, modified or removed without authorization during transfer. Where data carriers are physically transported, adequate measures are implemented at NT-ware to provide the agreed-upon service levels (for example, encryption and lead-lined containers).
- Personal data in transfer over NT-ware internal networks is protected according to NT-ware Security Policy. Network segmentation is in place to ensure isolation between low and high security infrastructure.
- When data is transferred between NT-ware and its customers, this is always conducted over secure, encrypted transport protocols. In all cases, the customer assumes responsibility for any data transfer once it is outside of NT-ware-controlled systems (e.g. data being transmitted outside the firewall of the NT-ware infrastructure).
Data input controls:
It will be possible to retrospectively examine and establish whether and by whom personal data have been entered, modified or removed from NT-ware data processing systems.
- NT-ware only allows authorized personnel to access personal data as required in the course of their duty.
- NT-ware has implemented a logging system for input, modification and deletion, or blocking of personal data by NT-ware or its subprocessors within the NT-ware service to the extent technically possible.
Job control:
Job control is required to ensure that personal data processed on behalf of others are processed strictly in compliance with the customer's instructions.
- As part of NT-ware's Security Policy, personal data requires at least the same protection level as "confidential" information according to the NT-ware information classification standard.
- All NT-ware employees and contractual subprocessors or other service providers are contractually bound to respect the confidentiality of all sensitive information including trade secrets of NT-ware customers and partners.
- For support services, NT-ware customers have control over their remote support connections at all times. NT-ware employees cannot access a customer system without the knowledge and consent of the customer.
Personal data will be protected against accidental or unauthorized destruction or loss.
- NT-ware employs regular backup processes to provide restoration of business-critical systems as and when necessary.
- NT-ware uses uninterruptible power supplies (for example: UPS, batteries, etc.) to protect power availability to server and network infrastructure.
- NT-ware has defined business continuity plans for business-critical processes.
- Emergency processes and systems are reviewed regularly.
Data separation control:
Personal data collected for different purposes can be processed separately.
- NT-ware uses appropriate technical controls to achieve customer data separation at all times.
- Customers (including their approved controllers) have access only to their own data, based on secure authentication and authorization.
- If personal data is required to handle a customer support incident, this data is stored in dedicated support systems.
- Data exchanged in the course of a support session can be provided over an NT-ware-managed secure file exchange. In alignment with European and GDPR regulations, all information related to a support case that contains personal information is deleted at the end of the support ticket where practical.
Data integrity control:
Personal data will remain intact, complete and current during processing activities.
- NT-ware has implemented a multi-layered defense strategy as a protection against unauthorized modifications. In particular, NT-ware uses the following to implement the controls and measures described in the sections above:
  - Security monitoring tools
  - Antivirus software
  - Backup and recovery
  - External and internal penetration testing and vulnerability assessments