APPENDIX NO. 3.

TECHNICAL AND ORGANIZATIONAL MEASURES

1. Information Security Program. META-INF will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the META-INF Network, and (c) minimise security risks, including through risk assessment and regular testing. META-INF will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:

1.1 Network Security. The META-INF Network will be electronically accessible to employees, contractors and any other person as necessary to provide the Services. AWS will maintain access controls and policies to manage what access is allowed to the META-INF Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. AWS will maintain corrective action and incident response plans to respond to potential security threats.

1.2 Physical Security

1.2.1 Physical Access Controls. Physical components of the META-INF Network are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorised entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (for example, card access systems, etc.) or validation by human security personnel (for example, contract or in-house security guard service, receptionist, etc.). Employees and certain contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors and any other contractors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor or contractor is at any of the Facilities, and are continually escorted by authorised employees or contractors while visiting the Facilities.

1.2.2 Limited Employee and Contractor Access. META-INF provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of META-INF or its affiliates.

1.2.3 Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. META-INF also maintains electronic intrusion detection systems designed to detect unauthorised access to the Facilities, including monitoring points of vulnerability (for example, primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

2. Continued Evaluation. META-INF will conduct periodic reviews of the security of its META-INF Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. META-INF will continually evaluate the security of its META-INF Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

1.) Confidentiality

a) Access control to premises and facilities

Technical and organizational measures to control access to premises and facilities, particularly to check authorization:

  • infrastructure in AWS private cloud, access is given only to authorised individuals, infrastructure access only possible in multi level security steps

b) Access control to systems

Technical (ID/password security) and organizational (user master data) measures for user identification and authentication

  • Password procedures (incl. special characters, minimum length, change of password)
  • Encryption of data media

c) Access control to data

Requirements-driven definition of the authorization scheme and access rights, and monitoring and logging of accesses:

  • Differentiated access rights (profiles, roles, transactions and objects)
  • Change
  • Logging of system access events

d) Disclosure control

Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking:

  • Encryption / tunneling (VPN = Virtual Private Network)
  • Logging
  • Transport security

e) Segregation control

Measures to provide for separate processing (storage, amendment, deletion, transmission) of data for different purposes:

  • Storage

f) Pseudonymisation and Encryption

  • Database and file system encoding, keys at AWS and META-INF

2.) Integrity

a) Disclosure control

Measures to transport, transmit and communicate or store data on data media (manual or electronic) and for subsequent checking:

  • Password procedures (incl. special characters, minimum length, change of password)
  • Encryption of data media

b) Input control

Measures for subsequent checking whether data have been entered, changed or removed (deleted), and by whom:

  • Logging and reporting systems

3.) Availability and Resilience

a) Availability control

Measures to assure data security (physical/logical):

  • Backup procedures
  • Mirroring of hard disks, e.g. RAID technology
  • Disaster recovery plan

b) Resilience of the Systems

  • ongoing Monitoring of the parameter of the data center and the uses of applications
  • usage of fault tolerant systems
  • contingency plan

c) Rapid Recovery:

  • recovery
  • control of contingency plan

4.) Procedures for regular testing, assessment and evaluation

  • Data Protection Management
  • Incident Response Management
  • Training of employees
  • Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
  • Order or Contract Control (Article 28 GDPR)

Tartalom