Processing of Personal Data
Personal Data Processing Agreement
A. Applicable Data Protection Legislation allows a Data Controller to appoint a natural or legal person, public authority, agency or any other body or entity to act as its Processor with respect to Processing of Personal Data.
B. The Subcontractor to be appointed must provide sufficient guarantees, by virtue of its experience, skills and reliability, of implementing appropriate technical and organizational measures, such that the Processing activities it carries out satisfy the requirements of Applicable Data Protection Legislation and ensure the protection of the rights of Data Subjects, including with regard to security issues.
C. This Personal Data Processing Agreement, including its Annexes (“DPA”), is signed between the Customer and Mixlife Lda. The Customer and Mixlife will be jointly referred to as the “Parties”, and each individually as a “Party”. This DPA is signed between the Parties to formalize their agreement regarding their Personal Data Processing relationship, in accordance with Applicable Data Protection Legislation.
D. Mixlife Lda currently provides the Customer with services (“Services”) activated by the Customer under the terms of the applicable General Service Conditions, as well as other relevant particular conditions, available at: https://mixlife.pt/legal (“Conditions”). As part of the provision of Services, Mixlife Lda may Process Personal Data on behalf of the Customer, under the terms of this DPA.
E. The purposes of the Processing of Personal Data to be carried out by Mixlife Lda within the scope of the provision of Services are described in Annex 1 of this DPA.
F. The Parties entered into this DPA to ensure their compliance with Applicable Data Protection Legislation to establish guarantees and procedures for the lawful Processing of Personal Data between them. The Customer confirms that the provisions established in this DPA reflect the obligations that the Applicable Data Protection Legislation imposes on Mixlife Lda with regard to the Processing of Personal Data carried out by it in the scope of the provision of Services. In turn, Mixlife Lda undertakes to comply with the provisions of this DPA.
G. This document, once downloaded, will be completed, signed and sent by the Customer to [email protected]. It will then also be signed by Mixlife Lda and the Client. Once signed by both Parties, this DPA will fully replace any other agreement previously concluded between the Parties with the same scope.
The above recitals form an integral part of the DPA.
All capitalized terms used in this DPA will have the meaning given to them in the Conditions, unless they are specifically defined in this Clause. The terms of this DPA regarding the Processing of Personal Data will prevail over any conflicting or inconsistent provisions of the Conditions.
“Control Authority”: any public authority responsible for monitoring the application of Applicable Data Protection Legislation in relation to the Processing of Customer Personal Data;
“Special Categories of Personal Data”: Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical convictions, or trade union membership, as well as the Processing of genetic data, biometric data to identify a person unequivocally, health data or data relating to a person's sex life or sexual orientation. This definition also includes Personal Data relating to criminal convictions and offenses or related security measures;
“Standard Contractual Clauses”: the standard contractual clauses applicable to the transfer of Personal Data to third countries in accordance with the Regulation, approved by the European Commission in its Implementing Decision (EU) 2021/914, of 4 June 2021;
“Customer”: the entity that purchases the Services;
“Conditions”: the applicable General Service Conditions, as well as other relevant specific conditions, available at: https://mixlife.pt/legal;
“Personal Data”: any information relating to a Data Subject;
“Customer Personal Data”: Personal Data Processed as part of the provision of Services;
“Adequacy Decision”: a legally binding decision issued by the European Commission regarding a third country, considered adequate in terms of Personal Data protection guarantees by the European Commission, which allows the transfer of Personal Data from the EEA to that country;
“Data Subject Rights”: the rights recognized to the Data Subject by Applicable Data Protection Legislation. To the extent that the Regulation is applicable, this includes, for example, the right to access, the right to rectification, the right to erasure, the right to limit processing, the right to data portability and the right to object;
“DPA”: this Personal Data Processing Agreement, including its Annexes 1, 2 and 3;
“EEA”: the European Economic Area;
“Data Exporter” has the meaning established in the Standard Contractual Clauses;
“Data Importer” has the meaning established in the Standard Contractual Clauses;
“Applicable Data Protection Legislation”: in EU Member States, means the Regulation and other privacy/Personal Data protection legislation of EU Member States, including any guidelines and/or codes of practice issued by Supervisory Authorities from the EU; in other countries, any applicable privacy/data protection legislation;
“List of Sub-subcontractors”: the list of Sub-subcontractors that can be obtained upon written request to [email protected] ;
“Regulation”: Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and which repeals Directive 95/46/EC;
“Responsible for Processing”: a natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of Processing Personal Data;
“Non-EEA Data Controller”: a Data Controller to whom Mixlife Lda provides the Services who is established in a country outside the EEA, and who is not subject to the Regulation in accordance with its article 3, paragraph 2;
“Services”: the services activated by the Customer under the Conditions;
“Services with Non-EEA Sub-processors”: Registration and management of gTLD, ccTLD or ngTLD;
“Subcontractor”: a natural or legal person, public authority, agency or other body that Processes Personal Data on behalf of a Data Controller;
“Sub-Subcontractor”: an entity hired by Mixlife Lda to assist in the Processing of the Customer's Personal Data under the terms of this DPA, listed in the List of Subcontractors and whose hiring was approved by the Customer under the terms of Clause 5 of this DPA;
“Non-EEA Sub-processor” means a Sub-processor that Processes Customer Personal Data in a country outside the EEA, and that is not subject to the Regulation in accordance with its article 3, paragraph 2;
“Processing”: any operation or set of operations carried out on Personal Data or on sets of Personal Data, by automated or non-automated means, such as collection, registration, organization, structuring, conservation, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, broadcast or any other form of availability, comparison or interconnection, limitation, erasure or destruction. “Processing” means carrying out any of these types of operations, and “Processed” refers to Personal Data that is subjected to any of these types of operations;
“Data Holder”: an identified or identifiable natural person, whose Personal Data is Processed. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more specific factors of a physical nature, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“EU”: the European Union;
“Personal Data Breach”: a security breach that causes, accidentally or unlawfully, the unauthorized destruction, loss, alteration, disclosure or access to Customer Personal Data transmitted, preserved or subject to any other type of Processing.
2. Personal Data Processing Functions
2.1. The Parties agree that:
a) The Customer is Responsible for the Processing of the Customer's Personal Data, except when the Customer acts as a Subcontractor on behalf of a third party (who is the Responsible for the Processing of the Customer's Personal Data, or who in turn also acts as a Subcontractor on behalf of third party). The Customer, or the relevant Data Controller, determines the purposes for collecting and Processing the Customer's Personal Data;
b) Mixlife Lda acts, in any case, as a Subcontractor on behalf of the Customer regarding the Processing of the Customer's Personal Data within the scope of the provision of Services; and
c) This DPA regulates the relationship between the Parties with regard to their respective rights and obligations in relation to the Processing of Customer Personal Data carried out by Mixlife Lda, as Subcontractor, within the scope of the provision of Services.
3. Obligations of Mixlife Lda
3.1. The Customer, or the relevant Data Controller, determines the purposes of the Processing of the Customer's Personal Data in connection with the provision of the Services.
3.2. As part of the provision of Services, Mixlife Lda undertakes to comply with the following obligations, including those defined in Annexes 1 and 2 of this DPA:
a) Mixlife Lda must process the Customer's Personal Data only to the extent necessary for the provision of the Services, in accordance with the written instructions given by the Customer through this DPA;
b) Mixlife Lda must notify the Customer if it considers that a written instruction given by the Customer is in violation of Applicable Data Protection Legislation. Without prejudice to the provisions, Mixlife Lda is not obliged to carry out an exhaustive legal analysis of any written instruction given by the Customer;
c) Mixlife Lda, as Subcontractor, must notify the Customer without undue delay of any contact or communication it receives from a Control Authority regarding the Processing of the Customer's Personal Data. The Parties acknowledge and accept that, to the extent that Mixlife Lda is not legally obliged to respond to such contacts or communications, the responsibility for providing a response lies with the Customer, and not with Mixlife Lda;
d) Mixlife Lda has implemented operational, technical and organizational measures, including those described in Annex 2 of this DPA, designed to guarantee the security of the Customer's Personal Data. The Customer authorizes Mixlife Lda to implement suitable alternative measures, or use alternative locations for Processing the Customer's Personal Data, provided that the level of security of the measures or locations is maintained or reinforced in comparison to the measures declared in this DPA;
e) If Mixlife Lda discloses Customer Personal Data to its employees who are involved in providing the Services, Mixlife Lda must ensure that such employees: i) have assumed a confidentiality commitment or are subject to appropriate legal confidentiality obligations; and ii) Process Customer Personal Data under the instructions of Mixlife Lda, in accordance with its obligations under this DPA.
4. Customer Obligations
4.1. The Customer acknowledges and accepts that, in order for Mixlife Lda to provide the Services, the Customer must provide Mixlife Lda with access to the Customer's Personal Data. The Customer undertakes to verify that the security measures listed in Annex 2 of this DPA are adequate taking into account the types of Personal Data contained in the Customer's Personal Data.
4.2. The Customer represents and warrants that:
a) It has an appropriate legal basis (e.g., consent, legitimate interests, need for Processing to fulfill a contract, etc.) to Process and disclose the Customer's Personal Data to Mixlife Lda within the scope of providing the Services; and
b) The provisions established in this DPA reflect the obligations that the Applicable Data Protection Legislation imposes on Mixlife Lda regarding the Processing of Customer Personal Data within the scope of the provision of Services.
5. Consent to Subcontracting
5.1. The Customer acknowledges, agrees and accepts that, for the sole and exclusive purpose of ensuring the provision of Services and always in accordance with the terms of this DPA, the Customer's Personal Data may be Processed by Mixlife Lda or its Subcontractors, as identified in the List of Subcontractors.
5.2. Pursuant to Clause 5.1., the Customer provides Mixlife Lda with a general authorization to hire Subcontractors, provided that Mixlife Lda:
a) Provide the Customer with information in advance about the identity of the Subcontractors, as identified in the List of Subcontractors, and notify the Customer of any update to the List of Subcontractors, so that the Customer can object to the hiring of new Subcontractors;
b) Enter into agreements with Subcontractors that contain the same obligations regarding the Processing of Customer Personal Data as those established in this DPA;
c) Exercise due diligence in the selection of Subcontractors and remain responsible for the Subcontractors' compliance with the obligations set out in this DPA;
d) At the Customer's request, provide the Customer with details, as far as is reasonable, of measures taken by Mixlife Lda and its Subcontractors to comply, in practice, with the terms of this DPA.
6. Transfers of Personal Data
6.1. If the Customer purchases one or more Services with Non-EEA Sub-processors, Mixlife Lda may, under the terms of Clause 5 above, transfer Customer Personal Data to one or more Non-EEA Sub-processors, who will be considered Data Importers under the terms of the Standard Contractual Clauses. In this case, if there is no Adequacy Decision applicable to a Non-EEA Sub-subcontractor, Mixlife Lda undertakes to sign Standard Contractual Clauses with such Non-EEA Sub-subcontractor, with only the clauses of MODULE THREE: Transfer between Subcontractors (excluding other MODULES).
6.2. No term of this DPA shall be construed as prevailing over any conflicting clause of the Standard Contractual Clauses.
6.3. The Customer may request the opportunity to review the signed Standard Contractual Clauses. To the extent necessary to protect trade secrets or other confidential information, including Personal Data, Mixlife Lda may remove part of the text from the Standard Contractual Clauses before sharing a copy with the Customer.
6.4. The Customer acknowledges that it is the Customer's responsibility to comply with any applicable additional obligations necessary to ensure the lawfulness of Personal Data transfers to Mixlife Lda and Non-EEA Subcontractors, in accordance with Applicable Data Protection Legislation.
6.5. If the Customer is a Non-EEA Data Controller, Mixlife Lda and the Customer accept that the Standard Contractual Clauses are considered to be incorporated into this DPA, being applicable to any transfer of Customer Personal Data carried out by Mixlife Lda to the Customer in scope of the provision of Services. In this case, the following specifications apply to the Standard Contractual Clauses:
(i) Clause 7 applies;
(ii) Only the clauses of MODULE FOUR: Transfer from Subcontractor to Data Controller are applicable (excluding the other MODULES);
(iii) Clauses 14 and 15 are not applicable, as the provision of the Services does not imply the combination by Mixlife Lda of Customer Personal Data received from the Customer with other Personal Data that it collects in the EU;
(iv) Under Clause 17, the laws of Portugal will apply;
(v) Under Clause 18, the courts of Portugal will be competent;
(vi) Annex 1 of this DPA will be applicable as Annex I of the Standard Contractual Clauses.
7. Cooperation and Responsibility Obligations
7.1. The Parties shall collaborate in good faith to ensure compliance with the provisions of this DPA, including, but not limited to, ensuring the correct and timely exercise of Data Subject Rights, as well as managing incidents in the event of a security breach/Breach of Personal Data, in order to mitigate its possible adverse effects.
7.2 The Parties must collaborate in good faith to provide each Party, as well as Control Authorities, with the information necessary to demonstrate compliance with Applicable Data Protection Legislation.
8. Data Subject Rights
8.1. Taking into account the nature of the Processing of the Customer's Personal Data, Mixlife Lda must provide assistance to the Customer through appropriate technical and organizational measures, to allow the Customer to fulfill its obligation to respond to requests for the exercise of Data Subject Rights.
8.2. Mixlife Lda shall provide the Customer with reasonable cooperation and assistance, and shall provide information that is reasonably necessary for the Customer to respond to the Data Subjects, or to fulfill its obligations in respect of the Data Subject's Rights under the Applicable Data Protection Legislation. The Client acknowledges and accepts that, if such cooperation and assistance requires the expenditure of significant resources by Mixlife Lda, a fee may be charged upon prior notice in agreement with the Client, this fee being calculated based on the administrative costs involved for Mixlife Lda.
9. Data Return and Erasure
9.1. Mixlife Lda shall, at no cost to the Customer, return or delete Customer Personal Data at any time and without undue delay, as well as after the termination of this DPA, provided that this is requested in writing by the Customer with reasonable notice, unless legal obligations (including, but not limited to, legal obligations arising from Applicable Data Protection Legislation) or binding orders from public authorities (including, but not limited to, orders from Control Authorities), prevent Mixlife Lda from carrying out such return or deletion.
9.2. Customer requests for the return of Customer Personal Data will be met to the extent feasible, subject to commercially reasonable technical and organizational limitations proportionate to the volume, type and quantity of Personal Data Processed.
9.3. The return of the Customer's Personal Data according to the internal procedures defined by Mixlife Lda will be made at no cost to the Customer. Otherwise, the Customer will be charged a reasonable cost.
9.4. If the Customer chooses to delete the Customer's Personal Data, and without prejudice to Clause 9.5, Mixlife Lda will provide a statement guaranteeing that such deletion has been carried out.
9.5. Mixlife Lda may retain Customer Personal Data that (1) is retained in accordance with regular computer system backup operations in accordance with Mixlife Lda's disaster recovery and business continuity protocols (see Clause 12), or that (2) is necessary to demonstrate compliance with any contractual or legal obligations applicable to the provision of Services by Mixlife Lda, provided that such Customer Personal Data is not actively or intentionally Processed, by Mixlife Lda or its Sub-subcontractors, for any purposes other than the provision of Services or demonstration of such compliance (e.g., in relevant judicial and extrajudicial proceedings).
10.1. Personal Data transmitted over the Internet by Mixlife Lda as part of the provision of Services must be reasonably encrypted. The Parties recognize, however, that the security of data transmissions over the Internet cannot be guaranteed. Mixlife Lda does not assume any responsibility for the Customer's access to the Internet, for any interception or interruption of communications made via the Internet, or for changes or losses of Personal Data via the Internet.
10.2. If there is a suspicion of a Personal Data Breach, Mixlife Lda may suspend the provision of the Services via the Internet immediately pending an investigation, provided that Mixlife Lda notifies such suspension to the Customer as soon as reasonably possible, takes all reasonable steps to promptly restore the provision of the Services via the Internet and cooperate with the Customer to ensure continued provision of the Services through other communication channels where possible.
10.3. The Customer must take all necessary, appropriate and reasonable measures to ensure the confidentiality of the names and passwords for accessing the Services of its employees. The Customer will be responsible for any misuse of the Services by any of its employees.
11. Personal Data Breaches
11.1 The Customer acknowledges and accepts that Mixlife Lda will not be held responsible for any Personal Data Breach that is not attributable to Mixlife Lda, at least through negligence.
11.2 If Mixlife Lda becomes aware of a Personal Data Breach, it must:
a) take appropriate measures to contain and mitigate such Personal Data Breach, including notifying Customer without undue delay, to enable Customer to promptly implement its response programs. Without prejudice to the foregoing, Mixlife Lda reserves the right to determine the measures it will take to comply with its obligations under Applicable Data Protection Legislation or to protect your rights and interests;
b) cooperate with the Customer to investigate: the nature of the Personal Data Breach, the categories and approximate number of Data Subjects affected, the categories and approximate number of Personal Data records affected, and the likely consequences of any Personal Data Breach, depending on the severity and general impact of the Breach on the Customer and the provision of Services under this DPA;
c) where Applicable Data Protection Legislation requires notification of the Personal Data Breach to a relevant Supervisory Authority and/or affected Data Subjects, and to the extent Customer Personal Data has been affected, request and follow the instructions given by the Customer, as the Customer has the exclusive right to determine the measures to be taken to comply with Applicable Data Protection Legislation or to mitigate any risks, including, but not limited to:
i. Decide whether to notify any individuals, regulators, public authorities, consumer protection agencies or others as required by Applicable Data Protection Legislation, or at the Customer's discretion; and
ii. Decide the content of such notifications, as well as whether any type of compensation should be offered to affected Data Subjects and, if so, the type and extent of such compensation.
12. Disaster Recovery and Business Continuity
12.1 Mixlife Lda maintains commercially reasonable disaster recovery and business continuity protocols, which differ between each Service provided. A summary of such protocols will be provided to Customer upon request. Mixlife Lda may change such protocols at its discretion, provided that the changes do not reduce its disaster recovery capacity below the capacity existing at the date of signing this DPA.
13.1 By signing this DPA, including its Annexes 1, 2 and 3, the Customer explicitly authorizes Mixlife Lda to carry out, on the Customer's behalf, the activities described in Clause 5.
13.2 By signing this DPA, Mixlife Lda accepts the mandate, which will be exercised without economic remuneration as it is granted within the scope of the provision of Services, and confirms, for due legal purposes, that it has read and understood the instructions given to it.
By the Customer
Name / Firm:
Date and place:
By Mixlife Lda
NIPC: 507 851 870
Date and place:
1. DATA SUBJECTS
The Customer's Personal Data, depending on the specific Services that have been contracted, under the terms of the Conditions, may relate to the following categories of Data Subjects (the specific categories are not determinable by Mixlife Lda a priori):
• The Client and/or the Client's employees;
• Customer Suppliers;
• Customer Users;
• Customers of the Customer;
• Data Subjects whose Personal Data is processed by the Customer through the Services.
2. CATEGORIES OF PERSONAL DATA PROCESSED BY SERVICE
The Customer's Personal Data that may be processed within the scope of the provision of Services to the Customer (which are not determinable by Mixlife Lda a priori) will only include Personal Data in accordance with Article 4, paragraph 1 of the Regulation, the Processing of Special Categories of Personal Data and Personal Data related to criminal convictions and offenses being expressly excluded.
Specifically, the following categories of Personal Data may be Processed/transferred:
• Contact details (name, email address, postal address, telephone number…);
• Date of birth;
• Other categories of Personal Data that are processed by the Customer through the Services.
3. SPECIAL CATEGORIES OF PERSONAL DATA
Customer Personal Data does not include Special Categories of Personal Data or Personal Data relating to criminal convictions and offences.
4. PERSONAL DATA PROCESSING OPERATIONS
The Customer's Personal Data may be processed/transferred only for the provision of the Services in accordance with the Conditions, or as permitted under the legislation applicable to the Processor.
5. NATURE OF PROCESSING OF PERSONAL DATA
The nature of the Processing operations varies according to the specific Services that have been contracted, under the terms of the Conditions.
6. FREQUENCY OF PERSONAL DATA PROCESSING
The frequency of Processing operations varies according to the specific Services that have been contracted, under the terms of the Conditions.
7. DURATION OF PERSONAL DATA PROCESSING
The Customer's Personal Data will be retained as long as the provision of the Services remains active, or as permitted under the legislation applicable to the Subcontractor.
Description of Technical and Organizational Security Measures
Information about security measures
See the information available at https://mixlife.pt/legal
For the company's other Services, the applicable security measures are listed below:
Information security procedures
Separate roles and responsibilities were defined for information security and were assigned to those responsible in the company for processing activities (hereinafter also referred to as “users”), in order to avoid conflicts of interest and prevent inappropriate activities.
Human resources security
Mobile devices and teleworking
There is a security policy for the use of all company devices, in particular mobile devices, and appropriate controls are in place.
Conclusion or changes to the employment relationship
Upon termination of a user's collaborative relationship within the organization or in the event of a significant change in their roles, access permissions are updated immediately, while business tools are returned and reset physically and logically.
Company resource management
Responsibility for company resources and assets
All of the company's tools and assets are carefully inventoried and their allocation to the various users responsible for their security is monitored. A policy has been defined for its correct use.
All information is classified and cataloged by the respective users, in accordance with security requirements, as well as processed appropriately.
Storage media management
Information stored on storage media is managed, controlled, modified and used in a way that does not compromise its content and is deleted appropriately.
Access control requirements
The company's organizational requirements for monitoring access to information resources are documented in a policy and implemented in practice through an access control procedure; meaning that network access and connections are limited.
User access management
The allocation of user access rights is controlled from initial user registration through the removal of access rights when they are no longer needed, including special restrictions on privileged access rights and the management of “secret authentication information”, and is subject to periodic reviews and checks including updating access rights when necessary. In access management, the criterion of minimizing access rights is used, as they are issued to grant the user only access to the data necessary for their function and business activity. Additional access rights require specific authorization.
Users are also aware of their responsibilities in maintaining the effectiveness of access controls, for example by choosing complex passwords, whose complexity is checked by the system, and keeping them confidential.
Access control systems and applications
Access to information is subject to restrictions in accordance with the access control policy, through a secure access system and password management, as well as controls over privileged users and limited access to all source codes.
There is a Policy in place regarding the use of encryption of storage media and user data. Authentications are encrypted.
Physical and environmental security
Physical and environmental security measures are in place to prevent illegitimate or accidental access, loss or dissemination of data.
Secure areas: Data center
The company's services are provided and hosted in several neutral national Datacenters, made available by suppliers under the service provision format. All Datacenters, within the supply chain, offer complete redundancy of all electrical, cooling and network circuits. All Datacenters have perimeter lighting, as well as a presence detection system with CCTV cameras, providing the building's private security, with a 24/7 security team present in the Datacenters.
Physical access is regulated and controlled by authorization, recognition and registration procedures and is limited, thanks to the access control system, to areas for which authorization exists.
There is a policy for scrapping unused equipment in order to safely destroy any information that may be contained on it.
Operational procedures and responsibilities
IT operational responsibilities are documented and changes to IT facilities and systems are tracked. Development systems, verification systems, and operating systems are separate. There are users responsible for the proper functioning of the procedures. On the other hand, the management of the logical security of operating systems and applications installed by the customer is the responsibility of the customer of the individual services provided by the Company (hereinafter also referred to as “customer”).
Virus and malware control is active on company devices and there is appropriate user awareness.
With regard to Virtual Server or Dedicated Server services, the customer is responsible for installing antivirus and anti-malware software and – if the related service has not been purchased – a firewall. Regarding the hosting service, there is real-time protection on the frontend machines.
With regard to the email service, email traffic is analyzed in real time, both incoming and outgoing, to detect viruses, malware and to identify and filter spam. The analysis is automated and is based on the nature of the content, the interrogation of international databases and the reputation acquired due to a series of parameters.
Periodic backups are carried out, excluding services for which the customer has not subscribed to a backup service and is consequently responsible for maintaining and managing their backups. For hosting and mail services, periodic backups are performed which, for hosting services, can also be accessed by the customer. Additional backups, not accessible by customers, are performed for the sole purpose of disaster recovery.
Authentication and Monitoring
Authentication and Synchronization
All activity and events related to information security, carried out by system users and administrators/operators, occur after entering their authentication credentials or identity certificates. The clocks of all equipment are synchronized.
Operational software control
The installation of software on operating systems is controlled and monitored. Regarding Virtual Servers and Dedicated Servers, the operating systems available to customers are provided with updated installation images. It is also the customer's responsibility to update the applications or software installed by the customer.
Network security management
Online networks and services are also secured through separation and segregation. The network is monitored 24/7 both in terms of metrics and automatic alarming.
Agreements regarding the transfer of information to and from third parties are in place.
System acquisition, development and maintenance
Security in development and support processes
The rules that govern the security of software and system development are defined in a Policy. Changes to the system (for applications and for operating systems) are tracked. The security of the system is tested and eligibility criteria, which include security aspects, are defined.
Annex 3 (List of Sub-subcontractors) must be requested by email to [email protected]