TOM Documentation
Date of last revision: May 16, 2018
Documentation of technical and organizational measures (TOM) for data protection compliance at the Ereader Store
Preliminary note
As a data processor, the Ereader Store has a special responsibility for the data that Ereader Store customers collect.
This documentation describes the technical and organizational measures for compliance with and implementation of data protection at the Ereader Store.
Data categories
There are two categories of (personal) data to distinguish. For both categories it is assumed that no personal data of the special categories within the meaning of Art. 9 EU GDPR are processed.
Customer data
Under a valid license agreement, customers of the Ereader Store are responsible for collecting data or transmitting it via SSL-secured connections to the software applications mentioned in the preamble.
For technical maintenance, the Ereader Store has the possibility of accessing the customer data. If the Ereader Store separately commissions the data center operator and at the same time passes on the corresponding system passwords, this possibility theoretically also exists for the data center operator, for as long as its help is indispensable for the technical maintenance.
Where this document refers to customer data, it means the information described in this section. Only the customer data are the subject of commissioned data processing.
Administrative data
All data collected by the Ereader Store to manage the customer relationship or for billing with the customer, typically provided by the customer through SSL-secured web pages, are hereinafter referred to as administrative data. These are essentially:
● Company name of the customer including legal form
● Salutation, title, first name and last name
● Address(es) of the customer (for example billing address, delivery address)
● Products purchased from Ereader Store
● Ereader Store invoices and credit notes issued to the customer, as structured database records
For technical maintenance, the Ereader Store can give the data center operator access to the administrative data by providing the appropriate system passwords or keys, if the data center's assistance is needed to maintain the system.
Physical access control
Physical access control prevents unauthorized persons from gaining access to data processing systems that process or use personal data. With regard to the premises where the data processing equipment is located, a distinction must be made between the data center, the business premises of the Ereader Store and the backup center.
Data Center
The data center houses the servers on which both the customer data and the administrative data are stored and processed centrally. Access control to these servers is therefore of particular importance. The data center is not operated by the Ereader Store itself but by an EU vendor with which a data processing agreement has been concluded.
Access to the data center is controlled by the data center operator, whose access control meets a very high standard. More detailed information about these standards can be found on the website of the current provider: https://www.server4you.de/
Business premises of Ereader Store
Business premises means, on the one hand, the premises at the headquarters of the Ereader Store in Detmold and, on the other hand, other places where Ereader Store employees work, e.g. mobile home workstations.
If employees from outside work for the Ereader Store (external workstations), this is done via a secure VPN connection of the employee to the offices of the Ereader Store.
Only when such a VPN tunnel is established can employees access data in the business premises or, via the fixed-IP WAN connection of the Ereader Store business premises, reach the maintenance access of the servers in the data center.
Direct access to the servers in the data center from external workstations is not possible.
As a rule, there are no unencrypted customer data or administrative data in the business premises.
Most of the business premises have video and alarm monitoring and are locked outside of office and working hours.
Backup center
The backup center is another data center that is geographically separate from the data center where the customer data and administrative data are stored and managed.
Backups are stored here only in compressed and encrypted form. The key varies and is known only to the management and the head of system administration at the Ereader Store. Readout of backup data by employees at the backup center is therefore excluded.
System access control
System access control prevents data processing systems from being used by unauthorized persons.
Servers in the data center
The customer data and administrative data are stored centrally and unencrypted only on the servers in the data center. Access control to these servers is therefore of particular importance.
The servers in the data center have dedicated system users for administration. The servers are administered via the Internet exclusively over encrypted protocols (https and ssh).
The passwords and keys for these user accounts are known only to the management and the IT administration of the Ereader Store. If necessary, employees of the data center are commissioned separately (via the ticket system) and receive temporary access.
The data center servers and networks are protected by the data center operator through hardware-based firewalls that are constantly monitored, updated, and maintained by the data center. The servers in the data center itself each have their own software-based firewall, which is administered by the Ereader Store.
Both firewalls are configured to only allow the traffic that is required to operate the software applications. Furthermore, the Ereader Store ensures that maintenance access (especially via ssh) to the server is only possible from dedicated sources or networks.
Access to other data processing systems
Access to the computers in the offices of the Ereader Store is controlled by user accounts.
For this purpose, each employee has their own password-protected user account both for the local computer and for the management software, through which the customer data (when the service user is activated, see below) and the administrative data can be accessed in a controlled manner in the context of support (see Data access control).
Passwords are at least 12 characters long. In addition, strict password guidelines apply and passwords must be changed every 6 weeks.
Workstations lock themselves automatically after a few minutes when employees leave their desk or are inactive.
Access to the server in the backup data center is limited to members of the executive board and, if necessary, the management of the IT administration.
Data access control
Data access control ensures that authorized users of a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, changed or removed without authorization during processing, use and after storage.
Access to customer data through Ereader Store Support
Support staff only ever have access to the customer data they currently need as part of their job. The possibility of simultaneous access to all customer data is reserved to the management.
To control access to customer data, each customer has the option of enabling access for the so-called (virtual) service user. This service user can be activated solely by the customer in the application software. If the customer activates the service user in their application, an Ereader Store employee who has a valid user account in the Ereader Store management software may link through the management software into the customer's software application and work in it as the customer, for the period until the customer deactivates the service user (but no longer than 24 hours from the time of activation).
Access to, and above all manipulation of, customer data as a service user is logged by the Ereader Store under the user name of the Ereader Store support employee. For some rare, more specialized support tasks it is necessary to access customer data at a technical level (e.g. debugging with a debugger). In this case, a member of the executive board or the head of the IT administration logs on to the server in the data center and makes the customer data of the affected customer available to the Ereader Store support staff as a local copy. The customer data is stored exclusively in password-protected and encrypted directories on the workstation of the support employee, so readout of the data in case of loss of the workstation is excluded in principle. Such activities are only carried out on the premises of the Ereader Store and not at external workplaces.
Employees are instructed to delete the local data copy immediately after completing the support activity.
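The service-user rule above (customer-controlled activation, a hard 24-hour ceiling, every support access logged under the employee's own user name) as an added example written for this page; it is not the Ereader Store's code, and the class and field names are assumptions.

```python
from datetime import datetime, timedelta, timezone

SERVICE_USER_MAX_LIFETIME = timedelta(hours=24)  # the 24-hour cap stated in the TOM


class ServiceUserGate:
    """Tracks one customer's service-user switch and the audit trail of
    support access made through it. Class and attribute names are illustrative."""

    def __init__(self, customer_id):
        self.customer_id = customer_id
        self.activated_at = None   # None means the customer has not opened access
        self.audit_log = []

    # Only the customer flips these two switches; support cannot call them.
    def customer_activate(self, now):
        self.activated_at = now

    def customer_deactivate(self):
        self.activated_at = None

    def is_open(self, now):
        """Access is open only while activated AND inside the 24-hour window."""
        if self.activated_at is None:
            return False
        return now < self.activated_at + SERVICE_USER_MAX_LIFETIME

    def support_access(self, employee, action, now):
        """Returns True and records the access if it is permitted; a refused
        attempt is recorded too, so the log shows who tried and when."""
        allowed = self.is_open(now)
        self.audit_log.append({
            "time": now.isoformat(),
            "customer": self.customer_id,
            "employee": employee,   # logged under the support employee's own name
            "action": action,
            "allowed": allowed,
        })
        return allowed


if __name__ == "__main__":
    # Constructed walk-through: activation, one access, and expiry after 24 h.
    t0 = datetime(2018, 5, 16, 9, 0, tzinfo=timezone.utc)
    gate = ServiceUserGate("customer-A")
    gate.customer_activate(t0)
    print(gate.support_access("support.user", "view orders", t0 + timedelta(hours=1)))
    print(gate.is_open(t0 + timedelta(hours=24)))
    for entry in gate.audit_log:
        print(entry)
```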
All employees of the Ereader Store are trained in data protection and data security and have been instructed in writing about their confidentiality obligations.
Access to backup copies
Backup copies are always encrypted on the servers in the data center using a standard, secure method. The password for decrypting the backup copies is known only to the members of the management and the head of the IT administration. This ensures that only authorized persons can access the backup copies of customer data and administrative data, even if unauthorized persons should gain access to a backup copy.
Transfer control
Transfer control ensures that personal data cannot be read, copied, altered or removed during electronic transmission or during its transport or storage on data carriers, and that it is possible to check and determine to which recipients transmission of personal data by data transmission equipment is intended.
Transfer control at the Ereader Store is ensured by restricting the storage of unencrypted customer data and administrative data to the data center and by restrictive physical and system access control at that location.
The unauthorized reading, copying, alteration or removal of data stored in the data center by the data center operator is contractually excluded. The data is only transmitted in encrypted form to the outside of the data center or stored in encrypted form outside the data center.
The password for decrypting the data is known only to the members of the management or the head of the IT administration, so that an unauthorized disclosure can be excluded.
Only encrypted protocols (https, SSH) are used on the transmission paths themselves.
The data center ensures that defective hard disks are safely destroyed and disposed of, so that subsequent read-out is not possible.
Input control
Input control ensures that it is possible to subsequently verify and determine whether and by whom personal data has been entered, changed or removed in data processing systems.
Input control for the customer data is the responsibility of the customer, since only the customer controls access to it. If the customer grants access to support by activating the service user, these accesses are documented by the Ereader Store.
In addition, customers can see in their program which user last changed a record (for example a customer record) and at what time.
If the customer has a justified suspicion of an inexplicable manipulation of his customer data, this can be checked against the retained backups (10 days).
Order control
Order control ensures that personal data processed on behalf of a client can only be processed in accordance with the instructions of the client.
The data center operator is the only data processor with possible access to the data.
The data center operator has a written order data processing agreement that ensures that the data is processed only in accordance with the instructions of the Ereader Store.
Any use or disclosure of the data by data center employees is contractually excluded.
Support orders are placed with the data center operator only by employees of the management of the Ereader Store or the head of the IT administration in the order system of the data center operator. The orders of the Ereader Store to the data center are thus available in writing and can be checked afterwards.
Furthermore, the data center receives access passwords only in the context of such a separate individual order. Access outside a separate individual order is therefore excluded in principle. The validity or usability of such passwords for the data center is limited in time to the necessary extent.
Note on classification: On-site support by the data center is usually limited to interventions in the event of server hardware failures or failures of the servers' network connection to the Internet. As such, the scenario of passing support passwords to the data center is more theoretical than practical.
Availability control
Availability control ensures that personal information is protected against accidental destruction or loss.
The availability of administrative data as well as customer data is ensured by various measures.
RAID system
The servers of the Ereader Store in the data center have a mirrored hard disk system (at least RAID1). A defective hard disk can be replaced during operation (hot-plug capable). Functionality and error rates of the storage media are permanently monitored during operation.
Daily full backup
Once a day, a full backup of the server is performed. The backup data is compressed and stored in encrypted form. In the worst case, a stand-by server can be restored from the backup data and made accessible via the Internet in less than 4 hours.
Transfer backup
After successful completion of the full backup, the encrypted backup data is transferred to the backup center via secure transfer protocols. From the backup data, the entire server system including customer data and administrative data can be restored retroactively for 14 days.
Copy of the backup data
Optionally, an encrypted backup copy is also stored at sporadic intervals in the offices of Ereader Store.
Data center facilities
In the data center, fully air-conditioned security rooms offer protection against gas, water and fire. The additional storage location in the backup data center also protects against major accidents.
Preparation for possible failure scenarios
Furthermore, the availability of the systems is increased by the Ereader Store itself through:
● trained recovery scenarios
● restoring servers from backup files at sporadic intervals to verify backup quality
● parallel system operation with test data in another data center, which could in principle be populated with the customer and administrative data from the backups and would be ready for use shortly by switching the DNS record
● automatic monitoring of vital signs: all servers have state-of-the-art monitoring software that reports defects (RAM, hard drives, temperature, etc.) as well as capacity problems (data storage, utilization) in good time, before operation is permanently disturbed.
Separate processing
The separate processing ensures that data collected for different purposes can be processed separately.
Separate processing is of particular importance to the Ereader Store, since the customer data of many customers are processed simultaneously on one server. At the same time, administrative data of the Ereader Store is also stored or processed on the same server as the customer data, or at least in the same data center.
Customer data and administrative data on Ereader Store servers are never stored in the same database. The different databases are secured by different users with secure passwords.
To ensure separate processing of the customer data, the unstructured data (e.g. PDF documents such as invoices, pictures) of different customers are stored in separate directories on the server, i.e. there is a separate directory for each customer in which only the documents of that one customer are stored.
Databases in which customer data is stored carry a unique identifier (customer attribute) in every record. All read and write accesses to records are designed in the server-side data access layer of the applications so that access without filtering by the customer attribute is not possible. It is thus excluded in principle that requests by one customer read or change customer data in records of another customer.
A customer accesses his administrative data stored at the Ereader Store on the same principle.
Only the Ereader Store itself has user-and-password access to administrative data through its management software without the use of the customer attribute.
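The data access layer principle described above (every read and write carries the customer attribute as a mandatory filter, so no cross-customer access path exists) as an added example written for this page; it is not the Ereader Store's code, and the table, column and class names plus the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample rows (id, customer_id, title); not real Ereader Store data.
SAMPLE_ROWS = [
    (1, "customer-A", "Invoice 2018-001"),
    (2, "customer-A", "Invoice 2018-002"),
    (3, "customer-B", "Invoice 2018-003"),
]


def build_sample_db():
    """In-memory database with a customer attribute (customer_id) on every record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, "
                 "customer_id TEXT NOT NULL, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TenantScopedRepository:
    """The only data access path for the application: it is bound to one
    customer at construction and adds that customer's id to every SQL statement.
    There is deliberately no method that queries without the filter."""

    def __init__(self, conn, customer_id):
        if not customer_id:
            raise ValueError("customer attribute is required")
        self._conn = conn
        self._customer_id = customer_id

    def list_documents(self):
        cur = self._conn.execute(
            "SELECT id, title FROM documents WHERE customer_id = ?",
            (self._customer_id,))
        return cur.fetchall()

    def get_document(self, doc_id):
        # A record id alone never suffices; the row must also belong to this customer.
        cur = self._conn.execute(
            "SELECT id, title FROM documents WHERE id = ? AND customer_id = ?",
            (doc_id, self._customer_id))
        return cur.fetchone()

    def rename_document(self, doc_id, new_title):
        # Writes are filtered the same way: rowcount is 0 for another customer's row.
        cur = self._conn.execute(
            "UPDATE documents SET title = ? WHERE id = ? AND customer_id = ?",
            (new_title, doc_id, self._customer_id))
        return cur.rowcount
```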