Technical Organization Measures
Learn more about our security practices such as procedures, policies, risk management, security auditing and controls for protecting our clients and their data.
1.0 General Considerations
This document describes the technical and organizational measures implemented for secure and compliant processing of personal data.
Gira Group deals with the following types of personal data:
- Business-to-business clients who have procured our services.
- Individual customers who have procured our training services.
- Employee data.
2.0 Confidentiality
Entry Control
Gira Group office premises are not freely accessible. They are locked when employees are away. Gira Group has implemented the following measures:
- Locked building
- Locked office
Gira Group does not maintain servers or server rooms. A list of our third-party providers is available on the Sub-processors page.
Access Control
Gira Group has implemented the following measures for access to software systems:
- Every employee is assigned a personal user account with a password that is bound to strict requirements.
- Passwords must be unique and may not be reused for other accounts.
- Central authentication with username and password, including mandatory 2-factor authentication. Every user has to verify the account at least every 30 days.
- Access is monitored and logged, including unsuccessful login attempts.
- Access is automatically blocked by the system after 5 failed attempts.
- Only employees get access to the majority of files and systems, and the extent of access can be granted selectively per user.
Usage Control
Gira Group has implemented the following measures for working within software systems:
- The password rules for access control must also be followed for usage control.
- Administrative user profiles are kept to a minimum.
- User-dependent authentication with username and password.
- The use of personal data is limited, so that only authorized individuals can use the personal data necessary for their task (De Minimis Principle).
- Logging of usage and changes.
- Paperless work by principle, and compliant destruction of paper documents with a shredder where applicable.
3.0 Integrity
Input Control
Gira Group has implemented the following measures for its software systems:
- Traceability of inputs, changes, and deletions by personalized users.
- Traceability in assigning, changing, and deleting user authorizations.
This applies to most cloud working environments (e.g. MS Sharepoint, etc.).
Transfer Control
Transfer control shall ensure that only authorized individuals can inspect personal data. Employee mobile devices must be encrypted if personal data is stored on them.
- The use of standalone USB flash drives or similar data carriers is not allowed.
- Information should only be printed out if absolutely needed. Printed copies must be shredded as soon as they are no longer needed.
4.0 Availability and Reliability
- Employees are provided with current, up-to-date equipment.
- Personal data is processed on data processing systems that are subject to regular and documented patch management. No systems may be connected to the network that are outside of the manufacturer’s maintenance cycles (e.g. no Win95, XP, etc.). Automatic updates are activated on the computers.
- Continuous availability of high-speed internet is ensured. (Cloud system services can be used with any internet connection.)
- Continuous availability of data is guaranteed by means of redundant storage media and backups of systems according to the latest technical standards.
- Gira Group does not maintain servers or server rooms. A list of our third-party providers is available on the Sub-processors page.
- Cloud provider data centers and server rooms are state of the art (temperature control, fire protection, protection against water penetration, and an uninterruptible power supply (UPS) ensuring controlled shutdown without any loss of data).
5.0 Employee Workplace
The company has implemented the following measures:
- Employees must encrypt their hard drives with state-of-the-art encryption.
- The email account provider applies a default virus, spam and phishing filter to detect malicious software and avert cyber-attacks.
- Employees are obligated to clear their desk of any documents containing sensitive data, especially when it is accessible by others.
- The default option for screen savers must be set to the shortest time period until activation. When temporarily leaving the workplace and hardware, employees should always lock their devices.
6.0 Procedure for Regular Review, Assessment and Evaluation
Data protection and IT security within the company are reviewed regularly and, based on these assessments, continuously improved. Internal auditing may include data privacy requirements such as:
- Obligation of employees to maintain data secrecy, training and education.
- Regular auditing of data processing procedures.
- Procedures in case of data breaches and the protection of data subjects’ rights.
The company has implemented the following internal measures:
- Regular auditing of procedures.
- Regular review of technical advancements in accordance with Article 32 GDPR.
Last Updated on February 12, 2024