Physical access control

Unauthorized persons are prevented from gaining physical access to premises, buildings, or rooms where data processing systems that process and/or use personal data are located. uniFLOW Online is a SaaS offering hosted entirely in Microsoft Azure Data Centers. The security and controls of these data centers are managed by Microsoft and employ industry-leading security, resilience, redundancy, and compliance measures. 

Further information on Azure infrastructure security is available, and a complete compliance listing is available in the Azure compliance documentation.

Measures:
  • All NT-ware offices have implemented security and intrusion detection with 24/7 monitoring.
  • All buildings have access controls unique to each individual. Privileged access to server rooms, network and infrastructure, and any PII (Personally Identifying Information) is restricted to "Need to Know" personnel only. Changes and additions to this system are managed within our IT change control and HR onboarding procedures.
  • Access by contractors to any of our buildings will be supervised unless the security clearance assessment has already been performed.

System access control

Data processing systems used to provide the NT-ware service must be prevented from unauthorized use.

Measures:
  • Authorization to critical systems or sensitive information is strictly maintained in accordance with NT-ware security policies.
  • All personnel access NT-ware systems with a unique identifier (user ID).
  • NT-ware follows strict change control and monitoring for any access requests to critical systems. When personnel leave the company, their access rights are revoked.
  • NT-ware has established a password policy that prohibits the sharing of passwords, governs responses to password disclosure, and requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfil defined minimum requirements and are stored in encrypted form. For domain passwords, the system requires a password change every 12 months to comply with complex password requirements. Each computer locks after a period of inactivity.
  • The company network is protected from the public network by firewalls.
  • NT-ware uses up-to-date enterprise antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations.
  • Security patch management is implemented to provide regular and periodic deployment of relevant security updates. Full remote access to NT-ware's corporate network and critical infrastructure is protected by a strong multi-factor VPN infrastructure that requires strong authentication.

Data access control

Persons entitled to use data processing systems gain access only to the personal data that they have a right to access, and personal data must not be read, copied, modified, or removed without authorization in the course of processing, use, and storage.

Measures:
  • As part of the NT-ware Security Policy, personal data requires at least the same protection level as "confidential" information according to the NT-ware information classification standard.
  • Access to personal data is granted on a need-to-know basis. Personnel have access to the information they require to fulfil their duties.
  • All production servers are operated in the data centers or in secure server rooms. Security measures that protect applications processing personal data are regularly checked. To this end, NT-ware conducts internal and external security checks and penetration tests on its IT systems.
  • NT-ware does not allow the installation of software on server infrastructure containing sensitive information that has not been approved by NT-ware IT.
  • NT-ware follows security policies for the deletion and destruction of data carriers no longer required.

Data transmission controls

Except as necessary for the provision of the NT-ware services in accordance with the relevant agreement, personal data must not be read, copied, modified, or removed without authorization during transfer. Where data carriers are physically transported, NT-ware implements adequate measures to ensure the agreed-upon service levels (e.g., encryption and lead-lined containers).

Measures:
  • Personal data in transfer over NT-ware internal networks is protected according to NT-ware Security Policy. Network segmentation is in place to ensure isolation between low and high-security infrastructure.
  • When data is transferred between NT-ware and its customers, the transfer is always conducted over secure, encrypted transport protocols. In any case, the customer assumes responsibility for any data transfer once it leaves NT-ware-controlled systems (e.g. data transmitted outside the NT-ware infrastructure firewall).

Data input controls

It will be possible to retrospectively examine and establish whether and by whom personal data have been entered, modified, or removed from NT-ware data processing systems.

Measures:
  • NT-ware only allows authorized personnel to access personal data as required in the course of their duty.
  • NT-ware has implemented a logging system for the input, modification, deletion, or blocking of personal data by NT-ware or its sub-processors within the NT-ware service to the extent technically possible.

Job control

Job control is required to ensure that personal data processed on behalf of others is processed strictly in compliance with the customer's instructions.

Measures:
  • As part of NT-ware's Security Policy, personal data requires at least the same protection level as "confidential" information according to the NT-ware information classification standard.
  • All NT-ware employees and contractual sub-processors or other service providers are contractually bound to respect the confidentiality of all sensitive information, including trade secrets of NT-ware customers and partners.
  • For support services, NT-ware customers have control over their remote support connections at all times. NT-ware employees cannot access a customer's system without the customer's knowledge and consent.

Availability control

Personal data will be protected against accidental or unauthorized destruction or loss.

Measures:
  • NT-ware employs regular backup processes to provide restoration of business-critical systems as and when necessary.
  • NT-ware uses uninterruptible power supplies (for example, UPS and batteries) to protect power availability to the server and network infrastructure.
  • NT-ware has defined business continuity plans for business-critical processes. Emergency processes and systems are reviewed regularly.

Data separation control

Personal data collected for different purposes can be processed separately.

Measures:
  • NT-ware uses appropriate technical controls to achieve customer data separation at all times.
  • Customer (including its approved controllers) will have access only to their own data based on secure authentication and authorization.
  • If personal data is required to handle a support incident from a customer, this data is stored in dedicated support systems.
  • Data exchanged in the course of a support session can be provided over an NT-ware-managed secure file exchange. In alignment with European and GDPR regulations, all information related to a support case that contains personal information is deleted at the end of a support ticket, where practical.

Data integrity control

Personal data will remain intact, complete, and current during processing activities.

Measures:
  • NT-ware has implemented a multi-layered defense strategy as a protection against unauthorized modifications. In particular, NT-ware uses the following to implement the control and measure sections described above:
    • Firewalls
    • Security monitoring tools
    • Antivirus software
    • Backup and recovery
    • External and internal penetration testing and vulnerability assessments