This document describes the technical and organizational measures implemented by Legito to meet its legal and contractual requirements when processing the personal data of individuals in the European Union under the GDPR.
The measures described in this document are intended to meet the following Legito obligations:
- the pseudonymization and/or encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The following measures apply to all data processing activities under the control of Legito, and to activities where Legito acts as a data processor on behalf of another data controller, unless a separate agreement between Legito and the relevant customer provides otherwise.
1) Access control
Access to Legito IT systems is controlled by User IDs (in particular, email addresses), passwords, and/or tokens. All User IDs and passwords are uniquely assigned to named individuals, so that each individual is accountable for all actions taken under their identity on Legito's IT systems. Employees and third-party users are granted only the access necessary to perform their activities.
All granted access rights are reviewed regularly and, upon any change in role or responsibility, are updated or withdrawn immediately.
Access to the network and its services is controlled by technical and physical security measures. Remote access is controlled through identification and authentication mechanisms.
2) Physical access control
Access to the company’s facilities is physically restricted in a reasonable and appropriate manner.
All network equipment (routers, switches, etc.) and servers located in the corporate office and in all other facilities must be physically secured when no Legito personnel or authorized contractors are present. "Physically secured" means locked in a location that denies access to unauthorized persons and is protected by multiple security devices (CCTV, magnetic window locks, motion sensors). All offices must remain locked after the last person leaves.
Access to the building is through reception and only with an access chip registered to the named employee. Visitors and deliveries are handled under separate procedures, mainly by the landlord (the office building's reception).
3) Logical access control to processing systems
Every system in use is equipped with a secure authentication mechanism. Access to any system is authorized through defined procedures on a need-to-know basis. Special procedures are in place for administrative access.
A secure password policy applies to authentication in all systems. An on-premises password manager is used to manage user passwords.
A "clean desk" rule is also in place: all devices must be locked (screen lock) when the user leaves the workplace, and automatic screen lock after a period of inactivity must be enabled.
4) User activity control
Every employee must attend mandatory training on information security and data privacy at least annually, and participation is recorded. Every new employee is trained on the information security and data privacy policies relevant to them at the start of employment. Significant user activities are logged to the extent required, as are administrative activities on systems. Regular backups are performed daily.
5) Segregation control
Within the multitenant solution, all customer data are logically separated and cannot be mixed under any circumstances.
6) Data carrier and mobile device control
Personal data are stored only in secure locations that prevent unauthorized access. No personal data are stored outside the data center where the system resides or the internal cloud storage.
Individuals may use their mobile phones to access the company's communication channels (such as email) only if the device is protected by a password and its screen locks automatically.
All computers in use must have disk encryption enabled.
Use of external storage media (USB, CD, etc.) for customer data is strictly prohibited.
7) Pseudonymization and anonymization
The system has a standard Anonymization feature that allows users with the appropriate permission to irreversibly remove personal data. Other measures for the pseudonymization and anonymization of personal data are implemented to the extent necessary.
8) Transfer and dissemination control
All communication must use HTTPS with TLS 1.2. Monitoring and logging are in place. An intrusion detection system is also being implemented, and the system resides in a leading data center with proven data security capabilities.
In addition to transport encryption, stored data are protected by data-at-rest encryption, with keys managed in AWS Key Management Service (KMS).
All services used in the company that are reachable from the internet or that handle sensitive data must use encrypted protocols, in line with other established policies. All testing environments are accessible only via an internal VPN.
9) Input control
Controls record who entered, changed, or removed which data. Access to systems used to collect or process personal data is categorized and recorded. A log of these actions is also kept for every workspace in the system.
10) Availability control
Database backups are stored on separate (non-production) servers. The data centers where the servers reside are hosted by a leading service provider. Business continuity and disaster recovery policies are also in place.
All user-level and system-level information maintained by Legito is backed up periodically. Backup media are stored with sufficient protection and under proper environmental conditions.
Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest sensitivity level of information stored.
A process to verify that each backup of Legito's electronic information completed successfully is in place.
Selected backup copies of operating systems and other critical information system software are stored in the same location as the operational software.
Backup data are protected from unauthorized modification and from adverse environmental conditions.
Backups are periodically tested to ensure that they are recoverable; to confirm media reliability and information integrity, backup data are test-restored at a specified frequency.
Backups are performed for each server location where Legito runs, at the relevant local time.
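One way to implement the backup verification described in this section (confirming a backup completed, protecting it from unauthorized modification, and periodically testing its integrity), as an added example that is not Legito's code and is not part of the original page: a signed manifest of SHA-256 digests is built when the backup set is written and re-checked before every restore test. The verification key, the directory layout and the sample files are assumptions constructed for the example; the key is assumed to be held outside the backup media (for instance in the password manager or a KMS), so that whoever can alter the backup cannot also re-sign its manifest.

```python
"""Tamper-evident integrity check for a backup set (illustrative, not Legito's tooling)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB chunks so large dumps are never loaded whole into memory


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(files: dict) -> bytes:
    # Deterministic serialization so the HMAC is stable across runs and JSON round-trips.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Hash every file under backup_dir and authenticate the listing with HMAC-SHA256."""
    files = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            files[rel] = {"sha256": file_digest(p), "size": p.stat().st_size}
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "hmac": tag}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means the backup set is intact."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    # Constant-time compare; an edited or re-signed manifest fails before any file is trusted.
    if not hmac.compare_digest(expected, manifest.get("hmac", "")):
        return ["manifest HMAC mismatch: manifest altered or wrong key"]
    problems, seen = [], set()
    for rel, meta in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
            continue
        seen.add(rel)
        if file_digest(p) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for p in backup_dir.rglob("*"):
        if p.is_file():
            rel = p.relative_to(backup_dir).as_posix()
            if rel not in seen:
                problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Run the check over a constructed sample backup (no real data) and return the results."""
    key = b"verification-key-kept-outside-backup-media"  # assumed: stored separately from backups
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "dump.sql").write_bytes(b"CREATE TABLE users (id INT);\n")
        (root / "config.json").write_bytes(b'{"region": "eu-central-1"}\n')
        manifest = build_manifest(root, key)
        intact = verify_backup(root, manifest, key)
        # Simulate silent corruption or tampering after the manifest was signed.
        (root / "db" / "dump.sql").write_bytes(b"CREATE TABLE users (id INT); DROP TABLE audit;\n")
        (root / "extra.bin").write_bytes(b"\x00")
        tampered = verify_backup(root, manifest, key)
        # An attacker who recomputes every hash still cannot produce a valid HMAC without the key.
        forged = verify_backup(root, build_manifest(root, b"wrong-key"), key)
    return {"intact": intact, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")
```

Storing the manifest alongside the backup is fine because its HMAC, not its location, is what makes it trustworthy; the key must not be on the same media. A restore test that passes this check and then restores the dump to an isolated environment covers both the "success of the backup" and the "recoverability" requirements above.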
12) Job control and subcontracting
Subcontractors are selected so as to ensure that they pose no risk to compliance with data protection objectives.
Depending on their role and their access to personal or confidential data, subcontractors must acknowledge and comply with Legito policies (confidentiality, data protection, security). All subcontractors are periodically evaluated.
Legito also performs pre-employment security checks on all of its employees.
13) Review, assessment, and evaluation
A dedicated QA team performs manual and automated testing of the system. Any potential technical vulnerabilities or errors are evaluated, and a process to resolve them is in place. Critical patches to the system and to other applications in use are deployed as needed.
An internal and external audit program is in place, covering regular system, IT security, process, and data protection audits.
See also the Security at Legito page.