1 - Pseudonymisation and Encryption of Personal Data (Art. 32 Para. 1 Clause A GDPR)
Your password and account data is encrypted as is all data that is stored within our billing portal and client area portal. We do not store any other billing related material on our servers (i.e. credit card data) and we use 3rd party PCI compliant companies to handle payments and accounting operations.
2 - Confidentiality (Art. 32 Para. 1 Clause B GDPR)
Datacenter
Our data center facilities ( Arctur - Nova Gorica and Kpnqwest - DC4 ) have physical entry control systems with a log, a high security perimeter fence. Distribution of keys to their employees and collocated customers is controlled and logged. Access to the building including guests is strictly controlled and logged. Data center staff are present twenty-four hours a day. The sites are monitored by CCTV at all entrances and exits, and server rooms are protected with security door interlocking systems.
Access Control to Customer’s VPS and Servers
After initial deployment of servers, root passwords can be reset by the customer and are not known to DomainRegister unless requested in order to login and offer support. Passwords must meet a minimum length and new passwords must be changed on a regular basis. While DomainRegister shall try to prevent unauthorized access to his infrastructure by applying security policies and udpates regularly, the responsibility for access control is incumbent upon the customer.
Access Control to DomainRegister's internal systems
For DomainRegister’s internal administration systems, we prevent unauthorized access by applying security updates regularly, by keeping critical systems off of the public facing internet and accessible only via VPN and/or 2FA access, and by creating a compulsory process for allocating authorization for employees.
Transfer Control
Upon termination, hard disks that are decommissioned, are swiped multiple times (deleted) in accordance with data protection policies. The swiped (deleted) hard disks are only reused after thorough testing and defective drives are destroyed and environmentally sensibly recycled in specialised facilities.
Isolation Control
DomainRegister’s internal administration systems data is physically isolated from customer data. Also, networking is separated from customer networks.
3 - Integrity (Art. 32 Para.1 Clause B GDPR)
Data transfer control
In accordance with Art. 32 Para. 4 GDPR, all DomainRegister staff is trained and obliged to ensure that personal data is handled in accordance with data protection regulations. This means that customer data is wholly deleted after termination of a contract, in accordance with data protection regulations. Furthermore, encrypted data transmission is also provided as standard in our client area portal.
Data Entry Control
All data changes made by DomainRegister staff in internal administration systems are logged. For customer’s servers, the responsibility for input control is incumbent upon the customer.
4 - Availability and Resilience (Art. 32 Para. 1 Clause B GDPR)
DomainRegister internal administration systems are backed up daily and are also protected by the employment of security processes which include but are not limited to, firewalls, intrusion detection systems (IDS), intrusion protection systems (IPS), website application firewalls (WAF), spam filters, and virus scanners. Furthermore, all internal systems are monitored using http and snmp monitoring protocols. Data resilience is enhanced by employing hardware RAID across any hard disk in operation.
Client server backups are included as a courtesy, but data backups are incumbent upon the client. DomainRegister provides a uninterruptible and redundant power supply systems, redundant cooling systems, high availability networking (WAN/LAN and Storage via FC).
5 - Procedures for Disaster Recovery (Art. 32 Para. 1 Clause C GDPR)
DomainRegister has created and defined an escalation process which notes who is to be informed in the case of any sort of network, storage, or compute malfunction which results in service degradation and/or data loss. The goal of this escalation process is for all staff to be in a state of readiness in the case that disaster recovery procedures need to be actioned as to restore systems as quickly as possible.
6 - Procedures for Regular Testing, Assessment, and Evaluation (Art. 32 Para. 1 Clause D GDPR; Art. 25 Para. 1 GDPR)
As part of the procedure for regular testing of our GDPR preparedness process staff will undergo regular "drill" to prove beyond any doubt readiness to react swiftly and effectively in the case of service degradation. Employees are regularly trained in data protection law and are expected to be familiar with the procedural and user guidelines for data processing on behalf of clients also with regard to the client's right of instruction.
- GDPR
- 3 Users Found This Useful