Technical and Organizational Measures Article 32 GDPR
LoyJoy GmbH implements the following technical and organizational measures (TOMs) to ensure compliance with the provisions of the General Data Protection Regulation (GDPR). This document forms Annex 1 to the DPA.
Confidentiality (Art. 32(1)(b) GDPR)
Physical access control
Measures suitable to prevent unauthorized persons from gaining access to data processing facilities where personal data are processed or used.
Technical measures
- Exclusive hosting with ISO 27001-certified cloud infrastructure providers with the strictest physical access controls
- No operation of own data centers
Organizational measures
- Visitors accompanied by employees
- Regular review of security certificates and physical access protection evidence of the sub-processors deployed
System access control
Measures suitable to prevent data processing systems (computers) from being used by unauthorized persons. System access control refers to preventing the unauthorized use of facilities.
Technical measures
- Login with email address and access token
- Login with a security key in the FIDO2 standard
- Firewall
- Encryption of storage media (state of the art, e.g. AES)
- Encryption of smartphones
- Automatic desktop lock
- Encryption of laptops/tablets
- Management of endpoints via Mobile Device Management
- Blocking access to the LoyJoy Platform after too many failed attempts
Organizational measures
- Managing user permissions
- Creating user profiles
- “Clean desk” policy
- Visitors on business premises accompanied by employees
- General data protection and/or security policy
- Instruction: “manual screen lock”
- Use of external storage media prohibited by policy
Data access control
Measures to ensure that persons authorized to use a data processing system can access only the data that are subject to their access authorization, and that personal data cannot be read, copied, modified, or removed without authorization during processing, use, and after storage.
Technical measures
- Logging of access to applications, specifically on input, modification, and deletion of data
Organizational measures
- Use of authorization concepts
- Process for granting and revoking permissions
- Minimal number of administrators with extensive system rights
- Administration of user rights by the controller’s administrators within their tenant
Separation control
Measures to ensure that data collected for different purposes can be processed separately.
Technical measures
- Separation of production and test environments
- Logical separation (systems / databases / data carriers) through strict tenant architecture
- Multi-tenancy capability of relevant applications incl. service providers
Organizational measures
- Control via authorization concept
- Definition of database rights
Pseudonymization (Art. 32(1)(a) GDPR; Art. 25(1) GDPR)
Processing is carried out in such a way that data are processed without identifying attributes and transition to anonymization once the purpose has ceased to apply.
Technical measures
- Automated data lifecycle: Implementation of the deletion routines described under “Controller control”. Personal data is irreversibly deleted after expiry of customer-specific retention periods (24 hours to 720 days).
- Aggregation anonymization: Analytics data is stored in hourly aggregates, so that after the deletion cycle no personal reference can be established.
- ID-based processing: Internal data processing is carried out primarily via abstract identifiers to minimize direct identifiability in working processes.
Organizational measures
- Standardized deletion configuration: Definition of retention periods as an integral part of tenant setup (Owner role).
- Data minimization policy: Internal guideline to avoid storing plain-text data (e.g. phone numbers) unless strictly required for the customer’s specific use case.
Integrity (Art. 32(1)(b) GDPR)
Transfer control
Measures to ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport or during storage on data carriers, and that it can be verified and established to which entities a transmission of personal data is envisaged via data transmission facilities.
Technical measures
- Logging of access and retrievals
- Provision via encrypted connections (exclusively TLS / HTTPS)
- Patches and updates are applied automatically to the LoyJoy infrastructure. Automated updates are enabled on employees’ devices. Effectiveness is reviewed regularly.
- Only encrypted Wi-Fi networks (at least WPA2) are used.
- Use of encryption to ensure the integrity of data, software, and IT systems in accordance with the state of the art.
Organizational measures
- Use of external storage media (e.g. USB drives, external hard drives) is prohibited by internal policy.
- Use of unauthorized file sharing platforms and cloud storage services is prohibited by internal policy. Data exchange is conducted exclusively through company-approved and encrypted channels.
Input control
Measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered into, modified in, or removed from data processing systems.
Technical measures
- Technical logging of the entry, modification, and deletion of data
Organizational measures
- Traceability of entry, modification, and deletion of data through individual user IDs
- Assignment of rights to enter, modify, and delete data based on an authorization concept
Availability and resilience (Art. 32(1)(b) GDPR)
Availability control
Measures to ensure that personal data are protected against accidental destruction or loss.
Technical measures
- Use of certified cloud data centers with state-of-the-art physical protection measures (e.g. fire and flood protection)
- Automatic availability monitoring with notification in case of unavailability
- All company computers are equipped with malware protection
Organizational measures
- No operation of own data centers
- Documented backup & recovery concept
- Geo-redundant storage of encrypted backups in separate availability zones of the cloud provider
- Emergency plans
Rapid recoverability (Art. 32(1)(c) GDPR)
Rapid recoverability is ensured through the comprehensive measures of our sub-processors in line with current technical standards.
In the event of a permanent unavailability of a sub-processor, the processor would, after a reasonable period, switch operations to an alternative cloud service provider. If the processor is responsible for the unavailability, mitigation measures are initiated without delay.
Technical measures
- Automated, regular backups of databases and application data
- Geo-redundant data storage across multiple availability zones of the cloud provider
- Monitoring and automated alerting in case of disruptions
Organizational measures
- Business continuity plans with defined responsibilities and escalation procedures
- Regular review of sub-processors regarding their recovery capabilities
Procedures for regular review, assessment, and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
Data protection management
Technical measures
- A review of the effectiveness of the technical protective measures is conducted at least annually
- Our infrastructure provider, Google Cloud EMEA, holds ISO 27001 and PCI DSS certifications.
Organizational measures
- Employees are trained and bound to confidentiality/data secrecy
- Regular employee awareness-raising, at least annually
- Data Protection Impact Assessments (DPIAs) are carried out as needed
- The organization complies with the information obligations under Art. 13 and 14 GDPR
- A formalized process for handling data subject access requests is in place
Incident response management
Support in responding to security breaches.
Technical measures
- Use of a firewall and regular updates
- Use of a spam filter and regular updates
Organizational measures
- Documented process for the detection and reporting of security incidents/data breaches within LoyJoy’s area of responsibility (infrastructure and platform).
- Procedure for promptly notifying the controller of personal data breaches (pursuant to Art. 33(2) GDPR), enabling the controller to assess and fulfil its own notification obligations to the supervisory authority.
- Documentation of security incidents and data breaches, e.g., via a ticket system
- Formal process and assigned responsibilities for the follow-up of security incidents and data breaches
Privacy-friendly default settings (Art. 25(2) GDPR)
Provision of a system environment that prevents inadvertent data processing through restrictive default settings and supports the controller in adhering to the principles of “Privacy by Design”.
Technical measures
- Purpose-bound data minimization: The platform is preconfigured so that data for technical error analysis (logging) is retained only for a minimal period.
- Configurable data persistence: Permanent storage of structured end-user data in databases is function-specific and must be actively configured by the controller for the respective process steps.
- Prevention of data accumulation: System-level default short deletion cycles technically prevent long-term data collections from arising without explicit configuration by the controller.
- Selective collection: Controllers can granularly decide, within the scope of platform use, which data categories are collected for the respective business purpose.
Processor control
Measures to ensure that personal data processed on behalf of a controller are processed only in accordance with the controller’s instructions.
Technical measures
- Technical enforcement of tenant-specific permissions, ensuring that access to personal data is limited to the scope of the respective processing order
- Technical implementation of automated deletion routines after expiry of defined retention periods
- API-based data exchange with controllers exclusively through authenticated and encrypted interfaces
Organizational measures
- Prior review of the security measures implemented by the processor and documentation thereof
- Selection of the processor with due diligence (especially regarding data protection and data security)
- Conclusion of the necessary data processing agreement and/or EU Standard Contractual Clauses
- Commitment of the processor’s employees to confidentiality
- Obligation for the processor to appoint a Data Protection Officer where required
- Ensuring the destruction of data after the end of the engagement