This document describes all measures and efforts taken by Accurat to ensure the security and quality of the data it processes via its Accurat service (further “Data”).
Entrance ControlBy applying the following measures, Accurat prevents the entrance of non-authorized persons to data-processing installations in which Data are processed or used: Data is collected and processed by Accurat on two locations:
- For development and testing purposes in the Accurat headquarters in Merelbeke, Belgium, as well as secured development partners contractually controlled by Accurat. All facilities are duly secured by key locks.
- For testing, staging and production purposes on the Google Cloud Platform (GCP) in Belgium (europe-west1) if possible, otherwise in different datacenters around Europe (eg. to ensure disaster recovery and high-availability). Security measures as taken by Google are explained in detail via https://cloud.google.com/security/gdpr/.
Utilization ControlBy applying the following measures, Accurat prevents the utilization of data-processing systems by non-authorized persons. Accurat employs two types of data-processing systems:
- Laptops as local workstations: Every software developer has a laptop assigned to him/her which is used to develop data processing systems. Every laptop is fitted with a personal password-protected user account for the software developer.
- Google Cloud Platform operated by Google: Access to GCP is managed by personal password-protected user accounts with two-factor authentication enabled.
Access ControlBy applying the following measures, Accurat ensures that persons authorized to use a data-processing system will only have access to those data that they have been authorized for and that, neither during the processing nor after storage, Data can be read, copied, altered or removed without a respective authorization: Accurat employees, i.e. software developers, that are authorized to use data processing systems are provided with a personal GCP user account and tokens. Specific accounts are in place to restrict certain access to Data depending on the job content and contribution to the Accurat Platform.
Transmission ControlBy applying the following measures, Accurat ensures that Data cannot be read, copied, altered or removed during electronic data transmission without authorization and that it is possible to check and determine at which points a transmission of personal data by means of data transmission installations is intended: Accurat employs an SSL connection for all data transmission in and out of the Accurat API on GCP. The connection uses TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
Input ControlBy applying the following measures, Accurat ensures that it is possible to check and determine subsequently whether and by whom Data have been entered into data-processing systems, altered or removed: Accurat employs the GCP Stackdriver Logging to monitor any modification to its GCP account.
Order ControlBy applying the following measures, Accurat ensures that Data subject to job processing are processed in strict accordance with the instructions given by the principal: Access to Data and servers is granted to GCP via an encrypted connection and all access is logged and can be traced by Accurat’s technical team. Specific accounts are in place to restrict certain access to Data.
Availability ControlBy applying the following measures, Accurat ensures that Data are protected against accidental destruction or loss: Personal data arriving at the Accurat Platform is consolidated as-is into a Master Dataset which can be interpreted as a log of events. This Master Dataset is stored on a GCP BigQuery (BQ) data warehouse located in Europe. Google BQ provides automatic data replication for disaster recovery and high-availability of processing. Google BQ offers a 99.9% SLA and adheres to US-EU safe harbor agreements. BQ makes it easy to maintain strong security with fine-grained identity and access management control. BQ data is always encrypted, at rest and in transit. For more information, see the GCP BQ homepage: https://cloud.google.com/bigquery/
Separation by PurposeBy applying the following measures, Accurat ensures that Data collected for different purposes can be processed separately: Every integration of the Accurat SDK into a mobile app, i.e. a specific purpose, is required to be provisioned with new app-specific credentials, i.e. app ID and key, even if it concerns different apps of the same client. The Accurat SDK automatically creates a new user account and ID on first use within an app and associates the app-specific token to it. During processing, data is only aggregated by user and by app.
Information security policiesAccurat information security policies are written to take account of the specific needs of providing cloud services including:
- Extensive use of modern IT Solutions
- The multi-tenanted nature of our services
- Risks from authorized insiders
- Protection of cloud customer personal data
- The need for effective communication with our customers
Human resource securityA comprehensive program of awareness training is delivered on an ongoing basis to all Accurat employees to emphasize the need to protect customer personal data appropriately. We also require our contractors to provide appropriate awareness training to all relevant employees.
Supplier relationshipsIn the use of certain services, Accurat makes use of peer cloud service providers. These suppliers are subject to regular second party audit to ensure that they have defined objectives for information security and carry out effective risk assessment and treatment practices. All supplier relationships are covered by contractual terms which meet the requirements of the GDPR.
Information security incident managementWhere Accurat deems it appropriate to inform its customers about an information security event (before it is determined whether it should be treated as an incident), we will do so within the legal time limits. Similarly, the customer can report security events to our support or privacy email address, where they are registered and the right action is taken. Information on the progress of such events can be obtained via our support address.
Accurat will report information security incidents to the customer when it believes that customer service or data have been or will be affected. We will do this as soon as reasonably practicable and will share as much information as we can about the consequences and the investigation of the incident as we deem necessary for an effective and timely resolution of the incident. An incident manager is appointed on a case by case basis to act as the contact point of Accurat for the incident, including matters relating to the recording and retention of digital evidence if necessary.
We prioritise incident management activities to ensure that the timescale requirements of the GDPR for notification of breaches affecting personal data are met.
Last modification: July 25, 2018