Annex 2 - Security Measures

Last updated January 3, 2024

Commencing on the DPA Effective Date, the Processor shall establish and uphold the Security Protocols as outlined in ANNEX 2 – SECURITY MEASURES. The Processor reserves the right to modify and/or enhance these Security Protocols periodically, ensuring that any amendments and/or updates do not significantly diminish the overall security of the Service rendered by the Processor.

1. Availability and Resilience

1.1 Availability control

Areto Labs has established backup policies and related measures. These policies involve continuous monitoring of operational parameters relevant to backup operations. Additionally, in Areto Labs' cloud deployment, there is an automated backup procedure. The company conducts regular checks to verify the feasibility of recovery from backups as needed and applicable.

1.2 Insurance of resilience

Areto Labs will promptly detect and respond to incidents, such as viruses and other malware, that pose a threat to the continuous availability of assets, systems, and information.

2. Integrity

2.1 Transfer control

The transfer of the Controller's data is tightly controlled through a range of technical and organizational security measures. One key aspect of these measures is that the Processor refrains from storing the Controller's data outside the computer centre. Employees at the computer centre operator are deliberately restricted from having physical or technical access to the Controller's data, preventing them from accessing, deleting, or altering the data. Data backups are stored exclusively in encrypted form, and there is no transport of the Controller's data on physical data carriers. In the context of invoicing for services, billing data is transmitted securely to the Processor's accounting systems through an encrypted connection.

2.2 Input control

Ensuring transparency and/or documentation of data processing is a key responsibility of the Processor. To fulfill this obligation, the Processor diligently logs all entries made into the systems and applications. These logs are archived and, in adherence to legal requirements, deleted once their purpose is fulfilled. 

3. Confidentiality

3.1 Physical access control

Acknowledging the crucial role of physical security controls in its overall security strategy, Areto Labs has instituted methods, procedures, and controls for physical access. These measures are designed to thwart unauthorized access to data, assets, and restricted areas. Robust processes are in place to withdraw access to physical resources when no longer needed by an individual. Given that Areto Labs does not maintain physical offices, discussions about access to the Areto Labs office and associated privileges in the production environment are irrelevant.

Areto Labs’ physical infrastructure is hosted in Google Cloud's data centres and utilizes GCP technologies. Google Cloud and Google Workspace have received an accredited ISO/IEC 27701 certification as a PII processor after undergoing an audit by an independent third party.

3.2 Equipment access control

As per 3.1

3.3 Data access control

It is incumbent upon the Processor to thwart unauthorized activities within data processing systems. As a result, data access is limited to the respective Controller and a specifically identified group of administrators. Technical measures are implemented to safeguard against a Controller viewing, modifying, or erasing data from other controllers. In an Areto Labs instance, access is regulated through an extensive role-based access control and authorization framework. Access to the Controller’s data by the Processor’s billing support is limited to master data and billing data necessary for the performance of their customer service functions and invoicing hosting services. Customer service representatives do not have access to customer data within an OpenProject instance.

4. Unlinkability by designation of purpose

4.1 Purpose of use control / separation control

The Processor, Areto Labs, takes explicit measures to assign and technically separate all data records processed or used by its systems and applications. Each set of data is clearly assigned to the respective Processor, maintaining technical isolation from other data. Areto Labs' data processing systems are purposefully designed for limited processing tied to a specific purpose and client, ensuring that technical access to another client's data is not feasible.   

4.2 Pseudonymisation

Pseudonymization measures at Areto Labs are in place to ensure that the identification of data subjects affected by data processing is either impossible or significantly more difficult.

5. Regular testing, assessment and evaluation

5.1 Data protection management

Areto Labs adheres to privacy-friendly technology design and settings (privacy-by-design/default) during the development and operation of its software. 

5.2 Incident response management

Contractual obligations mandate all partners to report data protection incidents within specified legal deadlines, and internal processes guarantee the involvement of the Data Protection Officer in case of such incidents.  

5.3 Data protection by default

Appropriate technical and organizational measures are in place to default to processing only the personal data necessary for each specific purpose. Upon the conclusion of the trial period or termination of the contractual agreement, all collected customer data must be expunged within a three-month timeframe. Any generated data is then attributed to an anonymous user after deletion. The development and operation of the software prioritize privacy-friendly technology design and settings, adhering to the principles of privacy by design and default. 

5.4 Order control

To ensure compliance with processing instructions for personal data, the following measures are implemented:

  • Issuing written instructions to the contractor, including instructions in text form such as through an order processing agreement.

  • Verifying data destruction post-order completion, including the solicitation of appropriate confirmations.

  • Securing confirmation from contractors, ensuring their commitment to instruct their employees on proper data handling.