Data Security Standards (DSS)

This Data Security Standard policy (Policy) sets forth Accessy AB’s, a Swedish corporation with address Storgatan 22A, 211 42 Malmö, Sweden(Accessy) technical and organizational security measures for the processing of Service data and Personal Data to ensure a level of security appropriate to risks (Security Standards).

These Security Standards apply to all Personal Data that Accessy receives and process using the Accessy operated services (Service) and Accessy’s App.

This Policy also is also part of the legal framework for Accessy’s processing of personal data, as further outlined in Privacy Policy (PP) and Data Processing Agreement (DPA). Capitalized terms utilized in this Policy and not defined shall have the meaning set forth in the PP and DPA.

Contact

If You have questions or complaints regarding this Policy or about Accessy’s privacy practices, please write to us at info@accessy.com.

Pseudonymization and encryption

Personal Data handled by Accessy shall be encrypted and pseudonymized.

When laptops are used for Personal Data processing, encryption should always take place on fixed and removable storage media.

Access and access control

Accessy has a technical system for access control to the system; to give the right person the right level and scope of access to the system.

Accessy has procedures for how access permissions to the system are granted and removed. All granted access rights are checked at intervals.

Accessy have strong authentication checks and routines.

All usernames are unique and personal.

Accessy’s password management rules ensure a high password quality. All authentication information is stored securely.

Physical access controls

Accessy takes reasonable measures to;

(a)      prevent physical access, such as security personnel and secured buildings, and

(b)      prevent unauthorized persons from gaining access to Personal Data or ensure third parties operating data centres on its behalf are adhering to such controls.

System access controls

Accessy takes reasonable measures to prevent Personal Data from being used without authorization. These measures vary based on the nature of the Processing undertaken and may include, among other;

(a)      controls,

(b)      authentication via passwords and/or two-factor authentication,

(c)      documented authorization processes,

(d)      documented change management processes, and/or,

(e)      log of access on several levels.

Data access controls

Accessy takes reasonable measures to provide that;

(a)      Personal Data is accessible and manageable only by properly authorized staff,

(b)      direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and

(c)      Personal Data cannot be read, copied, modified, or removed without authorization while Processing.

Transmission controls

Accessy takes reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

Input controls

Accessy use commercial best efforts to provide that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified, or removed.

Accessy takes reasonable measures to ensure that;

(a)      the Personal Data source is under the control of the Data Controller; and

(b)      Personal Data integrated into the Service is managed by secured transmission from Accessy for interactions with Accessy’s User Interface (UI) or Application Programming Interface (API).

Protection against malicious software

Accessy have active and updated antivirus solutions on the devices used in personal data processing.

Accessy performs continuous monitoring of protection against malicious software.

Data backup

Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss.

Accessy have documented procedures for recovery.

Testing of restoration of personal data is carried out at intervals and the results documented.

Accessy have documented procedures for deleting obsolete or old Personal Data.

Log

Accessy is logging events that takes place during all processing activities of the Personal Data. All logs are checked at intervals.

Accessy have documented procedures for handling security logs and a system for protecting logs.

Logical separation

Personal (Service) Data from different Licensees and their respective Licensee is logically segregated on systems managed by Accessy to ensure that Personal Data that is collected by different Licensees is segregated from one another.

Physical safety

Equipment, portable data media and the like that are not under the supervision of the personal data tree are locked to be protected against unauthorized use, influence, and theft.

Procedures for investigation

Accessy have both technical and practical prerequisites for investigating suspicions of unauthorized access and other forms of unauthorized use of the Personal Data.

Computer equipment repair and service

In the event of repair and service of computer equipment used for processing the Personal Data and performed by someone other than Accessy, Accessy will enter into a special confidentiality agreement with the service provider.

At the service provider’s visit, service must be done under the supervision of Accessy.

***