This Technical and Organizational Data Security Measures articulates the technical and organizational security measures implemented by Trusted Data Solutions LLC and the wholly owned subsidiary, Trusted Data Solutions UK Limited (together and collectively referred to as “TDS”) to protect the data customers entrust to us as part of the services TDS provides is customers such as digital data (including voice and audio files) conversion, restoration, migration, and any related managed services that may apply.
Within this document, the following definitions apply:
- “Customer” means any party that is a party to or the subject matter to the provision of a TDS service.
- “TDS Service” means the provision of any service TDS in accordance with a Statement of Work or other contractual document our Customer and TDS has expressly agreed to.
- “Customer Data” means any information provided or submitted by the Customer that is processed by the TDS service.
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Personnel” means TDS employees and authorized individual contractors/vendors, if applicable.
- “Sensitive Personal Data” means Personal Data (1) consisting of an individual’s first name and last name, or first initial and last name, in combination with some other data element that could lead to identify theft or financial fraud, such as a government issued identification number, financial account number, payment card number, date of birth, mother’s maiden name, biometric data, electronic signature, health information, or (2) consisting of log-in credentials, such as a username and password or answer to security question, that would permit access to an online account or an information system; or (3) revealing the personal health information (PHI) of a natural person.
- “Security Framework” refers to the collection of TDS’s policies and procedures governing information security, including, but not limited to, policies, trainings, education, monitoring, investigation and enforcement of its data management and security efforts.
- “Strong Encryption” means the use of industry standard encryption measures.
This document is a high-level overview of TDS’s technical and organizational measures.
TDS may change these measures from time to time to adapt to the evolving security landscape and where required will notify customers of these changes.
1. Organization Of Information Security
To outline TDS’s information security structure.
a) TDS has appointed Senior Management Personnel responsible for information security.
b) The information security function reports directly to the TDS Entire senior leadership team.
c) TDS has a comprehensive set of information security policies, approved by senior management and disseminated to all Personnel.
d) All TDS Personnel have signed legally reviewed confidentiality agreements.
e) All TDS Personnel are given training in information security.
f) The Technical and Organizational Data Security Measures TDS has implemented and maintains a security program that leverages the ISO/IEC 27000-series of control standards as its baseline.
2. Information Security Management System
To demonstrate TDS’s commitment to manage the assessment and treatment of these risks and to continually improve its information security.
a) TDS has deployed an ISMS (Information Security Management System) that serves as the foundation of our information security practices.
b) TDS and its ISMS has been and continues to be assessed by an independent, external auditor and currently receives attestations under
1. ISO 27001
2. ISO 27018
c) Customers can request copies of these assessments.
3. Physical Access
To protect the physical assets that contain Customer Data.
a) The TDS Service operates all its own production data centers with a defined and protected physical perimeter, strong physical controls including access control mechanisms, controlled delivery and loading areas, 24-7 surveillance.
b) Each Data Center is audited for compliance to TDS security controls.
c) Only authorized Personnel have access to the data center premises processing Customer Data and access is controlled through a security registration process requiring a government issued photo ID.
d) Power and telecommunications cabling carrying Customer Data or supporting information services at the production data centers are protected from interception, interference and damage.
e) The production data centers and their equipment are physically protected against natural disasters, unauthorized entry, malicious attacks, and accidents.
f) Equipment at the production data center is protected from power failures and other disruptions caused by failures in supporting utilities and is appropriately maintained.
4. System Access
To ensure systems containing Customer Data are used only by approved, authenticated users and prevent its data processing systems from being used by unauthorized persons.
a) Access to TDS production and administrative systems are granted only to TDS Personnel and/or to permitted employees of TDS’s subcontractors and access is strictly limited as required for those persons to fulfill their function. The production and administrative systems are kept separate and air gapped.
b) TDS has established a password policy that prohibits the sharing of passwords, uses Two-Factor Authentication, and requires passwords to be changed on a regular basis and default passwords to be altered. All passwords must fulfill defined minimum complexity requirements and are stored in encrypted form.
c) TDS has a comprehensive process to deactivate users and their access when Personnel leaves the company or a function.
d) Access to host servers, applications, databases, routers, switches, etc., is logged.
e) Continuously monitoring infrastructure security and regularly examining security risks by internal employees.
h) Issuing and safeguarding of identification codes.
5. Data Access
To ensure Personnel entitled to use systems gain access only to the data processing systems that they are authorized to access that will contain Customer Data.
a) As a matter of course, TDS Personnel do not access Customer Data and where access is required to operate the service or assist in a customer issue, the request for access must be formally justified/tracked and approved by the customer.
b) The TDS Services do not require TDS to access Customer Data below the Metadata level and rarely is that required. This does not mean that the Customer Data cannot be accessed, and should that occur, it is protected in compliance with GDPR.
c) TDS restricts Personnel access to Customer Data strictly limited to production personal specifically assigned to the Customers project, which is on a "need-to-know” basis based on this justification.
d) Each such access and its subsequent operations are logged and monitored.
e) Personnel training covers access rights to and general guidelines on definition and use of Customer Data.
6. Data Transmission/Storage/Destruction
To ensure Customer Data is not read, copied, altered or deleted by unauthorized parties during transfer/storage.
a) TDS uses Strong Encryption for data at rest in the production of Customer Data within our production data centers. Customer data itself is never transmitted between any TDS processing facility and resides on a closed, air gapped server.
b) Each Customer is assigned a unique Strong Encryption key and that key is used
1. To encrypt Customer Data and store it in an encrypted format at rest within the TDS Service.
2. To decrypt Customer Data when requested as part of the service.
c) TDS equipment or disk media containing Customer Data are always securely erased and wiped from all servers at the end of the provision of TDS service.
d) No TDS equipment or disk is physically removed from the production data center unless securely erased prior to such removal or being transferred securely for destruction at a third-party site.
7. Confidentiality and Integrity
To ensure Customer Data remains confidential throughout processing and remains intact, complete and current during processing activities.
a) TDS has a formal background check process and carries out background checks on all new Personnel.
b) TDS trains its engineering Personnel in application security practices and secure coding practices.
c) TDS has a central, secured repository of product source code, which is accessible only to authorized Personnel.
d) TDS has a formal application security program and employs a robust Secure Development Lifecycle (SDL).
e) Security testing includes code review, penetration testing, and employing static code analysis tools on a periodic basis to identify flaws.
f) All changes to software on the TDS Service are via a controlled, approved release mechanism within a formal change control program.
g) All encryption and other cryptographic functionality used within the TDS Service uses industry standard encryption and cryptographic measures.
To ensure Customer Data is protected from accidental destruction or loss, and there is timely access, restoration or availability to Customer Data in the event of a service incident.
a) Global and redundant service infrastructure that is set up with full disaster recovery sites
b) Each TDS staffed data center can be failed-over/back in the event of flooding, earthquake, fire or other physical destruction or power outage to protect Customer Data against accidental destruction and loss.
c) Selected production data center has multiple power supplies and generators on-site. All TDS processing centers are equipped with battery back-up to safeguard power availability and allow for controlled shut downs at that data center.
d) Constantly evaluating TDS processing centers and Internet service providers (ISPs) to optimize
performance for services in regard to bandwidth, latency and disaster recovery isolation and ensuring a back-up access point to the Internet to safeguard connectivity.
e) Each TDS production data center is monitored 24x7x365 for power, network, environmental and technical issues.
f) TDS maintains a robust Business Continuity/Disaster Recovery program including
1. Well defined updated plans.
2. Regular Testing and retrospectives.
g) Service level agreements from ISPs to ensure a high level of uptime.
h) Systems and processes in place to detect and defend against DDoS attacks.
9. Data Separation
To ensure each Customer’s Data is processed separately.
a) TDS uses dedicated servers that are closed, and air gapped to enforce data segregation between customers.
b) In each step of the processing, Customer Data is always physically or logically separated.
c) All types of customer Sensitive Personal Data and other confidential customer data (e.g. payment card numbers) are encrypted at rest within the system.
10. Incident Management
In the event of any security breach of Customer Data, the effect of the breach is minimized and the Customer is promptly informed.
a) TDS maintains an up-to-date incident response plan that includes responsibilities, how information security events are assessed and classified as incidents and response plans and procedures.
b) TDS regularly tests its incident response plan with “table-top” exercises and learns from tests and potential incidents to improve the plan.
c) In the event of a security breach, TDS will notify Customers without undue delay after becoming aware of the security breach.
To ensure TDS regularly tests, assesses and evaluates the effectiveness of the technical and organizational measures outlined above.
a) TDS conducts regular internal and external audits of its security practices.
b) TDS ensures that Personnel are aware of and comply with the technical and organizational measures set forth in this document.
c) TDS conducts at least semi-annual penetration tests of the TDS Service.