1. Technical & Organisational Measures
This notice contains a list of the technical and operational measures which are applicable as a standard. The actual measures taken depend on the Service and the location of processing concerned, because not all measures are relevant for all Services and locations. Sophos Ventures Inc. guarantees that, for all Services and locations, it has implemented the necessary and adequate technical and operational measures from the list below, following a Data Protection Impact Assessment. The measures are designed to:
ensure the security and confidentiality of Personal Data;
protect against any anticipated threats or hazards to the security and integrity of Personal Data;
protect against any actual unauthorized processing, loss, use, disclosure or acquisition of, or access to, any Personal Data.
The page also contains a list of subcontractors used by Sophos Ventures to deliver its services. Sophos Ventures ensures that all its subprocessors have provided adequate guarantees on the protection of personal data they process on our behalf.
Sophos Ventures commits to continuously monitoring the effectiveness of its information safeguards and to a yearly internal compliance audit to provide assurance on the measures and controls in place.
2. Technical And Organisational Measures
A. People, awareness and HR:
All recruitments follow a screening process according to the principles of the Sophos Ventures background check policy;
Each employee's contract contains Non-Disclosure Agreement clauses;
Code of Ethics awareness training (including a test) is a yearly obligation for all employees and is to be performed through a dedicated e-learning module;
The IT Acceptable Use policy, or its local version, is shared with all employees;
The Privacy & Security policy statement is shared with all employees;
Sophos Ventures staff are obliged on a yearly basis to follow the Sophos Ventures Data Protection policy and the Information Security and Safety training;
Access to systems is provided on a ‘need to have’ basis, taking into account segregation of duties;
Regular internal security audits are conducted to verify the security practices.
B. Remote end-user devices are protected:
Remote users abide by the following security measures:
User management and restricted admin access;
Centrally managed anti-virus protection;
Management and monitoring of software to ensure that only authorized software is installed;
Login ID and password controls are implemented to access information;
Periodic access review is implemented;
E-mails are automatically scanned by anti-virus and anti-spam software.
C. Remote Access Security
Password authentication is used in general for remote access to the critical Sophos Ventures target systems.
D. Generic security measures are:
Data is only stored in the EU Data Centers.
Multiple layers of firewalls & intrusion detection are used.
Access managed according to Role Based Access Control principles.
E. Access control to Personal Data
Employees with access to private data can only access the data that are necessary for the purpose of the activities under their responsibility. Access authorisation is provided based on the ‘need to know’ and ‘need to access’ principles and is either role-based or name-based. Access logs are in place and the responsibility for access control is assigned.
The following measures are in place:
Obligation for employees to comply with the applicable Sophos Ventures and local security policies and data protection policies;
Work instructions on handling private data;
User (password) codes for access to Private Data;
Differentiated access regulations (e.g. partial blocking);
Access Logging and control;
Controlled destruction of data media;
Procedures for checking compliance with procedures and work instructions;
Formalised control frameworks to ensure that no single person can access, modify or use critical information assets without authorization or detection.
F. Security and confidentiality of personal data
Based on a risk assessment (and, if required, an additional DPA), Sophos Ventures will ensure a level of security appropriate to the risk, including inter alia, as appropriate:
the anonymization, pseudonymisation (e.g. tokenization) and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
a logical separation between its own data and the data of its customers and suppliers;
a process to keep processed data accurate, reliable and up-to-date;
processing registers according to GDPR requirements;
logging of system access, for the purpose of detecting unauthorized access attempts.
Customer Data (including back-ups and archives) will only be stored for as long as it serves the purposes for which the data was collected, unless there is a legal or contractual obligation to retain the data for a longer period of time.
G. Organization control
The Data Processor shall maintain its internal organization in a manner that meets the requirements of the applicable legislation and the Data controller requirements on data security. This shall be accomplished by:
Internal data processing policies and procedures, guidelines, work instructions, process descriptions and regulations for programming, testing and release, insofar as they relate to the Personal Data transferred by the Controller;
Implementing a Data Protection control framework that is audited for compliance on a yearly basis;
Having an emergency plan with procedures and allocation of responsibilities in place (backup contingency plan).
3. Sub-Contractors Used
Sophos Ventures uses the following sub-contractors to provide its services:
Amazon Web Services, Inc.
Digital Ocean LLC.