Technical and Organizational Measures

Publitas is ISO 27001 certified.
Publitas makes every reasonable effort to collect and store personal data in accordance with the confidentiality requirement of Art. 32(1)(b) GDPR and the ISO 27001 standard. The following controls are applied, and all controls and security measures are set up according to the ISMS (Information Security Management System), which is the internal documentation of how the aforementioned standard is implemented.

Confidentiality

Data access control

AAA model

Publitas employs the AAA security framework (Authentication, Authorization, Accounting) to control access to computer resources and information systems, to define and enforce policies, and to audit usage. Besides the AAA model, additional measures are taken to protect data from theft and from unintentional or malicious alteration, in order to maintain data integrity.

Authentication

All information systems and data access processes require authentication, using individual username/password credentials with strong password-complexity requirements, and multi-factor authentication is used on all critical systems. Authentication principles are part of the ISMS policies and the Information Security Guidelines. Password-complexity and multi-factor requirements are reviewed periodically and proactively. Employees are obliged to use individual accounts at all times; accounts must not be shared or used jointly with other persons, so that every action can be attributed to one person.

Authorization

Least-privilege
Every access privilege, to information systems and to data alike, is assigned by applying the principle that employees and third-party users are granted only the level of access they need to perform their activities (need-to-know basis). Access that is not explicitly granted is denied.

Roles
Access privileges are granted according to predefined roles.
Access requests, assignments, and revocations are logged and audited.
Audit logs are kept for 365 days to ensure accountability.

Accounting
See section “Integrity”.

Separation control

Design

Logical access to the production infrastructure follows a zero-trust architecture, including but not limited to logical and physical segregation of networks and services.

Active Filtering

Packet filters (firewalls) are in place to protect against unauthorized network access.
A Web Application Firewall (WAF) is employed to protect against external attacks through the web interface.

Environments

Production and test environments are separated, and no interoperability is possible between them. The separation relies on:

  • encryption (access keys and administration channels are encrypted)
  • policy definitions and their enforcement

Client

All client endpoints (workstations) are separated from the test and production infrastructure. Only selected personnel have access to the VPN (Virtual Private Network) that is required to reach the deployment pipeline, and code cannot be deployed without going through the standard pipeline.

Data

Data separation between different clients and customers is enforced at the code and access-control level.

Integrity

Authorization

  • Authorization is in place for all systems that handle, transfer, or store personal data.
  • Rights to enter, change, and delete data are assigned on the basis of an authorization concept.

Accounting

  • Logging of data accesses and retrievals
  • Logging of the entry, modification, and deletion of data

Other controls

  • Clear responsibilities are defined for data deletions.
  • Periodic backups are made, and Backup Testing Plans are executed regularly.
  • Data backups are stored in a secure, off-site location.
  • Bug Bounty Program
    • Publitas has an ongoing vulnerability disclosure (bug bounty) program. Publitas also monitors CVE disclosures and acts on them according to severity and applicability. The results of both processes are fed back to the development team for review and, where applicable, patches are developed and released.

Transfer control

Measures are in place to ensure that data cannot be read, copied, altered, or removed without authorization during electronic transmission or during transport or storage on data carriers, and to verify and establish protocols that define how personal data is transmitted by data transmission equipment.

Encryption

Encrypted communication over secure networks is ensured in accordance with current security industry standards; data is provided over encrypted TLS (SSL/TLS) connections.

Disclosure of Data

Asset classification is part of the ISMS, and forwarding information to external information systems is permitted only for assets classified as “Public”. Data containing personal information can never be classified as “Public”, and this rule cannot be overridden.

Pseudonymization and anonymization of end-user data

Any personal data collected for statistics is pseudonymized or anonymized before storage so that the stored data cannot be traced back to individual end users. Note that pseudonymized data still counts as personal data under the GDPR (Art. 4(5), Recital 26) as long as the information needed to re-identify a person exists; only irreversibly anonymized data falls outside its scope.
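As an added example (not Publitas code) of what "pseudonymized and anonymized before storage" looks like in practice, the block below transforms a constructed analytics event before it is written to a statistics store: the e-mail address is replaced by a keyed-hash token (pseudonymization, which keeps per-user grouping possible but cannot be reversed without the secret key), the client IP is truncated to a network prefix and the timestamp coarsened to the hour (anonymization), and the raw identifiers are dropped. The field names, the sample event and the key are assumptions for the illustration.

```python
"""Added example: pseudonymizing and anonymizing an analytics event before storage."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone


def pseudonymize(identifier: str, secret_key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): the same identifier always maps to the same token, so
    statistics can still be grouped per user, but without secret_key the token cannot be
    linked back to the identifier. A plain unsalted hash would not achieve this: e-mail
    addresses have low entropy, so an attacker could hash candidate addresses and compare."""
    return hmac.new(secret_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def anonymize_ip(ip: str) -> str:
    """Truncate to a network prefix (/24 for IPv4, /48 for IPv6) so that no single host
    is identifiable; the prefix is still useful for coarse geographic statistics."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def coarsen_time(ts: datetime) -> str:
    """Reduce timestamp precision to the hour to limit re-identification through timing."""
    return ts.replace(minute=0, second=0, microsecond=0).isoformat()


def prepare_for_stats(event: dict, secret_key: bytes) -> dict:
    """Return the only record that may be written to the statistics store.
    Raw identifiers (e-mail, full IP, exact time) are deliberately not copied over."""
    return {
        "user_token": pseudonymize(event["email"], secret_key),
        "client_network": anonymize_ip(event["ip"]),
        "hour": coarsen_time(event["time"]),
        "page": event["page"],
    }


# Constructed sample event for the demo (not real data).
SAMPLE_EVENT = {
    "email": "reader@example.com",
    "ip": "203.0.113.42",
    "time": datetime(2024, 5, 1, 14, 37, 9, tzinfo=timezone.utc),
    "page": "/catalog/spring/12",
}
# Hypothetical key; in a real deployment it lives in a secret store, never next to the
# statistics data, otherwise the pseudonymization can be reversed by whoever holds both.
DEMO_KEY = b"store-this-outside-the-analytics-db"


def demo():
    """Shows linkability with the same key and unlinkability across keys."""
    record = prepare_for_stats(SAMPLE_EVENT, DEMO_KEY)
    same_user_again = prepare_for_stats(SAMPLE_EVENT, DEMO_KEY)["user_token"]
    under_other_key = prepare_for_stats(SAMPLE_EVENT, b"rotated-key")["user_token"]
    return record, same_user_again, under_other_key


if __name__ == "__main__":
    rec, again, other = demo()
    print(rec)
    print("same key links events:", rec["user_token"] == again)
    print("different key unlinks:", rec["user_token"] != other)
```

Rotating the key therefore also severs the link between old and new tokens, which is a useful property when statistics only need to be consistent within a bounded period.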

Availability and resilience

Updates

All software and software components are regularly updated in accordance with the ISMS policies and the Secure Development Principles.

Disaster Recovery

A Disaster Recovery Plan and Disaster Recovery Procedure are in place in accordance with the ISMS.

Regular review, assessment, and evaluation

Data protection management

The following measures are applied to ensure the organization meets the requirements of data protection laws and regulations:

  • Observing the ISMS
  • Obligation of employees to data secrecy
  • Regular security awareness training of all employees
  • Keeping an overview of processing activities (Art. 30 GDPR)
  • Data breach notification process (personal data breach as defined in Art. 4(12) GDPR) towards the supervisory authorities (Art. 33 GDPR)
  • Data breach notification process (personal data breach as defined in Art. 4(12) GDPR) towards the data subjects (Art. 34 GDPR)
  • Only personal data that is necessary for the respective purpose of providing the services is collected (data minimisation)

Organisational measures

Acceptable Use Policy

A code of conduct is in place for information security and employee security awareness.

Supplier and vendor evaluation

A standard process ensures that appropriate security measures are in place when establishing relationships with vendors and suppliers. GDPR compliance and a signed Data Processing Agreement (DPA) are mandatory for establishing such a relationship.

Consent and compliance

Depending on their role and the scope of their access to confidential or personal data, employees, contractors, and subcontractors must acknowledge and comply with the policies and regulations on secrecy/confidentiality and data protection (e.g., a confidentiality/non-disclosure agreement), the Information Security Policy, the Acceptable Use Policy, and the relevant parts of the ISMS.