Below is a description of the technical and organisational measures implemented by PingPong to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Full details of the Processor’s/Data Importer’s technical and organisational security measures used to protect Personal Data are available at https://www.hellopingpong.com/legal/subprocessors.
The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted, however, that in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available. It is acknowledged and agreed that this Security Policy and the technical and organisational measures described herein will be updated and amended from time to time, at our sole discretion. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described in this Security Policy in any material, detrimental way.
Measure | Description |
---|---|
Measures of pseudonymisation and encryption of Personal Data | We use Amazon’s Key Management Service (KMS Cryptographic Details Whitepaper) for creating, maintaining, and rotating all symmetric encryption keys. We do not store or maintain cleartext private key material on disk or in memory. All data in transmission is securely transmitted over HTTPS. All user data at rest is secured by industry-standard AES-256 encryption. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Access to the data necessary for the performance of a particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the “least privilege” and “need-to-know” principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person. To maintain data access control, state-of-the-art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | All our applications are built stateless using CloudFormation templates and can be easily recreated in different geographical regions. Data is stored in triplicate across 2 data centres, with 2 separate cross-connections. The data centres can be switched in the event of flooding, earthquake, fire or other physical destruction or power outage to protect Personal Data against accidental destruction and loss. Stateful components, such as critical data in S3 buckets or databases, are replicated or backed up to a backup location in a different Availability Zone. Our default retention period for server backups is 7 days. Our default retention period for database backups is 30 days. Critical services might have custom retention periods assigned that extend beyond the default retention periods. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | We conduct quarterly internal audits. We strive to automate audits; hence the majority of our infrastructure monitoring is automated, runs 24/7 and is based on various frameworks (CIS, NIST etc.). In addition, a broader mock-up audit is conducted once a calendar year as dictated by the annual events cycle. |
Measures for user identification and authorisation | All employees are required to use passwordless Google authentication with multi-factor authentication wherever it’s possible. Strong and unique passwords are enforced for processors where Google Auth is not possible. |
Measures for the protection of data during transmission | Data in transit is protected by Transport Layer Security (TLS 1.2). |
Measures for the protection of data during storage | Personal Data is only retained internally and on the third-party data centre servers, which are covered by AWS certifications. We use Heroku Postgres and Amazon DynamoDB for storing dynamic data. All our file data and backups are stored in Amazon’s S3 service (Simple Storage Service). All these solutions are configured to store data in encrypted form using the industry-standard AES-256 symmetric encryption algorithm for the database, backups, snapshots, and logs. Content stored in S3 is also encrypted at rest via server-side encryption integration with AWS KMS. |
Measures for ensuring physical security of locations at which Personal Data are processed | The services are hosted on AWS (aws.amazon.com). The physical servers are located within AWS’s data centres and access to them is managed by Amazon. For additional information on the security of AWS, visit Cloud Security – Amazon Web Services (AWS). |
Measures for ensuring events logging | System inputs are recorded in the form of log files; therefore, it is possible to review retroactively whether and by whom Personal Data was entered, altered or deleted. |
Measures for ensuring system configuration, including default configuration | The Processor’s system configuration is based on the Security Technical Implementation Guides (STIGs). System configuration is applied and maintained by software tools that ensure the system configurations do not deviate from the specifications. Deviations are fixed automatically and reported to our SOC. |
Measures for internal IT and IT security governance and management | Every employee undergoes regular security education and checkups. All employee devices must be encrypted and secured with antivirus software with daily updates enabled. Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems. The Controller’s Personal Data is stored in a way that logically separates it from other customer data. |
Measures for certification/assurance of processes and products | We utilise third-party data centres that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II or SOC 2 Attestation Reports. We will not utilise third-party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations. |
Measures for ensuring data minimisation | We collect only the minimum data required for the Services to function. If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good after a certain delay. This is done in order to prevent accidental deletions or possible intentional damage. |
Measures for ensuring data quality | We take measures to validate the most important data we collect from our users at the time of data entry and at the time of use. We are also running regular checks to make sure our stored data is correct. |
Measures for ensuring limited data retention | All research media data (raw and processed session video and audio recordings) are deleted automatically after 2 years. Raw video and audio files are automatically transitioned to Amazon S3 Glacier archive storage after 14 days. Files in Glacier are not available in real time; to access them we must first restore a temporary copy. The restored object copy is available only for the duration we specify in the restore request. After that, Amazon S3 deletes the temporary copy, and the object remains archived in Amazon S3 Glacier. |
Measures for ensuring accountability | All of the data processed is provided by the Controller. The Processor does not assess the quality of the data provided by the Controller. The Processor provides reporting tools within its product to help the Controller understand and validate the data that is stored. The Processor also uses a third party managed firewall in front of the server infrastructure which checks data for potential threats and blocks requests as required. |
Measures for allowing data portability and ensuring erasure | The Services have built-in tools that allow the Controller to export and permanently erase data. The Processor provides an API which can be accessed by the users of an account. This API allows create, read, update and delete actions on the main account data. API access levels are the same as the user would have within the web app. |
Measures to be taken by the (Sub-) processor to be able to provide assistance to the Controller (and, for transfers from a Processor to a Sub-processor, to the Data Exporter). | The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred to companies located outside the EEA, the Processor provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the EU SCCs. |
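The encryption-at-rest, key-rotation, TLS-only transport and Glacier retention measures described in the table above map onto a small set of AWS resource settings. The following Terraform configuration is an added illustration of that mapping and is not PingPong’s own infrastructure code; the bucket name, the `raw/` and `processed/` prefixes, the region, the key alias and the expression of “2 years” as 730 lifecycle days are assumptions made for the example. The measures it encodes (KMS-managed symmetric keys with rotation, SSE-KMS on S3, TLS-only access, transition to Glacier after 14 days, deletion after 2 years) are the ones the policy states.

```hcl
# Added example, not PingPong's code. Names, prefixes, region and the
# 730-day expiry are assumptions; the controls themselves come from the policy.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # assumed
}

# Symmetric KMS key with automatic rotation; key material stays inside KMS,
# so no cleartext key is ever held on disk or in application memory.
resource "aws_kms_key" "media" {
  description         = "Research media at-rest encryption (example)"
  enable_key_rotation = true
}

resource "aws_kms_alias" "media" {
  name          = "alias/research-media-example" # assumed
  target_key_id = aws_kms_key.media.key_id
}

resource "aws_s3_bucket" "media" {
  bucket = "example-research-media" # assumed name
}

# No public ACLs or policies can expose recordings.
resource "aws_s3_bucket_public_access_block" "media" {
  bucket                  = aws_s3_bucket.media.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Default SSE-KMS: every object is encrypted with AES-256 under the key above.
resource "aws_s3_bucket_server_side_encryption_configuration" "media" {
  bucket = aws_s3_bucket.media.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.media.arn
    }
    bucket_key_enabled = true
  }
}

# Reject any request that does not arrive over TLS.
data "aws_iam_policy_document" "tls_only" {
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.media.arn, "${aws_s3_bucket.media.arn}/*"]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "media" {
  bucket = aws_s3_bucket.media.id
  policy = data.aws_iam_policy_document.tls_only.json
}

# Retention: raw recordings move to Glacier after 14 days; all media expires
# after 2 years (730 days, assumed). Prefixes are an assumed bucket layout.
resource "aws_s3_bucket_lifecycle_configuration" "media" {
  bucket = aws_s3_bucket.media.id

  rule {
    id     = "raw-media"
    status = "Enabled"
    filter {
      prefix = "raw/"
    }
    transition {
      days          = 14
      storage_class = "GLACIER"
    }
    expiration {
      days = 730
    }
  }

  rule {
    id     = "processed-media"
    status = "Enabled"
    filter {
      prefix = "processed/"
    }
    expiration {
      days = 730
    }
  }
}
```

Once an object has transitioned to `GLACIER`, a `GetObject` on it fails until a restore is requested; the restore request carries a `Days` value that sets how long the temporary copy remains readable before S3 removes it again, which is the behaviour the retention row describes. The deny-unless-TLS bucket policy is a bucket-side complement to the TLS 1.2 transport measure, not a replacement for enforcing a minimum protocol version at the load balancer.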