Natural Language Processing API | Developer Portal | Cortical.io

Technical and Organizational Measures V1.0

Preamble

Cortical.io AG makes every appropriate effort – in accordance with the most recent standards in its industry – to ensure an appropriate level of security for the personal data to be processed.

This document outlines the technical and organizational measures (TOMs) taken by Cortical.io AG and is an Annex to an Agreement on Commissioned Data Processing (“DPA”) using the Cortical.io API (api.cortical.io). As part of the API service provided by Cortical.io, it cannot be excluded that Cortical.io will handle personal data for which the Customer acts as the controller within the meaning of the applicable data protection provisions.

When selecting the measures, the exemplary objectives of article 32 paragraph 1 GDPR were considered.

1. Confidentiality (Article 32 Paragraph 1 lit. b GDPR)

1.1. Physical Access Control

Unauthorized persons are to be denied access to data processing premises where personal data is processed and used. Physical access control is realized through the following measures:

  • Access to offices controlled via intercom system
  • Security locks
  • Determination of persons with access authorization
  • Key regulation and current key list
  • No unauthorized access to building and offices
  • External persons accompanied and supervised by an employee during their visit / performance of their work
  • Security cabinets
  • Locking of office doors and closing of windows during absence / outside of office hours

1.2. Electronic Access Control

The objective of electronic access control is to prevent data processing systems from being used by unauthorized persons. Electronic access control is realized through the following measures:

  • Role-based access control
  • Identification and authentication with user and password
  • Two-Factor Authentication
  • Use and regular update of firewall
  • Use and regular update of spam filters
  • Use and regular update of software security patches
  • Authorization concept (need-based access rights)
  • User rights management by administrators
  • Password policy
  • Assigned user IDs are up to date (following the procedure for on-boarding/off-boarding of employees)
  • On/offboarding process for employees
  • Screen and computer locking routines
  • Clean desk policy
  • Controlled destruction of data media
  • Non-disclosure agreements with all employees and third parties
  • General data protection and security policy

1.3. Internal Access Control

Internal access control must ensure that authorized users of a data processing system can access data exclusively according to their access rights, and that data cannot be read, copied, modified or removed without authorization during processing and use, or after storage. Internal access control is realized through the following measures:

  • Authorization concept (need-to-know-based access rights and limited to the minimum required to perform the authorized persons’ duties and functions)
  • Centralized access management
  • Minimum number of administrators
  • Logging of access to applications, specifically the entry, modification and deletion of data
  • Controlled deletion of data carriers / rewriting before reuse of data carriers
  • Document shredder
  • Data safe
  • Monitoring and logging of general user activity
  • On/offboarding process for employees

1.4. Isolation Control

It must be ensured that data collected for different purposes can be processed separately. Isolation Control is realized through the following measures:

  • Control via authorization concept
  • Separation of sandbox and productive systems
  • Separation of application and administration

2. Encryption (Pseudonymization) (Article 32 Paragraph 1 lit. a GDPR)

Pseudonymization of personal data is not necessary as a protective measure and is thus not part of the service to be provided by Cortical.io.

When using external networks for transmission of personal data, encryption methods are available, e.g., TLS, HTTPS, SSH.

3. Integrity (Article 32 Paragraph 1 lit. b GDPR)

3.1. Data Transfer Control

It must be ensured that personal data cannot be read, copied, modified or removed by unauthorized persons during electronic transmission or during storage on data carriers, and that it can be verified to which locations or sites personal data is intended to be transmitted by means of data transfer facilities. Data Transfer Control is realized through the following measures:

  • Use and regular update of spam filters
  • Use and regular update of virus protection
  • When using external networks for transmission of personal data, encryption methods are available, e.g., TLS, HTTPS, SSH, SFTP
  • Electronic data transmission is logged and controlled
  • Determination of the persons authorized for transmission
  • Controlled deletion of data carriers / rewriting before reuse of data carriers
  • Document shredder
  • Security cabinets

3.2. Data Entry Control

The possibility to subsequently verify and determine whether, and by whom, personal data was entered into, changed or removed from data processing systems must be ensured. Data Entry Control is realized through the following measures:

  • Documentation of the data recipients and the duration of the planned transfer or deletion periods (traceability and logging of input)
  • Ticket system

4. Availability and Resilience (Article 32 Paragraph 1 lit. b and c GDPR)

Cortical.io undertakes regular system penetration tests to ensure customer data is protected.

4.1. Availability Control (Article 32 Paragraph 1 lit. b GDPR)

Personal data must be protected against accidental destruction or loss. Availability Control is realized through the following measures:

  • Use and regular update of firewall
  • Use and regular update of spam filters
  • Use and regular update of virus protection
  • Backup & recovery concept
  • Data backup in a secure, outsourced location
  • Execution of regular backups
  • Data safe

4.2. Rapid Recovery (Article 32 Paragraph 1 lit. c GDPR)

The following measures are taken to restore data in the event of loss, destruction or undesired changes to personal data:

  • Backup & recovery concept
  • Automatic system recovery
  • Update or patch management
  • Backup systems to restore lost data
  • Data backup in a secure, outsourced location
  • Testing of restoration

5. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 lit. d GDPR)

5.1. Data Protection Management

  • Central documentation of all procedures and regulations on data protection with access for employees
  • Obligation of secrecy by all employees and other third parties (if applicable)
  • Training and instructions of employees
  • Formalized process for handling requests for information from data subjects
  • Reporting / notification of security incidents
  • Data protection standards and technical and organizational measures are regularly reviewed

5.2. Incident Response Management

  • Use and regular update of spam filters
  • Use and regular update of virus protection
  • Reporting / notification of security incidents
  • Documentation of security incidents and data breaches
  • Process and responsibilities for follow-up on security incidents and data breaches

5.3. Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)

  • A base protection level is defined by Cortical.io’s Information Security Policy that defines generic standards and measures which have to be applied
  • Only personal data which is necessary is collected
  • When using external networks for transmission of personal data, encryption methods are available, e.g., TLS, HTTPS, SSH

5.4. Order or Contract Control

Commissioned data processing in accordance with the order and the instructions must be guaranteed.

  • Clear structure and execution of agreements
  • Delimitation of responsibilities and obligations between contractor and customer
  • Procedures are in place to ensure data is destroyed after the processing on behalf of the customer is completed