Cortical.io AG makes every appropriate effort – in accordance with the most recent standards in its industry – to ensure an appropriate level of security for the personal data to be processed.
This document outlines the technical and organizational measures (TOMs) taken by Cortical.io AG and is an Annex to an Agreement on Commissioned Data Processing (“DPA”) using the Cortical.io API (api.cortical.io). As part of the API service provided by Cortical.io, it cannot be excluded that Cortical.io will handle personal data for which the Customer acts as the controller within the meaning of the applicable data protection provisions.
When selecting the measures, the exemplary objectives of Article 32 paragraph 1 GDPR were taken into account.
Unauthorized persons are to be denied access to data processing premises where personal data is processed and used. Physical access control is realized through the following measures:
The objective of electronic access control is to prevent data processing systems from being used by unauthorized persons. Electronic access control is realized through the following measures:
Internal access control must ensure that authorized users of a data processing system can access data exclusively in accordance with their access rights, and that data cannot be read, copied, modified or removed without authorization during processing, use and after storage. Internal access control is realized through the following measures:
It must be ensured that data collected for different purposes can be processed separately. Isolation Control is realized through the following measures:
Pseudonymization of personal data is not necessary as a protective measure and is thus not the subject of the service to be provided by Cortical.io.
When using external networks for the transmission of personal data, encryption methods are available, e.g. TLS, HTTPS or SSH.
It must be ensured that personal data cannot be read, copied, modified or removed by unauthorized persons during electronic transmission or during storage on data carriers, and that it can be verified to which locations or sites personal data is intended to be transmitted by means of data transfer facilities. Data Transfer Control is realized through the following measures:
It must be possible to subsequently verify and determine whether, and by whom, personal data was entered into, changed in or removed from data processing systems. Data Entry Control is realized through the following measures:
Cortical.io undertakes regular system penetration tests to ensure customer data is protected.
Personal data must be protected against accidental destruction or loss.
The following measures are taken to restore data in the event of loss, destruction or undesired changes to personal data:
Commissioned data processing in accordance with the order and the instructions must be guaranteed.