Measures for ensuring accountability. Commvault has implemented suitable measures to monitor, in accordance with applicable privacy laws, access restrictions of Commvault’s system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: • Individual appointment of system administrators; • Adoption of suitable measures to register system administrators’ access logs to the infrastructure and keep them secure, accurate and unmodified for a reasonable period of time; • Regular audits of system administrators’ activity to assess compliance with assigned tasks, the instructions received by Controller and applicable laws; and • Keeping an updated list with system administrators’ identification details (e.g., name, surname, function or organizational area) and responsibilities. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Commvault has implemented annual testing of the SaaS Solution and relevant processes including security incident response tests, Business Continuity and Disaster Recovery tests, Penetration testing. Measures for certification/assurance of processes and products For relevant certifications refer to: xxxxx://xxxxxxxx.xx/trust and xxxxx://xxxxxxxxxxxxx.xxxxxxxxx.xxx/commvault/ ANNEX III List of sub-processors The Customer has authorized the use of the following sub-processors:
Measures for ensuring accountability. 16. Opatření pro zajištění odpovědnosti: o Data importer maintains records of data processing and has performed a transfer impact assessment. o Dovozce údajů vede záznamy o zpracování údajů a provedl posouzení vlivu předávání. o Regular site and system access control reviews and reconciliation processes ensure access is controlled to only required personnel. o Pravidelné revize kontroly přístupu na pracoviště a do systému a slaďovací procesy zajišťují, že přístup je řízen pouze pro požadovaný personál. o Systems maintain activity logs to track system access and usage. o Systémy vedou záznamy o činnostech, aby bylo možné sledovat přístup k systému a jeho používání. o ICF patient consent and date logs are maintained - verified by CRAs and other onsite staff. o Jsou vedeny záznamy souhlasů pacientů s formulářem informovaného souhlasu a datové protokoly – ověřeny oddělením monitorování a dalším personálem na pracovišti. o Clinical trial subject data may be re-identified only by the data exporter, which is done only under rare circumstances, such as upon a regulatory request, and all such requests are maintained in logs. o Údaje subjektů klinického hodnocení mohou být znovu identifikovány pouze vývozcem údajů, což se provádí pouze ve výjimečných situacích, např. na žádost regulačních orgánů, a o všech takových událostech jsou vedeny záznamy.
Measures for ensuring accountability. Adoption and implementation of data protection policies; • Execution of written agreements with Domo sub-processors who may have access to Subscriber Data; • Implementation of intrusion prevention and detection systems to monitor and log system resources for potential unauthorized access and generate alerts on attempted attacks; • Adoption of retention policies for logs, audit trails and other documentation that provides evidence of security, systems, and audit processes and procedures related to Subscriber Data; • Annual employee security and privacy awareness training.
Measures for ensuring accountability. Pleo has adopted measures for ensuring accountability, such as implementing Data protection policies across the business, maintaining documentation of processing activities, recording and reporting Security Incidents involving Personal Data, and appointing a Data Protection Officer.
Measures for ensuring accountability. All critical devices, systems, datastores, and applications have event logging enabled. Logging events must contain what occurred, who or what caused the event, when the event occurred (i.e. timestamp), and the associated system applications or data affected by the events. Where possible, the following system, datastore, and application types of events should be logged: ● All authentication events (success and fail) ● Account or role creation, modification, or deletion ● Changes to system or application configuration ● All alerts raised by the access control system ● Administrator or operator activities Centrally collected event logs from systems, datastores, and applications. Access to centrally collected event logs is controlled by these teams and limited to “need to know” scenarios. Centrally collected event logs are retained for a period of no less than 12 months. Tonic uses AWS Control Tower to manage our AWS accounts and aggregate logs into audit and security environments to prevent tampering. Tonic has alarms on logging systems that ensure unexpected behavior is brought to the attention of staff. Measures for allowing data portability and ensuring erasure Erasure Requests: Tonic has implemented procedures for account deletion requests. End-users wishing to have their Personal Information should contact xxxxxxx@xxxxx.xx For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter Tonic performs initial and annual due diligence activities on our sub-processors to ensure they provide an equivalent or greater level of security and data protection assurance than our own systems.
Measures for ensuring accountability. A. User has performed a data mapping exercise that is compliant with Data Protection Laws and has created an appropriate record of Processing activities in relation thereto.
