 

Applied Security

Xeerpa meets the strict mandatory security measures for automated High Level files. This section explains how Xeerpa addresses the requirements set out in Spanish Royal Decree 1720/2007, similarly to EU regulations. This document also describes the requirements that Xeerpa’s Client must meet when setting up the file, under the Spanish Data Protection Agency. Please refer to your local legislation for indications.

Xeerpa works with two certified hosting providers. The choice of one provider or another by Xeerpa’s Client is simply based on the Client’s preference. One of the providers will keep the data in Spain, and the other one will store the data in the Cloud, in servers located in the EU. Please consult with us for options in other territories such as the Americas or Asia.

These are Xeerpa’s available hosting providers:

Data center in Spain (default and recommended option) and The Netherlands: through the Stackscale provider (http://www.stackscale.com) with the following details:

Nervia Digital S.L. Signed up in the Merchant Registration in Madrid, Volume 26.226, Folio 1, Section 8, Sheet M-472541 and Tax ID Number B85537108.

We rely on Interxion’s (http://www.interxion.com/) data center in Madrid with the following details:

To provide the services of space hosting and its security, and the electricity and refrigeration to host the servers, Nervia Digital S.L. hired Interxion España, S.A.U. Signed up in the Merchant Registration in Madrid, Volume 14.952, Folio 161, Section 8, Sheet M-249071, Inscription 7 and Tax ID number A82517731.

Interxion holds multiple certifications and awards related to security, among which stand out the ISO 27001 and BS25999. http://www.interxion.com/why-interxion/awards-accreditations-memberships/

In order to safeguard the security backups, they are stored in a different location. In this case, data is periodically sent to The Netherlands through the same provider, Stackscale.

Microsoft Azure (https://azure.microsoft.com/en-us/) has its own data centers as well as a large number of certifications which ensure the privacy of the data: https://azure.microsoft.com/en-us/support/trust-center/

Microsoft Azure also holds several certifications in relation to Security: http://azure.microsoft.com/en-us/support/trust-center/compliance/

 

We separate the security measures applied by Xeerpa in ten different sections:

 

1.- Personnel functions and obligations

Article 89 of the Royal Decree 1720/2007

In the security file of the automated files, the functions and obligations of the personnel with access to the personal details must be clearly defined, meeting these terms:

  1. The functions and obligations of each user or employee with access to the personal details and the information systems will be clearly defined and specified in the security document. The control functions or authorizations deputized by the person responsible for the file or its treatment, will also be defined.

  2. The person responsible for the file or its treatment will adopt the necessary measures for the personnel to comprehensibly acknowledge the security rules affecting the completion of their functions, as well as the consequences they could face in case of breaking them.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Xeerpa will give access to the Client’s data exclusively to the Xeerpa personnel who necessarily require it in order to provide the service.

Xeerpa will grant access to the data to the following users:

  • The user who will be able to access the Control Panel (Dashboards). The Client will be able to manage access for other users from the Xeerpa Dashboards’ interface, including options to limit the data each user can actually see, as well as options to only see aggregated data and not individual personal data. The Client can also configure which users can export data.

  • The user who will have access to the Relational Database if the Client subscribes to the Xeerpa Enterprise BI service.

 

2.- Incidents Log

Articles 90 and 100 of the Royal Decree 1720/2007

Every automated file will have an associated log with a register of any and all problems relating to the access and security of the data, under the following terms:

  1. There will be a procedure for the notification and management of incidents affecting the personal details, and a registry will be established recording the type of incident, the moment in which it happened or, if applicable, when it was detected, the person who is logging the notification, to whom it is being communicated, the effects that may derive from it and the corrective measures that have been applied. The registry will also mention the person who executed the corrective process, the restored data and, if applicable, which data had to be manually saved in the restoration process.

  2. An authorization form by the person responsible for the file will be necessary for the execution of the data restoration procedures.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Every incident detected by Xeerpa in the Client’s data will be notified to the Client in order to be registered in the Incidents Log document.

 

3.- Access Control

Articles 91 and 103 of the Royal Decree 1720/2007

Every automated file must be implemented with a mechanism that controls the access of the users to the personal details under the following terms:

  1. The users will only have access to the resources necessary for their role functions.

  2. The person responsible for the file will make sure that there is a list matching the users and the users’ profiles, and the authorized accesses of each one of them.

  3. The person responsible for the file will establish mechanisms to limit the access of the users in order to prevent them from accessing resources with different authorizations.

  4. Only the personnel authorized in the security document will be able to grant, change or override the authorized access to the resources, in accordance with the requirements established by the subject responsible.

  5. If there are additional personnel apart from the subject responsible, that have access to the resources, they will need to be submitted to the same security conditions and obligations as the main subject or personnel.

  6. On each access attempt, at least the following details will be saved in the log: user ID, date and time of the day, accessed file, access type and whether the access was authorized or not.

  7. In the event of an authorized access, it will be mandatory to save the information which allows the identification of the accessed registry.

  8. The mechanism which allows the accesses registry will be under the direct supervision of the person responsible for the security, not being able to cancel or manipulate it.

  9. The minimum period of conservation of the registered data will be two years.

  10. The person responsible for the security will check, at least once every month, the registered control information, and will develop a report of the reviews and the detected problems.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Xeerpa is committed to exclusively grant access to the data of its Clients to the employees of Xeerpa who require access to provide our service. Only the personnel from Xeerpa will be allowed to access the data, and Xeerpa will not grant access to the data to the personnel from the Xeerpa’s hosting or other external providers.

Xeerpa will track and control which user tried to access the data, whether the attempt was successful or not and the date and time of the event.

The data will be stored while the Client still has an active contract with Xeerpa. If the contract is ended, Xeerpa will hand over the data for its conservation.

 

4.- Supports and documents management

Articles 92 and 97 of the Royal Decree 1720/2007

In all the automated files, their physical storage and related documents which contain personal details will be performed under the following terms:

  1. The files and documents which contain personal details must allow the information type to be identified and logged, and must be accessible only by the personnel authorized in the Security Document. An exception on these obligations will be permitted when the physical characteristics of the support preclude their fulfillment, notating this exception in the Security Document.

  2. The export or handling of files and documents which contain personal details, including the ones attached to an e-mail, out of the workplace or areas controlled by the person responsible for the files or treatment, will need to be authorized by the subject responsible or be correctly authorized in the Security Document.

  3. The identification of the files which contain personal details, considered specially sensitive by the organization, will be able to be performed using comprehensible and meaningful tagging systems which allow the authorized users to identify their content, and will hinder the identification for the rest of the people.

  4. It’s mandatory to establish an input logging system which allows, in a direct or indirect way, to identify the type of document or support, the date and time of the day, the issuing entity, the number of documents or files included, the type of information included in them, the way of delivery and the person responsible for the reception, who will need to be correctly authorized.

  5. It’s mandatory to establish a file output logging system which allows, in a direct or indirect way, to identify the type of document or file, the date and time of the day, the receptor, the number of documents or files included, the type of information included in them, the way of delivery and the person responsible for the delivery, who will need to be correctly authorized.

  6. During the transfer of the documentation, measures intended to prevent the theft, loss or unauthorized access of the information will be adopted.

  7. When any document or file containing personal details is discarded, it will need to be deleted or erased, applying the proper measures to prevent access to the information or its later restoration.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Our data storage systems are composed of multiple elements, such as servers which act as “filers”, disk enclosures (“JBODs”), the actual hard drives, controllers, network components, etc.

All the physical components that make up these storage systems will be labeled, identified and logged in an internally developed software tool, including the hard drives themselves, which will be identified by the code SAS. All the volumes stored in these systems will be cataloged as well.

The Databases where the data is stored will be encrypted on an operating system level with LUKS or EFS, protected by an encryption password.

The transfer of the physical files will only be performed after obtaining the Client’s authorization. This transfer will be either physically performed (through encrypted hard drives brought by a person from the source to the destination) or over the Internet (following the security measures for the transfer of the information of the backups).

The drives will be erased through the DoD 5220.22-M algorithm of the United States Defense Department, which consists of multiple full overwrites of the disks with random data to prevent the information from being later restored.

 

5.- Identification and Authentication

Articles 93 and 98 of the Royal Decree 1720/2007

In relation to the automated files, the person responsible for the file will need to adopt a mechanism which guarantees the correct identification (acknowledgment of the user’s identity) and authentication (checkup of the user’s identity) of the people who access the personal details under the following terms:

  1. The person responsible for the file or treatment will adopt the measures which guarantee the correct identification and authentication of the users.

  2. The person responsible for the file or treatment will establish a mechanism which allows the unequivocal and personalized identification of each user who may try to access the information system, and the verification of the authorization.

  3. In cases where the authentication mechanism is based on the use of passwords, there will be a process of assignment, distribution and storing of the password which will guarantee its confidentiality and integrity.

  4. The Security Document will establish the time limit, which will never be of any period above one year, for the passwords to be changed, which will be unintelligibly stored while they are active.

  5. The person responsible for the file or treatment will establish a mechanism to limit the possibility of repeated unauthorized access attempts to the system.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Access to the Client’s information will be granted through usernames and passwords. The passwords will be hashed with bcrypt. The Client itself will provide tools which will allow creating or revoking users and their passwords.

Three repeated failed access attempts will set the account as disabled.
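The following sketch ties together the access-log fields listed in section 3 (items 6 and 7) and the three-attempt lockout described above. It is an added example, not Xeerpa’s code: the names AccessGate, Account and demo, the field names and the sample account are hypothetical, and PBKDF2 from the Python standard library stands in for bcrypt so that it runs without extra packages.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3  # the page disables the account at three failed attempts


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for bcrypt (named on the page) so the example is stdlib-only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    disabled: bool = False


@dataclass
class AccessGate:
    accounts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # append-only in this sketch

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, hash_password(password, salt))

    def access(self, user_id, password, resource, access_type, record_id):
        acct = self.accounts.get(user_id)
        # Hash even for unknown users so both paths do the same work.
        salt = acct.salt if acct else b"\x00" * 16
        candidate = hash_password(password, salt)
        ok = False
        if acct is not None and not acct.disabled:
            ok = hmac.compare_digest(candidate, acct.pw_hash)
            if ok:
                acct.failed = 0
            else:
                acct.failed += 1
                acct.disabled = acct.failed >= MAX_FAILED_ATTEMPTS
        entry = {
            "user_id": user_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "resource": resource,  # the "accessed file" of item 6
            "access_type": access_type,
            "authorized": ok,
            # Item 7: the accessed record is identified for authorized accesses.
            "record_id": record_id if ok else None,
        }
        self.log.append(entry)
        return entry


def demo():
    gate = AccessGate()
    gate.add_user("analyst1", "correct horse")  # constructed sample account
    for _ in range(MAX_FAILED_ATTEMPTS):
        gate.access("analyst1", "wrong", "customers", "read", "row-17")
    # The right password no longer works once the account is disabled.
    locked = gate.access("analyst1", "correct horse", "customers", "read", "row-17")
    return gate, locked
```

Denied attempts against a disabled or unknown account are still written to the log, so the monthly review required in section 3 sees them.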

 

6.- Backups and automation

Articles 94 and 102 of the Royal Decree 1720/2007

In every automated file, the person responsible for the files must establish a process to perform weekly backups of the personal details in a file which allows the later restoration in case it is needed. This process must meet the following requirements:

  1. It will be mandatory to establish processes to perform at least one backup every week, unless there is no data update during that period.

  2. A process for data restoration, which will guarantee recovery of the data in the same state they were in when the data loss or deletion happened, will be established. If the loss or destruction affects files or treatments partially automated, and only if the existence of documentation allows to meet the objective described in the previous paragraph, the data will need to be manually input, logging this event in the Security Document.

  3. The person responsible for the file will verify the correct definition, functioning and appliance of the backup and data restoration processes, every six months.

  4. The tests previous to the implementation or modification of the information systems that treat files with personal details, will not be performed with real data, unless the security level corresponding to this treatment is guaranteed and this action is logged in the Security Document. If it is intended to do the tests with real data, a previous backup must be performed.

  5. A backup of the data and the restoration processes will need to be preserved in a different place than where the equipment that treat this data is stored, and which will need to meet all the security measures required by this title, or utilize any element to guarantee their integrity and the possibility of restoration of the information.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Xeerpa performs weekly backups of the details of each Client. These backups are stored in the source server and in another location. The online transfer of the data between the source server and the destination is performed with a point to point access with a secret shared key (cypher ED25519 SHA3) between the source and the destination. The communication between each machine is performed through an encrypted channel using the session key AES-18 and the data are encrypted with a saving key AES-128. The choices of the second location are:

  1. Stackscale: Our local hosting provider also provides service with a data center in The Netherlands, which provides the same security measures as the main one, with the following details:

TelecityGroup Southeast AMS5 Datacenter

Schepenbergweg 42

1105 AT Amsterdam, The Netherlands

  2. Microsoft Azure: Using Microsoft’s cloud, the data can be stored in Scotland.

After each backup, the data are checked to guarantee their functionality.

 

7.- The person responsible for the security

Article 95 of the Royal Decree 1720/2007

One or more people responsible for security will need to be established in the Security Document, under the following terms:

  1. One or more people responsible for the security will need to be assigned in the Security Document, in charge of the coordination and control of the defined measures displayed on itself. This designation can be unique for all the files or personal data treatments, or different between each treatment system, being this circumstance mandatory to be logged in the Security Document. This designation will never entail the exoneration of responsibility of the person responsible for the file or treatment according to this regulation.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Xeerpa considers the person responsible for security to be the contact person who will be alerted about every detected anomaly or incident.

 

8.- Audits

Article 96 of the Royal Decree 1720/2007

An audit, which will verify that the information systems and the installations where the personal data are stored meet the security measures displayed on the Regulation LOPD, will need to be performed every two years, under the following requirements:

  1. The information systems and the data storage and treatment installations will be, at least every two years, subject to an internal or external audit, as long as the information system has been modified with relevant updates which may interfere with the fulfillment of the implemented security measures, in order to verify their adaptation, adequacy and efficiency.

  2. The report of the audit will determine the adequacy of the measures and controls to the Law and its regulated functioning, identify their deficiencies and advise about the corrective or necessary complementary measures. It will also need to include the data, facts and observations on which the conclusions and recommendations are based.

  3. The reports of the audit will be analyzed by the person responsible for the security, who will escalate the conclusions to the person responsible for the file or its treatment in order to adopt the adequate corrective measures, and will be available for the Spanish Data Protection Agency or, in any case, for the authorities of control of the local territory.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Xeerpa considers security one of the most important elements of its service. Xeerpa performs regular internal and external audits which guarantee that the security measures are not obsolete and are being fulfilled, and that the Client’s data is safe. This document will be regularly updated to include the detected enhancements and the applied corrections.

 

9.- Physical Access Control

Article 99 of the Royal Decree 1720/2007

The person responsible for the file will set up the adequate resources to restrict the access to the locations where the equipment that supports the personal data treatment is physically installed, to the authorized personnel listed on the Security Document. Only the personnel listed on the Security Document will have access to the locations where the equipment that supports the information systems is installed.


WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

Xeerpa offers two hosting choices which comply with the most demanding physical security measures to prevent unauthorized access to the physical equipment. These are some of the security measures in place at our data centers:

  • Building Access Control, only authorized personnel properly identified will be allowed.

  • Doors opening through proximity cards and biometric readers.

  • Rack’s doors protected by code-locks.

  • Security personnel on-site 24x7.

  • CCTV.

  • Intrusion alarm with sensors in the doors and aisles.

  • Early fire detection with automatic extinguisher.

  • Acclimatized rooms and electrical continuity system.

 

10.- Telecommunications

Article 104 of the Royal Decree 1720/2007

The transmission of personal data through electronic communication networks must be unintelligible and inaccessible by third party entities, under the following terms:

  1. The transmission of personal data through public or wireless networks will be performed encrypting the data or utilizing any other mechanism which guarantees that the information cannot be intelligible or manipulated by third party entities.

 

WHAT DOES XEERPA DO IN RELATION TO THIS SECTION?

All access to the Client’s data is made through HTTPS (SSL/TLS), so the information is always encrypted with a trusted certificate, which keeps it from being intelligible if it is intercepted.

Every access from Xeerpa’s employees to the data on the servers is encrypted with: TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA with sharing of a private key and one user and password for each employee.

Any data transfer between different machines is encrypted with AES-128.