Technical and organisational measures (TOMs)

Introduction

Apteco apply and maintain appropriate and reasonable technical and organisational measures (TOMs) suitable and sufficient to protect any Apteco Cloud Personal Information against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Access control

Physical access to data centres is controlled at building ingress points by professional security staff utilising:

  • Surveillance

  • Detection systems

  • Other electronic means

Data centres are certified for compliance with ISO 27001. Production Apteco Cloud servers are logically and physically secured from internal Apteco systems.

Intrusion prevention

Multiple protection measures, at multiple levels, are in place to prevent unauthorised access to the Apteco Cloud network, including:

  • Firewalls

  • Operating systems hardened to CIS (Center for Internet Security) Level 1

  • Encrypted network traffic

  • Password policies

  • Regular penetration testing by independent, globally renowned security experts who also work with many of the biggest banks and governments.

Unauthorised activities in data processing systems

Multiple protection measures are in place to prevent unauthorised activities happening on Apteco Cloud systems, including:

  • Firewall policies

  • Hardened operating systems

  • Regular monitoring

Apteco Cloud storage, including all customer data in Apteco Cloud, is encrypted using the industry-standard AES-256 algorithm.

Separation control

A customer’s data is held separately from other customers’ data, unless previously agreed in writing. Production, test, development, and internal environments are separated.

Pseudonymisation and anonymisation

The processing of any personal data when running the Apteco Cloud service is done in such a way that the data can no longer be attributed to a specific person. This includes any telemetry data, unless the person has specifically approved this, for example by participating in the Apteco Insider Programme. The client is responsible for their own data and for whether that data can be attributed to a specific person.

Transfer control

Industry-standard encryption is used for the transmission of Apteco Cloud data, including any personal data customers may hold in Apteco Cloud. This includes data uploaded to and exported from Apteco Cloud, which is transferred over HTTPS.

Input control

The Apteco Cloud environment and application have built-in auditing capabilities, covering both the building and administration of the system and user activity, with retention periods for audit and evidence purposes.

Availability control

Backups of Apteco Cloud instances are made regularly, and the recovery process is tested. The last three daily backups and the last four weekly backups are retained. The administration of Apteco Cloud has additional measures in place to protect against accidental destruction of data. The Apteco software includes many features that contribute to a secure environment for the application and users’ data, for example limiting the velocity of data that can be exported.

Resilience and fail-safe control

Apteco Cloud is built on a resilient infrastructure and a hardened operating system that conforms to industry standards defined by the Center for Internet Security (CIS). Communication channels are maintained with the relevant agencies and suppliers to stay informed about updates and patches. Separate development, test and production environments are maintained. Proactive measures are also taken on code changes to identify risks before they reach production environments.

Control procedure

Apteco Cloud is designed and configured with privacy-friendly settings. Independent security experts scan the Apteco Cloud infrastructure and internal Apteco business systems every week. Application code changes are scanned for vulnerabilities and code-reviewed. Extensive penetration testing by independent security experts takes place every year. Application code and security measures are adjusted on a risk-related basis.

Order control

Apteco employee contracts include clauses requiring client confidentiality to be maintained. Apteco do not subcontract the support of Apteco Cloud.