Physical, Organizational and IT Security Measures

Adform’s maintained physical, organizational and IT security measures for data collection, processing, and storage

Adform hereby warrants that Adform has implemented and will maintain the physical, organizational and IT security measures reasonably required for safeguarding data against corruption, loss or access from any unauthorized third party. Details of Physical, Organizational and IT Security Measures currently maintained by Adform are listed below.

Adform reserves the right to make changes and updates to these Physical, Organizational and IT Security Measures to accommodate developments in the industry from time to time. The current details of Physical, Organizational and IT Security Measures maintained by Adform can always be accessed at https://site.adform.com/privacy-center/corporate-privacy/physical-organisational-and-it-security-measures/

I. Confidentiality (Art. 32 para. 1 lit b GDPR)

1. Access control of processing areas

Adform has implemented and maintains suitable measures to prevent unauthorized persons from gaining access to the data processing equipment where the Personal Data is processed. This is accomplished by:

  • Access to premises is controlled by security guards staffed 24x7 at the building entrance and by magnetic card for access to the data centre. CCTV is constantly used both outside and within the facility; individuals are only granted access after verification of their identity through government-issued identification;
  • Establishing security areas; 24 hours security service provided by property owner;
  • Protection and restriction of access paths;
  • Establishing access authorizations for staff and third parties, including the respective documentation;
  • Swipe cards or biometrics control access to restricted areas;
  • Regulations on card-keys;
  • Restriction on card-keys;
  • All access to the data centre where Personal Data are hosted is logged, monitored, and tracked; and
  • The data centre where Personal Data is hosted is secured by a security alarm system, and other appropriate security measures.

2. Access control to data processing systems

Adform has implemented and maintains suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by:

  • On-premise storage only;
  • Database security controls restrict access; controlled and audited by internal and external auditors;
  • Users are issued their own logins; passwords must adhere to constraints in length, complexity, aging and history;
  • Identification of the terminal and/or the terminal user to the Adform systems;
  • Automatic time-out of user terminal if left idle, identification and password required to reopen;
  • Automatic turn-off of the user ID when several erroneous passwords are entered, log file of events (monitoring of break-in-attempts);
  • Issuing and safeguarding of identification codes;
  • Dedication of individual terminals and/or terminal users, identification characteristics exclusive to specific functions;
  • Staff policies in respect of each staff member's access rights to Personal Data (if any), informing staff about their obligations and the consequences of any violations of such obligations, to ensure that staff will only access Personal Data and resources required to perform their job duties, and training of staff on applicable privacy duties and liabilities;
  • All access to data content is logged, monitored, and tracked;
  • Use of state-of-the-art encryption technologies.

3. Access control to use specific areas of data processing systems

Adform commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that Personal Data cannot be read, copied, modified, or removed without authorization. This is accomplished by:

  • Staff members of Adform are assigned minimum access rights dependent on their job requirements;
  • Staff policies in respect of each staff member's access rights to the Personal Data;
  • Allocation of individual terminals and/or terminal users, and identification characteristics exclusive to specific functions;
  • Monitoring capability in respect of individuals who delete, add or modify the Personal Data and at least yearly monitoring and update of authorization profiles;
  • Release of data to only authorized persons as required for the provision of the Services;
  • Policies controlling the retention of backup copies; and
  • Use of state-of-the-art encryption technologies.

4. Separation of processing for different purposes

Adform has implemented and maintains suitable measures to make sure that data collected for different purposes can be processed separately. This is accomplished by:

  • Access to data shall be separated through application security for the appropriate users;
  • Modules within Adform's database separate which data is used for which purpose, i.e. by functionality and function;
  • Data of different Adform clients is stored logically separated by software;
  • At the database level, data is stored in different areas, separated per module or function they support; and
  • Interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.

5. Pseudonymization

Adform provides its Services to its clients using pseudonymous Personal Data only. Should Adform's services include data processing that can be performed on anonymized Personal Data (e.g. reporting, statistics, etc.), then Adform shall anonymize the Personal Data before such processing.

6. Encryption

The Personal Data is stored on Adform's IT systems and the Personal Data is transmitted to Adform via Adform's IT infrastructure. Hence, Adform is responsible for ensuring encryption of the Personal Data at rest, in use and in transit.

Adform has implemented and maintains suitable measures to make sure that, in the course of provision of its Services, Adform doesn’t collect, receive or store any Directly Identifiable Personal Data on behalf of clients, unless such data is fully encrypted, with the key to decrypt at no point in time available and stored on Adform’s system or accessible via Adform’s employees. Adform offers client-side data encryption solutions providing one-way (data cannot be decrypted to its original form) or two-way (data can be converted back) encryption models.

II. Integrity (Art. 32 para. 1 lit b GDPR)

1. Input control

Adform has implemented and maintains suitable measures to make sure that it can check and establish whether and by whom personal data has been inputted into data processing systems or removed. This is accomplished by:

  • An authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
  • Authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently);
  • Protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data;
  • Utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use and thereafter at least every 90 days in case of processing of sensitive data;
  • Following a policy according to which all staff of Adform who have access to Personal Data processed shall reset their passwords at a minimum once in a 90-day period;
  • Providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked;
  • Automatic log-off of user IDs (requirement to re-enter password to use the relevant workstation) that have not been used for a substantial period of time;
  • Deactivation of user authentication credentials (such as user IDs) in case the person is disqualified from accessing Personal Data or in case of non-use for a substantial period of time (at least six months), except for those authorized solely for technical management;
  • Proof established within Adform's organization of the input authorization; and
  • Electronic recording of entries.

2. Transmission Control

Adform has implemented and maintains suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by:

  • Use of state-of-the-art firewall and encryption technologies;
  • All data transmissions are logged and monitored;
  • Monitoring of the completeness and correctness of the transfer of data (end-to-end check).

III. Availability and resilience (Art. 32 para. 1 lit b GDPR)

1. Availability control

Adform has implemented and maintains suitable measures to make sure that personal data is protected from accidental destruction or loss. This is accomplished by:

  • Redundant uninterruptible power supply (UPS);
  • Use of air-conditioning, temperature and humidity controls (monitored 24x7);
  • Use of state-of-the-art anti-virus and firewall technologies;
  • Disaster recovery plan;
  • Infrastructure redundancy to ensure data access is restored within seven days and backup performed at least daily;
  • Backups are stored off-site and available for restore in case of failure;
  • Regular check of all the implemented and herein described security measures at least every six months;
  • Backups are only re-used if information previously contained is not intelligible and cannot be reconstructed by any technical means; other removable media is destroyed or made unusable if not used;
  • Any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out (in connection with the notification obligation as per DPA).

2. Resilience

Restore availability and access to personal data in the event of a physical or technical incident in a manner as agreed upon in the relevant Service Agreement and/or otherwise communicated by Adform to the client.

IV. Process for regularly testing, assessing and evaluating the effectiveness of physical, organizational and IT security measures for ensuring the security of the data processing (Art. 32 para. 1 lit. d GDPR)

1. Data protection management

Adform has implemented and maintains a suitable data protection management in its organization.

2. Incident response management

Adform has implemented and maintains a suitable incident response management.

3. Data protection by default (Art. 25 para. 2 GDPR)

Adform has implemented and maintains a suitable data protection by default in its organization.

4. Job control

Adform has implemented and maintains suitable measures to ensure that the Personal Data is processed in accordance with the instructions of the data controller. This is accomplished by:

  • Binding policies and procedures for Adform's employees.

Adform ensures that, if security measures are adopted through external entities, it obtains a written description of the activities performed that guarantees compliance of the measures adopted with this document. Adform further has implemented and maintains suitable measures to monitor its system administrators and ensures that they act in accordance with instructions received. This is accomplished by:

  • Individual appointment of system administrators;
  • Adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months;
  • Yearly audits of system administrators' activity to assess compliance with assigned tasks (the data controller may request said audit report for review at most once a year free of charge); and
  • Keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned.