GDPR Infrastructure Compliance

Information security and adequate management policies for data are our priorities and the reason we make continuous investments in technology.

For many sectors, the GDPR [General Data Protection Regulation] represents an important social innovation. In fact, it clarifies and allows individuals to manage their own privacy. EnterpriseAlumni has considerable experience in threat protection, in privacy protection, and in an array of compliance regulations.

We maintain a policy of transparency and aim to provide you with the information you need to feel secure when you use the platform.

Every day we renew our commitment to our principles in terms of trust in the cloud, data protection, and data security.

    • Contractual commitments: Relationships with EnterpriseAlumni are supported by contractual commitments for our services, including security standards, support, and timely notifications in accordance with the new GDPR requirements.
    • Sharing our experience: We will share the information we gather from various data protection authorities and other reputable organizations so that we can adapt what we have learned to help you create the best possible approach for your organization.

As required by regulations, our infrastructure and security policies have been subjected to an assessment for gauging adequacy and preliminary impact on data protection. These assessments will continue to be conducted regularly to keep to the highest standards of data protection compliance.

 

Data Center Located in Europe

To safeguard the confidentiality, integrity, and availability of data, the EnterpriseAlumni platform relies on physical data centers located in Germany. It is NOT accessible by our staff physically nor do we have access to the PaaS / IaaS layer provided by our providers SAP, IBM, Microsoft & Oracle.

 

Data Loss Prevention (DLP)

EnterpriseAlumni believes that data loss prevention features are of critical importance as they prevent sensitive information from being shared without permission.

An organization’s data is fundamental to its success. Data must be immediately available to enable decision making, but at the same time, it must be protected to prevent it from being shared with those who are not authorized to access it.

For this reason, we have implemented a series of organizational and technical measures that allow us to guarantee our customers not only the prevention of unauthorized access but also adequate security – in relation to the classification of the treated data — for all authorized accesses.

 

Mitigation Techniques

The infrastructure is designed to be resilient to DDoS (Distributed Denial of Service) attacks through DDoS mitigation systems that can automatically detect and filter excess traffic by including scalability to handle unexpected traffic volumes using dedicated load balancers.

 

Encryption

    • At the physical level, our vendors protect data through a methodology which, in case of theft of physical memory supports, does not allow the extraction of sensitive data. The technology used to store data on physical media aims to increase
      performance, render the system resilient to the loss of one or more disks, and capable of replacing media without any interruption to service. Vendor specific physical security is referenced at the base of this document.
    • At the application level, we have the possibility to secure the data contained in customer databases with encryption of data at rest.
    • At the transport level, data is vulnerable to unauthorized access while traveling through the Internet or within networks. For this reason, the protection of data in transit has a high priority.
    • We use TLS/SSL cryptographic protocols that employ symmetric encryption based on a shared key to provide secure communications. These ensure data integrity for the network.
    • To provide even greater security, we use a block cipher algorithm within TLS/SSL, which is called AES-256 (Advanced Encryption Standard). This replaces public key cryptography technology DES (Data Encryption Standard) as well as
      RSA 2048.

 

 

Threat Protection

    • We use advanced systems for searching for viruses in email (whether incoming or outgoing), for detecting spoofing (use of fraudulent senders), and we have a clear anti-spam policy.
    • Anti-phishing analysis tools and advanced protections for such threats as spear phishing and any Zero Day Attacks.
    • Identifying and blocking of malicious files in our internal network thanks to the use of antivirus and proxy systems.
    • We regularly and automatically check that all our servers are up-to-date and have the latest security patches installed.

 

 

Multi-Factor Authentication and Firewalls

    • Business infrastructure is protected by several integrated network firewalls.
    • There are also firewalls for web applications and IDS (Intrusion Detection System) devices that are used for monitoring computer resources, i.e., patterns. We meticulously schedule data traffic analysis carried out by our highly specialized staff, it is possible to detect attacks on the network or computers through the “anti-theft” function of the Intrusion Detection System.
    • Multi-factor authentication is an authentication method that requires more than one verification method, where at least a second level of security is added for user access and transactions. This method is used by system administrators and for services
      provided by Google, Microsoft and Amazon.

 

 

Monitoring and Access Control

    • Advanced visibility on API calls.
    • Log aggregation options to optimize surveys and compliance reporting.
    • Definition, application, and management of user access policies across all services.
    • The monitoring of suspicious access attempts makes it possible to detect potential intrusions by means of very solid machine learning functions.
    • Warning notifications that can be programmed if thresholds are exceeded or for event verifications.
    • Employee access rights and levels are based on job and workplace role using the “least-privilege” and “need-to-know” principles, depending on the responsibilities defined for the employee.
    • Requests for greater access follow a formal process that requires approval by the owner of the data, or by the system, or by supervisors or other managers, according to established security criteria.

 

 

Vulnerability Assessment

    • EnterpriseAlumni cyclically performs vulnerability tests on all infrastructure systems and on clients connected to it.
    • We regularly perform security penetration tests, using different suppliers.
    • The tests include high-level server penetration tests, in-depth tests for vulnerabilities within the application, and social engineering exercises.
    • Finally, upon request, it is possible to authorize one vulnerability assessment from third parties.

 

 

Incident Management

    • We have a rigorous incident management process for security events that can affect the confidentiality, integrity, or availability of systems or data.
    • If an incident occurs, the security team records and establishes a priority level based on severity. Events that have a direct impact on customers have the highest priority.

 

 

Physical Security of Data Centers

    • Our data centers are managed directly by our PaaS/IaaS providers (SAP, Oracle, Microsoft, IBM)

 

Availability and Integrity of Personal Data

To ensure data availability, in the event of hardware malfunctions, backup copies are scheduled at least once per day for the most critical servers. This data is saved on systems installed in a dedicated backup site, which is also located within the European Union.

EnterpriseAlumni DOES NOT maintain a backup copy of the databases. Instead, they are maintained by our PaaS/IaaS provider for the time necessary that is specified in the data retention policy and then they are automatically deleted.

Backups are checked periodically, are organized in such a way as to ensure the separation of data for each customer and are securely encrypted to ensure maximum confidentiality of the data.

 

Tracking and Disposal of Hardware

    • Control starts with its acquisition, follows with installation, all the way to its being taken out of service and eventual destruction.
    • For the disposal of the hardware, we rely on a highly qualified and experienced supplier that guarantees the destruction of the disk and the deletion of data. The supplier furnishes a document certifying that the destruction has taken place.

 

 

Partners

Where provided, we use service/partner providers only after verifying that they can provide an adequate level of security, privacy, and specific guarantees on the possibility of managing data processing entirely in Europe.

Our Partners:

 

  • Amazon AWS
    For the provision of network support services and storage of images uploaded by customers, including the Content Delivery Network (CDN) and Web Proxy services.
    Amazon AWS complies with many international and
    industry-specific standards.
    Further information can be found directly at the AWS compliance page
  • SAP Cloud Platform: 
    https://www.sap.com/about/cloud-trust-center/data-center.html

  •  

    Microsoft Azure: 
    https://docs.microsoft.com/en-us/azure/security/azure-physical-security

  •  

    IBM BlueMix: 
    https://www.ibm.com/cloud/data-centers/

  •  

    Oracle Cloud:  https://www.oracle.com/webfolder/s/delivery_production/docs/FY16h1/doc35/2-Yuecel-Karabulut.pdf

  • Microsoft
    Tools for productivity and company security.
    The O365 platform complies with many international and industry-specific standards. Greater information may be found on their pages devoted to security and compliance.