Security Measures

This document sets out the technical and organizational security measures implemented by ArtSolution in support of its (Processing) activities, as set forth by the Privacy Legislation.

 

Access Control of Processing Areas (Physical)

Web applications, communications and database servers of ArtSolution are located in secure data centers in the Netherlands and the United States, which are operated by Microsoft Azure, with whom ArtSolution has signed the Windows Azure data processing addendum in order to be compliant with the standards and obligations as set forth in the Privacy Legislation.

 

Access Control to Personal Data Processing Systems (Logical)

ArtSolution has implemented suitable measures to prevent its Personal Data Processing systems from being used by unauthorized persons.

This is accomplished by:

  • Establishing the identification of the terminal and/or the terminal user to the ArtSolution systems;
  • Automatic time-out of user terminal if left idle. Identification and password required to reopen;
  • Automatic lock out of the user ID when several erroneous passwords are entered. Events are logged and logs are reviewed on a regular basis;
  • Utilizing firewall, router and VPN-based access controls to protect the private service networks and back-end-servers;
  • Ad hoc monitoring of infrastructure security;
  • Regularly examining security risks by internal employees and third-party auditors;
  • Issuing and safeguarding of identification codes;
  • Role-based access control implemented in a manner consistent with the principle of least privilege;
  • Access to host servers, applications, databases, routers, switches, etc., is logged;
  • ArtSolution also uses commercial and custom tools to collect and examine its platform and system logs for anomalies.

 

Availability Control

ArtSolution has implemented suitable measures to ensure that Personal Data is protected from accidental destruction or loss.

This is accomplished by:

  • Redundant service infrastructure;
  • Constantly evaluating data centers and Internet service providers (ISPs) to optimize performance for its customers with regard to bandwidth, latency and disaster recovery isolation;
  • Situating data centers in secure co-location facilities that are ISP carrier neutral and provide physical security, redundant power, and infrastructure redundancy;
  • Service level agreements from ISPs to ensure a high level of uptime;
  • Rapid failover capability.

 

Transmission Control

ArtSolution has implemented suitable measures to prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media.

This is accomplished by:

    • Use of adequate firewall and encryption technologies to protect the gateways and pipelines through which the data travels;
    • Sensitive Personal Data is encrypted during transmission using up-to-date versions of TLS or other security protocols using strong encryption algorithms and keys;
    • Protecting web-based access to account management interfaces by employees through encrypted TLS;
    • End-to-end encryption of screen sharing for remote access, support, or real time communication.

 

Input Control

ArtSolution has implemented suitable measures to ensure that it is possible to check and establish whether and by whom Personal Data have been input into Personal Data Processing systems or removed.

This is accomplished by:

  • Authentication of the authorized personnel;
  • Protective measures for Personal Data input into memory, as well as for the reading, alteration and deletion of stored Personal Data, including by documenting or logging material changes to account data or account settings;
  • Segregation and protection of all stored Personal Data via database schemas, logical access controls, and/or encryption;
  • Utilization of user identification credentials;
  • Physical security of data processing facilities;
  • Session timeouts.

 

Monitoring

ArtSolution does not access Personal Data of the Customer, except:

  • To provide the required services under the agreement with the Customer;
  • In support of its Customer experience;
  • As required by law; or
  • Upon request by the Customer.

 

This is accomplished by:

  • Individual appointment of system administrators;
  • Adoption of suitable measures to register system administrators’ access logs to the infrastructure