Appendix 2: Security Annex
Version v20240925 - last updated on 25-09-2024
NOTE
This Appendix is part of the Data Processing Agreement
The Processor is obligated under the GDPR and Articles 6 and 7 of the Data Processing Agreement to implement appropriate technical and organizational measures to secure the Processing of Personal Data and to demonstrate those measures. This appendix provides a concise description and listing of these measures.
Measures to protect Personal Data against accidental or unlawful destruction, alteration, storage, access, or disclosure
- The Processor has an appropriate policy in place for securing the Processing of Personal Data, which is periodically evaluated and updated as necessary.
- The Processor operates an authorization system ensuring that only authorized employees can access the Personal Data processed under the Data Processing Agreement. Employees are granted no more access to data than is strictly necessary for their role.
- The Processor has appointed an information security coordinator to assess risks related to the Processing of Personal Data, promote security awareness, monitor the security provisions, and enforce compliance with the information security policy.
- Information security incidents are documented and used to optimize the information security policy.
- The Processor has established a process for communication regarding information security incidents.
- The Processor requires employees to sign confidentiality agreements and adhere to information security protocols.
- The Processor promotes awareness, education, and training related to information security.
Measures to secure Personal Data and ensure continuity of resources, network, server, and application
Below is the report of the BIV classification (Beschikbaarheid, Integriteit, Vertrouwelijkheid: Availability, Integrity, Confidentiality), the level of compliance per measure, and an explanation of any deviations from the standard. The Processor primarily uses the 'Certification Scheme for Information Security and Privacy ROSA' (available at www.edustandaard.nl) as a reference framework to establish a solid baseline for information security and privacy.
Subject | Response |
---|---|
Assessment type: | Self-assessment, conducted on 07-03-2024 based on the v3.0 assessment framework |
Assessment performed by: | J. Alkemade, General Director, Ziber B.V. |
Login page: | www.ziber.eu |
BIV classification: | Availability = High, Integrity = Medium, Confidentiality = High |
Category | Measures | Compliance | Explanation |
---|---|---|---|
Availability | Design | Compliant | |
Availability | Capacity management | Compliant | |
Availability | Maintenance | Compliant | |
Availability | Testing | Not compliant | We do not conduct load testing, but we take the expected load into account during development. We aim to improve this by applying the expected load in our test environment to identify potential issues, and want to have this in place before the number of platform users doubles. |
Availability | Monitoring | Compliant | |
Availability | Recovery | Compliant | |
Integrity | Traceability (users) | Compliant | Implemented where possible and necessary. |
Integrity | Backup | Compliant | |
Integrity | Application controls | Compliant | |
Integrity | Non-repudiation | Compliant | |
Integrity | Traceability (technical management) | Compliant | Implemented where possible and necessary. |
Integrity | Integrity checks | Compliant | |
Confidentiality | Data lifecycle | Compliant | |
Confidentiality | Logical access | Not compliant | Accounts are individual and personally identifiable. MFA and minimum password requirements are not yet enforced; their implementation is planned for the medium term (expected Q2 2025). |
Confidentiality | Physical access | Compliant | |
Confidentiality | Network access | Compliant | |
Confidentiality | Environment separation | Compliant | |
Confidentiality | Transport and physical storage | Not compliant | Encryption of data in transit (external transport) is compliant. Encryption of stored data is not yet implemented; given the increasing diversity and sensitivity of data on our platform, we plan to implement storage encryption in the medium term (expected Q4 2025). |
Confidentiality | Logging | Compliant | |
Confidentiality | Vulnerability management | Not compliant | Partially compliant: periodic security assessments are not yet conducted. We are exploring the feasibility of such assessments for our platform (more information expected by Q1 2025). |
Agreements on Reporting Security Incidents and/or Data Breaches
The Processor has a procedure in place for monitoring and identifying incidents and for reporting in the event of Data Breaches and/or security-related incidents. In such cases, the Processor will provide the Data Controller with the following information:
- The characteristics of the breach, such as: the date and time of discovery and the duration of the breach; a summary of the breach, including its nature and a description of the security incident (which security aspect was affected, how it occurred, and whether it involved reading, copying, altering, deleting or destroying, and/or theft of Personal Data);
- The cause of the breach;
- How the breach was discovered;
- The measures taken to address the breach and to prevent any (further and future) harm;
- Whether the Personal Data involved in the breach were encrypted, hashed, etc.;
- The group(s) of Data Subjects who may be affected by the incident, including the number and size of the group(s) of Data Subjects;
- The potential consequences of the breach for the Educational Institution and the group(s) of Data Subjects, including, where possible, an assessment of the risk of the consequences for the group(s) of Data Subjects;
- The amount and type of Personal Data involved in the breach (particularly special categories of Personal Data, such as health or religious data, or sensitive data, including access or identification data, financial data, or academic performance data).
In the event of a (suspected) security incident and/or Data Breach, the Educational Institution and the Processor will, in principle, contact each other by email using the contact details below, or using the contact information the Educational Institution has provided digitally via support@ziber.eu.
Role | Name and Function of Contact Person for Security Incidents/Data Breaches | Contact Details (Email and Phone Number) |
---|---|---|
Processor | DPO, Jonathan Apeldoorn | privacy@ziber.eu, +31 (0) 224 290989 |
Educational Institution | As provided during the Ziber Subscription or later updated via support@ziber.eu | As provided during the Ziber Subscription or later updated via support@ziber.eu |