C1 - Instruction pertaining to the use of personal data
C1 Processing Security
C.1.1 Standard Security:
The Data Processor's processing of personal data on behalf of the Data Controller takes place in accordance with the Service Agreements entered into between the Data Controller and the Data Processor.
The Data Processor bases its information security management system on the ISO 27001 framework and has implemented the relevant controls that the standard defines. The management system also covers data protection and the processing of personal data.
The level of security is therefore generally high, reflecting the types of data processed and the services provided. The Data Processor has implemented technical and organizational measures in accordance with the ISO 27001 standard, where the relevant controls from Annex A have been implemented and are complied with. In addition, the Data Processor uses controls from the CIS Critical Controls framework as a supplement to ISO 27001 for the implementation of technical controls.
The performance and results of the controls are documented on an ongoing basis. Observations from controls and internal audits are used for continuous improvement.
At the time of entering into the agreement, the Data Processor is obliged to implement security measures and to maintain the level of security described in the document "Organizational and technical measures". The document is available in Legal & Compliance at itm8.
The Data Processor is also subject to external audits and has assurance reports prepared in the form of ISAE 3000 and ISAE 3402 for the services where this has been deemed relevant.
C.1.1.2 Additional security (with purchase):
In addition to the general level of security, the Data Processor offers a number of security services that help to increase the Data Controller's specific IT security. These services are described separately and are provided if they are part of the agreed services.
In addition to the general assurance reports, the Data Processor offers to prepare specific assurance reports on the Data Controller's environment. Specific assurance reports are provided as an optional service.
Procedures for the Data Controller's audits, including inspections, of the processing of personal data entrusted to the Data Processor
Self-monitoring
The Data Controller has access to a number of documents for the purpose of carrying out self-monitoring at https://legal.itm8.com, for example:
- The latest version of the Data Processor's ISAE 3402 assurance report (published annually).
- The latest version of the Data Processor's ISAE 3000 assurance report (published annually).
- The latest version of the ISO 27001 certificate.
- Description of the organizational and technical measures of the Data Processor.
- Information security policy.