Technical and Organizational Measures for GDPR Compliance

Introduction

Data Security

• Access Controls
  ‍Access to personal data is restricted to authorized personnel only (least privilege principle). We use a range of authentication methods, including passwords, two-factor authentication, and biometric authentication, to ensure that only authorized personnel can access personal data. Access to personal data is logged and monitored in real-time, and we conduct regular audits to identify and address any potential vulnerabilities. We also perform regular checks on access rights, reviewing access rights and adjusting in line with the least privilege principle.
  
• Encryption
  ‍Personal data is encrypted both in transit and at rest. We use industry-standard encryption technologies, such as Advanced Encryption Standard (AES) and Transport Layer Security (TLS), to ensure that personal data is protected from unauthorized access. Encryption keys are stored separately from the data, and strict access controls are in place to limit access to encryption keys.
  Reveall's servers are hosted by Amazon Web Services (AWS) in Frankfurt, Germany. AWS is ISO 27001 certified and provides strong encryption capabilities, including server-side encryption and client-side encryption. Server-side encryption encrypts data at rest on the servers using AES-256 encryption. Client-side encryption encrypts data before it is sent to the server, ensuring that personal data is protected while in transit.
• Network Security
  ‍Reveall has implemented firewalls, intrusion detection and prevention systems, and other network security measures to prevent unauthorized access to personal data. We use state-of-the-art security technologies and continuously monitor our systems to detect and respond to security incidents.
• Backups
  ‍Personal data is regularly backed up to ensure that it can be recovered in the event of a system failure or other disaster. Backups are stored in a separate location from live data, and access controls are in place to ensure that only authorized personnel can access backup data.
• Physical Security
  ‍Reveall's data centers are physically secured, and access to the data centers is restricted to authorized personnel only. We work with reputable third-party data centers that have strong physical security measures in place, including 24/7 security personnel and video surveillance.
• Business continuity
  Reveall uses multiple availability zones to make sure that all underlying infrastructure of the application is redundantly set up in relation to hardware, power and network.
• Logging
  ‍Reveall logs all API/HTTP(S) requests to the Reveall application for 90 days.
• DDOS Protection
  ‍Our infrastructure mitigates and absorbs all Layer 4 and below (D)DOS attacks, provided via Cloudflare.
• Secure coding
  ‍Our employees are required to take measures to prevent the OWASP top 10 vulnerabilities and to also otherwise implement secure development practices. The production and staging environment of Reveall are separated to make sure that customer data is not used for testing.
• Information security policies
  ‍Reveall has implemented information security policies that cover topics such as reporting of security incidents, password strength, confidentiality requirements of employees, encryption of employee devices and more. All employee devices are encrypted and protected from malware through Bitdefender, in line with corporate policy.

Data Processing

• Data Minimization
  Reveall only processes personal data that is necessary for the provision of its product discovery platform. Personal data is not processed for any other purpose. We regularly review the personal data we process to ensure that we are only processing what is necessary.
  
• Data Retention
  The Reveall application gives customers full control over the retention of personal data through the application itself. This allows customers to retain the data that is necessary for the purposes that they are processing the personal data for and to delete other personal data that they are required to delete under the GDPR. Upon request, custom automation processes for deletion can be set up, free of charge.
  
• Data Subject Rights
  ‍Reveall has implemented processes to enable data subjects to exercise their rights under GDPR, including the right to access, rectify, and delete their personal data. Our customers can easily manage data subject requests through our platform.
  
• Subprocessors
  Reveall has entered into agreements with its subprocessors that require them to comply with GDPR and to implement appropriate technical and organizational measures to protect personal data. We only work with subprocessors that meet our high standards for data protection.
  
• Data Protection Impact Assessment
  Reveall has conducted a Data Protection Impact Assessment (DPIA) to identify and mitigate risks associated with processing personal data. We regularly review and update our DPIA to ensure that it remains relevant and up to date.
  
• Staff Training
  All Reveall employees who handle personal data receive training on GDPR and data protection best practices. Our employees are trained to handle personal data securely and to recognize and respond to potential security incidents.
• Incident response
  Reveall has implemented an incident response plan that includes requirements for employees to report incidents, the designation of a response team and a requirement to inform customers about information security incidents in accordance with our DPA’s.

Conclusion