This document describes all measures and efforts taken by Accurat to ensure the security and quality of the data it processes via its Accurat service (further “Data”).
By applying the following measures, Accurat prevents the entrance of non-authorized persons to data-processing installations in which Data are processed or used: Data is collected and processed by Accurat on two locations:
By applying the following measures, Accurat prevents the utilization of data-processing systems by non-authorized persons. Accurat employs two types of data-processing systems:
By applying the following measures, Accurat ensures that persons authorized to use a data-processing system will only have access to those data that they have been authorized for and that, neither during the processing nor after storage, Data can be read, copied, altered or removed without a respective authorization: Accurat employees, i.e. software developers, that are authorized to use data processing systems are provided with a personal GCP user account and tokens. Specific accounts are in place to restrict certain access to Data depending on the job content and contribution to the Accurat Platform.
By applying the following measures, Accurat ensures that Data cannot be read, copied, altered or removed during electronic data transmission without authorization and that it is possible to check and determine at which points a transmission of personal data by means of data transmission installations is intended: Accurat employs an SSL connection for all data transmission in and out of the Accurat API on GCP. The connection uses TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
By applying the following measures, Accurat ensures that it is possible to check and determine subsequently whether and by whom Data have been entered into data-processing systems, altered or removed: Accurat employs the GCP Stackdriver Logging to monitor any modification to its GCP account.
By applying the following measures, Accurat ensures that Data subject to job processing are processed in strict accordance with the instructions given by the principal: Access to Data and servers is granted to GCP via an encrypted connection and all access is logged and can be traced by Accurat’s technical team. Specific accounts are in place to restrict certain access to Data.
By applying the following measures, Accurat ensures that Data are protected against accidental destruction or loss: Personal data arriving at the Accurat Platform is consolidated as-is into a Master Dataset which can be interpreted as a log of events. This Master Dataset is stored on a GCP BigQuery (BQ) data warehouse located in Europe. Google BQ provides automatic data replication for disaster recovery and high-availability of processing. Google BQ offers a 99.9% SLA and adheres to US-EU safe harbor agreements. BQ makes it easy to maintain strong security with fine-grained identity and access management control. BQ data is always encrypted, at rest and in transit. For more information, see the GCP BQ homepage: https://cloud.google.com/bigquery/
By applying the following measures, Accurat ensures that Data collected for different purposes can be processed separately: Every integration of the Accurat SDK into a mobile app, i.e. a specific purpose, is required to be provisioned with new app-specific credentials, i.e. app ID and key, even if it concerns different apps of the same client. The Accurat SDK automatically creates a new user account and ID on first use within an app and associates the app-specific token to it. During processing, data is only aggregated by user and by app.
Accurat information security policies are written to take account of the specific needs of providing cloud services including:
All policies are version-controlled, authorized and communicated to all relevant employees and contractors.
A comprehensive program of awareness training is delivered on an ongoing basis to all Accurat employees to emphasize the need to protect customer personal data appropriately. We also require our contractors to provide appropriate awareness training to all relevant employees.
In the use of certain services, Accurat makes use of peer cloud service providers. These suppliers are subject to regular second party audit to ensure that they have defined objectives for information security and carry out effective risk assessment and treatment practices. All supplier relationships are covered by contractual terms which meet the requirements of the GDPR.
Where Accurat deems it appropriate to inform its customers about an information security event (before it is determined whether it should be treated as an incident), we will do so within the legal time limits. Similarly, the customer can report security events to our support or privacy email address, where they are registered and the right action is taken. Information on the progress of such events can be obtained via our support address.
Accurat will report information security incidents to the customer when it believes that customer service or data have been or will be affected. We will do this as soon as reasonably practicable and will share as much information as we can about the consequences and the investigation of the incident as we deem necessary for an effective and timely resolution of the incident. An incident manager is appointed on a case by case basis to act as the contact point of Accurat for the incident, including matters relating to the recording and retention of digital evidence if necessary.
We prioritise incident management activities to ensure that the timescale requirements of the GDPR for notification of breaches affecting personal data are met.