Technical and Organisational Measures
  • 16 May 2024

Natterbox maintains technical and organisational security measures to the ISO 27001:2022 certification standard. These measures are designed to comply with GDPR, CCPA and other applicable privacy regulations, and to constitute "reasonable security procedures and practices" for the protection of Personal Information under the CCPA.

Where a Natterbox supplier processes personal data in a jurisdiction outside the EEA that has not received an EU Commission adequacy decision, Natterbox relies on the following technical measures as the supplementary safeguards required by the Schrems II ruling.

These measures include:

  1. Physical Access Controls. Natterbox implements and maintains measures which prevent unauthorised persons from gaining access to the data processing systems with which personal data are processed or used. Protection against unauthorised access is ensured in particular by controlled physical access to the personal data processing systems in data centres, and by monitoring and auditing of the access control system.

    Namely:

    1. Access to locations that house servers or end-user terminals is only granted to authorised personnel

    2. Personnel who are no longer authorised, have their access revoked immediately

    3. Authorisation must be granted on a need-to-know basis, which should only arise for maintenance and emergency response purposes

    4. Access to locations that house servers requires at least two-factor authentication

    5. Access to locations with end-user terminals is protected with appropriate locked doors

    6. An audit trail of access to locations that house servers is kept and inspected at least quarterly for suspicious actions

    7. Natterbox has procedures for decommissioning hardware and data

    8. Server locations are protected using intrusion detection systems and 24/7 monitoring with cameras and/or security personnel

  2. Storage Controls. Natterbox ensures that the following measures have been implemented to prevent the unauthorised entry of personal data as well as the unauthorised reading, modification and deletion of stored personal data:

    1. All access to customer services or data is protected by Identity Management Systems (IMS)

    2. The IMS enforces the IT Permissions Concept

    3. The IMS enforces strong authentication through business standard mechanisms

    4. All services with remote access capabilities that grant access to customer data, or that are otherwise critical, require two-factor authentication

    5. Call recordings and associated Personal Data are encrypted at rest with AES using 256-bit keys, which are held and managed by Natterbox

    6. Personal Data is always encrypted during transit over the public internet.

    7. All other data at rest is either encrypted or protected from unauthorised access by architectural controls, such as the security zoning described under Denial of Use Controls.

  3. Denial of Use Controls. Natterbox implements and maintains measures which prevent data processing systems from being used without authorisation. In particular, state-of-the-art authentication and encryption processes are maintained, the network is designed in multiple layers that segregate each service into its own security zone, and firewalls are maintained so that traffic transits between networks only where required.

  4. Data Access Controls. Natterbox implements and maintains measures which ensure that persons entitled to use a data processing system can gain access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorisation in the course of processing. In particular, an authorisation concept is maintained, access and use rights are defined, unique user IDs and passwords are assigned, and state-of-the-art encryption processes are implemented.

    Namely:

    1. User access permissions to systems and data are requested, changed or revoked on a predefined workflow, including the sign-off by the superior and granting of the access rights,

    2. The process for user access administration is documented, the administration process itself has an audit trail,

    3. Each user account must be assigned exclusively to one specific user; shared group accounts (e.g. a shared admin login) are not permitted,

    4. Each permission within an IT system must be tied to groups or roles, not to individual users,

    5. All users must be assigned to specific groups,

    6. Access to customer resources must only be granted if the individual requiring or requesting access is authorised to have access to that resource.

    7. In general, access to resources:

      1. is requested by the requester,

      2. is approved by the CIO or CTO,

      3. is granted by the service owner,

      4. is granted only in accordance with the IT Permissions Concept,

      5. is granted only once the identity of the user has been confirmed by authoritative bodies,

      6. is only granted on a need-to-know basis,

      7. is always tied to a unique user account,

      8. must be revoked when the user is no longer authorised to access a resource.

  5. Data Transmission Controls. Natterbox implements and maintains its own private network infrastructure, which ensures that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission, transport or storage, and that it is possible to examine and establish to which bodies a transfer of personal data by data transmission facilities is envisaged. In particular, state-of-the-art identification, authentication and encryption processes are implemented.

    1. All personnel are responsible for ensuring that data is only communicated when:

      1. it is done using pre-defined communication technologies,

      2. there is clear lawful or business purpose,

      3. the employee has signed NDAs accepting responsibility for protecting that data,

      4. it is compliant with existing Non-Disclosure-Agreements (NDA),

      5. the recipient is authorised to receive the data,

      6. it does not violate the security principles explained in the security policies and training.

    2. IT personnel may communicate with servers or applications directly only when:

      1. the connection is secured using strong encryption protocols,

      2. the authenticity of the server or application has been verified (e.g. by validating its certificate), so that credentials are never sent to an impersonating host.

    3. All staff acknowledge that Natterbox can and will monitor communication through all hardware, software or systems

    4. Communication of data to non-Natterbox employees or companies is only allowed if that party can guarantee the security of the data sent

    5. IT infrastructure is protected against unauthorised electronic transmission using firewalls, data leakage prevention technology, anti-malware systems and active system and security monitoring

    6. IT infrastructure is hardened by disabling ports and transport protocols that are not required.

  6. Data Entry Controls. Wherever possible, Natterbox implements and maintains measures that make it possible to examine retrospectively whether, and by whom, personal data have been entered into data processing systems, modified or removed. In particular, system activities are monitored and the resulting logs are retained by Natterbox for at least three years.

    1. Data processing systems can only be used after strong identification and authorisation of the user,

    2. A backup and retention policy exists defining the procedures for data backup and secure storage over the retention time,

    3. Where technically possible, all access to data is logged:

      1. For every login/logout attempt, and for the start and termination of each session, the following must be logged: a timestamp of the event; the userID or username used; a sessionID, if applicable; the IP address from which the attempt was made; and the result.

      2. When data is viewed, the following must be logged: a timestamp of the event; a sessionID, username or userID; and the type of data that is viewed.

      3. When data is changed, the following must be logged: a timestamp of the event; the type/field of data that was changed; the old and new value; and a sessionID, username or userID.

    4. All log data must be stored on secure servers, and access to these servers must be protected by an IMS

    5. Access logs must be reviewed regularly, at least every quarter.
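The record shape in item 3 above and the regular review in item 5, as an added example that is not part of the original page and is not Natterbox's own tooling. The JSON field names, the event names, the review threshold and the sample log lines are all constructed for this illustration. The check first rejects any record that lacks a mandatory field for its event type (a non-compliant record is reported rather than silently dropped), then counts failed logins per source IP, which is the kind of suspicious pattern a quarterly review is meant to surface.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is one access-log record. The field names are an assumption made
// for this example; the mandatory fields per event type follow the list above.
type AuditEvent struct {
	Timestamp string  `json:"ts"`
	Event     string  `json:"event"` // login, logout, session_start, session_end, view, change
	UserID    string  `json:"user_id,omitempty"`
	SessionID string  `json:"session_id,omitempty"`
	SourceIP  string  `json:"src_ip,omitempty"`
	Result    string  `json:"result,omitempty"` // success or failure
	DataType  string  `json:"data_type,omitempty"`
	Field     string  `json:"field,omitempty"`
	OldValue  *string `json:"old,omitempty"` // pointers so a present-but-empty value still counts as logged
	NewValue  *string `json:"new,omitempty"`
}

// Validate returns the mandatory fields that are missing for the event type,
// or nil when the record satisfies the logging requirements.
func (e AuditEvent) Validate() []string {
	var missing []string
	need := func(name, val string) {
		if val == "" {
			missing = append(missing, name)
		}
	}
	if _, err := time.Parse(time.RFC3339, e.Timestamp); err != nil {
		missing = append(missing, "ts")
	}
	switch e.Event {
	case "login", "logout", "session_start", "session_end":
		need("user_id", e.UserID)
		need("src_ip", e.SourceIP)
		need("result", e.Result)
	case "view":
		need("data_type", e.DataType)
		if e.SessionID == "" && e.UserID == "" {
			missing = append(missing, "session_id|user_id")
		}
	case "change":
		need("field", e.Field)
		if e.OldValue == nil {
			missing = append(missing, "old")
		}
		if e.NewValue == nil {
			missing = append(missing, "new")
		}
		if e.SessionID == "" && e.UserID == "" {
			missing = append(missing, "session_id|user_id")
		}
	default:
		missing = append(missing, "event")
	}
	return missing
}

// ParseAuditLog reads newline-delimited JSON and separates compliant records
// from those that are unparseable or incomplete, which are reported by line.
func ParseAuditLog(raw string) (valid []AuditEvent, problems []string) {
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			problems = append(problems, fmt.Sprintf("line %d: unparseable: %v", i+1, err))
			continue
		}
		if missing := ev.Validate(); len(missing) > 0 {
			problems = append(problems, fmt.Sprintf("line %d: missing %s", i+1, strings.Join(missing, ",")))
			continue
		}
		valid = append(valid, ev)
	}
	return valid, problems
}

// FailedLoginsByIP is one check a periodic review runs: failed login attempts
// per source IP, keeping only the sources at or above the threshold.
func FailedLoginsByIP(events []AuditEvent, threshold int) map[string]int {
	counts := map[string]int{}
	for _, ev := range events {
		if ev.Event == "login" && ev.Result == "failure" {
			counts[ev.SourceIP]++
		}
	}
	for ip, n := range counts {
		if n < threshold {
			delete(counts, ip)
		}
	}
	return counts
}

// SampleLog is constructed for this example; the addresses are documentation ranges.
const SampleLog = `
{"ts":"2024-05-16T09:00:01Z","event":"login","user_id":"alice","session_id":"s-100","src_ip":"198.51.100.2","result":"success"}
{"ts":"2024-05-16T09:00:05Z","event":"view","session_id":"s-100","data_type":"call_recording"}
{"ts":"2024-05-16T09:00:09Z","event":"change","session_id":"s-100","field":"contact.phone","old":"+441234000000","new":"+441234000001"}
{"ts":"2024-05-16T09:01:00Z","event":"login","user_id":"bob","src_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-16T09:01:02Z","event":"login","user_id":"bob","src_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-16T09:01:04Z","event":"login","user_id":"admin","src_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-16T09:01:06Z","event":"login","user_id":"root","src_ip":"203.0.113.7","result":"failure"}
{"ts":"2024-05-16T09:02:00Z","event":"login","user_id":"carol","result":"failure"}
{"ts":"2024-05-16T09:30:00Z","event":"logout","user_id":"alice","session_id":"s-100","src_ip":"198.51.100.2","result":"success"}
`

func main() {
	events, problems := ParseAuditLog(SampleLog)
	for _, p := range problems {
		fmt.Println("non-compliant record:", p)
	}
	for ip, n := range FailedLoginsByIP(events, 3) {
		fmt.Printf("review: %d failed logins from %s\n", n, ip)
	}
}
```

Line 8 of the sample is a failed login without a source IP; it is reported as non-compliant and excluded from the count, so the review cannot be satisfied by records that omit the attribution the policy requires.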

  7. Contractual Controls. Natterbox implements and maintains measures which ensure that personal data processed on the basis of a data processing agreement are processed solely in accordance with the directions of Data Controller.

  8. Availability Controls. Natterbox implements and maintains measures which ensure the high availability required of a real-time global telecommunications network and which protect personal data against accidental destruction or loss. Natterbox operates a globally redundant multi-master platform in which data is replicated between primary regional data centres in real time. The measures include:

    1. A Business Continuity Plan and Disaster Recovery plan based on a Business Impact Analysis (BIA)

    2. The BIA/BCP includes at a minimum:

      1. Definition of a scope and identification of the assets that are within scope,

      2. Identification of the IT assets, data and control flows and their status, as either existing or planned,

      3. Identification of the threats, the type of threats represented and their sources,

      4. Assessment of the impact that losses of confidentiality, integrity, authenticity and availability may produce,

      5. Derived protection measures for these impacts.

    3. Data processing centres have appropriate environmental controls, including:

      1. Automatic fire detection mechanisms,

      2. Protection measures against water damage,

      3. Uninterruptible Power Supply (UPS) units,

      4. Climate and Temperature Control,

      5. Monitoring of environmental conditions of the servers.

  9. Recoverability. All data is backed up on a schedule that reflects the data's volatility and its perceived risk of loss within a given data window. Data is backed up to an alternate data centre location, into secure zones. The backup process incorporates restoration checkpoints to validate the effectiveness of the process, with automated processes that perform integrity checks on the backed-up data.

    Backups are encrypted with an asymmetric key within the secure backup zone before they are exported outside the primary data centre. Because decryption requires the private key, it may only take place within the secure backup zone.
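The encrypt-for-a-zone design in the paragraph above, as an added example; this is not Natterbox's backup code. It assumes an ECDH key pair on P-256 whose private half exists only inside the backup zone, a hash-based key derivation in place of HKDF so that it stays within the Go standard library, and a constructed backup payload. The exporting side holds only the public key, so a copy of the exported blob taken outside the zone cannot be opened there, and any modification of the blob (ciphertext or the ephemeral key it carries) is rejected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const p256PubLen = 65 // uncompressed P-256 point, as produced by (*ecdh.PublicKey).Bytes()

// BackupZone models the secure backup zone: the only holder of the private
// key and therefore the only place a backup can be decrypted.
type BackupZone struct {
	priv *ecdh.PrivateKey
}

func NewBackupZone() (*BackupZone, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &BackupZone{priv: priv}, nil
}

// PublicKey is all the exporting side needs to hold.
func (z *BackupZone) PublicKey() *ecdh.PublicKey { return z.priv.PublicKey() }

// deriveKey turns the ECDH shared secret into an AES-256 key. A labelled hash
// stands in for a proper KDF (HKDF) to keep this example standard-library only.
func deriveKey(shared, ephPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("backup-export-v1"))
	h.Write(ephPub)
	h.Write(shared)
	return h.Sum(nil)
}

// EncryptForZone runs outside the zone with only the public key. Output is
// ephemeralPub || nonce || AES-GCM ciphertext; the ephemeral public key is also
// bound as associated data so it cannot be swapped without detection.
func EncryptForZone(pub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(pub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	block, err := aes.NewCipher(deriveKey(shared, ephPub))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(ephPub)+len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, ephPub...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, ephPub), nil
}

// Decrypt runs inside the zone. The GCM tag covers both the ciphertext and
// the ephemeral key, so any modification fails authentication.
func (z *BackupZone) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < p256PubLen+12+16 { // key + GCM nonce + GCM tag
		return nil, errors.New("backup blob too short")
	}
	ephPub := blob[:p256PubLen]
	pub, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := z.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared, ephPub))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := blob[p256PubLen : p256PubLen+gcm.NonceSize()]
	return gcm.Open(nil, nonce, blob[p256PubLen+gcm.NonceSize():], ephPub)
}

func main() {
	zone, _ := NewBackupZone()
	blob, _ := EncryptForZone(zone.PublicKey(), []byte("constructed backup payload"))
	pt, err := zone.Decrypt(blob)
	fmt.Printf("restored in zone: %q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 1 // tamper with one ciphertext byte
	_, err = zone.Decrypt(blob)
	fmt.Println("tampered blob:", err)
}
```

A fresh ephemeral key per backup means two exports of the same data produce unrelated ciphertexts, and compromising one export never yields a key that opens another.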

  10. Reliability. Natterbox maintains mature processes and procedures to ensure the system is operational and that incidents are reported and handled appropriately, including:

    1. Procedures for an Incident Management Team including escalation procedures and ticketing system

    2. Procedures for Incident Management

    3. Security Information and Event Management (SIEM) procedures for when security breaches, information loss or unauthorised disclosure, or other disasters occur

    4. Standardised Change Management and testing procedures in order to ensure uninterrupted service delivery

  11. Separation Control. Natterbox implements and maintains measures which ensure that data collected for different purposes or different principals can be processed separately.

    All database access by applications that need customer data is routed via the Core API layer, which is located in the platform's Protected Zone and brokers all access to the underlying databases. The Core API layer is built on an MVC (Model, View, Controller) framework in an object-oriented style and exposes a REST-based interface. Its base libraries ensure that tenancy segregation is validated for every API request based on the presence of a Session Token. The Session Token is generated on initial authentication and is bound to the client IP address. It is then used to restrict the data set available to the account (tenant), limiting access to the underlying data structures (tables and fields) in the database.
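An illustration of the brokered, tenant-scoped access described above, added here as an example; it is not taken from the Core API itself. The session store, the in-memory stand-in for the database, and the tenant, user and recording identifiers are all assumptions made for the example. What it shows is that the tenant is fixed when the token is issued and never read from the request, that the token is bound to the client IP it was issued to, and that every read applies the tenant filter, so an identifier belonging to another tenant behaves exactly like a non-existent one.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnauthenticated = errors.New("invalid or expired session token")
	ErrIPMismatch      = errors.New("session token presented from a different IP")
	ErrNotFound        = errors.New("recording not found in this tenant")
)

// Session is what a token resolves to. The tenant is fixed at authentication
// time; request parameters can never widen it.
type Session struct {
	UserID    string
	TenantID  string
	ClientIP  string
	ExpiresAt time.Time
}

type SessionStore struct {
	mu       sync.Mutex
	sessions map[string]Session
}

func NewSessionStore() *SessionStore {
	return &SessionStore{sessions: make(map[string]Session)}
}

// Issue is called once initial authentication has succeeded. The token is
// 256 bits of randomness and encodes nothing about the tenant it scopes.
func (s *SessionStore) Issue(userID, tenantID, clientIP string, ttl time.Duration) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	token := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[token] = Session{UserID: userID, TenantID: tenantID, ClientIP: clientIP, ExpiresAt: time.Now().Add(ttl)}
	return token, nil
}

// Resolve checks that the token exists, has not expired and is presented from
// the IP it was issued to, then returns the tenant scope for the request.
func (s *SessionStore) Resolve(token, clientIP string) (Session, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[token]
	if !ok || time.Now().After(sess.ExpiresAt) {
		return Session{}, ErrUnauthenticated
	}
	if sess.ClientIP != clientIP {
		return Session{}, ErrIPMismatch
	}
	return sess, nil
}

// CallRecording stands in for a database row; TenantID is the partition key.
type CallRecording struct{ ID, TenantID, Caller string }

// CoreAPI brokers every read of the backing store.
type CoreAPI struct {
	Store *SessionStore
	DB    []CallRecording // constructed in-memory stand-in for the database
}

// GetRecording applies the tenant filter on every lookup. A row owned by
// another tenant is reported exactly like a missing one, so recording IDs
// cannot be probed across tenants.
func (a *CoreAPI) GetRecording(token, clientIP, id string) (CallRecording, error) {
	sess, err := a.Store.Resolve(token, clientIP)
	if err != nil {
		return CallRecording{}, err
	}
	for _, r := range a.DB {
		if r.TenantID == sess.TenantID && r.ID == id {
			return r, nil
		}
	}
	return CallRecording{}, ErrNotFound
}

// ListRecordings returns only the caller's tenant slice of the table.
func (a *CoreAPI) ListRecordings(token, clientIP string) ([]CallRecording, error) {
	sess, err := a.Store.Resolve(token, clientIP)
	if err != nil {
		return nil, err
	}
	var out []CallRecording
	for _, r := range a.DB {
		if r.TenantID == sess.TenantID {
			out = append(out, r)
		}
	}
	return out, nil
}

// NewDemoAPI builds an API over constructed sample rows for two tenants.
func NewDemoAPI() *CoreAPI {
	return &CoreAPI{
		Store: NewSessionStore(),
		DB: []CallRecording{
			{ID: "rec-1", TenantID: "acme", Caller: "+441234000001"},
			{ID: "rec-2", TenantID: "acme", Caller: "+441234000002"},
			{ID: "rec-3", TenantID: "globex", Caller: "+441234000003"},
		},
	}
}

func main() {
	api := NewDemoAPI()
	token, _ := api.Store.Issue("alice", "acme", "10.0.0.5", time.Hour)
	_, err := api.GetRecording(token, "10.0.0.5", "rec-3") // another tenant's row
	fmt.Println("cross-tenant read:", err)
	_, err = api.GetRecording(token, "10.0.0.9", "rec-1") // token replayed from another IP
	fmt.Println("token from other IP:", err)
}
```

Binding the token to the client IP limits what a stolen token is worth, but it is a second line of defence: the tenant filter in the data access path is what prevents cross-tenant reads even when a token is valid.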

    Other measures:

    1. Access to data processing systems only after strong identification and authorisation of Natterbox personnel

    2. Standardised testing procedures with separated QA, Staging and Production environments for development, test and production,

    3. Standardised testing procedures for performing functional and non-functional tests

    4. Standardised signoff and error management procedures


  12. User Controls. Natterbox ensures that the following measures have been implemented for the prevention of the use of automated processing systems by means of data communication equipment by unauthorised users:

    1. All services requiring highly privileged access, such as administrator access with remote access capabilities, require two-factor authentication. Administrative work on any system component must be done securely and must be auditable

    2. Unsuccessful access attempts are evaluated regularly

    3. All servers are configured to a security baseline and are continuously tested for vulnerabilities

    4. All vulnerabilities found, and all critical updates, are handled according to their severity

    5. The office network, all workstations and the live infrastructure are protected from viruses and unauthorised changes

    6. Workstations and devices used to access and/or store personal or sensitive information are encrypted

    7. All services require a username and a password that complies with the Password Policy, which requires that:

      1. Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.

      2. Default passwords must be changed immediately.

      3. All user-level passwords must be changed at least every six months. For critical access, the password must be changed every quarter.

      4. Passwords must contain upper- and lowercase letters, special characters and numbers. The minimum length is 12 characters.

    8. A Workplace Policy is in place with the following requirements:

      1. Workplace access security controls

      2. Security of company IT equipment

      3. Clean desk requirements, so that non-digital information is protected

  13. Control of processing instructions. Natterbox ensures that the following measures have been implemented to ensure that personal data can only be processed according to the instructions of the customer:

    1. Regulation of all assignments for processing personal data in written contracts,

    2. Regulation of the basic requirements for liability, assigning of competences, safety requirements and measures, as well as control rights,

    3. Contracting authorities (controllers) are assisted in exercising their control rights by the data protection officer, who ensures compliance with the data protection regulations applicable to the commissioned processing and to the data protection of the applications,

    4. Verification of compliance with the contractual obligations

