Personal data protection - Subprocessors
1. Technical and organizational measures
Security policy and information security organization
Data protection
A DPO has been appointed who is responsible for coordinating, advising, monitoring, and raising awareness about procedures and guidelines relating to data protection. This officer will receive periodic training to ensure their knowledge and expertise remain up to date.
Contact: privacy@ticketmatic.com
Security responsibilities
Formal policies on data protection have been approved and communicated to staff. Data protection responsibilities are assigned internally.
Risk management
Periodic risk analyses are carried out, from which data protection measures are derived.
Secure HR policies
Confidentiality obligations
Employees are subject to a confidentiality obligation when processing personal data. This obligation is included in the work regulations or a separate non-disclosure agreement.
Awareness
Employees are aware of the importance of data protection and will follow the necessary procedures when processing personal data. Awareness training will be repeated periodically.
Onboarding and offboarding
Access rights of employees are revoked at the end of employment so that unauthorized persons no longer have access to personal data.
Inventory of company assets
An inventory is maintained of all information processing systems used by employees.
Premises
Physical security
Physical access to offices where personal data is processed is strictly limited to identified and authorized persons. Badge readers have been installed, and locks provided where needed, to prevent unauthorized access. The entire building is also equipped with alarm and fire detection systems.
Access control
Access policy
Employee rights are restricted according to the “need-to-know” principle. Additional access beyond what is initially necessary is only possible after formal approval and with a valid reason.
Access authorization
A proper authorization system is in place for access to sensitive information. Each individual receives a unique ID to log in.
Network access
A firewall ensures that access to the network is appropriately protected.
Data center
All data required for operations is centralized in a secure, industry-standard data center. Ticketmatic uses AWS (Amazon Web Services), a proven, reliable provider with over 500 privacy features (see https://aws.amazon.com/compliance/gdpr-center/). AWS is ISO27001 certified. External parties are not allowed access to servers.
Operational security
Backup
The Processor takes extensive measures to protect the Controller’s data. All data is replicated in real time to a second data center as a “standby” replica. This replication is synchronous: all changes are written simultaneously to both primary and secondary sites, ensuring an up-to-date standby system if the primary fails. Additionally, a full backup (including transaction logs) is taken every night, allowing point-in-time recovery for the past 7 days. Additional snapshots are redundantly stored at an external location for up to 100 days.
Passwords and sensitive data
Passwords are cryptographically hashed before storage so the original values cannot be retrieved. Credit card and other payment details are not stored.
Security updates
Security updates and patches are systematically monitored and installed.
Communication security
All personal data transmitted via public or internal channels/networks is adequately encrypted. Access protocols are restricted; for example, FTP access is not possible.
Supplier relationships
Selection of subprocessors/subcontractors
An appropriate selection process is applied when choosing subprocessors/subcontractors, evaluating their personal data security. Only parties meeting current standards of information security and data protection are engaged.
Contractual obligations
A data processing agreement is in place with all suppliers that process personal data.
Incidents
Ticketmatic keeps a register of security breaches with a description, time, consequences, the name of the reporter, and the recipient of the report.
In case of a potential security incident affecting the confidentiality, integrity, or availability of personal data, necessary steps will be taken to inform the Controller in a timely and sufficient manner. When reporting a breach, the Processor will provide:
- Reporter’s contact details (name, position, email, phone number)
- Details of the breach:
  - Summary of the incident
  - Personal data involved
  - When the breach occurred
  - Nature of the breach
  - Assessment of its consequences
- Measures taken by the Processor to mitigate and prevent recurrence
2. Subprocessors
The following Subprocessor(s) perform services related to personal data on behalf of Ticketmatic:
Amazon Web Services Europe
https://aws.amazon.com
Hosting and infrastructure services (PaaS)
Processing location: EU/EEA (Ireland and Frankfurt data centers)
Postmark
https://postmarkapp.com/
E-mail Service Provider. E-mails triggered from the application are sent via Postmark.
Processing location: US (EU - U.S. Privacy Shield Framework and/or Standard Contractual Clauses (SCCs) active)
https://postmarkapp.com/eu-privacy#gdpr
Intercom
https://www.intercom.com/
Help desk software to communicate with customers. Sometimes these communications contain personal data of end customers.
Processing location: US (EU - U.S. Privacy Shield Framework and/or Standard Contractual Clauses (SCCs) active)
https://www.intercom.com/help/en/articles/1385437-how-intercom-complies-with-gdpr
Loggly
https://www.loggly.com/
Log management to visualize, analyze and monitor application events.
Processing location: US (EU - U.S. Privacy Shield Framework and/or Standard Contractual Clauses (SCCs) active)
Sentry
https://sentry.io/
Application error logging.
Processing location: worldwide (Google data centers) (EU - U.S. Privacy Shield Framework and/or Standard Contractual Clauses (SCCs) active)
Google Analytics
https://www.google.com/
Traffic analytics
Processing location: worldwide
Last update: 10/06/2020