Technical and Organizational Measures In Accordance with Art. 32 GDPR and Amendments
Pseudonymisation and Encryption of Personal Data
Your password and account data are encrypted, as is all data stored within our billing portal and client area portal. We do not store any other billing-related material (e.g. credit card data) on our servers; we use third-party PCI-compliant companies to handle these payments.
Datacenter
For our services we use 3 datacenters (Caldera21 in Italy, Serverius DC2 in The Netherlands, M47 in Romania).
Every data center facility has a physical entry control system with a log and a high-security perimeter fence. Distribution of keys to their employees and colocated customers is controlled and logged. Access to the building, including by guests, is strictly controlled and logged. Data center staff are present twenty-four hours a day. The site is monitored by CCTV at all entrances and exits, and server rooms are protected with security door interlocking systems.
Access Control
After initial deployment of servers, VPS and cloud instances, root passwords can be reset by the client and are not known to Prometeus unless the client requests that we log in to offer support. Passwords must meet a minimum length and must be changed on a regular basis. While Prometeus shall try to prevent unauthorized access by applying security updates regularly, the responsibility for access control is incumbent upon the client.
For Prometeus internal administration systems, we prevent unauthorized access by applying security updates regularly, by keeping critical systems off of the public facing internet and accessible only via VPN, and by creating a compulsory process for allocating authorization for employees.
Transfer Control
Upon termination, hard disks that are decommissioned are wiped multiple times (data deleted) in accordance with data protection policies. The wiped hard disks are only reused after thorough testing; defective drives are destroyed and recycled in an environmentally responsible manner in specialised facilities.
Isolation Control
Prometeus internal administration systems' data is physically isolated from customer data. Also, their networking is air-gapped from customer networks.
Data Entry Control
All data changes made by Prometeus staff in internal administration systems are logged. For client servers, the responsibility for input control is incumbent upon the client.
Availability and Resilience
Prometeus internal administration systems are backed up daily and are also protected by the employment of security processes which include, but are not limited to, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), web application firewalls (WAF), spam filters, and virus scanners. Furthermore, all internal systems are monitored. Data resilience is enhanced by employing hardware RAID across all hard disks in operation.
Data backups are incumbent upon the client. Prometeus provides an uninterruptible power supply system, high availability networking and storage with software/hardware RAID (or similar). Clients must implement backup procedures with adequate retention and replicas (at least one off site in a different facility). In case of any data loss, clients must use such backups to recover their data. Prometeus is not responsible in any way for client data loss.
Procedures for Disaster Recovery
Prometeus has created and defined an escalation process which notes who is to be informed in the case of any sort of network, storage, or compute malfunction which results in service degradation and/or data loss. The goal of this escalation process is for all staff to be in a state of readiness in case disaster recovery procedures (i.e. data recovery) need to be actioned, so as to restore systems as quickly as possible.
Clients must be ready to restore their own backups to recover their data in case of disaster. Prometeus is not responsible in any way for client data loss.
Procedures for Regular Testing, Assessment, and Evaluation
As part of the procedure for regular testing of our GDPR preparedness process, staff will undergo regular "drills" to prove beyond any doubt their readiness to react swiftly and effectively in the case of service degradation. Employees are regularly trained in data protection law and are expected to be familiar with the procedural and user guidelines for data processing on behalf of clients, including with regard to the client's right of instruction.