...
Question | Answer |
|---|---|
“What security and privacy measures has AWS implemented to protect customer data, and how does their Data Processing Agreement (DPA) relate to GDPR compliance?” | AWS has implemented a comprehensive set of security and privacy measures to protect customer data, including data encryption, access control, and audit logging. AWS also offers a Data Processing Agreement (DPA) that incorporates AWS's commitments as a data processor under the GDPR. |
"What are the storage requirements for personal data under the GDPR, and how does it relate to the protection of EU residents' personal data?" | The GDPR does not specify where data must be stored (although it does require that data controllers take appropriate measures to protect the personal data of EU residents). |
“What is the level of GDPR compliance in AWS data centers located in the US, especially in North Virginia, and where can I find up-to-date documentation on this matter?” | All AWS data centers are compliant with DGPR, including the ones in the US in general, and North Virginia in particular. See for example this up-to-date White Paper by AWS: Navigating GDPR Compliance on AWS - AWS Whitepaper (amazon.com) |
“What kind of information Galooli processes? “ | The kind of information Galooli processes is detailed in Galooli's Privacy Policy, especially in the sections “Data,” and “Data Collecting.” The latter reads: "Data is collected under the legitimate business interests of the Asset Owner to enable it to monitor aspects such as, but not limited to: Asset Location, Fleet Optimization, Road and Driver Safety, Environmental Impact, Fuel Usage, Power usage." |
Technical and Organizational Security Measures
Galooli undertakes the following technical and organizational measures, among others, to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in compliance with applicable data protection laws:
24/7 Monitoring: Includes pre-configured and customized alarms and notifications for abnormalities.
Access Control: Access to customer data is strictly limited to authorized Galooli personnel and users, enforced through identity and access management protocols within our ISO 27001 certified cloud environment.
Admin Login Notification: Admin login from more than one device triggers a Double-Login Attempt notification.
All Data Transfers: Fully encrypted, utilizing HTTPS and TLS (no less than 1.2) encryption protocols.
Audit Trail and Login Records: Including records of attempted, failed, and successful logins."
AWS IAM: Utilizes Amazon Web Services Identity and Access Management for secure and granular control over user permissions.
AWS Notifications: Includes access to AWS real-time platform status dashboards and AWS Inspector for enhanced monitoring.
AWS Multi-Zone
Block Events Records: Record of blocked events maintained for security auditing.
Crisis Simulation Drill: Conducted periodically by management and the Chief Information Security Officer (CISO).
Data Availability Dashboard and KPIs: Provides real-time insights and key performance indicators to monitor data accessibility.
Data Isolation: Data is separated in distributed databases, with stringent authentication checks at both application and data layers to prevent unauthorized access and ensure data isolation by customer.
Data Deletion: Policies align with Galooli’s Service Level Policy, which permits data storage for a default period of three years. For longer retention, clients should contact Galooli support. Decommissioning processes prevent unauthorized access and ensure secure deletion in line with industry standards.
DDoS Mitigation and Firewall Protection: We employ IP- and port-based firewalls. Our infrastructure is designed to mitigate Distributed Denial of Service (DDoS) attacks through elastic load balancing and resilient DNS services.
Disaster Recovery (DR) Exercises: Conducted at least four times a year to ensure system resilience.
High Availability Setup: Includes a decentralized solution architecture using various database types (e.g., RDS, Redis, NoSQL) and AWS microservices.
MFA for Development Admins: Multi-Factor Authentication is required for development admins to enhance security.
Network Security: Protected by firewalls and boundary devices with carefully configured rule sets and access control lists to monitor and control data flow. Administrative access is restricted and continually verified.
Ongoing Data Replication.
Ongoing Risk Management: Integral to our R&D activities, ensuring continuous identification and mitigation of potential threats.
Open-Source Monitoring: For vulnerabilities: Utilizing NPM (client-side), NuGet (server-side), and AWS Inspector.
Periodic Development Training: For R&D and Product personnel to maintain and enhance product security.
Physical and Environmental Security: Measures in place include secured facility access and environmental controls to protect information systems.
Policy Procedures: Establish clear definitions of roles and authorities.
Pseudonymization and Encryption: Where applicable, data is pseudonymized or encrypted to enhance confidentiality.
Redundancy: Systems and data are duplicated across multiple sites to ensure availability and data integrity.
Segmentation and Compartmentalization: In permission management enhance security.
Split Between Staging and Product Environments: Environments are split between staging and production to safely manage and test changes before deployment.
Wrong Password: Five incorrect password attempts result in user block for 30 minutes.
Password Strength and Policy: Requires a combination of at least 8 letters, numbers, and symbols, changed at least every 180 days, with no reuse of previous passwords.
Predefined default settings for all factors in the system.
Irregularities Reports.
Bulk Configuration of System Assets.
Cloud-Based Managed Anti-Virus.
AZURE Active Directory + InTune.
Normalization of All Stored Data: To ensure consistency and reliability, with no unnecessary data retained.
Online Multi-Zone Replication.
Periodic Backups.
Management of Database Access Logs.
Change Alerts at the Code Level.
Continuous Improvement: Galooli’s security measures are reviewed annually, including independent third-party penetration testing to identify and remediate any potential vulnerabilities.