
Data Processing Agreement — GoTacho

Technical Measures for the Protection of Personal Data

Authentication and Access Control

  • Requirement to log in using secure authentication mechanisms.
  • Use of role-based access control (RBAC) and the principle of least privilege.
  • Data isolation between clients in a multi-tenant environment.

Data Transmission Encryption

  • Enforcing encrypted data transmission using TLS (HTTPS).
  • Automatic renewal of certificates issued by trusted providers.
  • Blocking of unencrypted connections.

Data at Rest Protection

  • Limiting access to infrastructure storing data to authorized personnel only.
  • Securing servers within a private subnet and using firewalls.
  • Regular backups of data stored in a secure location.

Backups and Business Continuity

  • Regular creation of backups.
  • Periodic testing of data processing procedures.
  • Ensuring the ability to restore the system in the event of a failure.

Event Monitoring and Logging

  • Logging significant security events (e.g., logins, permission changes, administrative actions).
  • Monitoring system activity to detect unusual behavior.
  • Storing logs in a secure environment with restricted access.

Application and Infrastructure Security

  • Implementation of protection mechanisms against common web application attacks (e.g., XSS, CSRF, SQL injection).
  • Use of HTTP security headers.
  • Abuse prevention mechanisms (e.g., CAPTCHA verification).
  • Separation of development, testing, and production environments.

Organisational Measures for the Protection of Personal Data

Policies and Procedures

  • A personal data protection policy tailored to the nature of the business has been developed and implemented.
  • A procedure for handling data breaches has been established, defining responsibilities and reporting methods.
  • Rules for storing and deleting data have been set, including maximum retention periods for each category.
  • A process for granting, verifying, and revoking access rights has been defined.

Personnel Management

  • Data protection training is provided to all persons processing personal data.
  • Regular activities are carried out to reinforce knowledge of data protection.
  • Written authorizations for data processing have been obtained from all authorized persons.

Access Control

  • Access to data is granted only to the extent necessary to perform job duties.
  • Secure passwords are used in accordance with adopted security standards.
  • Access to systems and resources is promptly revoked when no longer required.

Documentation Management

  • Paper documentation is stored in secured locations.
  • Workstations are maintained in a state preventing unauthorized access to data.
  • Data storage devices are protected against unauthorized access through encryption or other appropriate technical measures.

Communication Security

  • Personal data is transmitted only using mechanisms ensuring confidentiality.

Incident Response

  • A designated channel for reporting data protection incidents is in place.
  • An incident register is maintained.
  • A procedure is in place for notifying the supervisory authority and affected individuals of breaches, in cases required by law.

Subprocessor Verification

  • An assessment of subcontractors’ reliability and data protection measures is carried out before cooperation begins.
  • Data processing agreements are concluded in accordance with applicable laws.
  • Supervision over subcontractors’ compliance is maintained, including periodic verification of implemented security measures.

Reviews and Verification

  • Periodic reviews of data protection procedures are conducted to assess their relevance and effectiveness.
  • The list of persons authorized to process personal data is regularly verified.