These Data Processing Terms, hereinafter simply (“Terms”), form part of the Terms of Service between santal.at s.r.o. and Merchants (described below) regarding Almirio’s services. These Terms are binding between Almirio and Merchants and establish a data processing agreement. If there is a conflict between these Terms and the Agreement, these Terms will prevail. If you do not agree to these Terms, do not apply for or use the Service (both defined below).
At the choice of the Merchant, Almirio will delete or return all Personal Data to the Merchant after the end of the Agreement, and shall delete existing copies, unless an applicable law requires Almirio to store such Personal Data.
These Terms are governed by the laws of the Slovak Republic and are subject to the dispute resolution procedure prescribed by the Agreement.
Almirio reserves the right, at its discretion, to modify these Terms. In case of material changes, Almirio will notify the Merchant in writing, giving the Merchant the right to terminate the Agreement.
Schedule 1
Almirio shall take, among others, the following technical and organizational measures to ensure physical security of Personal Data and control system entry, access, transfer, input, availability and separation of Personal Data:
1. to establish the identity of the authorized persons and prevent unauthorized access to Almirio’s premises and facilities in which the Personal Data are processed:
– All entrances are secured or locked and can only be accessed with the appropriate key / chip card / internal digital keys;
– Premises are protected by an alarm system;
– All visitors are required to identify themselves and are signed-in by authorized staff;
– Video monitoring of premises;
– Visitors are accompanied by Almirio’s personnel at all times;
– Trained security guards are stationed in and around the building 24/7.
2. to prevent unauthorized access to the data processing systems:
– Use of state-of-the-art anti-virus software that includes e-mail filtering and malware detection;
– Use of firewalls;
– During idle times, user and administrator PCs are locked;
– Users are required to set up complex passwords and 2FA in all systems where possible;
– Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above these least privileges requires appropriate authorization;
– Starter, mover and leaver housekeeping processes are in place which cover access rights according to job duties;
– RSA/ed25519 key-based 2-factor authentication in place for the most critical remote connections;
– Vulnerability scanning and remediation in place;
– Data centre and website penetration testing programme in place.
3. to prevent unauthorized activities in the data processing systems outside the scope of any granted authorizations:
– User and administrator access to the network is based on a group-based / role-based access rights model. There is an authorization concept in place that grants access rights to data only on a “need to know” basis;
– Administration of user rights through system administrators or system owners;
– IT governance and controls audits undertaken regularly by an external third party;
– Internal control audits undertaken regularly.
4. to ensure that personal data cannot be read, copied, altered or removed by unauthorized persons during their electronic transmission or during their transport or recording on data carriers, and to guarantee that it is possible to examine and establish where personal data are or have been transmitted by data transmission equipment:
Ⓒ santal 2020