
Annex 2 to the Standard Contractual Clauses

Effective 4 April 2024

Security measures implemented by the data importer

The data importer has implemented and shall maintain the following security measures intended to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

Security Measure: Pseudonymisation and Encryption

Practices:

Where data is processed and how it is Secured

The data, systems and applications used are hosted in public cloud services. Use is made of AWS where the systems and data are hosted in Dublin and the UK and Office 365 data is stored within the UK. The native facilities within the cloud platforms are used to encrypt all data at rest and in transit. Key management is undertaken using the in-built platform functionality.

As part of our comprehensive supplier due diligence process, the location and protection of our data that the supplier is storing/processing is addressed. In all cases, data is encrypted in transit, at rest and when backed up.

Where data is stored on an external system (e.g. SaaS provider), we ensure that this is encrypted. The majority of external applications that we use store and process data within the UK and/or EEA. Should data reside in a different jurisdiction, confirmation is obtained that appropriate and approved agreements are in place in compliance with Data Protection Legislation.

Data Protection Controls

Data transmitted between Azets and any external party uses one of the following mechanisms:

Email – our email system is configured to send all emails encrypted by default where supported by the receiving party.

Secure file exchange – we have a secure file exchange facility that can be used to exchange data between an external party and Azets. All data is encrypted in transit and when stored on the file exchange server. A dedicated repository shall be created for the external party to ensure that no unauthorised user is able to gain access to their data. The external party’s users shall be added to the file exchange solution on an individual basis and only the necessary access rights shall be assigned to each user.

Removable media – this is an option that is rarely used but should it prove necessary, then the following shall apply:

Only IT approved and issued encrypted USB devices can be used. This is controlled via the device control application within our endpoint management software.

If we were to receive a USB device from an external party, the recipient’s device would be configured to permit access to the USB device such that they could download the content, after which this access would be disabled. Our A/V software would automatically scan the device before any data is read from it.

Security Measure: Ongoing Confidentiality, Integrity, Availability and Resilience

Standards

Commercially reasonable and appropriate methods and safeguards are utilised to protect the confidentiality, availability, and integrity of Personal Data.

Confidentiality

Azets ensures that Azets Personnel authorised to access Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Training

All Azets Personnel with access to Personal Data receive annual training.

Backups

24/7 managed backup services are provided; Personal Data stored in the primary site is backed up on at least a daily basis to a secondary site. Azets provides backup services for all components included in the Services. Backups are maintained for a period of ninety days in the primary data centre, and ninety days in the secondary data centre.

Disaster Recovery

Azets maintains disaster recovery capabilities designed to minimise disruption to the Services. Included within these plans is disaster recovery incident management, procedures for the recovery of access to Personal Data in the secondary data centre, as well as the periodic testing/exercising of the disaster recovery plan.

Security Measure: IT Security Controls

Authentication

Users are forced to use complex passwords (via system configuration settings) with a minimum length of 14 characters. As detailed below, this is supplemented with multi-factor authentication.

Infrastructure Security Controls

The following measures are in place:

All end user devices (EUD) and servers have a hardened build applied to them

Firewalls are enabled on all EUDs and within our server/cloud environment. Additionally, network security groups are also in place

Anti-virus software is installed on all EUDs and servers. These are updated as soon as an update is issued by the vendor and we proactively check for currency of the installed A/V products

With the exception of Microsoft Office, minimal software is installed on the EUD. As Remote Desktop Service (RDS) or Citrix is used to access the servers/line of business applications, any additional software is installed within the respective environment

Whitelisting has been applied on all devices to define what applications users are permitted to run

Users do not have local admin rights to their machines so are limited as to the changes that they can make to their machine

An email gateway scans all inbound, outbound and internal email. If an email fails any of the checks, it is quarantined. In most cases, the email would need to be released by the IT support team (only emails identified as potentially spam can be released by the user)

URL filtering is in place. Certain website categories are blocked unless there is a specific business requirement to access these. The following are some of the categories that are blocked: gambling, adult themes, internet file storage services, web-based email. Where exceptions are made, these would be on a per-user basis.

We have a managed Extended Detection and Response (XDR) service which monitors all activity within our network, EUDs and servers. If a significant event is identified, it is investigated by the XDR provider and, following investigation, is sent to Azets to undertake remedial activity. Logs from all our systems are ingested into the XDR service, which also includes integration with AWS, Office 365, firewalls and our secure email gateway.

Access to our line of business applications is via our RDS or Citrix solutions. Authentication is via the user’s network credentials and if accessing from outside an office, multi-factor authentication (MFA) is required. All data remains within this environment and there is no access to the user’s local hard drive when using an RDS/Citrix session

Every user has their own network account. MFA is also required when accessing externally provided services. To minimise the number of accounts that users must use, single sign-on has been implemented where this is supported by the vendor.

Access to Azets systems is obtained solely via a corporate issued device.

Network Controls

The following measures are in place:

Network management of each office is undertaken by the IT department

Firewalls have been implemented in all offices

Minimal IT infrastructure resides within each office, typically just network devices

The guest wireless network has no connectivity to the corporate network

Personal devices (e.g. mobile phones) cannot connect to the corporate wireless network

Within our AWS deployment, extensive use is made of Network Access Control

Test environments are segregated from the production environment

Backup/Resilience Measures

The following measures are in place:

All data within our environment is encrypted at rest and in transit. Various backup methods are in place depending on the system that is being backed up. This includes traditional daily/weekly/monthly backups, 30 minute snapshots and log file shipping

Immutable backups are in place and are stored in a different location to our production systems

Our cloud hosting provider has various resilience facilities in place (i.e. availability zones)

Cloud native backup solutions are in use

All backed-up data is encrypted

The backup solutions are automated and an alert would be generated if there was a failure in any of these. Processes/scripts are in place to restore data should there be a system failure, loss of data or data corruption

Restore testing is undertaken to ensure that the business Recovery Time/Point Objective can be achieved

Access Control

A role-based access control model has been implemented and access is provided on a need-to-know basis based on the user’s role requirements; users are only provided with the minimum level of access required to undertake their job. All application and IT system administration is undertaken by the IT team – users cannot administer business applications.

There is an internal service desk system where access requests can be made; each request requires approval by the line manager and/or the system/business owner.

System Maintenance and Vulnerability Management

A patching policy and process is in use within the business which includes patching timescales based on severity. This is supplemented with a vulnerability management application which scans devices on a daily and/or weekly basis (dependent on the device type). The security team proactively work with IT to ensure that patches are applied to the devices in a suitable timeframe (in accordance with the process) and based on the severity. Patching progress/mitigation measures are closely monitored by the security team.

Additionally, vendor websites are monitored and/or we receive notifications when vulnerabilities have been identified in their products, and their recommended actions shall be followed. The managed XDR service also provides threat information which supplements the vulnerability management measures in place.

Where appropriate, patches are tested on a sample number of systems to ensure that there are no adverse impacts before being rolled out to the rest of the estate. A system management tool is in place which is used to push out software and/or configuration updates to all systems.

Third Party Access

There are very few instances whereby third parties have access to our systems. Where this is in place, it is to provide support services. Access is provided only as and when required and is disabled when no longer needed. Confirmation would be obtained from the third party

Security Measure: Protection of Personal Data During Transmission

Encryption

Personal Data in transit is transferred across encrypted network connections and/or protocols (i.e., hypertext transfer protocol secure (HTTPS) and/or virtual private network (VPN)).

Security Measure: Protection of Personal Data During Storage

Encryption

Personal Data at rest is encrypted using ciphers at least as strong as 256-bit advanced encryption standard (AES).

Encryption of Backups

Backups of Personal Data are encrypted and stored in a secondary data centre.

Security Measure: Physical security

Security Safeguards

Physical security safeguards are maintained at any facilities where Azets hosts Personal Data. Physical access to such facilities is only granted following a formal authorisation procedure and access rights are reviewed periodically.

Facilities

Such facilities are rated as Tier 3 data centres or greater, and access to such facilities is limited to identified and authorised individuals. Such facilities use a variety of industry standard systems to protect against loss of Personal Data due to power supply failure, fire, and other natural hazards.

Security Measure: Event Logging

Network Security

Azets utilises an enterprise-class security information and event management (SIEM) system – which is part of our XDR service – and maintains firewalls and other control measures (e.g., security appliances, network segmentation) to provide reasonable assurance that access from and to its networks is appropriately controlled.

Event Logging

Azets logs access and use of information systems containing Personal Data.

Security Measure: System Configuration

Malicious Software

Anti-malware controls are maintained to help prevent malicious software from causing accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.

Asset Inventory

Asset inventories of computing equipment and media used in connection with the processing of Personal Data are maintained. Access to such inventories is restricted to authorised Azets Personnel.

Security Measure: Governance and Management

Information Security and data protection

Information security and associated data protection is taken extremely seriously within the business. The following are in place:

A dedicated Cyber Security team is in place covering all cyber technical, procedural and governance processes. These individuals work across the business to ensure that all processes incorporate adequate security measures and that appropriate technical controls are in place and their configuration is suitably robust. The UK Security Director has overall responsibility for Cyber within the UK.

Data privacy is included within the Risk and Compliance team where the Group’s Data Protection Officer resides. The Privacy and Cyber team work very closely to ensure that both of these aspects are fully addressed across the business. This includes day-to-day operation, projects, third-party suppliers/vendors and regulatory requirements.

Updates pertaining to Cyber and data protection are provided to the Group’s monthly Exco forum.

Security Policies

Group-wide security policies are in place along with an Information Governance Framework. These documents are reviewed at least annually and are available to all staff. Supplementary policies and supporting procedures are created on a country basis where necessary.

Risk Management

There is a defined process supporting risk assessments. These are undertaken at the start of a project, prior to any major upgrade and as part of our wider supplier due diligence approach and on a continual basis. Any residual risk is managed and tracked. Risks are regularly reviewed for status, accuracy and change in impact. Major/significant risks are reported to the Exco and the risk & audit committee.

Security Working Group

The security working group meets on a monthly basis. This includes representation from IT, business units, Risk and Compliance, data protection and the security team. This is a critical activity to ensure that all key stakeholders are aware of any security issues and also allows them to raise any concerns that they have become aware of.

Incident Management

A detailed incident management process is in place and shall be followed in the event of a security incident. This incorporates a lessons learned activity which shall capture any remedial activity/recommendations. The process includes details of communications with customers in the event that their data may be affected.

Scenario-based tests have been, and shall continue to be, undertaken.

Azets Personnel

Azets maintains written policies and procedures that address the roles and responsibilities of Azets personnel, including both technical and non-technical personnel, who have access to Personal Data in connection with providing the Services.

Security Measure: Certification of Processes

Standards

Azets Holdings and Blick Rothenberg hold Cyber Essentials certification.

The details relating to these certifications are:

Azets Holdings
Certificate Number: 48c3a727-d40a-4acf-beac-0c72fdb3af45
Date Obtained: 4/05/2023
Expiry Date: 4/05/2024

The AWS and Microsoft data centres that are used by Azets have undergone numerous certifications; details are available on their respective vendor’s Trust Portal.

Independent Assessments

On an annual basis, Azets engages an independent third-party organisation to conduct an assessment of our security environment.

Security Measure: Training of Personnel

Security Awareness Training

Azets uses an externally provided security training and awareness platform which also includes an email phishing component. Security training courses are sent to staff on a frequent basis throughout the year and the completion of such training is monitored and followed up if necessary. Phishing emails are also sent to staff on a monthly basis. Should a user fail a phishing test, details are provided to them of the “red flags” that they should have picked up on. Repeat phishing test failures by a member of staff are followed up by the security team.

In addition to the training platform, security/awareness related information is included in staff bulletins and emails and is also contained on the Intranet.

All staff are required to sign an acceptable use policy. Mandatory training is also undertaken annually covering staff’s responsibility relating to data and GDPR.

All new starters undergo an induction session which includes security and data protection training. This also includes acceptance of the acceptable use policy and undertaking core security training modules.

Regardless of where the member of staff works (office, home), all users receive the same training. The training also reflects the changed working environment and the measures that staff take when working from home.

Security Measure: Accountability

Accountability

Azets defines accountability as holding individuals accountable for their internal control responsibilities.

Control Activities

Specific control activities that Azets has implemented in this area are described below.

An employee sanction procedure is in place and documented to communicate that an employee may be terminated for noncompliance with a policy and/or procedure; and

A performance review of employees is conducted on an annual basis to evaluate the performance of employees against expected levels of performance and conduct and hold them accountable for their internal control responsibilities.

Security Measure: Data Minimisation / Data Quality

Data Minimisation

Azets shall make reasonable efforts to use the minimum necessary Personal Data to provide the Services.

Data Quality

At all times during the applicable Term, Customer shall have the ability to amend Personal Data to assist the Customer with its data quality obligations.

Security Measure: Data Retention

Data Retention

Azets shall retain Personal Data stored in Cozone for ninety (90) days after expiration or termination of the Engagement Letter so that Customer may extract Personal Data. After said 90-day period ends, Azets shall disable Customer’s Cozone account and delete all Personal Data (within thirty (30) days) and, where required by law, shall certify to Customer that it has done so, save to the extent that Azets is required by any applicable law to retain some or all of such Personal Data.

Security Measure: Portability and Erasure

Portability

At all times during the applicable Term, Customer shall have the ability to access, extract, and delete Personal Data in Cozone.

Erasure

Azets destroys, deletes, or otherwise makes irrecoverable Personal Data upon the disposal or removal of storage media. Personal Data for each Customer is logically separated from data of other Azets customers.
