Indeemo Technical & Organisational Measures (TOMs)


Overview

This page outlines the technical and organisational measures (TOMs) that Indeemo has implemented to ensure that the Personal Data it processes is handled in accordance with the requirements of the GDPR.

This is a high-level overview of Indeemo’s technical and organisational security measures. More details on the measures we implement are available upon request. Indeemo reserves the right to revise these technical and organisational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that Indeemo processes in providing its various services. In the unlikely event that Indeemo does materially reduce its security, Indeemo shall notify its customers.

The TOMs will be reviewed annually and approved by the Senior Management Team of Indeemo.

TOMs and Policy

Governance

Management demonstrates commitment to implementing appropriate policies, procedures and TOMs in such a manner that processing of Personal Data meets the requirements of the Data Protection (DP) Laws and ensures the protection of the rights of data subjects. Indeemo defines clear Data Protection roles and responsibilities in the organisation.  

Accountability

Data Protection Policy and related policy documents: Indeemo documents appropriate data protection policies, procedures and TOMs in relation to the processing of Personal Data.

Training & Awareness: All employees and individual contractors of Indeemo involved in processing Personal Data receive appropriate Data Protection and Data Security Training at least annually.

Activity Logs: Indeemo records day-to-day activities to facilitate compliance with the DP Laws. Indeemo ensures that all relevant activities are recorded and managed. It is Indeemo policy to keep logs of all significant Data Protection events. 

Record of Processing Activities: Indeemo maintains a documented Record of Processing Activities (ROPA) to meet Article 30 GDPR requirements. 

Risk Register: Indeemo maintains a risk register that includes the data protection risks that have been identified in the organisation.  

Employment policies and measures: 

  • Indeemo complies with GDPR principles in its employee/consultant recruitment, selection and screening policy and procedures.

  • Provisions relating to access and handling of Personal Data are documented in employees’ contracts of employment. 

  • All Indeemo employees are required to sign confidentiality agreements on the commencement of employment.

  • Access to systems is revoked immediately on termination of employment. 

Internal/External Compliance Reviews: Indeemo undertakes annual internal compliance reviews of its data protection compliance activities. Indeemo is ISO 27001 & HIPAA certified.

Transparency

The organisation provides clear statements to data subjects and communicates all required information about its processing activities.

Data Privacy Statement(s): The organisation ensures that the transparency requirements of the DP Laws are met and communicates all relevant information about its processing activities to data subjects.  

Employee Data Protection Notice: The organisation documents its processing activities in respect of processing of employee Personal Data within the Employee Data Protection Notice.

Data Transfer Management

The organisation discloses Personal Data outside the organisation only for the purposes identified and has all required transfer mechanisms in place.

Supplier/Partner Management: Indeemo incorporates data protection measures into supplier/partner activities by:

  • Addressing the requirements of Article 28 GDPR in Data Processing Agreements (DPAs) with all relevant suppliers

  • Assessing processors to ensure that adequate safeguards for processing Personal Data are established

  • Specifically, assessing and selecting processors for security of processing and for the physical storage location of Personal Data.

All processing is carried out under contract. Processor contracts are assessed to ensure adequate safeguards and service levels are in place (as appropriate).

Security Management

The organisation manages the security of the systems that it uses to process the Personal Data.

Information Security and related Policy Documents: Indeemo has documented its Information Security Policies. Indeemo policies are available on request. Indeemo has documented and maintains security and privacy policies/documents including: 

  • Access control policy

  • Asset control policy & Asset Management Register

  • Physical security policy

  • Encryption policy

  • IT and infrastructure security policy

  • System & network security policy

  • Incident/breach management policy

Business Continuity & Disaster Recovery Plans: Indeemo has documented and implemented appropriate Business Continuity & Disaster Recovery measures in relation to the processing of Personal Data.

Backups: Indeemo has established an appropriate backup process to ensure that it can restore access to Personal Data in the event of any incidents and to ensure confidentiality, integrity and availability for the Personal Data that is processed.

Retention and Deletion of data: Indeemo has implemented measures that allow adequate management of retention periods and the performance of subsequent actions, such as anonymisation or deletion, where relevant.

Network Security: Indeemo implements network security infrastructure such as Firewalls, Intrusion Detection/Prevention Systems (IDS/IPS) and other security controls that provide continuous monitoring, restrict unauthorised network traffic, and detect and limit the impact of attacks.

Security measures include:

  • Patch management

  • Anti-virus / anti-malware

  • Threat notification advisories

  • Vulnerability scanning (all internal systems) 

  • Annual penetration testing

Breach Incident Management

The organisation provides & implements policies & procedures for reporting and managing Personal Data breaches. Indeemo has documented and implemented Breach Management measures including responsibilities and procedures to identify and investigate incidents.

Data Subject Rights Management

Policies and procedures are in place to respond to data subjects who seek to invoke their rights. 

Indeemo has documented and implemented Data Subject Access Request (DSAR) measures including related responsibilities and procedures.

Data Management

Purpose Limitation: The purpose of processing is reviewed regularly to ensure that the purpose remains consistent with the Record of Processing Activities and Data Privacy Statements of the organisation. Indeemo will not use Personal Data for new, different or incompatible purposes from those disclosed to data subjects when it was first obtained unless it has informed the data subject of the new purposes and an appropriate lawful basis has been identified.

Record Retention: Policies and procedures relating to data retention are maintained and reviewed regularly to ensure that Personal Data is only retained for as long as is necessary for the purposes and thereafter disposed of securely.

Data Minimisation: The processing of Personal Data is reviewed regularly to ensure that processing is consistent with the principle of data minimisation, by limiting the amount of data collected and the processing activities to only that necessary for the purposes, and by allowing access to the Personal Data only to those personnel carrying out the processing activities.

Legal Basis Management (relevant to Indeemo’s role as Controller only)

The organisation regularly reviews its lawful basis for processing Personal Data and ensures it has suitable safeguards in place. The lawful basis is documented, and assessments are carried out as appropriate.

Change Management

The organisation provides and implements a framework for data protection risk and change management.

Data Protection by Design: Indeemo incorporates Data Protection by Design principles for systems and enhancements at the earliest stage of development as well as educating software development, test and support teams on data protection and cybersecurity annually.

Indeemo will undertake a Data Protection Impact Assessment (DPIA) where the type of processing undertaken by Indeemo is likely to result in a high risk to the rights and freedoms of data subjects. A DPIA is ideally undertaken prior to commencing the relevant processing activity, and it assesses the impact of the envisaged processing operations on the protection of Personal Data.

If you require any additional information, please email dataprotection[at]indeemo.com