Technical and Organizational Measures
Measures pseudonymising and/or encrypting personal data | Purchasely maintains Customer Content encrypted in transit with TLS and at rest with AES 256-bit encryption. |
---|---|
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | The infrastructure for the Application Services spans multiple fault-independent availability zones; a variety of tools and processes are in place to maintain high availability and resiliency (autoscaling, backups, leader-follower DB, monitoring & alerts, …). |
Measures ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Backups of the Customer Content are performed on a regular schedule and recovery testing is periodically conducted. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | - we perform an annual assessment of our vulnerabilities (including penetration testing) - each system runs an up-to-date malware detection program - we log all access to systems and review those logs for security Incidents |
Measures for user identification and authorisation | Purchasely enforces passwords and offers multi-factor authentication. Purchasely is committed to providing access only to the required resources. A user can be scoped to one or multiple apps and may not provision and control access. |
Measures for the protection of data during transmission | Purchasely maintains its entire contents encrypted in transit with TLS. |
Measures for the protection of data during storage | Encrypted with AES 256-bit encryption. |
Measures for ensuring physical security of locations at which personal data are processed | Data is stored in the AWS Cloud. More information can be found at https://aws.amazon.com/compliance/data-protection/ |
Measures for ensuring events logging | Application logs are sent to Datadog. Infrastructure logs are managed by AWS. All logs can be accessed only by authorized employees and access controls are in place to prevent unauthorized access. |
Measures for ensuring system configuration, including default configuration | Pre-production and production environments are segregated. Most environment-specific variables are encrypted and stored on AWS: only a restricted team can modify them. We monitor changes to ensure that changes follow the process and to mitigate the risk of undetected changes to production. Code-related changes are tracked in our change platform. |
Measures for internal IT and IT security governance and management | - central and automated management of secrets deployed on the servers for use by Purchasely tools and infrastructure - physical and logical separation of production and testing environments - remote collection of logs - continuous integration and deployment, with automated testing for Purchasely’s code - continuous monitoring of all production systems and alerting on deviations - Quality Assurance process in place before production releases - Data Protection Officer designated |
Measures for certification/assurance of processes and products | Purchasely is currently in the process of SOC 2 Type II certification. You can request access to the documents and check our progress towards this certification here: https://app.vanta.com/purchasely.com/trust/grnmamthf8r38yu2xtlmwu. As part of this certification we constantly maintain a level of security that is audited constantly and re-validated every year by an independent expert. Penetration tests are performed at least annually by a certified third-party company. |
Measures for ensuring data minimisation | Purchasely implements privacy by default and privacy by design, imposed by the GDPR. All the data is associated with a unique user ID which is either provided by the customer, or generated randomly by the platform and which is not personally identifiable. Thanks to this principle, it is not possible to link the Purchasely data back to the physical person. More details on the data processing registers are available here: https://www.purchasely.com/hubfs/data-processing-agreement.pdf |
Measures for ensuring data quality | - all user and admin activity is logged in an independent tool (Datadog) - we don’t store any user personal information. User IDs can be anonymized on demand. - many application-level checks are in place to ensure data integrity |
Measures for ensuring limited data retention | The Personal Data processed, and in particular the transactions, are kept in the database for the entire duration of the Agreement between the Client and the Supplier, and are kept five more years as intermediate archiving by the Supplier to keep the proof of a right or an obligation. The intermediate archiving process is part of the customer off-boarding process and is launched when an Agreement with a customer ends. |
Measures for ensuring accountability | Purchasely employs multiple controls to ensure high visibility and enforcement of change management policies to ensure accountability, including comprehensive system logs, code reviews and filtering requests through a centralized ticketing solution. |
Measures for allowing data portability and ensuring erasure | Customers can request a CSV export of their data at any time by reaching out to support. |
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter | Purchasely subprocessors, pursuant to the data processing agreement with its customers, enter into written agreements with Purchasely requiring them to abide by terms consistent with the requirements of the data processing agreement with Purchasely’s customers. |