Technical & organisational measures

Last revision on February 10, 2023

Control of physical access to the premises and equipment used for data processing

Equipment processing data for Random Team is managed and owned by Amazon Web Services.

Security controls notably include:

  • Anti-intrusion system (locked rooms, security alarm)

  • Backup power supply to guarantee security of physical devices

  • Authentication mechanism when entering premises (badge / key)

  • Procedure on the handling of authentication mechanism when entering premises

  • Additional measures restricting access to critical technical areas, such as:

      • locked rooms,

      • video surveillance with recording,

      • access badges with specific authorisation justified by a legitimate professional need

  • Backup devices stored in secured location

  • Video surveillance

  • 24/7 guard service

  • Specific conditions for guest access (signing of a record, temporary badge, etc.)

  • Policy on escorting guests into buildings

Physical security at Random Team offices (equipment: staff computers) notably includes:

  • Anti-intrusion system (locked rooms, security alarm)

  • 24/7 guard service

  • Video surveillance

  • Authentication mechanism when entering premises (badge)

  • Laptops locked in cabinets at end of day

Control of access to IT systems

  • Access logging for IT systems

  • User authentication through registered user accounts

  • Limitation of failed login attempts (blocking of user account)

  • Strong password policy for users and administrators

  • Documented procedure to reset forgotten passwords

  • Access policy for IT systems with a regularly reviewed procedure for granting authorisations

  • Access to IT systems allowed only after two-factor authentication

  • Secure remote access to IT systems (VPN / strong authentication)

  • Server systems can only be administered over a password-protected, encrypted connection

  • Secure wireless network

  • Automatic password-protected screen and computer locking when temporarily not in use

  • Regular updates of antivirus software and firewalls

  • Critical operating system updates installed without delay

  • Application updates installed without delay in the event of a critical vulnerability

Control of access and transmission of data

  • Pseudonymization

  • Data access restricted to persons with an operational need only

  • Logging of data access

  • Policy describing access authorisation

  • Data transmitted through the internet is encrypted

  • Remote access via VPN connection

Control of data integrity and availability

  • Logging of system administrators’ activity

  • Activity logging for users of data processing tools

  • Regular data backups, with controls over the execution and verification of these backups

  • Emergency and restore procedures with regular testing

  • Secure technical setups (UPS with inverters, smoke detectors, temperature control, etc.; for further details see: https://aws.amazon.com/fr/compliance/data-center/controls/)

  • Business continuity plan with regular testing

  • Disaster recovery plan with regular testing

  • Proper, state-of-the-art use of system protection solutions

Separation control & IT development

  • Physical or logical separation of data between clients where several clients are hosted

  • Sandboxing

  • IT development tests carried out on fictitious or anonymised data

  • Training developers in privacy by design and by default

Organizational measures

  • Procedure for testing, analysing and assessing the effectiveness of technical and organisational measures (penetration tests, internal and external vulnerability scans, etc.)

  • Procedure for managing security incidents

  • Security policy

  • Raising user awareness of security

  • Training employees whose tasks involve processing data entrusted to the provider

  • Periodic assessment of sub-processors
