Technical and Organisational Measures
The technical and organisational measures (TOMs) provided below apply to all Flockler Services except where the Client is responsible for the security and privacy TOMs. The Client has access to all Personal Data of their Flockler organisation and account, and they can modify, transfer, export, and delete that information at any time.
Flockler will validate that necessary documentation is in place between Flockler and the Client, where Flockler processes Personal Data covered by GDPR.
In addition to this TOMs document, Flockler will create and maintain the following security and privacy documentation:
Flockler will maintain and follow IT security policies and practices that are integral to Flockler’s business and mandatory for all Flockler employees, including supplemental personnel. IT security policies will be reviewed periodically and amended over time to maintain protection of services and Content processed therein.
Flockler will maintain an inventory of Personal Data reflecting the instructions set out in the DPA, including disposal instructions upon contract closure.
Flockler will maintain proper controls for requesting, approving, granting, modifying, revoking, and revalidating user access to systems and applications containing Personal Data. Only employees with a clear business need will access Personal Data located on servers, applications, and databases, and will have the ability to download data within Flockler’s Services. All access requests will be approved based on individual role-based access and regularly reviewed for a continued business need.
All Personal Data is stored in subcontractors’ cloud services outside Flockler’s premises. Flockler will implement and protect the physical security of its personnel and of the dedicated devices they use to access the cloud services.
Flockler will implement protections on end-user devices to make sure those devices comply with the security standard.
Flockler will securely sanitize physical media intended for reuse before such reuse and will destroy physical media not intended for reuse.
Flockler will maintain an incident response plan and follow documented incident response policies, including data breach notification to the Data Controller without undue delay where a breach is known or reasonably suspected to affect Client Personal Data.
Flockler employees are made aware of, and trained at least annually on, the security risks associated with their activities and the applicable policies, standards, and procedures related to the security of organisational information systems. Additional policy and process training will be provided to persons granted administrative access to components and cloud services, specific to their role within Flockler’s operation and support of the service.
Flockler will ensure that employees are adequately trained to carry out their assigned information security-related duties and responsibilities.
Flockler will provide security awareness training on recognizing and reporting potential indicators of insider threat.
Flockler will periodically assess the risk to organisational operations, organisational assets, and individuals resulting from the operation of organisational information systems and the associated processing, storage, or transmission of information.
Flockler will scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified. Flockler will seek to remediate vulnerabilities in accordance with assessments of risk.
Flockler will create, protect, and retain information system records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.