Testing Data

No production information is exposed or reused in environments other than those used for acceptance testing. This includes production data (not even in pseudonymised form), API keys, credentials and production server hostnames.

Account lock-out

After a period of 45 days of inactivity or at the end date of a formal relation with the organisation for which the account was provided, accounts are automatically blocked....

Retention periods

How long data is retained and available is identified and recorded and adheres to the minimum legal or business requirements. After this period, data is deleted and unrecoverable. This includes...

Organizational Data Deletion

After the retention period or when the data medium is decommissioned, lost or repurposed, organisation data is deleted. End users receive sufficient warning before data is deleted.

Data Exfiltration Detection and Prevention

There are measures to prevent users from downloading entire datasets. Additionally, or if these measures cannot be implemented, alerting and monitoring for users downloading large amounts of information from the...

Authorized data distribution

The process owner explicitly authorises distribution of confidential information to any recipient, internal or external to the organisation. For all non-incidental data transfers, the authorisation is documented and reviewed yearly....

Encrypted data storage

Data at rest is always stored encrypted. The organisation is responsible for the key management of the chosen encryption solution, either directly, contractually or through policies.

Email forwarding

Automatic forwarding of email to external addresses is denied by default.

Encrypted connections

All data in transit is transferred over encrypted connections, using the encrypted versions of protocols or encapsulation of plaintext protocols over encrypted connections.