Technical and organisational measures

Organisation of Information Security

Objective

Puzzel has a security organisation that covers all relevant areas of the business. Puzzel has appointed one or more security officers responsible for coordinating and monitoring the security policies and procedures. Puzzel ensures that its Personnel are competent in information security.

Measures include

a) Puzzel employs Personnel with full-time responsibility for information security
b) Puzzel’s Chief Security Officer is a member of the Board of Management “BoM”
c) Puzzel’s Compliance Officer is assigned the Data Protection Officer role, is responsible for managing Puzzel’s Information Security Management System (including Data Privacy), and reports directly to BoM, independently of operational management
d) Puzzel has a comprehensive set of information security policies, approved by BoM and disseminated to all Personnel
e) Puzzel security policies are reviewed at least annually and updated whenever needed
f) All Puzzel Personnel have signed legally reviewed confidentiality agreements that apply during and post-engagement
g) Failure of Personnel to follow information security policies can be treated as a disciplinary matter and lead to sanctions, including dismissal
h) All Puzzel Personnel are given training in information security with focus on data protection
i) Data Protection by design and default is a basic principle for the Puzzel Contact Centre Services
j) Puzzel is committed to continual improvement of its security

Information Security Management System

Objective

Puzzel has an ISMS (Information Security Management System) in place to evaluate risks to the security of Personal Data, to manage the assessment and treatment of these risks and to continually improve its information security.

Measures are

Puzzel has deployed an Information Security Management System (ISMS) to manage security professionally and to support Puzzel’s business objectives. The Information Security Policy is the foundation of Puzzel’s ISMS and is supported by underlying policies and procedures detailing security related activities and controls. The Information Security Policy is revised and improved annually.

Puzzel and its ISMS have been and continue to be audited by an independent, external auditor and certified under ISO/IEC 27001:2013.

Statement of Applicability

The applicability of all controls in ISO/IEC 27001:2013 Annex A has been evaluated against requirements from all interested parties. All controls listed in Annex A have been mapped to requirements and marked as applicable in the Statement of Applicability. This means that Puzzel must adhere to, and be audited against, all parts of ISO/IEC 27001:2013.

Physical Access

Objective

Physical access to Personal Data is protected.

Measures include

a) Puzzel runs the Puzzel Contact Centre Services from professional, third-party Data Centres with a defined and protected physical perimeter, strong physical controls including access control mechanisms, controlled delivery and loading areas, surveillance and 24x7x365 guards. Only authorized representatives have access to the data center premises
b) Power and telecommunications cabling carrying Personal Data or supporting information services at the production data center are protected from unauthorized access and damage
c) The production data center and its equipment are physically protected against natural disasters, malicious attacks and accidents
d) Equipment at the production data center is protected from power failures and other disruptions caused by failures in supporting utilities and is correctly maintained
e) Equipment or disk media containing Personal Data (including faulty or end of life disks) are not physically removed from the production data center unless securely erased prior to such removal or being transferred securely for destruction at a third-party site
f) When Personal Data is copied electronically by Puzzel outside the production data center, appropriate physical security is maintained, and the data is encrypted at all times

System Access

Objective

Puzzel data processing systems are used only by approved, authenticated users.

Measures include

a) Access to Puzzel internal systems is granted only to Puzzel Personnel and/or to permitted employees of Puzzel’s Sub-Processors and access is strictly limited as required for those persons to fulfil their function
b) All users access Puzzel systems with a unique identifier (user ID)
c) Puzzel has established a password policy that prohibits the sharing of passwords and requires passwords to be changed on a regular basis and default passwords to be altered. All passwords must fulfil defined minimum. Each computer has a password-protected screensaver.
d) A second factor of authentication is required for access to online systems containing Personal Data
e) Only secure protocols are in use for remote administration (e.g. SSH v2, RDP and HTTPS)
f) Remote administration of Puzzel systems uses industry standard VPN technology
g) Puzzel has a thorough offboarding process to deactivate users, their access and data when a user leaves the company or a function
h) An Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) is deployed at the production data center to help identify potential inappropriate access
i) For Customer access to the system, Puzzel provides a wide range of authentication capabilities including the ability for Customers to set their own password policies and support for two-factor authentication
j) Puzzel maintains a responsibility matrix linking assets and technology to responsibility owners
k) Puzzel maintains an asset register containing all parts of the Puzzel Contact Centre Services

Data Access

Objective

Persons entitled to use data processing systems gain access only to the Personal Data that they are authorized to access.

Measures include

a) Puzzel restricts Personnel access to files and programs on a “need-to-know” basis
b) Personnel training covers access rights to and general guidelines on definition and use of Personal Data
c) Where appropriate and practical, Puzzel employs data minimization and pseudonymizing to reduce the likelihood of inappropriate access to Personal Data
d) The production environment for the Puzzel Contact Centre Services is separate from the development and testing environment, and development Personnel do not have access to the production environment other than under troubleshooting scenarios
e) Puzzel uses up-to-date anti-malware software on all appropriate computers and servers.
f) Puzzel uses well-configured firewalls for the Puzzel Contact Centre Services
g) The Puzzel Contact Centre Services contains versatile capabilities to set roles and permissions to let Customers manage authorizations so that Personal Data is only made available to appropriate users when needed
h) Puzzel ensures that appropriate Personnel receive alerts and notifications from system software vendors and other sources of security advisories and installs system software patches regularly and efficiently

Data Transmission

Objective

Prevent Personal Data from being read, copied, altered or deleted by unauthorized parties during transfer.

Measures include

a) Customer access to the Puzzel Contact Centre Services is protected by encrypted protocols
b) Puzzel configures TLS for security; for an up-to-date report on our configuration, see https://www.ssllabs.com/ssldb/analyze.html?d=client.puzzel.com
c) Puzzel uses encryption for all other transmissions of Personal Data outside the production data center
d) Puzzel web servers only use certificates issued from recognized 3rd party certificate vendors
e) Any Personal Data stored outside the production data center is protected by encryption at rest

The Customer is responsible for the security of Personal Data once it has been transmitted from Puzzel to the Customer including when downloaded or accessed by Customer users.

Confidentiality and Integrity

Objective

Personal Data remains confidential throughout processing and remains intact, complete and current during processing activities.

Measures include

Puzzel has a defense-in-depth approach to ensuring confidentiality and integrity, and many of the measures in other sections of this document safeguard confidentiality and integrity. Some other measures that contribute include:

a) Puzzel has a formal background check procedure and carries out background checks on all new Personnel with access to Personal Data
b) All Puzzel Personnel are obligated to sign confidentiality agreements and must adhere to business & ethics conduct policies
c) Puzzel trains and tests its software engineers and quality assurance Personnel in application security practices and secure coding practices
d) Puzzel has a central, secured repository of product source code, which is accessible only to authorized Personnel
e) Puzzel has a formal product development security policy and uses a Secure Development Lifecycle (SDLC) that includes a wide range of security testing, flaw reporting, measures and management procedures.
f) Security testing includes code review and employing static code analysis tools on a periodic basis to identify flaws
g) All changes to software on the Puzzel Contact Centre Services are via a controlled, approved release mechanism within a formal change control program that tracks, documents, tests, and approves change requests prior to implementation (ITIL standard)
h) Puzzel does not use Customer Data in training
i) Puzzel has a procedure for vulnerability management to ensure confidentiality, integrity and availability

Availability

Objective

Personal Data is protected from accidental destruction or loss, and there is timely access, restoration or availability to Personal Data in the event of an incident.

Measures include

a) IT Operations On-call duty arrangement available 24x7x365
b) Puzzel uses a high level of redundancy at the production Data Centres so that an availability failure of a single system or component is unlikely to impact general availability
c) The production Data Centres have multiple power supplies, on-site generators and battery backup to safeguard power availability to the Data Centres
d) The production Data Centres have multiple access points to the Internet to safeguard connectivity
e) The production Data Centres are monitored 24x7x365 for power, network, environmental and technical issues
f) Puzzel uses commercially reasonable efforts to create frequent backup copies of Personal Data and these are duplicated (cross-site) between the production Data Centres
g) Puzzel has a system in place to ensure that any failures of backup to operate correctly are flagged and dealt with
h) Puzzel performs restore tests from those backups at least quarterly
i) Puzzel has a business continuity plan in place which is regularly updated
j) Puzzel tests elements of its business continuity plan regularly and learns from the results of such tests
k) DDoS protection is installed and protects internet perimeters. DDoS protection from ISPs is in place to mitigate high-volume attacks, and DDoS protection in the Puzzel perimeters mitigates more advanced attacks
l) Patching, security upgrades, equipment replacements, capacity add-ons and other infrastructure changes are carefully planned and executed in regularly announced maintenance windows. Standard maintenance work will normally not disturb Puzzel Contact Centre Services.

Current availability of the Puzzel Contact Centre Services can be seen at https://status.puzzel.com.

Job Control

Objective

Personal Data processed on a Customer’s behalf is processed solely in accordance with the relevant agreement and related instructions of the Customer including the use of Sub-Processors.

Measures include

a) Puzzel acts as a Processor with respect to Personal Data and stores and processes Personal Data in order to operate the Puzzel Contact Centre Services under the instructions of the Customer, who is the Controller
b) Puzzel does not access Customer Personal Data, except to provide services to the Customer which Puzzel is obligated to perform in support of the Customer experience including for general operation and monitoring of the Puzzel Contact Centre Services, troubleshooting and maintenance purposes, for security reasons, as required by law, or on request by the Customer
c) In some specific Customer setups Puzzel will use a limited number of Sub-Processors to help it provide the Puzzel Contact Centre Services. In this case this will be specified in the data processing agreement between the Customer and Puzzel
d) External parties such as Subcontractors and others with access to any of Puzzel’s assets are required to sign Non-Disclosure Agreements
e) Puzzel has data protection agreements in place directly or via affiliates with all Sub-Processors that process Personal Data. Personal Data are not processed outside of the European Economic Area (EEA) other than if requested by a Customer

Data Separation

Objective

Personal Data collected for different purposes is processed separately.

Measures

a) Puzzel uses a multi-tenant architecture to achieve logical separation of Personal Data originating from multiple Customers
b) In each step of the processing, Personal Data received from different Customers can be identified so data is always physically or logically separated
c) Customers have access only to their own Personal Data
d) Puzzel networks are segregated according to system use and data sensitivity
e) Production systems are physically and logically separated from development and test systems
f) Voice and data networks are physically or logically separated to ensure the best quality and security

Incident Management

Objective

In the event of a security incident or Personal Data breach, the effect of the breach is minimized, and the Customer is promptly informed.

Measures include

a) Puzzel maintains an up-to-date incident response plan that includes responsibilities, how information security events are assessed and classified, and response plans and procedures
b) Puzzel logs administrator and user activities at the production Data Centres to provide evidence in the event of an incident
c) The clocks of all systems at the production Data Centres are synchronized to a single reference time source to aid investigation in the event of an incident
d) System administrator activities, exceptions, faults and information security events are logged in a central monitoring tool 24/7/365
e) Puzzel regularly tests its incident response plan with “table-top” exercises and learns from tests and potential incidents to improve the plan
f) In the event of a security incident or data breach, Puzzel will notify Customers without undue delay after becoming aware of the security incident or data breach. Puzzel’s Data Protection Officer will be included in the event of a data breach to secure correct handling of the data breach
g) Puzzel maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, to whom the breach was reported and the procedure for recovering data

Compliance

Objective

Puzzel tests, assesses and evaluates the effectiveness of these technical and organizational measures. Puzzel is compliant with legal and contractual requirements.

Measures include

a) Puzzel has appointed a Compliance Officer to work with compliance full-time and to ensure that Puzzel complies with relevant laws and regulations
b) Puzzel conducts regular internal and external audits of its security
c) Puzzel performs risk assessments to protect services and Customer Data
d) Puzzel has a formal policy for managing suppliers who have access to Personal Data and this includes criteria for reviewing and approving suppliers and procedures for monitoring and reviewing their performance
e) Puzzel takes reasonable steps to ensure that Personnel are aware of and comply with the technical and organizational measures set forth in this document
f) Puzzel conducts at least annual 3rd party network and application vulnerability scans and/or penetration tests on the Puzzel Contact Centre Services to identify vulnerabilities and to demonstrate security compliance
g) Puzzel uses industry standard processes to delete Customer Data when it is no longer needed
h) Audit rights given to Customers always exclude the right or ability to look at the data of other Puzzel Customers
i) Puzzel maintains a register of all Personal Data processing activities in the organization