Security of GDPR Register

GDPR Register takes security seriously and continuously improves its security features and controls.

DATA CENTER LOCATION

The GDPR Register application (https://app.gdprregister.eu) runs on Amazon Web Services (AWS) infrastructure in the EU (Frankfurt) region, eu-central-1, located in Frankfurt, Germany. The AWS infrastructure is certified against, or assessed for compliance with, a wide range of industry standards, regulations and frameworks, including:

ISO 27001, ISO 9001, ISO 27017, ISO 27018
PCI DSS Level 1
SOC 1, SOC 2, SOC 3
HIPAA, GDPR, FedRAMP, FIPS and more.

AWS publishes the full list of certifications, regulations and frameworks it is assessed against (AWS Compliance Programs).

DATA CENTER SECURITY

AWS (Amazon Web Services) data centers are secure by design, through a layered set of physical security, environmental and safety controls, including:

24/7 professional security staff, video surveillance, and intrusion detection systems.
Fire detection and suppression, redundant electrical power systems, and uninterruptible power supply (UPS).

AWS publishes the full list of controls in place at its data centers.

DATA ENCRYPTION AND COMMUNICATIONS

GDPR Register stores its data in AWS RDS (Amazon Relational Database Service). Amazon RDS is a managed service: AWS operates, patches and protects the underlying database hosts and storage and provides a scalable, fast-performing database, while access to the data itself is controlled by the application.

All data is encrypted at rest inside the RDS database using keys managed by AWS KMS (AWS Key Management Service). KMS is a secure and resilient service that protects the key material in FIPS 140-2 validated hardware security modules. RDS encryption at rest covers the database storage together with its automated backups, read replicas and snapshots. It protects data on disk: the database engine decrypts data to answer queries, so who may read a record is governed by the application's authentication and access controls, not by this encryption.

Uploaded documents in the document store are held in the same encrypted RDS database.

All connections to the GDPR Register service use TLS 1.2. The server certificate carries a 2048-bit RSA key and is signed with SHA256withRSA; the RSA key authenticates the server and protects the establishment of the session keys, while the data itself is encrypted with the symmetric cipher negotiated in the TLS cipher suite.
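As an added example (not code from GDPR Register), the following Python script checks what a server actually negotiates against the policy stated above: TLS 1.2 or later, and a cipher suite that gives forward secrecy and AEAD record protection, because it is that suite, not the certificate's RSA key, that encrypts the data in transit. The hostname app.gdprregister.eu is the one the page gives; the acceptance thresholds are my assumptions, and the suite names used to exercise the policy are constructed. Only the standard library is used, which exposes the protocol version and cipher suite but not the certificate's key size.

```python
"""Probe a TLS endpoint and check the negotiated parameters against a simple policy."""
import socket
import ssl

# Protocol versions we accept; anything else is a finding. (Policy assumption.)
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def evaluate_handshake(version, cipher_name, cipher_bits):
    """Return a list of findings for one completed handshake.

    version     -- as returned by ssl.SSLSocket.version(), e.g. "TLSv1.2"
    cipher_name -- OpenSSL cipher-suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    cipher_bits -- symmetric key length negotiated for the record layer
    """
    findings = []
    if version not in ACCEPTED_VERSIONS:
        findings.append(f"protocol {version} is below TLS 1.2")
    # TLS 1.3 suites always use an ephemeral (EC)DHE key exchange. In TLS 1.2 the
    # suite name shows it; a suite without ECDHE-/DHE- uses static RSA key exchange,
    # so a later compromise of the server's RSA key would expose recorded sessions.
    if version != "TLSv1.3" and not cipher_name.startswith(("ECDHE-", "DHE-")):
        findings.append(f"{cipher_name} has no forward secrecy (static RSA key exchange)")
    # Record-layer encryption is the negotiated symmetric cipher, not the RSA key.
    # GCM, CCM and CHACHA20-POLY1305 are AEAD constructions; CBC suites are not.
    if not any(tok in cipher_name for tok in ("GCM", "CHACHA20", "CCM")):
        findings.append(f"{cipher_name} is not an AEAD suite")
    if cipher_bits < 128:
        findings.append(f"symmetric key of {cipher_bits} bits is too short")
    return findings


def probe(host, port=443, timeout=5.0):
    """Open one TLS 1.2+ connection to host and return (version, cipher_name, cipher_bits).

    Certificate validation and hostname checking stay enabled, so an invalid or
    mismatched certificate raises ssl.SSLCertVerificationError rather than being
    silently accepted.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            name, _protocol, bits = ssock.cipher()
            return ssock.version(), name, bits


if __name__ == "__main__":
    # Live check against the application hostname named on the page.
    ver, name, bits = probe("app.gdprregister.eu")
    print(ver, name, bits, evaluate_handshake(ver, name, bits) or "OK")
```

To confirm the certificate details the page states (key size and signature algorithm), pipe the server certificate through OpenSSL: `openssl s_client -connect app.gdprregister.eu:443 -tls1_2 </dev/null | openssl x509 -noout -text` and look for "Public-Key: (2048 bit)" and "Signature Algorithm: sha256WithRSAEncryption".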

AUTHENTICATION

In addition to username and password, multi-factor authentication can be enabled from User Settings. During login, a one-time password is sent to the user's phone number by SMS or delivered through the Authy mobile application. Of the two, the app-based code is the stronger factor: SMS codes can be intercepted or redirected (for example through a SIM swap), so the authenticator app is preferable where available.

RELIABILITY AND DATA PROTECTION

To provide a highly reliable service, GDPR Register runs multiple application servers behind AWS ELB (Elastic Load Balancing); the number of servers is adjusted to system load.

GDPR Register uses AWS RDS as its database system; RDS takes automated, encrypted backups several times a day to prevent data loss. As an additional data protection measure, a daily offsite backup process transfers an encrypted copy of the data to the Zone Media data center in Tallinn, Estonia (an EU member state).
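The claims in this section and in DATA ENCRYPTION AND COMMUNICATIONS (data held in eu-central-1, encrypted at rest with a KMS key, automated backups enabled) are all visible in the output of `aws rds describe-db-instances`. As an added example, not code from GDPR Register, the following Python script evaluates that output against those claims and also flags an instance that is reachable from the public internet. The field names are those of the real RDS API; the sample output is constructed with placeholder account and key identifiers, and the expected region is taken from the page.

```python
"""Check RDS instances from `aws rds describe-db-instances --output json` against a policy."""
import json

EXPECTED_REGION = "eu-central-1"  # Frankfurt, the region named on the page

# Constructed sample in the shape of the describe-db-instances response. The
# account number and key id are placeholders, not real resources. The second
# instance deliberately violates every check.
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "app-prod", "AvailabilityZone": "eu-central-1a",
     "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555",
     "PubliclyAccessible": False, "BackupRetentionPeriod": 7},
    {"DBInstanceIdentifier": "app-legacy", "AvailabilityZone": "us-east-1b",
     "StorageEncrypted": False, "PubliclyAccessible": True, "BackupRetentionPeriod": 0},
]})


def check_instance(inst, expected_region=EXPECTED_REGION):
    """Return a list of policy findings for one DBInstance dict (empty means compliant)."""
    name = inst.get("DBInstanceIdentifier", "<unknown>")
    findings = []
    # Data residency: the availability zone name starts with the region name.
    az = inst.get("AvailabilityZone", "")
    if not az.startswith(expected_region):
        findings.append(f"{name}: runs in {az or 'unknown AZ'}, expected {expected_region}")
    # Encryption at rest is set at creation time and cannot be switched on later;
    # an unencrypted instance has to be snapshotted, copied with encryption and restored.
    if not inst.get("StorageEncrypted"):
        findings.append(f"{name}: storage is not encrypted at rest")
    else:
        # A KMS key ARN carries its region; the key should live where the data does.
        key = inst.get("KmsKeyId", "")
        if f":{expected_region}:" not in key:
            findings.append(f"{name}: KMS key {key or '<none>'} is not in {expected_region}")
    if inst.get("PubliclyAccessible"):
        findings.append(f"{name}: is publicly accessible")
    # Retention 0 disables automated backups and point-in-time recovery entirely.
    if inst.get("BackupRetentionPeriod", 0) < 1:
        findings.append(f"{name}: automated backups are disabled (retention 0 days)")
    return findings


def check_describe_output(text, expected_region=EXPECTED_REGION):
    """Map each DBInstanceIdentifier in a describe-db-instances JSON document to its findings."""
    data = json.loads(text)
    return {inst["DBInstanceIdentifier"]: check_instance(inst, expected_region)
            for inst in data.get("DBInstances", [])}


if __name__ == "__main__":
    # Real use: aws rds describe-db-instances --region eu-central-1 --output json | python rds_check.py
    import sys
    source = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in check_describe_output(source).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run with the sample and the first instance passes while the second reports four findings. The same checks apply to snapshots (`describe-db-snapshots` also exposes `Encrypted` and `KmsKeyId`), which matters for the offsite copy described above: a snapshot copied out of the account must be re-encrypted under a key the destination can use.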

AUDITING

GDPR Register has an Audit Trail function that logs every user login and every user transaction, such as creating, modifying or deleting a record in the system.

SECURE DEVELOPMENT STANDARDS

GDPR Register's development closely follows the OWASP Top 10 Most Critical Web Application Security Risks list and the design practices recommended to address those risks.

SUBSCRIPTION BILLING

GDPR Register uses Chargebee (https://www.chargebee.com) as its subscription billing service provider to manage billing for GDPR Register customers. Chargebee is a PCI DSS (Payment Card Industry Data Security Standard) Level 1 service provider, certified to process credit card data.

Chargebee publishes a full overview of its certifications and security controls.

VULNERABILITY SCANNING AND PATCHING

We periodically check for and apply patches to third-party software and services; fixes for newly discovered vulnerabilities are applied as soon as they are available. We also run periodic vulnerability scans using an authorised vulnerability scanning service.