Ashoka’s Technical and Organizational Security Measures

 Introduction

 

Ashoka has taken measures to ensure the confidentiality, integrity, availability and resiliency

of the systems it uses to process Personal Data. These measures are designed to reasonably mitigate risks associated with processing Personal Data and apply to Ashoka, its affiliates, and third parties who, from time to time, are contracted to process Personal Data on its behalf. Third parties may implement their own measures but will at no time provide less protection then provided under Ashoka’s measures digested below.

 

 

Confidentiality

 

Technical measures

  1. Access to the structurally separated and electronically monitored security zones of the datacenter is only allowed to persons performing necessary activities in these zones. Visitors can only enter these zones under supervision of authorized persons.
  2. Access to Ashoka's premises is controlled through an access control system (access card to the premises). Any use of a card reader is logged.
  3. Access to the Ashoka’s Technical Resources is only possible after authentication via a user account and password.
  4. Password complexity is enforced following industry best practice.
  5. Logon processes are logged.
  6. Ashoka's servers are protected against unauthorized access from the Internet through firewalls.
  7. Encryption is used when transmitting data via the Internet.

 

Organizational measures

  1. All employees dealing with personal data must read, sign, and abide by Ashoka’s policies related to processing Personal Data.
  2. Regular training sessions on Personal Data and data protection/security are conducted.
  3. Sharing passwords and / or accounts is prohibited.
  4. Access to Personal Data is segmented by function.
  5. Privileged accounts for system administration and support functions are limited and subject to additional security mechanisms.
  6. Access to Personal Data by employees is only provided when it is necessary for the performance of their duties.
  7. Sensitive data, in physical or electronic form, is made unreadable before disposal either inhouse or by a company that is certified for such activities.
  8. Backup data / media are kept in secure locations.
  9. Privacy by design principals are used to guide the design and/or implementation of systems / processes and the contracting of third parties to process Personal Data.

 

 

Integrity

 

Technical measures

  1. Changes to Personal Data are logged.
  2. Authentication and authorization mechanisms protect systems from unauthorized access and alteration.
  3. Firewalls are used to restrict infrastructure access from the Internet.
  4. Application firewalls are used to guard against application level attacks.
  5. IDS/IPS systems are used to alert administrators to potential risks.
  6. Network access is controlled by authenticating using username and password or by other security measures.
  7. Backups of critical systems and data are maintained.

 

Organizational measures

  1. Regular training sessions on Personal Data and data protection are conducted.
  2. Onboarding and offboarding processes are used to control access.
  3. Network equipment is located in secure, non-public locations.
  4. System logs and alerts are regularly monitored.
  5. Data manipulation workflows limit exposure to system-wide transformations. 

 

Availability and Resiliency

 

Technical measures 

  1. Appropriate fire protection, loss prevention, and civil protection measures have been implemented at contracted datacenters and on-premise infrastructure including HVAC, physical access controls, redundant power supplies, UPCs, and ISPs, and high availability firewalls.
  2. Regular backups are taken of critical data and systems and stored in secure, redundant locations.
  3. Incoming data is scanned for malware and monitoring software is used to alert system administrators to suspicious activities.
  4. Data versioning and rollback systems are used to revert erroneous or malicious changes.

 

Organizational measures

  1. Emergency measure for restoring data are regularly practiced.
  2. System updates and security patches are regularly applied.
  3. Vulnerability scans are regularly conducted and remediation applied.