Technical and Organizational Security Measures is a variable that appears in the Data Processing Agreement Cover Page, in the Changes to the Annex II section.
How to fill this out
Check the line items that are applicable to the company's practices and provide at least some information about the actual practices in each description field you complete. You are not required to include a response for every section.
Note that there may be overlap across the types of measures listed, and some of your responses may repeat or cross-reference others. In addition, the company may publish policies on its website that directly address some of these items, and it’s fine to reference those policy provisions here.
Included below are examples of measures companies often take.
Measures of pseudonymization and encryption of personal data
Explain in what contexts the company uses pseudonymization and/or encryption (for data in transit and/or at rest) to maintain data security.
TIP: The GDPR defines "pseudonymization" as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person." (Art. 4(5)) Note that pseudonymized data is still personal data under the GDPR; only anonymized data falls outside its scope.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
This section can be an overview of the company's security procedures and frameworks. That might include implementation of data security tools such as encryption, firewalls, DDoS protection, and the like, as well as processes for testing, risk assessment and mitigation, audit trails, access controls, incident response, and so on. It might also include things like data protection training for personnel. In your response, you can cross-reference applicable measures that you've indicated elsewhere in this section, or provide a link to your company's security policy, if applicable. Alternatively, you can provide a comprehensive summary here and cite this section in the other responses.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
List measures that the company takes to protect data so that it can be restored in case of corruption, accidental loss, or an outage, such as regular backups kept in a separate location from the primary systems, documented recovery procedures, and periodic testing that backups can actually be restored.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Describe any process for regular audits, company certifications, bug bounty programs, etc.
Measures for user identification and authorization
Explain how users are authenticated on the company's systems (e.g., password requirements, multi-factor authentication, single sign-on) and how credentials are secured (e.g., passwords stored only as salted hashes, API keys and other secrets kept in a secrets manager rather than in source code or configuration files).
Measures for the protection of data during transmission
A typical example is the use of cryptographic protocols such as TLS to protect data in transit, both between users and the company's systems and between the company's own systems and any subprocessors.
Measures for the protection of data during storage
Common measures include industry-standard encryption of data at rest, logical access controls that limit personnel to the data their role requires (including password or key protection and segregation of different customers' data), physical access controls (see below), policies for remote work and removable media, etc.
Measures for ensuring physical security of locations at which personal data are processed
Describe any physical security measures that the company has in place, such as locked facilities, building security, etc.
Measures for ensuring events logging
Describe processes the company has in place for events logging, e.g., which systems and actions are logged, how long logs are retained and how they are protected from tampering, and how logs are used for auditing and incident response purposes.
Measures for ensuring system configuration, including default configuration
Describe how the company manages, maintains, and monitors the configuration of its systems, including secure baseline or default configurations for new systems, change management, and patching.
Measures for internal IT and IT security governance and management
Describe the structure and procedures of the company's IT and security function, including, for example, roles and responsibilities for incident response and who is accountable for security decisions.
Measures for certification/assurance of processes and products
If the company holds any security certifications, you can mention those here.
Measures for ensuring data minimization
Explain how the company keeps the amount of data processed to what is reasonably necessary, such as limiting data collection to what is needed for the stated purpose and deleting data once it is no longer in use.
Measures for ensuring data quality
The GDPR sets out some expectations regarding data quality: "Personal data shall be … accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy')." (Art. 5(1)(d)) Describe how the company allows inaccurate data to be corrected, for example through customer-facing editing tools or a rectification request process.
Measures for ensuring limited data retention
Explain the company’s policies and standards for data retention and deletion. You do not need to provide details that the company would consider confidential. For example, you could list company procedures to ensure deletion of personal or confidential data after an agreement ends.
Measures for ensuring accountability
Mention any company policies for regular systems testing and security audits, as well as how responsibility for data protection is assigned (e.g., a designated data protection officer or privacy lead) and how compliance is documented.
Measures for allowing data portability and ensuring erasure
Explain how the company supports customers with data access, export, and erasure requests from their users (including the formats in which data can be exported), as well as the procedures the company has adopted to ensure secure data deletion, including deletion from backups, and secure disposal of hardware and storage media.