Technical and Organizational Security Measures (TOM)
The terms, “Client”, “Data Subject”, “Draft”, “Personal Data”, “Processor”, “Services”, and “Subprocessors” shall have the same meaning as in the Data Processing Agreement.
Description of the technical and organizational measures implemented by the Processor to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons:
1. Measures of pseudonymization and encryption of Personal Data
Draft encrypts data in transit via TLS 1.2, and at rest using the AES-256 algorithm.
2. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
These measures include:
- Access to production systems is regulated through VPN, leveraging unique accounts and role-based access within operational and corporate environments. Authorization requests for access are tracked and logged, and are reviewed on a regular basis. Access is removed for employees upon termination or change of role. Multi-factor Authentication (MFA) is required for access to critical and production resources. Strong passwords are required; they are never stored in clear text and are encrypted in transit and at rest.
- Mandatory security training for employees is required, covering data protection, confidentiality, social engineering, password policies, and overall security responsibilities. Confidentiality requirements are imposed on employees. NDAs with third parties are required. Separation of networks based on trust levels is in place.
3. Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
Draft has processes in place to ensure the ongoing confidentiality, availability, and resilience of Client accounts and Personal Data, and to help restore timely access to Personal Data following a physical or technical incident.
4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Draft performs frequent penetration tests for all components of the Services.
Draft maintains security incident management policies and procedures. Draft notifies impacted Clients without undue delay of any unauthorized disclosure of their respective Client data by Draft or its Subprocessors of which Draft becomes aware, to the extent permitted by law.
5. Measures for user identification and authorization
The Services support SAML for Clients. Access to the Services by Draft personnel is uniquely identifiable, logged, and monitored. Access to back-end infrastructure by Draft personnel requires multiple layers of authentication, including unique identifiers, password strength requirements, and the use of Multi-factor Authentication.
6. Measures for the protection of data during transmission
Draft employs TLS 1.2 encryption from the User’s browser to the Services, for Clients’ data in transit.
7. Measures for the protection of data during storage
Draft customer instances are logically separated; attempts to access data outside the allowed domain boundaries are prevented and logged. Measures are in place to ensure that executable uploads, code, or unauthorized actors cannot access data they are not authorized for, including one customer accessing the files of another customer.
8. Measures for ensuring the physical security of locations at which Personal Data is processed
Subprocessors are responsible for the physical security of the data centers and are contractually obligated to ensure that physical security measures and resources are in place. These systems permit only authorized personnel to have access to secure areas. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, two-factor access screening, and escort-controlled access, and are also supported by on-site backup generators in the event of a power failure. Further information about the security provided by OVH is available from the OVH website.
9. Measures for ensuring events logging
Draft logs authorization requests by personnel to privileged spaces. The application logs user activities, including logins, configuration changes, deletions, and updates; these are automatically written to audit logs in internal systems. Internal logs capture timestamps, IP addresses, logins/logouts, and errors. These logs are available only internally and are made available for security investigations upon request.
10. Measures for ensuring system configuration, including the default configuration
Draft monitors changes to in-scope systems to ensure they follow the defined change process. Changes are tracked and managed in our change management system to mitigate the risk of undetected changes to production systems.
11. Measures for internal IT and IT security governance and management
Draft has internal information security policies and procedures, which are communicated to all employees upon hire and at least annually. Draft conducts Information Security training upon hire and at least annually thereafter. The Information Security function reports to the senior leadership that can take necessary actions to establish, implement and manage Draft’s Information System Security Policy.
12. Measures for certification/assurance of processes and products
Draft is assisted by a reputable third party to attest that the controls and safeguards we have committed to are in place.
13. Measures for ensuring data minimization
Data is collected and processed in accordance with stated purposes. Access is provisioned and restricted in accordance with roles and requirements for job responsibilities.
14. Measures for ensuring data quality
15. Measures for ensuring limited data retention
Automatic deletion is implemented to enforce data retention limitations. Accounts inactive for more than three years are automatically deleted: their related account data is securely deleted from production, and their backup data is deleted within 360 days of account termination.
16. Measures for allowing data portability and ensuring erasure