Mild will implement not less than the controls listed below, or their equivalent, during the term of this DPA:
Access Control
Mild will implement suitable measures for the purpose of preventing unauthorized persons from gaining access to the data processing equipment by the following means:
- Access authorizations for employees and authorized third parties under Mild’s control
- Protection and restriction of entrances and exits (restricted key cards and/or passes)
- Logging of the persons having access
- Security of relevant premises (alarms and/or security guards)
Authorization and Internal Organization
Mild commits that any and all personnel with access to the personal data have this authority on a need-to-know basis, for the purpose of providing the services in the Service Agreement/Tjänsteavtalet, by means of:
- Requirements for user authorization and strict access control
- Confidentiality obligations
- Differentiated access policies (e.g. partial blocking)
- Controlled destruction and removal of data media
- Logging of events and activities (monitoring of break-in attempts, or attempts of unauthorized access)
- Issuing and safeguarding the identification codes
- Use of encryption where deemed appropriate by Mild
- Automatic log-off of user IDs that have not been used for a substantial period of time
- Ensuring that each customer only has access to their own data.
Mild will maintain its internal organization in a manner that meets the requirements of Data Privacy Law, by means of:
- Binding internal policies and/or instructions for personnel and/or consultants regarding security and the processing of personal data
- Internal emergency plan for recovery and safeguard of personal data
- Authority to access data for personnel based on a strictly need-to-know basis
No customer data will be copied to external devices (e.g. USB sticks, CDs) without taking the necessary security measures, such as encryption or password protection.
Data in transit and Data at rest
Mild will secure the personal data transferred and/or otherwise processed in accordance with the Service Agreement/Tjänsteavtalet and Instructions by means of:
- Policies controlling the production of backup copies
- Authorization policy
- Deleting remaining data before changing data media
Safety measures will be implemented in the event data is stored with a sub-processor who is not an EU-controlled entity, implementing suitable measures such as encryption or pseudonymization.
Safety measures will be implemented in the event data is transferred to a sub-processor outside the EU, such as encryption and pseudonymization, and Mild will give such entity instructions for the immediate removal of all electronic and physical copies upon finalization of the service performed.