Appendix 2 to Annex 2: PayFit security policy

Posted on 06 April 2023

Technical measures

Authentication measures

  • Unique identifier per user

  • Compliance with CNIL recommendations on passwords (strong authentication, limiting the number of access attempts, periodic password renewal, secure password storage...)

  • Two-factor authentication (2FA)

Access logging and incident management

  • Logging of accesses, anomalies and security-related events

  • Recording incidents in a log file

  • Protecting logging devices from unauthorised access

  • Retention of logs for 9 months

  • Periodic review of event logs

  • Replication of logs to three nodes in three different regions of France

  • Access to Personal Data by internally authorised personnel via VPN and 2FA authentication

  • Access to data restricted to onboarding, customer service and maintenance teams with proper justification

Availability and resiliency

  • Data replication across two nodes for databases and three nodes for AWS S3 storage

  • Node hosting on a dedicated datacenter

  • Automatic server failover capability

  • Backups performed hourly

  • Recovery process checked daily

  • HTTPS encryption of backups during transfer

  • Three-fold replication of backups, with access protected through the AWS and Kubernetes rights management systems

Hosting & Network

  • Hosting provided by Amazon Web Services on ISO 27001 certified servers located in the EU

  • End-to-end HTTPS encrypted transmission between the server and third parties

  • Functional division of the PayFit network into subnets for security: separation of test and production environments

  • PayFit back-office isolated from the Internet except for a single proxy entry point

  • Monitoring and logging of the history of systems that store and/or process Personal Data

  • Synchronisation of servers by an AWS NTP server

  • Partitioning of websites and Wi-Fi networks (HTTPS, TLS)

  • Internal and external network partitioning

  • Limited access to administration tools and interfaces

  • Performing critical updates without delay

  • Installation of vulnerability detection tools

Securing fixed and mobile stations

  • Automatic session locking on nomadic and mobile workstations

  • Firewall

  • Regularly updated antivirus software

  • Encryption of mobile devices and storage media

  • Anti-theft and privacy protection mechanisms and safeguards

  • VPN mandatory for remote access to the back-office

Data and flow security

  • Encryption of attachments

  • Data encryption (hashing, secret key protection...)

  • Encryption of hosted and transferred data

  • Non-transmission of sensitive data to processors

  • Data transfer over TLS/SSL with HSTS and perfect forward secrecy

Physical security of premises and data storage locations

  • Anti-intrusion alarm

  • 24/7 video surveillance

  • Access control (badges, locked doors and cabinets, retention of physical access logs for 45 days)

  • Visitor supervision

  • Fire protection

Organisational security measures

Staff

  • Background check of applicants in accordance with regulations

  • Confidentiality obligations and IT charter

  • Mandatory security training for employees

  • Application of the RACI responsibility matrix to each development and management task

Management of authorisations

  • Definition of authorisation profiles

  • Annual review of authorisations

  • Removal of irrelevant authorisations

Staff awareness and data confidentiality

  • Staff awareness of privacy and freedom risks

  • Staff confidentiality commitment

  • Processing mapping and compliance monitoring

  • Appointment of a data protection officer (DPO)

  • Record of processing activities (Article 30 of the GDPR), regularly updated

  • Reliability of calculations regularly tested via an automatic verification system

  • Legal department dedicated to compliance

Security of Sub-Processors

  • Engagement only of Sub-Processors that provide sufficient guarantees with regard to the regulations

  • Data protection agreement concluded with Sub-Processors (Article 28 of the GDPR)

  • Systematic verification of the supplier's regulatory, financial and security compliance when supplying new information system equipment

Service continuity

  • Implementation of a procedure for security events

  • Training of personnel on the security procedure

  • Transmission of security events to an emergency team

  • Analysis of the event by a member of the emergency team

  • Informing all teams of the causes and consequences of the incident to prevent its recurrence

  • In-depth review by the maintenance team, relevant departments, and especially the legal and communication department

Digital resources

  • Centralised device security policy (inventory, auto-lock, password complexity, firewall, installation restrictions, auto update, remote locking)

  • Centralised policy of tools allowed to process data by type and classification

  • Controlled access to source code; peer review of changes

  • Centralised access rights on all SaaS software

  • In case of outsourcing: verification of security and compliance

Audits

  • Regular audits via Sentry and AWS CloudTrail to assess the security of the PayFit application and infrastructure

  • Implementation of an invitation-only bug bounty programme on HackerOne to identify and reduce data security risks

  • Implementation of an audit by an independent third-party organisation as part of the ISO 27001 certification

Security guidelines

  • IT charter

  • IS user charter

  • IS administrator charter

  • Authorisation and password management policy

  • Information systems security policy (“PSSI”)

  • Incident management procedure

  • Personal data breach management procedure

  • Security audit reports

  • Purchase of a Cyber insurance policy

  • Certifications: ISO 27001