Appendix 2 to Annex 2: PayFit security policy

Posted on 06 April 2023

Technical measures

Authentication measures 
  • Unique identifier per user
  • Compliance with CNIL recommendations on passwords (strong authentication, limiting the number of access attempts, periodic password renewal, secure password storage...)
  • Two-factor authentication (2FA)
Access logging and incident management
  • Logging of accesses, anomalies and security-related events
  • Recording incidents in a log file
  • Protecting logging devices from unauthorised access
  • Retention of logs for 9 months
  • Periodic review of event logs
  • Replication of logs to three nodes in three different regions of France
  • Access to Personal Data by internally authorised personnel only, via VPN and two-factor authentication (2FA)
  • Access to data restricted to the onboarding, customer service and maintenance teams, with a documented justification
Availability and resiliency
  • Data replication across two nodes for databases and three nodes for AWS S3 storage
  • Nodes hosted in a dedicated datacentre
  • Automatic server failover capability
  • Backups performed hourly
  • Recovery process checked daily
  • HTTPS encryption of backups during transfer
  • Threefold replication of backups, with access protected by the AWS and Kubernetes access-rights management systems
Hosting & Network
  • Hosting provided by Amazon Web Services on servers located in the EU, in ISO 27001-certified datacentres
  • End-to-end HTTPS-encrypted transmission between the server and third parties
  • Functional segmentation of the PayFit network into subnets, including separation of the test and production environments
  • PayFit back-office isolated from the Internet except for a single proxy entry point
  • Monitoring and logging of the systems that store and/or process Personal Data
  • Clock synchronisation of servers against an AWS NTP server
  • Partitioning of websites and Wi-Fi networks (HTTPS, TLS)
  • Partitioning of internal and external networks
  • Limited access to administration tools and interfaces
  • Performing critical updates without delay
  • Installation of vulnerability detection tools
Securing fixed and mobile stations
  • Automatic session locking on fixed, portable and mobile workstations
  • Firewall
  • Regularly updated antivirus software
  • Encryption of mobile devices and storage media
  • Anti-theft and privacy protection mechanisms and safeguards
  • VPN mandatory for remote access to the back-office
Data and flow security
  • Encryption of attachments
  • Data encryption (hashing, protection of secret keys, etc.)
  • Encryption of hosted and transferred data
  • Non-transmission of sensitive data to processors
  • Data transfer over TLS/SSL with HSTS, using cipher suites that provide perfect forward secrecy
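The two transport properties listed under "Data and flow security" (HSTS on the HTTP side, forward secrecy on the TLS side) are things a customer can verify from the outside. The Python below is an added example and is not PayFit's code: the one-year minimum for max-age, the requirement for includeSubDomains and the OpenSSL cipher-list string are assumptions chosen for illustration, and the sample header values are constructed.

```python
"""Checks for an HSTS header and for forward-secret TLS cipher suites.

Added example; not PayFit's code. The policy thresholds below are assumptions.
"""
import ssl
from typing import Dict, List, Optional

ONE_YEAR = 365 * 24 * 3600  # assumed minimum max-age (also the preload-list requirement)


def parse_hsts(header_value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into directives.

    Directive names are case-insensitive (RFC 6797, section 6.1); values keep their case.
    """
    directives: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_hsts(header_value: Optional[str]) -> List[str]:
    """Return findings against the assumed policy; an empty list means the header passes."""
    if header_value is None:
        return ["missing Strict-Transport-Security header"]
    findings: List[str] = []
    d = parse_hsts(header_value)
    if "max-age" not in d:
        findings.append("max-age directive missing")
    else:
        try:
            max_age = int(d["max-age"])
        except ValueError:
            findings.append(f"max-age is not an integer: {d['max-age']!r}")
        else:
            if max_age == 0:
                findings.append("max-age=0 disables HSTS for this host")
            elif max_age < ONE_YEAR:
                findings.append(f"max-age {max_age} is below the assumed one-year minimum")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains remain reachable over plain HTTP")
    return findings


def is_forward_secret(cipher_name: str) -> bool:
    """True when the suite uses an ephemeral key exchange.

    OpenSSL names TLS 1.2 ephemeral suites with an ECDHE- or DHE- prefix; a static
    ECDH-/RSA key exchange suite has neither. TLS 1.3 suites (TLS_ prefix) always use
    ephemeral (EC)DHE, so they are forward secret by construction.
    """
    name = cipher_name.upper()
    if name.startswith("TLS_"):
        return True
    return name.startswith(("ECDHE-", "DHE-"))


def forward_secret_context() -> ssl.SSLContext:
    """Client context limited to TLS 1.2+ and forward-secret suites (assumed cipher list)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def enabled_cipher_names(ctx: ssl.SSLContext) -> List[str]:
    """Names of the suites the context will offer, as reported by OpenSSL."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real host.
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=3600", None):
        print(repr(sample), "->", check_hsts(sample) or "ok")
    names = enabled_cipher_names(forward_secret_context())
    print(len(names), "suites enabled, all forward secret:", all(map(is_forward_secret, names)))
```

To check a live endpoint, wrap a socket with `forward_secret_context()` and call `check_hsts()` on the value of the response's Strict-Transport-Security header; if the handshake fails with this context, the server offers no forward-secret suite at all.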
Physical security of premises and data storage locations
  • Anti-intrusion alarm
  • 24/7 video surveillance
  • Access control (badges, locked doors and cabinets, retention of physical access logs for 45 days)
  • Visitor supervision
  • Fire protection

Organisational security measures

Staff
  • Background check of applicants in accordance with regulations
  • Confidentiality obligations and IT charter
  • Mandatory security training for employees
  • Application of the RACI responsibility matrix to each development and management task
Management of authorisations
  • Definition of authorisation profiles
  • Annual review of authorisations
  • Removal of authorisations that are no longer justified
Staff awareness and data confidentiality
  • Staff awareness of risks to privacy and civil liberties
  • Staff confidentiality commitment
  • Processing mapping and compliance monitoring
  • Appointment of a data protection officer (DPO)
  • Record of processing activities (Article 30 of the GDPR), regularly updated
  • Reliability of calculations regularly tested via an automatic verification system
  • Legal department dedicated to compliance
Security of Sub-Processors
  • Use only Sub-Processors that provide sufficient guarantees under the applicable regulations
  • Data protection agreement concluded with Sub-Processors (Article 28 of the GDPR)
  • Systematic verification of a supplier's regulatory, financial and security compliance when procuring new information-system equipment
Service continuity
  • Implementation of a procedure for security events
  • Training of personnel on the security procedure
  • Escalation of security events to an emergency response team
  • Analysis of the event by a member of the emergency response team
  • Informing all teams of the causes and consequences of the incident to prevent its recurrence
  • In-depth review by the maintenance team, the relevant departments, and in particular the legal and communication departments
Digital resources
  • Centralised device security policy (inventory, auto-lock, password complexity, firewall, installation restrictions, auto update, remote locking)
  • Centralised policy of tools allowed to process data by type and classification
  • Controlled access to source code. Peer review of changes
  • Centralised access rights on all SaaS software
  • In case of outsourcing: verification of security and compliance
Audits
  • Regular audits via Sentry and AWS CloudTrail to assess the security of the PayFit application and infrastructure
  • Invitation-only bug bounty programme on HackerOne to identify and reduce data-security risks
  • Implementation of an audit by an independent third-party organisation as part of the ISO 27001 certification
Security guidelines
  • IT charter
  • IS user charter
  • IS administrator charter
  • Authorisation and password management policy
  • Information systems security policy (“PSSI”)
  • Incident management procedure
  • Personal data breach management procedure
  • Security audit reports
  • Purchase of a Cyber insurance policy
  • Certifications: ISO 27001