Appendix 2 to Annex 2: PayFit security policy
Posted on 06 April 2023
Technical measures
Authentication measures
- Unique identifier per user
- Compliance with CNIL recommendations on passwords (strong authentication, limiting the number of access attempts, periodic password renewal, secure password storage...)
- Two-factor authentication (2FA)
Access logging and incident management
- Logging of accesses, anomalies and security-related events
- Recording incidents in a log file
- Protecting logging devices from unauthorised access
- Retention of logs for 9 months
- Periodic review of event logs
- Replication of logs to three nodes in three different regions of France
- Access to Personal Data by internally authorised personnel via VPN and 2FA authentication
- Access to data restricted to onboarding, customer service and maintenance teams with proper justification
Availability and resiliency
- Data replication across two nodes for databases and three nodes for AWS S3 storage
- Node hosting on a dedicated datacenter
- Automatic server failover capability
- Backups performed hourly
- Recovery process checked daily
- HTTPS encryption of backups during transfer
- Backups replicated three times, with access protection through the AWS and Kubernetes rights management systems
Hosting & Network
- Hosting provided by Amazon Web Services on servers located in the EU (ISO 27001 certified)
- End-to-end HTTPS encrypted transmission between the server and third parties
- Functional division of the PayFit network into subnets for security: separation of test and production environments
- PayFit back-office isolated from the Internet except for a single proxy entry point
- Monitoring and logging of the activity of systems that store and/or process Personal Data
- Time synchronisation of servers with an AWS NTP server
- Partitioning of websites and Wi-Fi networks (HTTPS, TLS)
- Internal and external network partitioning
- Limited access to administration tools and interfaces
- Performing critical updates without delay
- Installation of vulnerability detection tools
Securing fixed and mobile workstations
- Automatic session locking on workstations, laptops and mobile devices
- Firewall
- Regularly updated antivirus software
- Encryption of mobile devices and storage media
- Anti-theft and privacy protection mechanisms and safeguards
- VPN mandatory for remote access to the back-office
Data and flow security
- Encryption of attachments
- Data encryption (hashing, secret key protection...)
- Encryption of hosted and transferred data
- Non-transmission of sensitive data to processors
- Data transfer over TLS/SSL with HSTS and perfect forward secrecy
Physical security of premises and data storage locations
- Anti-intrusion alarm
- 24/7 video surveillance
- Access control (badges, locked doors and cabinets, retention of physical access records for 45 days)
- Visitor supervision
- Fire protection
Organisational security measures
Staff
- Background check of applicants in accordance with regulations
- Confidentiality obligations and IT charter
- Mandatory security training for employees
- Application of the RACI responsibility matrix to each development and management task
Management of authorisations
- Definition of authorisation profiles
- Annual review of authorisations
- Removal of irrelevant authorisations
Staff awareness and data confidentiality
- Staff awareness of risks to privacy and civil liberties
- Staff confidentiality commitment
- Processing mapping and compliance monitoring
- Appointment of a data protection officer (DPO)
- Record of processing activities (Article 30 of the GDPR) regularly updated
- Reliability of calculations regularly tested via an automatic verification system
- Legal department dedicated to compliance
Security of Sub-Processors
- Use only Sub-Processors offering sufficient guarantees with regard to the regulations
- Data protection agreement concluded with Sub-Processors (Article 28 of the GDPR)
- Systematic verification of the supplier's regulatory, financial and security compliance when procuring new information system equipment
Service continuity
- Implementation of a procedure for security events
- Training of personnel on the security procedure
- Transmission of security events to an emergency team
- Analysis of the event by a member of the emergency team
- Informing all teams of the causes and consequences of the incident to prevent its recurrence
- In-depth review by the maintenance team, the relevant departments, and especially the legal and communication departments
Digital resources
- Centralised device security policy (inventory, auto-lock, password complexity, firewall, installation restrictions, auto update, remote locking)
- Centralised policy of tools allowed to process data by type and classification
- Controlled access to source code. Peer review of changes
- Centralised access rights on all SaaS software
- In case of outsourcing: verification of security and compliance
Audits
- Regular audits via Sentry and AWS CloudTrail to assess the security of the PayFit application and infrastructure
- Invitation-based bug bounty programme on HackerOne to identify and reduce data security risks
- Implementation of an audit by an independent third-party organisation as part of the ISO 27001 certification
Security guidelines
- IT charter
- IS user charter
- IS administrator charter
- Authorisation and password management policy
- Information systems security policy (“PSSI”)
- Incident management procedure
- Personal data breach management procedure
- Security audit reports
- Purchase of a cyber insurance policy
- Certifications: ISO 27001