This document describes the technical and organizational measures we have adopted and will adopt to ensure that the data we process is safe in our care.
World Archives uses third party subprocessors and services providers to help us perform our work for our customers. We will make every effort to ensure that each of our subprocessors and service providers complies with all data protection laws. This is done differently for different subprocessors and service providers:
- Large-scale subprocessors and service providers such as cloud providers (AWS, Google Cloud or Azure) have their own data processing agreements (“DPA”) under which they agree to comply with applicable laws and standards. We will confirm that those DPA’s are in place.
- Smaller or newer subprocessors and service providers that do not necessarily have their own DPA’s will be required to sign our DPA. Our DPA will be continually updated and posted on our website at [https://newspaperarchive.com/dpa/].
- In each case, and via the DPA’s, World Archives will restrict the subprocessors’ access to customer personal data only to what is necessary to assist World Archives in providing or maintaining the services and will prohibit the subprocessor from accessing customer personal data for any other purpose.
As part of our due diligence when we add new subprocessors or service providers, we will ask any new subprocessor or service provider to provide us with their DPA, and we will require the following assurances before entering into an agreement with them.
- They must enter into a DPA with us that contains provisions similar to our DPA.
- They must disclose any threatened or active legal actions against them regarding data or privacy issues or breaches.
- They must agree in writing that they will not use any of the customer personal data for any purposes other than to provide us the services we require, that they will not sell, rent, or make available to any third party any of the customer personal data, and that they will cooperate with us with regard to any customer request for information. All these provisions can be included in the DPA, but we will independently confirm their existence.
2. Security Measures
World Archives has implemented and will maintain appropriate technical and organizational security measures to protect customer personal data from security incidents and to preserve the security and confidentiality of the customer personal data ("Security Measures"). The Security Measures applicable to the Services are as follows:
- Web Application Penetration Test: World Archives shall continue to annually engage an independent third party to perform a web application penetration test. We will address all medium, critical and severe vulnerabilities in the findings of the report within a reasonable, risk-based timeframe.
Security Awareness Training: World Archives will provide annual security training to all personnel. “Security Training” shall address security topics to educate users about the importance of information security and safeguards against data loss, misuse or breach through physical, logical and social engineering mechanisms. Training materials will address industry standard topics which include, but are not limited to:
- The importance of information security and proper handling of PII.
- Physical controls such as visitor protocols, safeguarding portable devices and proper data destruction.
- Logical controls related to strong password selection/best practices.
- How to recognize social engineering attacks such as phishing.
- Unauthorized persons will be prevented from gaining physical access to our premises and the rooms where data processing systems are located.
- We will ensure that all computers processing personal data (including computers with remote access) are password protected, both after booting up and when left inactive.
- We will only grant system access to our authorized personnel and strictly limit their access to applications required for those personnel to fulfil their specific responsibilities.
- We will implement a password policy that prohibits the sharing of passwords.
- We will adopt procedures to deactivate user accounts when an employee, agent, or administrator leaves our employ or moves to another responsibility within the company.
Process-Level Requirements: We will implement the following processes to ensure security and privacy:
- World Archives shall implement user termination controls that include access removal / disablement promptly upon termination of staff.
- A documented change control process will be used to record and approve all major releases in World Archives’ environment.
- World Archives shall have and maintain a patch management process to implement patches in a reasonable, risk-based timeframe.
- World Archives shall use firewall(s), Security Groups/VPCs, or similar technology to protect servers storing Customer Personal Data.
- Where World Archives handles customer personal data, servers shall be protected from unauthorized access with appropriate physical security mechanisms including, but not limited to, badge access control, secure perimeter, and enforced user provisioning controls (i.e. appropriate authorization of new accounts, timely account terminations and frequent user account reviews). These physical security mechanisms are provided by data center partners such as, but not limited to, AWS, Azure, and Google. All cloud-hosted systems shall be scanned, where applicable and where approved by the cloud service provider.
- Whenever an employee or contractor leaves or is terminated, that individual’s access to customer user accounts shall be immediately terminated or disabled.
End User Computing Level Requirements:
- World Archives shall employ an anti-virus solution with daily signature updates for end-user computing devices which connect to the customer network or handle customer personal data.
- World Archives will maintain a policy prohibiting the use of removable media for storing or carrying customer personal data. Removable media include flash drives, CDs, and DVDs.
- World Archives will implement building access control to control and track access to its networks and other equipment.
- World Archives will determine each year which officers and employees within the company will have access to which categories of data and shall review this list annually at the executive level.
- Personnel. World Archives restricts its personnel from processing Customer Personal Data without authorization by World Archives as set forth in the Security Measures and shall ensure that any person who is authorized by World Archives to process Customer Personal Data is under an appropriate obligation of confidentiality.
- Security Incident Response. Upon becoming aware of a Security Incident, World Archives will notify Customer without undue delay and, in any case, where feasible, within seventy-two (72) hours after becoming aware. World Archives will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer to fulfil its obligations as controller and will also take reasonable steps to contain, investigate, and mitigate any Security Incident.
3. Security Incident Response
Upon becoming aware of any incident in which World Archives suspects that unauthorized access has been gained to its systems, the executives of the company at the highest levels will be immediately notified.
- Executives will immediately confer with each other and with legal counsel regarding any security incident to ensure compliance with legal and contractual obligations.
- We will notify the impacted customer(s) within seventy-two (72) hours, where feasible, after learning of the incident.
- We will immediately investigate and mitigate any security incident.
- World Archives will obtain and maintain reasonable insurance to cover itself for cyber liability.