# Technical-Organisational Measures

# 1. «Confidentiality» [Art. 32(1)(b) GDPR]

Confidentiality refers to protecting information from being accessed by unauthorized parties. In other words, only the people who are authorized to do so can gain access to sensitive data.

  1. Data transmission encryption with HTTP Secure (HTTPS), HTTP Strict Transport Security (HSTS) and HTTPS-everywhere enabled domains (such as .app domains);
  2. Data is stored on certified cloud providers with high security and compliance standards (e.g. Google Cloud). Revas doesn't have access to the physical infrastructure.
  3. Encryption of data at rest on cloud-managed databases with externally managed encryption keys.

# 2. «Integrity» [Art. 32(1)(b) GDPR]

Integrity refers to ensuring the authenticity of information—that information is not altered, and that the source of the information is genuine.

Threats to integrity include:

  - Human error, whether malicious or unintentional;
  - Transfer errors, including unintended alterations or data compromise during transfer from one device to another;
  - Bugs, viruses/malware, hacking, and other cyber threats;
  - Compromised hardware, such as a device or disk crash;
  - Physical compromise of devices.

  1. Data transmission encryption with HTTP Secure (HTTPS), HTTP Strict Transport Security (HSTS) and HTTPS-everywhere enabled domains (such as .app domains; see https://www.blog.google/technology/developers/introducing-app-more-secure-home-apps-web/ and https://www.eff.org/https-everywhere);
  2. Security guidelines on external physical devices and
  3. Automated tests run against the deployed software to verify that the system preserves the correctness of the data.
  4. Cloud-managed infrastructure with automatic, up-to-date system and antivirus updates.
  5. Cloud-managed infrastructure replication to protect against compromised hardware.

# 3. «Availability and Resilience» [Art. 32(1)(b) GDPR]

Availability means that information is accessible to authorized users when needed. Resilience is how well an enterprise can withstand a cyberattack or data breach while continuing to operate its business effectively.

  1. Cloud-managed databases with serverless capability to ensure fast and consistent scaling and availability of the data system by design;
  2. Cloud-managed VMs with serverless capability to ensure fast and consistent scaling and availability of the service system by design;
  3. Daily managed automatic OS updates and virus protection;
  4. Nightly global data backups;
  5. Disaster recovery procedures;
  6. Cold storage for long-term data backup with managed retention policies on hybrid cloud providers (even admins don't have deletion rights);
  7. DDoS cloud protection and application-level per-user and global rate limiters;

# 4. Procedures for Reviewing the Protection Measures [Art. 32(1)(d) GDPR]