
Security Appendix

Description of Technical and Organizational Measures

1. IT Security Policies and Practices

•https://bravo-next.com/ maintains and follows IT security policies and practices that are mandatory for all employees.

•The IT security policies are reviewed at least once per year and updated, when necessary, in order to protect the personal data of the Controller.

2. Compliance with Protection by Employees

•https://bravo-next.com/ implements organizational measures with respect to all persons processing personal data, and personnel are required to:

◦be familiar with the applicable legislation;

◦be familiar with the https://bravo-next.com/ privacy policy and the instructions for its implementation;

◦comply with the requirements for confidentiality and protection of personal data.

•Access to personal data is permitted only to persons whose duties or specifically assigned task require it (“Need to know”).

3. Physical Security and Access Control

•https://bravo-next.com/ maintains control over physical access to buildings, premises, and facilities where the Controller’s personal data is processed.

•Minimum organizational measures for physical protection include:

◦designation of controlled-access zones for the storage of personal data;

◦designation of controlled-access zones for elements of the IT infrastructure;

◦maintenance of systems and policies for organizing physical access, including for external persons;

◦provision of technical means for physical protection;

◦availability of a team for response in case of a security breach.

•Access to data centers and controlled zones is restricted according to the employee’s position.

•Entry into controlled zones is recorded and requires accompaniment by an authorized person.

•Measures are taken to protect the physical infrastructure from natural and human threats.

4. Document Protection

•https://bravo-next.com/ applies measures for the protection of paper documents containing personal data.

•Minimum document protection measures include:

◦an access policy;

◦regulated access to registers;

◦procedures for destruction of personal data.

5. IT Systems and Network Security

•Protection of automated systems and networks is ensured through technical and organizational measures against unauthorized access and processing.

•Minimum measures include:

◦an access policy;

◦definition of roles and responsibilities of employees;

◦identification and authentication;

◦session control;

◦monitoring of systems and networks for attacks;

◦virus protection;

◦backups and recovery procedures;

◦description of storage media and procedures for their destruction.

•When transmitting and distributing personal data, cryptographic protection is used (for example HTTPS, SFTP, FTPS).

•The network architecture is reviewed and maintained with measures for segmentation, isolation, and defense in depth.

•Measures are implemented for logical separation and protection of data.

•Data pseudonymization is applied when exchanging data over public networks.

•Cryptographic key management is carried out in accordance with agreements and procedures for generation, rotation, storage, and destruction.

•Access is limited to the minimum necessary level, including administrative and privileged access, with regular review and approval.

•Unnecessary and inactive accounts with privileged access are removed, including in cases of change of position or termination of employment.

•Password security measures, controls for inactive sessions, and secure transfer of passwords are implemented.

•Privileged access is controlled and events are managed in order to identify unauthorized access and support internal audits.

•Logs for privileged access are archived and protected against unauthorized access or modification.

•Computer protections include screen locking, endpoint management, disk encryption, and protection against malware.

6. Integrity of Activities and Access Control

•All changes to services are managed through documented change requests with risk assessment, schedule, rollback plan, and approval by authorized employees.

© 2025 Bravo Next Ltd.