Security policy for cloud services supplied by NUMINTEC
This document establishes the technical and organisational policies and methods that apply to the cloud services supplied by NUMINTEC.
1. GENERAL SECURITY MEASURES
THE ORGANISATION’S POLICIES
Information security and privacy policy
There is an information security and personal data protection policy published and that all staff and employees are familiar with
Security Manager
NUMINTEC has designated a Chief Information Security Officer (“CISO”) who is responsible for coordinating and monitoring the security policies, regulations and procedures. Their responsibilities include defining the information security policies, verifying compliance with these policies, evaluating information security risks, determining the technical and organisational measures necessary to mitigate risks, and monitoring the performance of the controls in place.
Roles and responsibilities with regard to information security and protection of privacy
The roles and responsibilities with regard to information security and protection of privacy are defined and assigned appropriately within the organisation. NUMINTEC staff that manage the Services that contain the Customer Data are subject to the obligations of confidentiality and legislation with regard to information security and the protection of personal data.
Risk management programme
Under the Information Security Management System there is an information security risk evaluation and management plan which is periodically reviewed.
Continuous evaluation
NUMINTEC conducts a periodic check and evaluation of the effectiveness of the technical and organisational measures implemented to protect the security of information in processing systems, work centres and the users that use them. This evaluation and review is conducted to industry standards and as per the own policies and procedures determined by the Information Security Management System.
Security policy and privacy of providers
These is a formal process that makes it possible to assess compliance with the requirements of information security and the protection of privacy that providers who process information and personal data must comply with. Providers are only given access to information when there is a legitimate requirement that justifies this access.
STAFF AND CO-WORKERS
Responsibilities
In addition, all NUMINTEC staff have undertaken to comply with and enforce the company’s information security policies and regulations.
Confidentiality commitment
All NUMINTEC staff and co-workers sign a contractual document through which they undertake to keep secret and guarantee the confidentiality and security of the data that they may have access to due to their work responsibility, contractual responsibility, or responsibility of any other kind. The following shall be regarded as confidential information: any information (commercial, technical, administrative or other) belonging to NUMINTEC and its customers, pertaining to its commercial matters, technology, machinery, processes, products, plans, facilities and premises, that before being received by the workers they were not aware of it or had possession of it without an obligation of confidentiality .
Internal information security regulation
There is a regulation relating to information security, the protection of personal data and the use of the IT resources that all staff and co-workers have committed to comply with. Said document contains the warning that failure to comply with said obligations constitutes serious misconduct or workplace disobedience and, thus, will be punishable.
Training and awareness-raising
All NUMINTEC staff receive appropriate training on information security and the protection of personal data. In addition, awareness-raising activities and actions are periodically organised aimed at all staff.
Standards for the use of information systems
The information security regulation establishes the standards for the acceptable use of the information systems and equipment that the staff are responsible for.
Personal use of company equipment prohibited
It has been established that use of those computers and devices intended for the processing of corporate information and personal data for private purposes is prohibited. Nor is it permitted to access corporate information from private systems.
SECURITY IN THE WORKPLACE
Unattended computers
A mechanism has been established so that when a computer is attended the screen locks or the session closes.
Information in the cloud
NUMINTEC processes all information through cloud- based services, and for this reason no sensitive information is stored on workstations.
Secure remote working
A policy has been put in place to ensure that remote working can be performed securely. All Numintec’s activity can be performed in remote working mode.
Safekeeping of documentation
A regulation has been established to ensure that at no time are paper documents or information material left without being securely stored in the workplace.
Security on mobile devices
There is a policy in place to protect the use of mobile devices and the information they may contain.
SYSTEMS ACCESS
Access control policy
NUMINTEC has an access control policy that determines the security privileges of persons that have access to the information based on the principle of least privilege.
Access authorisation
There is a formal process in place for managing authorisation, addition, deletion and change to users’ system access.
Individual accounts
Each person uses an individual and non-transferable user account.
Minimum privilege
NUMINTEC has defined and applies a minimum access policy by default, that guarantees that the staff and co- workers only have access to the information they require to carry out the duties of their role.
Accounts with privileged access
In order to carry out system administration and configuration tasks, nominal access accounts are used with privileged rights that are different and segregated from the system’s ordinary use accounts.
Authentication
NUMINTEC employs standard sector practices to identify and authenticate users that are trying to access the information systems. To access more exposed systems or for system administration, two-factor authentication systems are used. All systems include controls to avoid repeated attempts to gain access to the information systems through an invalid password.
Password security
The existence of password policies (or equivalent mechanisms) shall be ensured for the access to systems and applications that comply with the following minimum requirements:
● Password length: minimum 8 characters
● Passwords changed periodically
● Password complexity requirements
● Limits to the reuse of passwords
Password confidentiality
There is a regulation in place to ensure the confidentiality of passwords, to avoid them being exposed or shared with third parties. Internally, all passwords are stored using irreversible encryption algorithms.
Access logs
A log of the access and attempts to access the system is kept and monitored
INFORMATION PROCESSING ASSETS
Asset inventory
There is an inventory available of the systems and equipment used in the processing of information, with the information of the person who is responsible for said equipment.
Secure disposal and reuse
Formal processes have been established for the secure disposal and/or reuse of the information processing equipment.
Maintenance of equipment
The systems and equipment used for the processing of the information are duly maintained and updated.
Malware protection
The equipment on which information is processed or stored has anti-malware protection continuously activated and updated.
Software update
All software that is used for the processing of the information is duly updated and contains no known serious vulnerabilities.
Systems hardening
Systems hardening measures have been taken such as, among others:
● Only leaving open essential ports
● Disabling all services that are not strictly necessary
● Blocking or changing passwords by default for accounts with privileged access
● Encryption of disks containing data
Limitations placed on the software that can be installed by users
There are technical regulations are measures to prevent staff from installing unauthorised software on their work equipment, and to prevent them from using software that may infringe third-party intellectual property.
Limitation of administration privileges
Technical measures have been implemented so that users are not able to modify or disable the equipment’s security settings.
NETWORK SECURITY
Dedicated security team
Security monitoring and the alert system are an integral part of operations, providing 24/7 security control and a team always available to respond to alerts and incidents.
Network protection and segregation
At layer 2, the infrastructure is protected through VLAN, which guarantees that in each communications port, access is only permitted to the resources that are crucial for the provision of the service that they are intended for. At layer 3 and above, the infrastructure security is based on a dual layer of firewall security. Connections to private operators and networks (Telefónica, ONO, etc.) are isolated from the rest of the infrastructure by VLANs and specific access rules, ensuring network opacity. The DMZ network can only be accessed for the services that are offered to customers, which are the following:
● Web services: HTTP and HTTPS
● Voice services: SIP (TLS) and RTP
● Other services related with voice services: DNS, NTP, SMTP, Netflow, SNMP.
Architecture
The network infrastructure is hosted in two datacentres, one managed by Evolutio and the other by MBA Datacenters (Bitnap). Both have ISO 27001 certification. The locations contain the servers that host the applications and databases that are used in the company and all the network electronics to guarantee access and security. Both datacentres operate redundantly, with the ability to run NUMINTEC’s own services in both datacentres.
Network perimeter security
There is a dual layer of firewall security to filter unauthorised inbound network traffic from the Internet and deny any kind of network connection that is not explicitly unauthorised:
● External firewalls: This layer protects the DMZ where all the company’s equipment and cloud-based connectivity with the outside are housed, both those from public Internet networks and private customer networks, VPNs and connections with operators.
● Internal firewalls: This layer separates the access network from the outside where customers can access from, from the internal server layer that enables the company’s services and applications, where customers cannot access. Administrative access to the firewall is monitored and restricted to authorised employees.
Secure information transmission protocols
All traffic on the organisation’s networks, especially when it runs completely or partially through public networks, is encrypted using secure protocols with no known serious vulnerabilities (for example, minimum TLS 1.2)
Network vulnerability scan
Tests are periodically performed to check that the networks are free of vulnerabilities and the required corrective measures are applied. The active network security scan is actively performed on all subnets to quickly identify systems that do not comply with requirements or are potentially vulnerable. The scheduled passive scans are also run for all internal or private subnets, as well as all public DMZs or subnets that face exposed ports (http / https).
Penetration testing
In addition to our internal monitoring procedures, at least once a year NUMINTEC conducts extensive penetration testing (pentest) on the networks and production servers against third party attacks.
Management of security alerts (SIEM)
Our monitoring system collects activity logs both on systems in the DMZ and on the internal network. The SIEM sends incident alerts which notify the corresponding security team for them to investigate and respond.
Detection and prevention of intrusion
The entry and exit points of the application’s data flow are monitored by Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). This is integrated with SIEM and 24/7 operations.
DDoS mitigation
NUMINTEC monitors network traffic in real time to inspect inbound traffic. For the automatic mitigation of most of the DDoS techniques, the firewalls protect against all known infrastructure attacks (Layer 3 and 4).
SECURITY OPERATIONS
Logical access
NUMINTEC uses role-based security architecture and requires all of the system’s users to be identified and authenticated before accessing any system resource, with granular and specific access privileges per employee. The production resources and all administrative actions are recorded and stored for at least two years with specific protection and backup copies to avoid the audit records being amended. All production resources are managed in the asset inventory system and each asset is assigned an owner. The owners are responsible for approving access to the resource and for performing periodic reviews of access by role. Access to any NUMINTEC network or administration system is determined by a “need-to-know” policy as per ISO27001 and ISO27017 standards.
Capacity monitoring and management
NUMINTEC has implemented a systems monitoring and capacity management process to continuously monitor the performance of the systems, supervise the use of resources and adjust the use of resources, as well as project future capacity requirements to ensure the required system performance.
Response to security incidents
In the event of a system alert, the incidents are escalated to our teams 24/7, who provide operational coverage, network engineering and security. In addition, customers have at their disposal the Customer Technical Support (CTS) team to respond to any incidents they may detect. Employees are trained in controlled security incident response processes to both ISO 9001 and ISO 27001. Additionally, NUMINTEC has a cyberattack response procedure that establishes the mechanisms necessary for the detection, containment, response and recovery from attacks against our networks and systems.
Change management
NUMINTEC has a change management procedure in which it is cautioned that any change may affect the security of information and services. In cases where the change may affect the service, the procedure provides for the obligation to inform customers prior to changes, that provides sufficient information so the customer can assess the impact, and that information is provided about the scheduling of the change and potential alterations to the availability of the service.
Audit records
Audit records of the operations performed on data are collected, retained and reviewed (access, amendment and deletion).
DATA ENCRYPTION
Encryption of data in transit
All information in transit is always transmitted securely as far as possible and taking into account the specific requirements of each customer. The service protocols directly exposed to the Internet are HTTP/HTTPS and SIP for TLS, enabling only the most recent and secure versions. With regard to the HTTPS protocol, NUMINTEC conducts network penetration testing to ensure that the authorised encrypted data is not vulnerable to attack and we apply the necessary security updates and configurations. Communications with third-party services for the needs of the customers (integrations, webservices) are preferably made using HTTPS.
Call encryption
With regard to the SIP protocol through TLS, SSLv3 is used to negotiate the higher cryptographic protocol (TLS 1.1 or 1.2) that will be used for the telephones’ communication at signalling level (call order, receive calls, transfer, etc.). The customer can choose forced audio transmission using the secure SRTP protocol as per RFC3711. It should be noted that this encryption is optional according to the needs of the different customers and their types of terminals, as some terminals do not support encryption. With regard to the different encryption types supported by the SIP protocol, have consideration that despite the fact that some weak ciphers are permitted, telephones always negotiate the higher cipher within those compatible, which means that the encryption security grade depends in part on the type of terminal used. We can guarantee the encryption in our system for inbound calls, but unfortunately it is not possible for calls originating from or intended for the PSTN on its public section, once we send calls to the service provider. This is due to the fact that providers do not support call encryption, as the telephone network is not designed for it. However, to the extent possible, we use encrypted channels (MPLS) for communications with telephony providers, which adds at least an extra layer of security to the section between ourselves and the provider that ultimately routes the call to the PSTN. It should be noted that NUMINTEC has the ability to encrypt calls in order to be able to provide customers with on-demand services (recording or listening) and for the legal interception of communications, as provided for by Law 25/2007, of 18 October, on the retention of data related to electronic communications and public communications networks, and Law 9/2014, of 9 May, General Telecommunications.
Storage encryption
With regard to the encryption of data stored on disks, dm-crypt luks is used as it is well supported by the Linux kernel. This prevents, in the highly unlikely event of disks being stolen from servers located in datacentres, the data contained within them from being used.
AVAILABILITY AND CONTINUITY
Availability
NUMINTEC continuously monitors the availability of our systems and services in order to ensure the agreed availability objectives for the service are met.
Redundancies
Redundancy is integrated into the infrastructure of the system that supports the production services to help ensure that there is no single point of failure, including firewalls, routers and servers. Should the primary system fail, the redundant hardware is configured to take its place. Additionally, there are systems in redundant datacentres with Evolutio and BITNAP that are able to run NUMINTEC’s own services in both centres.
Backup Copies
Backup copies are made automatically. The process for running backup copies is monitored and in the event that any errors occur in making the copies, system staff will take action to determine the root cause of the error and restart the backup execution. Backup copies are made of:
● Virtual machines: Weekly backup copy in the high availability storage array, maintaining two versions of all virtual machines. The application data contained in the virtual machines is included in this backup copy. An additional backup copy is also made of virtual machines in Amazon’s S3 system, and retained for one month. As the backup copy is made weekly, four versions of each virtual machine are retained.
● InvoxContact database: A Snapshot type daily backup is made using Aurora. A full export of all databases is also performed once a week, with versions retained for a minimum of three months. These copies are stored in the alternate database, thus providing geo- redundancy for these backup copies.
Supervision of backup copies
The correct execution of backup copies is continuously monitored.
Recovery testing
Periodic recovery and verification testing is performed on the information contained in the backup copies.
Continuity plan
A Continuity Plan has been developed and tested in order to provide a timely and appropriate response to such incidents that may bring about a disruption to the contracted services.
Disaster recovery procedures
There are specific protection and recovery procedures in place against threats that compromise the integrity of the information, such as ransomware attacks or serious flaws in the technology infrastructure.
PHYSICAL SECURITY OF PROCESSING AREAS
Physical security perimeters
There is a security perimeter to protect the areas and premises where data is processed or stored.
Access control
Physical access controls have been implemented in the areas and premises where data processing is performed to ensure that access is only allowed to authorised staff.
Protection against external and environmental threats
The necessary measures have been established to protect essential individuals, equipment and facilities in the event of natural disasters, malicious attacks or incidents, such as fire, floods, water leakage, air conditioning malfunction, etc.
Supply facilities
The necessary measures have been established to ensure the continuity of the electricity supply in those essential facilities.
Security of data processing centres
NUMINTEC’s services are run on servers located in EVOLUTIO and BINAP datacentres that are ISO 27001 certified. Consequently, the physical security controls are delegated to these providers: https://www.bitnap.net/MBADATACENTERS-iso.pdf https://www.aenor.com/certificacion/certificado/? codigo=4 2390
These datacentres are located in Spain.
IaaS and PaaS service provider security
IaaS and PaaS service providers provide the necessary physical security controls which are ensured through the appropriate certification, such as ISO 27001, SOC 2, ENS (High level), PCI-DSS, and others In this case, the services are contracted in datacentres located in the EU.
2. APPLICATION SECURITY
SECURE DEVELOPMENT POLICIES
Secure training
Our engineers and developers periodically take part in internal and external training programmes on the principles of secure system engineering, and best security practices for the design and development of secure code.
Coding security controls
NUMINTEC incorporates all the security measures recommended by OWASP. These include guides to protect applications from the main known threats, such as Injection, Broken Authentication, Sensitive Data Exposure, Broken access control, Cross-Site Scripting XSS and Cross Site Request Forgery (CSRF) among others. In addition, the testing process applies all relevant checks for our applications included in the OWASP testing guide.
QA
During the testing process the code is re-examined and detailed testing is performed before any change is put into production. The process also includes regression testing to avoid any unforeseen impact due to the changes introduced to the code, in the libraries and components used and in the operating systems where the applications are run. The QA team is actively involved in the development cycle, so that their recommendations are incorporated from the design stage.
Separate environments
The programmers work on their local machine synchronising everything. The testing environments are connected to segregated production databases, with obfuscated or fictitious data. The testing environments are located in an environment completely separated from the production one, with specific servers for these environments.
3. PRODUCT SECURITY FEATURES
AUTHENTICATION SECURITY
Authentication options
To access the InvoxContact platform’s web applications, users must log in using their own username and password. Where possible, SSL certificates signed by the Numintec certificate authority (self-signed) will be used. Additionally, for customers that require it, a two-step (2FA) authentication process is used to provide an additional layer of protection for accounts with administration privileges.
Password policy
Passwords can only be reset by the end user with an active email address (the name of the user is the same email address). The password policies stipulate compliance with a minimum number of length and complexity requirements to ensure that passwords are strong, as well as policies to force them to be renewed once a year. The password assignment mechanism helps ensure that passwords are kept secret, given that the user can set their own password from their first login. In addition, the password recovery process ensures that only the user can know the new password.
User account management
Once the customer dashboard has been activated, the customer’s administrator can manage their own user accounts to either add or revoke access the organisations’ agents and supervisors. New users receive an email with instructions and temporary login details that must be changed by the user themselves when they first log in.
Administrator access
The customer dashboard administrator can determine NUMINTEC’s technical support staff can access the customer’s service using their own user login credentials, so that when they are dealing with incidents they do not require the user to give them their own credentials, thus ensuring the secrecy of users’ passwords.
Application access restriction
The customer dashboard administrator can establish which applications and services each user has access to, and assign locations, agents and/or supervisors to an agent.
Audit records
An audit record is kept of all access and changes made from the InvoxContact web application. These changes can be viewed by the customer dashboard administrator.
Secure password storage
NUMINTEC follows best practices in secure password storage. Passwords are never kept in readable format, uni-directional encryption of them is generated that includes the use of random bits (salt). Password transit between the browser and the server is protected through the use of the HTTPS protocol that involves the encryption of the form data sent.
API security
The customer’s applications only access the services on the server via a HTTPS full REST-API. To make any call, the customer needs to have a secret API Key and have passed the API request authorisation flow.
Data transmission security
All communications through public networks with NUMINTEC servers (two-way) are encrypted using HTTPS. This ensures that all data traffic between the customer and NUMINTEC is kept secret during transit. For real-time functions, such as real-time chat, NUMINTEC uses the secure websockets protocol as a secure and transmission-oriented additional HTTP alternative.
4. PERSONAL DATA PROTECTION
TECHNICAL AND ORGANISATIONAL MEASURES
Management System
NUMINTEC has implemented an information privacy management system that ensures compliance with the legal obligations, the appropriate treatment of risks to the rights and freedoms of users, and an ongoing review and improvement process for the policies applied.
Responsibilities
NUMINTEC has appointed a Data Protection Officer responsible for monitoring the Personal Data Protection System. Their responsibilities include defining the personal data protection policies, verifying compliance with these policies, evaluating personal data processing risks, determining the technical and organisational measures necessary to mitigate risks, and monitoring the performance of the measures implemented and evaluating regulatory compliance. In addition, all NUMINTEC staff have undertaken to comply with and enforce the company’s data protection policies and regulations.
Obligations
All NUMINTEC staff sign a contractual document through which they undertake to comply with personal data protection policies. Said document contains the warning that failure to comply with said obligations constitutes serious misconduct or workplace disobedience and, thus, will be punishable.
Training and awareness-raising
All NUMINTEC employees participate in awareness and training sessions on the protection of personal data processing.
Technical measures
All personal data processing is protected through the same technical measures as apply to all company information in accordance with ISO27001 certification.
Privacy Policy
In the “General Terms and Conditions for the procurement of services supplied by Numintec Comunicaciones”, NUMINTEC has included a clause that sets out the privacy policy for the protection of personal data. Said policy includes information about the purposes and legitimacy of processing, the categories of data processed, the data retention criteria, possible communications or transfers of data, and the procedure that ensures stakeholders can exercise their rights.
Data processor
Under the data processer clauses included in the Data Processing Agreement, NUMINTEC is responsible as data processor for the data that it processes on behalf of our customers and which is required in order to supply the contracted services. Thus, NUMINTEC guarantees to:
● Ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services.
● Quickly restore the availability of and access to the personal data in the event of a physical or technical incident.
● Verify, evaluate and assess, on a regular basis, the effectiveness of the technical and organisational measures implemented to ensure the security of the processing measures implemented and evaluating regulatory compliance.
Communication and transfer of data
The data that NUMINTEC processes as our customers’ data processor will not be transferred or communicated to third parties, with the exception of:
● Companies that, as data processors, provide us with services related to the ordinary and administrative activity of the company, such as, among others, web hosting services, SaaS mode management application services, file archiving in the cloud, etc.
● Telecommunications network operators that supply services necessary for the routing of calls made by customers of our services to their recipients.
● Official entities and bodies that require it in order to meet obligations with the Public Administrations in cases such as required in accordance with prevailing legislation at any time and, when applicable, also other bodies such as state security forces and bodies and to judicial bodies.
International data transfers
The provision of NUMINTEC services may entail the processing of personal data on the part of companies located outside the European Economic Area, in which case it is only performed when the countries offer an adequate level of protection, or, provide adequate safeguards, such as the Standard Contractual Clauses (SCC) adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679. Should the routing of calls to their recipient involve the transfer of data to third parties, this will be covered by existing interconnect agreements under current telecommunications legislation.
Retention criteria
In accordance with the contract termination clauses set out in the “General Terms and Conditions for the procurement of services by Numintec Comunicaciones”, after a time period of ninety (90) days from the disconnection, or, if necessary, the period stipulated in the service contract terms, NUMINTEC will permanently delete the data contained in our databases, except under such circumstances under which legal obligations or responsibilities may arise from the execution of the provision of the service, in which case a copy may be retained, with the data duly blocked, until the cessation of said responsibilities and obligations.
PRIVACY BY DESIGN AND BY DEFAULT
Data collection minimised
Data is only collected that is strictly necessary for the purpose for which it needs to be processed.
Data retention period limitation
NUMINTEC has established procedures to limit the retention of data and prevent it being retained for longer than the established time periods. The temporary files created as a result of the processing are deleted when they are no longer required.
Limitation of purpose
NUMINTEC has defined mechanisms to prevent the information that is being processed on behalf of the controller from being used for purposes other than those set out in the Data Processing Agreement (DPA).
Data pseudonymisation and encryption
Where applicable, pseudonymisation and encryption measures will be taken, especially when the information processed includes especially sensitive data.
Segregation of sensitive information
Access to more sensitive information is segregated so that it may only be viewed and processed by specifically authorised staff.
EXERCISE OF RIGHTS BY STAKEHOLDERS
Response procedure
NUMINTEC has established a formal process to aid and assist the controller in responding to requests from stakeholders to exercise their rights.
Communication of requests to exercise rights
NUMINTEC has defined the channels through which the stakeholders can communicate their requests to exercise their rights to the data controller.
Limitation of processing
There are mechanisms in place to limit the processing of data if it is so required.
SECURITY BREACHES
Management of personal data security breaches
The procedure makes it possible to identify when a personal data security breach occurs and provides for the immediate notification of the controller without undue delay of said security breaches, including all the information necessary to assess the impact and determine the causes and corrective measures applied.
Support for the Controller in notifying of security breaches
It is expected that the Controller will be assisted in notifying the supervising authority of the security breach, and, where applicable, the stakeholders, taking into account the information available to the processor.
5. RELATIONSHIP WITH PROVIDERS
GENERAL MEASURES
Provider security policy
There is a formal process that makes it possible to assess compliance with the requirements of information security that providers who process information and personal data must comply with. Providers are only given access to information when there is a legitimate requirement that justifies this access.
Confidentiality
All our providers must sign confidentiality commitments and non-disclosure agreements (NDA) to protect the secrecy of NUMINTEC’s information and that of its customers.
Certification and standardisation
All providers that supply services that involve the processing of NUMINTEC’s information and that of our customers in its facilities, must be certified ISO 27001 or equivalent. In the specific case of providers of information processing services and infrastructure in the cloud (SaaS, IaaS, PaaS), ISO27001 or equivalent certification must cover in its scope the services supplied to NUMINTEC. Should said certification not be available, the standardisation process involves verifying the existence of equivalent guarantees appropriate to the risks identified and, even the possibility to respond to audits of third party to verify the performance of the guarantees provided.
Service evaluation
NUMINTEC has implemented a provider evaluation process that involves the periodic review of compliance with the service level guarantees (SLA) and compliance with the requirements of the services established.
Safeguarding the supply chain
NUMINTEC’s policy is to ensure the continuity of our services through provider diversification and redundancy.
Personal data processing
NUMINTEC has personal data processing agreements (DPA) with all providers that supply services involving the processing of personal data that NUMINTEC or our customers are responsible for in their facilities.
Termination of service
NUMINTEC requires that its providers, and especially those that supply services in the cloud, delete any information they process once the termination of service has been agreed. This policy applies to all information that is processed under the service provided, whether NUMINTEC’s or that of our customers.
Segregation of environments
NUMINTEC requires that its providers, and especially those that supply services in the cloud, guarantee the segregation of virtual information processing environments, with guaranteed sealed access to the different environments and service capacity.
6. REGULATORY COMPLIANCE
CERTIFICATIONS
Auditors
SGS, the certification authority that audits us has official accreditations that ensure its reliability, among which the most notable are OCA, ECA, Ministry of Defence, Ministry of Health and Consumer Affairs, Ministry of Industry and Energy, Ministry of Public Works and Transport, Nuclear Safety Council and ENAC.
ISO 9001:2015
NUMINTEC is ISO 9001:2015 certified.
ISO 27001:2013
NUMINTEC is ISO 27001:2013 certified
ISO 27017:2014
NUMINTEC complies with ISO 27017:2014.
LEGAL COMPLIANCE
Personal data protection
NUMINTEC complies with data protection legislation in accordance with:
● Regulation (EU) 2016/679 on Personal Data Protection (GRPD)
● Law 3/2018, of 5 December, on Protection of Personal Data and Guarantee of Digital Rights (LOPD-GDD). Information about the data processing that NUMINTEC undertakes can be found in our privacy policy: https://www.numintec.com/en/privacy-policy/
Telecommunications operator
NUMINTEC is subject to the legislation that applies to it as telecommunications provider:
● Law 11/2022, of June 28, 2002, General Telecommunications Law (LGT).
● Law 25/2007, of 18 October, on the retention of data related to electronic communications and public communications networks.
● Law 25/2007, of 18 October, on the retention of data related to electronic communications and public communications networks. Among other aspects, compliance with this legislation means that NUMINTEC is obliged to retain and transfer to the representatives appointed the source and destination data, day, time and duration of calls, among others.
Intellectual property
Política de Seguridad de los servicios en la nube_en-GB
NUMINTEC is subject to intellectual property legislation:
● Law 2/2019, of 1 March
Under this law, NUMINTEC guarantees that it has established policies to ensure the protection of third-party intellectual property rights, in accordance with the terms of the licences for all software that it uses to provide its services.
DC-036 Rev. 01 05/5/2022