Log in

Security Annex

Last modified: 12 February 2025


  1. Introduction

    This Security Annex outlines the technical and organizational measures implemented by Olaboard to ensure an appropriate level of security in accordance with Article 32(1) of the General Data Protection Regulation (GDPR). These measures are designed to protect personal data against unauthorized access, alteration, disclosure, or destruction.

  2. Access Control & Authentication
    1. Access to Systems and Data
      • Implementation of role-based access control (RBAC) to ensure employees and third parties have access only to the data necessary for their role.
      • Multi-factor authentication (MFA) for all privileged and administrative accounts.
      • Single Sign-On (SSO): Where feasible, Olaboard integrates authentication with Google Workspace or another identity provider to streamline secure access.
      • Strong Password Policies: All user accounts must adhere to password policies requiring a minimum length, complexity, and periodic rotation.
  3. Data Protection Measures
    1. Data Encryption
      • Encryption of data at rest using AES-256 encryption or equivalent.
      • Encryption of data in transit using TLS 1.2 or higher.
      • Secure key management processes, including regular key rotation and access controls.
    2. Data Minimization and Anonymization
      • Where possible, personal data is pseudonymized or minimized to reduce the impact of a potential data breach.
      • Regular reviews to ensure the collection and storage of personal data are minimized.
  4. Network and Infrastructure Security
    1. Logging & Monitoring
      • All access and modification attempts are logged via GCP’s audit logs.
    2. Endpoint and Device Security
      • Deployment of endpoint protection and anti-malware software on all devices.
      • Regular patching and updates of operating systems and software to mitigate vulnerabilities.
  5. Incident Response and Breach Management
    1. Incident Detection and Response
      • Continuous monitoring of systems to detect and respond to security incidents.
      • Olaboard maintains an incident response plan detailing steps to take in case of a data breach, including notification procedures in compliance with GDPR requirements.
      • Immediate containment, investigation, and mitigation actions following any suspected breach.
    2. Personal Data Breach Notification
      • Notification to the Customer without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach.
      • Cooperation with the Customer in investigations and mitigation efforts.
  6. Review and Continuous Improvement
    • Periodic security assessments and audits to evaluate the effectiveness of implemented measures.
    • Regular updates to security policies in response to emerging threats and regulatory changes.
  7. Contact information

    For security-related inquires, please contact Olaboard’s Data Protection Officer at [email protected]