Technical and Organizational Measures
In accordance with the requirements of the General Data Protection Regulation (GDPR), Magic Feedback (“Processor”) commits to implementing the following Technical and Organizational Measures to ensure the security, confidentiality, and integrity of the personal data processed on behalf of Culligan (“Controller”).
1. Data Protection and Security
1.1 Data Encryption
- All personal data is encrypted both at rest and in transit using industry-standard cryptography (e.g., AES-256 for data at rest, TLS 1.2 or higher for data in transit).
- Encryption keys are managed securely, with access limited to authorized personnel only.
1.2 Access Control
- Access to personal data is restricted to authorized personnel based on the principle of least privilege (PoLP).
- Strong, unique passwords are enforced, and multi-factor authentication (MFA) is required for accessing systems that process personal data.
- Regular reviews of access rights are conducted to ensure that access levels are appropriate.
1.3 Data Minimization
- Personal data processing is limited to the minimum necessary to fulfill the agreed-upon purposes.
- Procedures are in place to anonymize or pseudonymize personal data wherever possible.
1.4 Physical Security
- Data centers and office locations where personal data is processed are secured with physical access controls (e.g., biometric access, security personnel, CCTV).
- Security measures are in place to protect against unauthorized access, theft, and physical damage.
1.5 Network Security
- Firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are implemented to protect against unauthorized access and attacks.
- Regular vulnerability assessments and penetration testing are conducted to identify and mitigate security risks.
2. Data Breach Management
2.1 Incident Response Plan
- A comprehensive incident response plan is in place to address potential data breaches.
- Procedures include immediate containment, investigation, and notification to the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, so that the Controller can meet its own notification obligation to the supervisory authority under Article 33 GDPR.
2.2 Breach Notification
- In the event of a data breach, the Processor will notify the Controller with the information the Controller needs for its own notification under Article 33(3) GDPR: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, the mitigation steps taken or proposed, and a contact point for further information.
3. Data Retention and Deletion
3.1 Data Retention Policy
- Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.
- Regular audits are conducted to ensure compliance with data retention policies.
3.2 Secure Deletion
- Personal data is securely deleted or anonymized when no longer required, using industry-standard methods (e.g., data wiping, secure shredding).
- Data deletion processes are documented and regularly audited.
4. Employee Awareness and Training
4.1 Training Programs
- All employees involved in the processing of personal data receive regular training on data protection laws, security best practices, and the importance of maintaining data privacy.
- Specialized training is provided to employees with elevated access to personal data.
4.2 Confidentiality Agreements
- Employees are required to sign confidentiality agreements as part of their employment contracts.
- Disciplinary actions are enforced in case of breaches of confidentiality.
5. Third-Party Management
5.1 Vendor Management
- Third-party vendors who process personal data on behalf of the Processor are carefully vetted and required to adhere to the same data protection standards.
- Data Processing Agreements (DPAs) are in place with all third-party vendors.
5.2 Regular Audits
- Regular audits of third-party vendors are conducted to ensure ongoing compliance with data protection requirements.
- Any identified risks are promptly addressed and mitigated.
6. Regular Review and Improvement
6.1 Continuous Monitoring
- The Processor regularly monitors and reviews its security measures to ensure they are effective and up-to-date with the latest industry standards and threats.
- An internal audit program is in place to assess compliance with this policy and other relevant legal requirements.
6.2 Policy Review
- This policy is reviewed and updated at least annually, or more frequently if necessary, to reflect changes in legal requirements or business practices.