GDPR Infrastructure

HOW DOES AGILE TELECOM INFRASTRUCTURE GUARANTEE COMPLIANCE WITH THE GDPR?

Information security and adequate data management policies are our priorities and the reason we make continuous investments in technology. The General Data Protection Regulation (GDPR) represents a major social innovation. In fact, it clarifies and allows individuals to manage their own privacy.

Agile Telecom has significant experience in threat protection, in privacy protection, and in a wide range of compliance regulations. Moreover, Agile Telecom leverages the organisational model of its holding company, Growens, to better manage its security posture and to foster fruitful synergies among the Business Units and the subsidiaries of Growens, accelerating each own growth.

Agile Telecom maintains a policy of transparency and aim to provide you with the information you need to feel secure when you use the platform. Every day Agile Telecom renew our commitment to our principles in terms of trust in the cloud, data protection, and data security. Relationships with Agile Telecom are supported by contractual commitments for our services, including security standards, support, and timely notifications in accordance with GDPR requirements. Agile Telecom will share the information gathered from various Data Protection Authorities and other reputable organizations, in order to adapt what is learnt to help you create the best possible approach for your organization.

As required by laws and regulations, our infrastructure and security policies have been assessed for their adequacy and impact on data protection. These assessments will continue to be regularly conducted to maintain the highest standards of data protection compliance.

Agile Telecom makes use of Multi-Factor Authentication to strengthen the authentication process to its resources. Multi-Factor Authentication is an authentication method that requires more than one type of credentials, so to guarantee that the authenticating user is legitimate a second level of security is added for user accesses and transactions. The robustness of the access control is reinforced by the presence of Google Single Sign-On. Agile Telecom enforces the robustness of the passwords used by its users in compliance with the policies set up internally. In addition, in Agile Telecom passwords are stored only in secure password managers. Agile Telecom provides well-defined and periodically reviewed access rights following the principles of least privilege and of need-to-know. Agile Telecom protects its connections to web services, using only secure protocols with state-of-the-art encryption algorithms.

From a physical security point of view, offices of Agile Telecom are protected by burglar and fire alarm systems and have surveillance mechanisms to ensure perimeter security. In addition, all accesses to the premises require an internal reservation system, especially for specific sensitive internal areas. To ensure the business continuity of our systems, a dedicated cluster of virtual machines is used for backup replication and redundancy. Agile Telecom stores incremental backups which are opportunely rotated. Agile Telecom data center environment is constantly monitored; there are air conditioning systems to ensure climatic safety, humidity and temperature sensors.

Agile Telecom shares with Growens, the Group holding, an internal change management tool which is accurately used for any tickets, problems and change requests. There is also a separated platform used for several customer-facing purposes like issue tracking, help desk and other customer supports activities.

Corporate policies and the mobile device management (MDM) agent prohibit both local-only storage within a corporate device and the use of removable storage media. In addition, to strengthen the security of the endpoints and the security of the data stored in them, Agile Telecom makes use of full disk encryption, which is enabled by default in all devices.

At the physical level, Agile Telecom protects its data through full disk encryption, a methodology that does not allow sensitive data to be extracted if the physical storage media is stolen. The technology used to store data on physical media is intended to increase performance, make the system resilient to the loss of one or more disks and allow hardware replacement without any interruption in service. Moreover, at the application level Agile Telecom protects customer’s data stored in databases with data-at-rest encryption.

The confidentiality of data transmitted via the Internet could be compromised; therefore, the protection of data in transit is a high priority. In order to protect transmitted data, Agile Telecom uses the Transport Layer Security (TLS) cryptographic protocol, version 1.2 or above, which exploits both asymmetric and symmetric encryption algorithms to ensure secure communications across networks. To provide even greater security, a process of hashing with salting is also used to make the information more confidential & not easily hackable.

Agile Telecom makes use of anti-spam tools in compliance with the internally defined anti-spam policy. Moreover, each endpoint in Agile Telecom is provided with antivirus and antimalware software centrally managed by system administrators, which also scans e-mail – both incoming and outgoing – to guarantee e-mail security against viruses, spoofing and phishing.

Agile Telecom developed an automated procedure useful to periodically check that all servers are up-to-date and with the latest security patches installed.

Agile Telecom established an incident management process which considers security events that can affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team records it and establishes a priority level based on its severity. Events that have a direct impact on customers will be managed with the highest priority.

To ensure data availability in the event of hardware and software issues, backup operations are scheduled at least once per day for the most critical servers. Redundancy of backups is ensured. Backups are copied into a dedicated backup environment located within the European Union. Moreover, backups are securely encrypted to ensure the highest level of confidentiality, and organized in such a way to guarantee the separation of data for each customer. The integrity of backups is periodically verified by Agile Telecom.

Agile Telecom maintains the backup of the data created by its customers for the time specified in the data retention policy, then they are automatically deleted.

Agile Telecom tracks the lifecycle of the used hardware from the purchase through its disposal.

For the disposal of the hardware, Agile Telecom relies on a highly qualified and experienced suppliers that guarantee the deletion of data and the destruction of the disk in compliance with the industry best practices. The supplier provides a certificate to prove that the destruction has taken place.

Agile Telecom defined and assigned roles regarding information security; there is a CIO (Chief Information Officer) and a Cybersecurity Manager of the Growens Group, with the goal of strengthening the company’s security posture. Moreover, the employees’ responsibilities are clearly defined in the company policies. This increases their skills in the event of security incidents and their awareness of the company structure. Agile Telecom implemented an alerting system through a dedicated tool, that sends alerts to the relevant company functions.

With regard to the role of System Administrator, Agile Telecom is fully compliant with the Provision of the Italian Data Protection Authority dated 27 November 2008 (and its subsequent amendments). Agile Telecom appoints System Administrators by assessing their experience, skills and reliability and describe their specific areas of operation in a formal letter of appointment. A list of System Administrators is available to all employees. Every year Agile Telecom reviews the work of its System Administrators, so as to keep their operating areas and the high privileges assigned to each of them always updated, following the principle of minimisation.

Agile Telecom takes care of the training of its staff to increase the company’s awareness of issues that may affect the security of personal data and company information. For this reason, a training programme established by the Growens Group is carried out through targeted lessons and exams. Mandatory training sessions have also been held for certain professional figures, with the issue of certificates of attendance.

Personnel changes take place through well-defined internal procedures, which outline the individual steps to be taken for onboarding and offboarding. The onboarding procedure includes dedicated training for the new employee.

Agile Telecom has defined a secure software development life cycle, which describes each step of its software development, how application security considerations are included from its early stage of design, and how to face several security issues (e.g., input validation and sanitisation). During software development Agile Telecom takes into account the principle of data protection by design and by default, with a focus on how to securely process personal data.

The software development team makes use of four separated environment – development, testing, pre-production and production – described inside the company procedures. Moreover, unit tests and functional tests are developed to verify that the correctness of the codebase.