Technical and Organizational Measures (TOMs)

The technical and organizational measures (“TOMs”) apply to all standard service offerings provided by Particle41 LLC (“P41”) except where our Client is responsible for the security and privacy TOMs. P41 most commonly does work within our Client’s environment and will follow any TOMs provided by the Client while providing service. P41 may change its own TOMs from time to time to adapt to the evolving security landscape and, where required, will notify customers of these changes.

Evidence of the measures implemented and maintained by P41 may be presented in the form of up-to-date attestations, reports or extracts from independent bodies upon request from the Client.

Document Management

P41 will validate that necessary documentation is in place between P41 and the Client where P41 processes any information relating to a person or entity that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person or entity (“Personal Data”) covered by the General Data Protection Regulation (“GDPR”). In case of a change to the defined scope, any change to the processing of Personal Data will be reviewed to determine any impact on required TOMs and other contract exhibits.

P41 will create and maintain the following security and privacy documentation as well as store them in a central repository with restricted access control:

  1. Data Privacy Agreement (“DPA”)

  2. TOMs

  3. Non-disclosure Agreement (“NDA”) or Confidentiality Information or similar (as required)

  4. Sub-processor Agreement (as required)

Security Incidents

P41 will maintain an incident response plan and follow documented incident response policies in compliance with our published security procedures and ISO certifications. P41 shall send applicable data breach notifications to the legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (“Data Controller”) without undue delay where a breach is known or reasonably suspected to affect Client Personal Data.

Risk Management

P41 will assess risks related to the processing of Personal Data and create an action plan to mitigate identified risks.

Security Policies

P41 will maintain and follow IT security policies and best practices that are integral to P41’s business and mandatory for all P41 employees, including supplemental personnel. IT security policies will be reviewed periodically and P41 will amend such policies as reasonably necessary to maintain the protection of services and content processed therein.

P41 will maintain an inventory of Personal Data reflecting the instructions set out in the DPA, including disposal instructions upon contract termination, as applicable. Computing environments with resources containing Personal Data will be logged and monitored.

P41 employees will complete security and privacy education annually and certify each year that they will comply with P41’s ethical business conduct, confidentiality, and security policies, as set forth in P41’s internal policies.

Physical Security

P41 allows all employees to work from home under our telecommuting (work from home) policy, which is found in our employee handbook. All employees are required to use all reasonable means to keep their person and any P41 equipment safe and secure at all times. Employees are also instructed never to store personal information on their devices in their local environments.

User Access Management

P41 will maintain proper controls for requesting, approving, granting, modifying, revoking, and revalidating user access to systems and applications containing Personal Data. Only employees with a clear business need may access Personal Data located on servers, within applications or databases, or have the ability to download data within P41’s network. All access requests will be approved by management based on individual role-based access and reviewed on a regular basis for continued business need. All systems must meet corporate IT Security Standards and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources (“OSR”).

System and Network Security

P41 will employ encrypted and authenticated remote connectivity to P41 computing environments and Client systems unless otherwise directed by the Client.

For Private Cloud User Clients

P41 will implement TOMs to support the security of its network and confirm the availability of computing environments and access to Client Personal Data. Network security measures such as firewalls, network segmentation, and two-factor authentication are used in general for access to the critical P41 target systems.

Controls and Validation

P41 Security will maintain policies and procedures designed to manage the risks associated with applying changes to P41 systems.

Workstation Protection

P41 will implement protections on end-user devices and monitor those devices for compliance with the security standard, which requires hard drive passwords, screensavers, antivirus software, firewall software, controls against unauthenticated file sharing, hard disk encryption, and appropriate patch levels. Controls are consistently applied to detect and remediate workstation compliance deviations.

P41 will securely sanitize physical media intended for reuse prior to reassignment and refer to the P41 Data Destruction and Sanitization Policy (“DDSP”) for any applicable destruction procedures.

Threat and Vulnerability Management

P41 will maintain industry-standard measures to identify, manage, mitigate and/or remediate vulnerabilities within the P41 computing environments. These security measures include:

  • Patch management of operating systems, firmware, productivity applications, and utilities used in all P41 systems, equipment, and facilities

  • Anti-virus / anti-malware

  • Threat notification advisories

  • Vulnerability scanning (all internal systems) and periodic penetration testing (public internet-facing systems), with remediation of identified vulnerabilities