Technical and organisational measures in compliance with GDPR
Art. 32 GDPR defines various areas of security for which appropriate technical and organisational measures (TOMs) are to be taken. The aim is to ensure an appropriate level of protection, taking into account the state of the art, the necessary effort and assessing risks. [↗ Legal text at EUR-LEX]
The following technical and organisational measures defined for votesUP are only part of the security scheme: the basic server operation is ensured by the provider Hetzner as a subprocessor. The TOMs of the provider can be retrieved from ↗ www.hetzner.com/AV/TOM.pdf
Data protection is an ongoing task. The IT world continues to evolve. Organisational measures depend on the size of an accompanying team and are based on risk assessments. Therefore, we will constantly adapt the TOMs to current developments and also improve them on the basis of empirical values.
- Immediately after the delivery of content, the system shortens IP addresses and only stores them in a reduced manner in the log files.
- As little personal data as possible is requested and processed: votesUP offers the participation via anonymous tokens. Users can change their display name.
- All connections to votesUP are automatically transport-encrypted.
- Domain-validated TLS certificates (formerly known as “SSL certificates”) are used according to the current state of the art, which are renewed every 90 days at the latest. We use certificates from Mozilla's “Let's Encrypt” issuing authority for this purpose.
- Browser connections are only possible based on the newer TLS 1.2/1.3 standards. However, this means that outdated operating systems such as Windows XP, which can no longer be secured, are excluded from votesUP use.
- For a validation check of certificates, we use the improved Online Certificate Status Protocol (OCSP Stapling) so that the requesting browser can check the status of the provided encryption certificate. In addition, votesup.eu is equipped with a DNS resource record for “Certification Authority Authorization“ (CAA), which legitimizes only certain issuers of TLS encryption certificates.
3. Ensuring confidentiality
- Confidentiality is ensured by personal behaviour as well as automatic access restrictions. We rely on automated procedures as far as possible in order not to unnecessarily expand the discretion of users and thus expose them to unnecessary responsibility.
- The scopes of possible data access are defined by the assigned user roles and the restrictions on changing these roles.
- Data access is only possible via password-protected accounts. The password requirements differ according to the user's role of responsibility.
- Passwords are not stored directly, but only as check values (hash + salt).
- Additional access protection is ensured via the optional two-factor authentication.
- The data options for administrative access are tailored for the tasks that need to be supervised.
- votesUP's supporting team members are sensitised and trained on data protection requirements. They sign a confidentiality agreement.
- We make risk-based assessments of data processing with foresight. The severity of the potential damage of votesUP events falls predominantly into the “manageable” category according to the classification of the German federal and state data protection authorities (DSK briefing #18): the social status of the persons concerned could be affected (“reputation”). Despite possibly lower requirements in a certain situation, the votesUP system is always oriented towards the highest confidentiality needs.
- By means of mediated stapling of the OCSP (as mentioned under 2.), the data protection problem with validation requests is averted: the votesUP server submits validation requests, so that the personal IP addresses of the actual users do not have to be passed on to certification authorities.
4. Ensuring integrity
- The processing and especially the storage of data records is carried out via several security layers (availability of the request → authorisation → plausibility).
- For the protection against manipulation, check mechanisms are integrated in certrain areas (especially voting): besides regular access to the database, they involve keys from the programme code as well as from configuration files. That combination reduces dangers in the event of a database attack and manipulation is immediately noticeable. The checksums are created using standardised hashing procedures.
- Session management uses increased standards for key lengths, bit depth, origin of requests and transmission.
- Error logging makes it easier to identify problems. Error logging is in place, which itself is also improved based on further development.
5. Ensuring availability
- votesUP is operated in a data centre of a reputable German provider, who is certified according to ISO 27001 (establishment, implementation, maintenance and continuous improvement of a documented information security management system).
- The constant monitoring and maintenance of our servers (operating system, web server, database server, e-mail server as well as supporting systems such as firewalls or attack detection) is ensured by trained technicians of the provider.
- Both the votesUP platform and the user-generated data (votes, etc.) are continuously stored on redundant storage devices. This ensures uninterrupted operation even if a hard disk fails.
- The systems are fully and automatically backed up once a day. These daily backups are stored for 14 days.
- New features are first evaluated in a test system before they are included in the productive system of votesUP.
- Major maintenance work and upgrades to the votesUP system take place during less frequented periods (0 a.m. - 6 a.m. Berlin time) and are announced in advance on the votesUP homepage if possible.
6. Ensuring the resilience of the systems
- A general resilience test of the system takes place at certain intervals (most recently after server migrations in December 2020 and in February 2021 as well as in September 2021).
- A continuous monitoring is in place for the load average of the server.
- Unusually increased access attempts or sources of misuse are blocked automatically if necessary. In the case of user-specific activity, those affected are informed about the limit being reached.
- Events are limited to a certain number of users by default. The limit is only increased upon request and specification of the time period.
- Organisers are requested to register their specific event periods in advance via the administration interface. The calendar of expected load is checked daily by the votesUP team.
- System settings can be adjusted on an ad hoc basis to reduce the load per user. This applies in particular to the frequency of status requests (chat, session, new votes, requests to speak).
- Resource-intensive database queries can be cached.
7. Procedures for restoring the availability of personal data after a physical or technical incident
- Every night a backup of the entire system is created. The data can be restored for 14 days.
- The creation and management of these backups is automated. We check these mechanisms at different intervals to ensure that they are functioning properly.
- The programme code is versioned, i.e. changes can be reversed in the event of problems.
- For the evaluation of programme code, a second system is permanently available and a third one on an ad hoc basis.
8. Procedures for regular review, assessment and evaluation of the effectiveness of technical and organisational measures
- As part of the ongoing development, the functionality and security of votesUP is constantly reviewed and analysed.
- External tools like the Mozilla Observatory (observatory.mozilla.org/analyze/votesup.eu), the SSLlabs (www.ssllabs.com/ssltest/analyze.html?d=votesup.eu), the Geekflare Content-Security-Policy Test (geekflare.com/tools/csp-test) and the MX-Tools for checking the security of mail servers (mxtoolbox.com/SuperTool.aspx?action=mx%3avotesup.eu) make their test reports publicly available for inspection at any time.
- The publicly available documentation of changes (votesup.eu/news) is supplemented by a more detailed, internal development changelog.
Last TOM update (translation from German language): 21/11/2022