Skip to content

Technical and organisational measures (TOMs)

Apteco applies and maintains appropriate and reasonable technical and organisational measures (TOMs) suitable and sufficient to protect any Apteco Cloud Personal Information against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

Access control

Physical access to data centres is controlled at building ingress points by professional security staff utilising:

  • Surveillance
  • Detection systems
  • Other electronic means

Data centres are certified for compliance with ISO 27001. Production Apteco Cloud servers are logically and physically secured from internal Apteco systems.

Intrusion prevention

Multiple protection measures are in place to prevent unauthorised access to the Apteco Cloud network, including:

  • Firewalls
  • Hardened operating systems to CIS Level 1 (Centre for Internet Security)
  • Encrypted network traffic
  • Password policies
  • Regular penetration testing by independent, globally renowned security experts

Unauthorised activities in data processing systems

Multiple protection measures are in place to prevent unauthorised activities on Apteco Cloud systems, including:

  • Firewall policies
  • Hardened operating systems
  • Regular monitoring

Apteco Cloud storage, including all customer data in Apteco Cloud, is encrypted using the industry-standard AES-256 algorithm.

Separation control

A customer's data is held separately from other customers' data, unless previously agreed in writing. Production, test, development, and internal environments are separated.

Pseudonymisation and anonymisation

The processing of any personal data when running the Apteco Cloud service is done in such a way that the data can no longer be attributed to a specific person without additional information. This includes any telemetry data unless the person has specifically approved this, for example by participating in the Apteco Insider Programme. The client is responsible for their own data and whether that data can be attributed to a specific person.

Transfer control

Industry-standard encryption is used for the transmission of Apteco Cloud data, including any personal data customers may hold in Apteco Cloud. This includes data uploaded to and exported from Apteco Cloud over HTTPS during transit.

Input control

The Apteco Cloud environment and application has built-in auditing capabilities, for both building and administering the system and for user activity, with retention periods for auditing and evidence purposes.

Availability control

Backups of Apteco Cloud instances are regularly made and the recovery process tested. The last three daily backups and the last four weekly backups are retained. The administration of Apteco Cloud has additional measures in place to protect against accidental destruction of data. The Apteco software includes many features that contribute to a secure environment, for example, limiting the velocity of data that can be exported.

Resilience and fail-safe control

Apteco Cloud is built on a resilient infrastructure and a hardened operating system that conforms to industry standards defined by the Centre for Internet Security (CIS). Communication channels are maintained with the relevant agencies and suppliers to stay informed about updates and patches. Separate development, test, and production environments are maintained. Proactive measures are also taken on code changes to identify risks before they reach production environments.

Order control

Apteco employee contracts include clauses requiring client confidentiality to be maintained. Apteco does not subcontract the support of Apteco Cloud.