CSA Group and its subsidiaries and affiliates (collectively “CSA Group”) are committed to protecting your personal data. We do not share it, sell it, or access it other than for providing our contracted services to you, or for purposes for which you have provided your consent.

This document summarizes data security policies and practices that we have implemented as part of our security program. The terms “data controller” and “data processor” bear the definitions given to them by the EU General Data Protection Regulation 2016/679 (GDPR).

Protecting Our Physical Premises and Data Processing Facilities

Personal data is located on servers within either Tier 1 or higher data centres (used by data processors), or at secure dedicated server rooms located within CSA Group physical premises. All data processors and CSA Group physical premises have implemented security controls to prevent unauthorized persons from gaining physical access to data processing equipment containing personal data. These include use of the following:

  • Established security areas
  • Access authorization controls for employees and third-parties
  • Security alarm systems
  • Use of proximity ID cards and/or biometric authentication for access
  • Video surveillance and/or access logs
  • Visitor access procedures

Protecting Our Systems

CSA Group has implemented measures to prevent and detect intrusion by unauthorized persons into its data processing systems. System controls include use of the following:

  • Access controls implemented by job responsibilities and use of authorization procedures
  • Privileged access controls for administrators, separately managed
  • Access logging
  • Utilization of next-generation firewall and network-based access restrictions
  • Detection and prevention of malware at multiple points
  • Use of centrally managed identities, strong passwords, multi-factor authentication, and digital certificates
  • Intrusion monitoring and response for detected breaches and other security or operational events
  • Security compliance monitoring and vulnerability scanning
  • Updates of system patches and security software updates
  • Third-party assessments and penetration tests

Protecting Our Data

Access to, or disclosure of, personal data controlled or processed by CSA Group is protected via access authorization rules and/or encryption. Authorized persons with access to systems containing personal data may only access the data to the extent of permissions and scope granted based on their job responsibilities, and for the purpose of providing services or duties as disclosed to data subjects. Where personal data controlled by CSA Group is processed by a third-party, access to personal data must have equivalent controls. These controls include:

  • Controlled access to personal data via role-based rules, unique login credentials, and principle of least privilege
  • Use of encryption during transit and at rest using strong algorithms
  • Systems that maintain access logs for a reasonable amount of time
  • Employee awareness training and policies on usage and access to personal data
  • Regular reviews of accounts, access privileges, and administrator activity

Ensuring Our Data Availability

CSA Group has implemented measures to ensure personal data is protected from accidental loss or destruction from potential disasters at our data processors. These include:

  • Requirements and service agreements for systems performance, uptime, redundancy, physically separate backup storage, and disaster recovery, all with appropriate security systems and process controls
  • Backup policies and procedures, disaster recovery plans, and related testing
  • Real-time availability monitoring of application systems and networks

Managing Our Third-Party Data Processors

CSA Group remains accountable for any personal data processed by a third-party data processor and has implemented measures to ensure this data is protected to at least the same level as if processed directly. In addition to requiring the data processor to perform the items described previously, CSA Group also performs the following:

  • Due diligence reviews of data processor security and availability controls, ability to perform, financial records and other risks
  • Reviewing independent audits or assessments of the data processor
  • Ensuring a legal mechanism is in place to legally permit CSA Group to transfer personal data of European Union residents to the data processor
  • Requiring unambiguous wording of contracts and agreements, including specific clauses related to use and separation of data, and confirmation that ownership / control of data remains exclusively with CSA Group
  • Service Level Management and use of relationship managers at critical data processors