Technical and Organisational Measures
Learn about Vera's technical and organisational measures implemented to ensure the security of personal data processing in compliance with GDPR Article 32.
Last updated: 6th June 2025
Table of Contents
The following technical and organisational measures have been implemented.
- Measures regarding pseudonymisation and encryption of personal data - Art. 32 (1a)
- Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services - Art 32 (1b)
- Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident - Art 32 (1c)
- Measures regarding regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing - Art 32 (1d)
- Additional measures to minimise risk
1. Measures regarding pseudonymisation and encryption of personal data - Art 32 (1a)
Pseudonymisation means the processing of personal data in such a way that the personal data can no longer be attributed to a specified data subject without additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.
Encryption is a way of altering readable data so that only authorised parties can understand the information.
The technical and organisational measures implemented are:
- Only secure wireless networks (WLAN) are used, all of which are encrypted with WPA2.
- All employee devices are password-protected and storage drives are encrypted.
- Email communication is encrypted to protect sensitive information.
- The company has deployed secure methods and protocols for the transmission of confidential or sensitive information over public networks. The company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (i.e. TLS 1.3).
- Encryption-at-rest is automated using industry-standard ciphers.
2. Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services - Art 32 (1b)
The technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of processing systems and services provide adequate security for personal data. They include measures ensuring that data cannot be read, copied, altered or removed without authorisation during electronic transmission, during transport, or during storage on data carriers; protection against unauthorised or unlawful processing and against accidental loss, destruction or damage; and measures ensuring that it is possible to verify and establish where personal data have been transmitted, and subsequently to verify and determine whether, when and by whom personal data have been submitted, modified or removed. They also include measures that must be implemented prior to, and monitored during, data processing.
The technical and organisational measures implemented are:
- Devices are configured to lock automatically after a defined period of time with no user activity.
- Multi-Factor Authentication is used for key systems where available.
- Passwords for key systems used by us are required to follow a strong password policy requiring a combination of unique, complex characters.
- A password manager is used to ensure that passwords are stored encrypted, that secure passwords are generated by default, and that sharing occurs in a secure way.
- Frequent backups of production data are performed. Backups are encrypted and periodically tested to ensure that the data can be recovered.
- A strong password policy is enforced for users.
- Unique credentials (usernames and passwords) are used to access key systems, and accounts are not shared.
- All Personal Data in the Services may be deleted upon a customer's request, and are deleted promptly as per the Retention Policy (normally after the customer leaves the service).
- Users are authenticated and authorized with secure protocols such as JWT (JSON Web Token) or SAML (Security Assertion Markup Language) for SSO.
- Individuals only have access to the information that their job function requires.
3. Measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident - Art 32 (1c)
Measures are implemented to ensure that systems can be recovered and restored in a timely manner in the event of a disaster scenario or security incident.
The measures implemented are:
- Emergency planning (an emergency plan for security and data protection violations, with specific instructions).
- The company captures system activity, including user activity, in transaction logs.
- The company's databases are replicated to a secondary data centre in real time. Alerts are configured to notify administrators if replication fails.
4. Procedures for periodic review, assessment and evaluation
Regular review, assessment and evaluation of the effectiveness of the technical and organisational measures taken to ensure the security of the processing are carried out.
These measures are:
- A process is in place to detect, record and report security incidents involving personal data.
- The company has formally assigned and documented roles and responsibilities for data privacy and security functions.
- All employees receive Data Protection and Security training. We raise awareness to minimise the chance of them falling into traps, covering phishing emails, the dangers of USB drives and email attachments, and recognising data breaches and data subject access requests.
- The company maintains a formal inventory of production systems and other company assets (including cloud and on-premises assets) that hold data.
- The company has a vendor management program in place, including a critical third-party vendor inventory, vendor security and privacy requirements, and review of critical third-party vendors at least annually.
- The company maintains an internal Data Protection Policy which includes information and instructions about security, data protection, and the use of company assets and devices.
- The company has established a procedure to notify Controllers of changes in sub-processors within the specified time periods and form as per the respective DPAs.
- The company requires employees to sign a confidentiality agreement during onboarding.
5. Measures to minimise risk
Additional technical and organisational measures put in place to minimise risk are:
- All systems and devices are updated at regular intervals (software updates).
- The company enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this Addendum.
- An onboarding/offboarding checklist is followed when employees join or leave the company. Credentials are deactivated or deleted immediately when employees leave the company.
- The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.
- A Data Subject Requests (DSRs) Policy and procedures have been put in place to ensure that the rights of Data Subjects are honoured.
- The company maintains a map of the information flows and has a list of the data they process, what is the purpose for processing that data and who the data belongs to.
- The company has appointed a Data Protection Officer (DPO), whose contact details are available in the company's Privacy Policy.
- The company has appointed an EU Representative to ensure compliance with Article 27 of the GDPR.
- Where consent is used, the company has ensured that consent is properly requested and recorded.