Forsta Technical and Organizational Measures

Measures of pseudonymization and encryption of personal data: Forsta will encrypt all client data at rest and while in transit over public networks.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services: Forsta will regularly apply security patches to computing devices and monitor for exploitable vulnerabilities. Forsta will engage partners to perform external and internal penetration testing to look for potential risks to confidentiality, availability and integrity of SaaS products and Client Data.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident: Forsta will design and implement disaster recovery plans for its software. Disaster recovery plans will be tested periodically.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing: Forsta will implement security monitoring technologies and internal and external audits to confirm ongoing compliance with its security policies.
Measures for user identification and authorization: All Forsta users will authenticate using unique credentials and strong passwords. Multi-factor authentication will be used for remote access to private services. Forsta will maintain proper controls for requesting, approving, granting, modifying, revoking and revalidating user access to systems and applications containing Personal Data. All access requests will be approved based on individual role-based access and reviewed on a regular basis for continued business need. All systems must meet Forsta’s security standards and employ security configurations and security hygiene practices to protect against unauthorized access to operating system resources.
Measures for the protection of data during transmission: Forsta will encrypt all data in transit over public networks. Forsta will employ encrypted and authenticated remote connectivity to its computing environments.
Measures for the protection of data during storage: Forsta prohibits the transfer of Client Data onto personal removable media. User workstations and SaaS infrastructure will be protected through encryption, malware prevention, and security monitoring.
Measures for ensuring physical security of locations at which personal data are processed: Forsta will implement physical security measures at its offices and data centers. Where data centers are owned/managed by subcontractors, Forsta will regularly confirm subcontractor compliance with substantially similar physical security controls.
Measures for ensuring events logging: Forsta will ensure that all system logs are collected and monitored by automated systems in near real-time. Suspicious events will be investigated.
Measures for ensuring system configuration, including default configuration: Forsta will use hardened configurations to deploy all computing devices, including network, storage, and computing resources.
Measures for internal IT and IT security governance and management: Forsta will create and maintain security and privacy policies. Policies will be reviewed periodically and updated to reflect Forsta’s commitment to securing Client Data.
Measures for certification/assurance of processes and products: Forsta will engage qualified third party auditors to review its information security program and to issue opinions or certifications validating the quality of the information security and privacy program.
Measures for ensuring data minimization: Forsta Clients are responsible for determining how much data is collected and stored in Forsta SaaS products.
Measures for ensuring data quality: Forsta offers software tools to enable clients to update and/or delete inaccurate Personal Data.
Measures for ensuring limited data retention: Forsta Clients are responsible for data deletion within their SaaS subscription.
Measures for ensuring accountability: Forsta will grant Clients the ability to perform audits and will ensure that all subcontractors allow Forsta to perform audits. Audit rights ensure ongoing accountability for securing and protecting Personal Data.
Measures for allowing data portability and ensuring erasure: Forsta will logically delete client data at termination of SaaS agreements. Forsta will sanitize all media at end-of-life in accordance with NIST SP 800-88 guidelines.
Measure for securing custom software and software development: Forsta will use industry standard tools to scan for quality code. Forsta will test all web applications for common vulnerabilities prior to production release.