Data Protection Document Center and Data Protection and Security FAQs
Document Center

Our Document Center contains detailed descriptions of our security measures and controls. Here you can find Policies, FactSheets and Response Plan. Customers can freely use this material to document internal assurance requirements, perform risk assessment and perform other internal control related initiatives.

Policies

FactSheets

Response Plans

Data Protection and Security FAQs

Use the following Frequently Asked Questions to learn more about Information Security and Data Protection at Crayon, if you can't find an answer to your question, please email infosec@crayon.com.

Accountability + Governance
Policies

Does Crayon have a written policies/procedure, sponsored and approved by senior management, published, update and available to all employees and relevant parties about information security and data protection?

Yes, Crayon has established, implemented and maintains an information security program that includes policies and procedures, to protect and keep secure Personal and Sensitive Data based on industry best practices and as required by applicable law.

 

Does Crayon have an Information Security Policy developed and implemented?

Yes, Guided by Crayon’s Anticipatory ISDP Strategy, organisational security standards and practices are communicated and implemented through a variety of Policies (e.g. Crayon’s IT Use and Data Processing Policy) and operational guidelines (e.g. Codes of Conduct, Incident Response Plans, Data Protection Audit Program and Data Processing Guidelines).

 

How often are Crayon’s Information Security Policies and standards reviewed?

Annually.

Audit Program

Does Crayon have a process for internal auditing of the information security measures and controls?

Yes, to ensure our processes and technology facilitate data processing employees to deliver on Crayon’s Privacy Principles, we implement a comprehensive Data Protection Audit Program which covers four audit blocks – i.e. Accountability + Governance, Lawfulness + Transparency, Security + Safeguards, and Verification + Assurances.

 

The Audit Program is executed by an internal team that is led by Crayon’s Head of Information Security and includes members of our ISDP Network, where relevant. Crayon’s Head of Information Security decides a plan for each audit block. After audit results have been discussed in debriefing workshops with impacted business units, they are provided to Crayon’s Senior Management tier to agree on priorities for corrective actions for non-conformities and the allocation of resources to implement actions in the most efficient and effective manner.

 

Does Crayon make available all information necessary to demonstrate compliance with the obligations under applicable law and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller?

 

Yes, the Crayon Group DPO is responsible for ensuring our Customers are assisted in meeting their respective compliance obligations.

 

IT Vulnerability Management

Does Crayon have a process for IT vulnerability management (both hardware and software)?

Yes, under Crayon’s Vulnerability Management Program, core systems are periodically subject to a Vulnerability Management Project that is led by the relevant system owners/developers and supported by Crayon’s ISDP Team. In addition, Crayon’s Anticipatory ISDP Strategy promotes the proactive flagging of potential vulnerabilities by inhouse software developers and hardware integrators to ensure a preventative resolution of vulnerabilities at the earliest stage.

Risk Assessment and Risk Management Process

Does Crayon have a risk management process (i.e. risk identification, risk evaluation and risk analysis), including directions and procedures for risk assessments for information security and for handling of personal data?

Yes, proactive Risk identification and Management is one of the core concepts within Crayon’s Anticipatory ISDP Strategy and a horizontal activity across Crayon’s business development, engagement and support functions (e.g. design of new products/services, engagement with new Partners/Suppliers and impact evaluation of new/emerging security threats).

Incident Response Plan

Does Crayon have a process for security incident management, including the procedures on how corrective actions are handled (i.e. after security events or incidents)?

Yes, Crayon operates an Incident Response Plan that runs from Recognizing and Reporting a Suspected Data Breach, to Assessing its Severity/Impact, Containment, Notifying Impacted Stakeholder and Resolving the Data Breach. Whereas each type of incident requires a tailored approach, Crayon’s Head of Information Security assembles the relevant team of ISDP Technical Agents and affected individuals across the business to ensure the targets for initial threat/impact assessment and corrective/mitigating actions are met in due course for the preparation of a potential notification requirement to the Supervisory Authorities within the 72 hour deadline set under the EU GDPR.

Data Protection Officer

Does Crayon have a designated person (DPO) or group within the organisation that has the responsibility and accountability for compliance with Data Protection Requirements? 

Yes, our Data Protection Officer and Head of Information Security for Crayon Group is Dr. Scott Richardson, Email:  dpo@crayon.com

Resources

Does Crayon have a management process for ensuring it has the necessary resources for upholding the required level of information security?

Yes, In addition to its defined operational information security budget for planned updates and enhancements, Crayon also maintains an agile ISDP Investment package to ensure the flexible allocation of funds for emerging demands.

Training

Does Crayon verify that all employees have received the appropriate data protection and information security awareness training, including temporary, locum or contracted employees and, where required, specialized role-based training?

Yes, All Crayon Group Data Processing Employees must complete our Mandatory Information Security and Data Protection Training as part of their induction process. Measures are also taken to ensure this training is up-to-date and adjusted to the requirements associated with individual processing duties. 

Lawfulness + Transparency
Privacy Notice
Access Control + Confidentiality
Data Management

Does Crayon have method(s) for ensuring data is securely collected, stored, transferred and disposed of?

Yes, whereas the combination of security measures used to securely store, transfer and dispose of personal data is dependent on the nature and duration of the services provided, Crayon Group implements a number of standard technical and organizational security measures, which Crayon Companies are required to adhere to under our Binding Corporate Rules (BCRs).

 

Does Crayon take reasonable steps to ensure that Personal Data collected is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed?

Yes, the obligation for all Data Processing Employees to ensure that only the minimum amount of Personal Information is collected to fulfill the stated purpose(s) is an integral part of Crayon Group's IT Use and Data Processing Policy.

Data Subject Rights

Does Crayon have an effective and efficient mechanism for ensuring data subjects are able to exercise their rights without undue delay?

Yes, Crayon Group's Response System includes the logging and tracking of Data Subject requests. As an example of this, Crayon enables Data Subjects to Opt-Out from marketing simply by using the unsubscribe link in the email communications we send or by sending us a short email to: Opt-out@Crayon.com

Crayon Group uses a Data Discovery system to determine whether it holds Data Subject data.

Technical + Organisational Security Measures
Access Control + Confidentiality

Does Crayon have a formal and documented process for employee and Customer account management that includes provisioning, password requirements, access controls, and de-provisioning?

Yes, new user accounts will only be created if the proper user request form is filed to our helpdesk/support by a person with authority to ask for it. Passwords have password complexity requirements and a limited lifetime before they must be changed. Access to data sources is limited and a standardized set of minimum access is given by default. Additional access is given upon request by the user’s manager or HR. De-provisioning follows the same procedure with a different request form.

 

Do you have a formal and documented access request process for approving and revoking privileges/entitlements?

Yes. access is given by written request to our internal helpdesk. For access to sensitive data systems there is a written description of the approval process that must be followed before access is given.

 

Does Crayon ensure that employees are provided access rights based on “need-to-know” and “least privilege” policy?

Yes, access to IT systems, applications and data is set on the basis of role or service delivery requirements. When acting as a Data Processor on behalf of a Customer, the type of Service and Instructions of the Controller define what internal recipients are required to access IT systems, applications and data to ensure the delivery of the respective service.

 

Do you ensure that all users have a unique User ID, and that user accounts are not shared among multiple people (with the exception of privileged administrative accounts)?

Yes. All users have unique user ID's. No accounts are shared.

                          

Does Crayon have a segregation of duties implemented throughout the organization?

Yes, Segregation of duties is set on the basis of functional business roles and geographical location. Data processing employees are defined according to their business duties and geographical data processing requirements, whereby access to data processing systems and assets mirrors the segregation of duties and geographical location.

 

Does Crayon monitor for unauthorized network connection points such as wireless access points, modems, etc.?

Yes, we have a monitoring system for our Wireless network implementation that can discover and alert us to such rogue devices.

 

Passwords + Confidentiality

Does Crayon change default system account names and passwords across all systems?

Yes, we use a secure password generator to create very strong passwords for all system accounts. The passwords generator is available only for a very limited number of trusted employees.

 

Does Crayon systems and applications have a password history functionality enabled such that passwords cannot be reused within a predefined period of time?

Yes, last 24 passwords.

Encryption / Anonymize + Confidentiality

Does Crayon employ encryption technologies or other controls to safeguard confidentiality and integrity of client data being accessed over public networks?

Yes, Microsoft Intune application for Mobile Device Management on processing devices; Virtual Private Network deployment; and multi-factor authentication.

 

Do Crayon devices (laptops, workstations, etc.) that will access or handle Customer Personal or Confidential Data employ disk based encryption?

Yes, Crayon Group employs BitLocker for full disk encryption and Microsoft Intune for Mobile Device Management on processing devices.

 

Does Crayon have support email encryption (SMTP/TLS or other)? 

Yes, we use Microsoft Exchange / O365 which supports SMTP/TLS.

 

Business Continuity and Disaster Recovery + Availability

Does Crayon have a disaster recovery plan for IT and services provided to their Customers (i.e. to restore access to systems, applications and data)?

Yes, Crayon implements Organizational (e.g. back-up consultants) and Technical (e.g. load balancing & off-site backups) measures to ensure business continuity and disaster recovery during a system failure scenario.

Testing and Vulnerability Management + Integrity

Does Crayon have a process for regularly testing and verifying that implemented technical and organisational security measures and controls are adequate to uphold the required level of security?

Yes, Crayon conducts penetration testing and other vulnerability assessments to test and verify whether implemented measures are adequate and reliable. On identification of a system risk or vulnerability, subprojects are established with relevant IT administrators and system/business owners to stress-test the relevant hardware and/or software solutions and map out an action plan to effectively and efficiently increase the relevant security measures, where necessary.

 

Does Crayon have available the following solutions? 

Anti-Virus;                                                                                                                                        Yes

Anti-Malware and Spyware;                                                                                                          Yes

Email Virus scan and spoofing protection (incoming and outgoing);                                    Yes

Host based firewall;                                                                                                                        Yes

Data Loss Prevention;                                                                                                                     Yes

Host Intrusion Prevention System (HIPS) / Host Intrusion Detection System (HIDS);          Yes

Assets + Availability

Does Crayon have an asset management system, including policies on the acceptable use of assets and providing the appropriate level of protection throughout the asset lifecycle?

Yes, acceptable use of IT assets are covered under our IT Use and Data Processing Policy. Crayon operates a centrally coordinated asset management system for Crayon Group and individual Crayon companies to ensure visibility over the asset lifecycle from asset procurement, use, protection to secure retirement/disposal.

Verification + Assurance
Engagement of Sub-Contractors/ Sub-Processors as Part of the Service

Does Crayon process Personal Data only in accordance with Customer documented instructions including with regard to transfers of Personal Data to a third country or an international organization?

Yes, In the absence of separate instructions issued by the Controller, the relevant subsidiary of Crayon Group will follow the definitions contained in the Personal Data Processing Agreement used across Crayon Group.

 

Where applicable, does Crayon ensure sufficient checks carried out before choosing a subcontractor/subprocessor in order to evaluate that appropriate privacy and security measures will be applied to the Personal Data they handle on Customer’s behalf?

Yes: Where applicable, Crayon Group signs Data Processing Agreements with sub contractors/sub processors to evaluate and document that appropriate privacy and security measures will be applied to the Personal Data they handle on behalf of the controller, including any specific instructions received from the Controller regarding the processing of their data.

 

Does Crayon have a process in place to notify Customers prior to the engagement of subcontractor/subprocessors?

Yes, in Accordance with our Data Processing Agreement with our clients "may engage subcontractors to process the personal data only with the Controller’s prior specific written consent".

 

Does Crayon have a process in place to periodically monitor and assess subcontractors/ sub processors to verify on-going compliance with their contractual and compliance obligations?

Yes: The annual Audit Program followed by the Crayon Group Data Protection Officer includes the monitoring and assessment of subcontractors/subprocessors to verify ongoing compliance with their contractual and compliance obligations.

 

Does Crayon have a procedures governing the secure storage, archiving, disposal, destruction or return of Personal Data which is no longer required?

Yes: The annual Audit Program followed by the Crayon Group Data Protection Officer includes the review of compliance with the data storage, archiving, disposal, destruction, return definitions stipulated in Data Processing Agreements and Records of Processing.

 

Does Crayon have a suitable and functional ISMS (Information Security Management System) or an equivalent set of management processes in place to ensure adequate and continual focus on information security?

Yes, Under the umbrella of Crayon’s Anticipatory Information Security and Data Protection (ISDP) Strategy, the Head of Information Security and ISDP Team work closely with a network of over 20 ISDP Agents worldwide to ensure the continuous monitoring and updating of Crayon’s technical and organisational information security measures.

 

Does Crayon have a management process for building and maintaining an information security culture in the organisation and to which degree security awareness campaigns is run regularly?

In addition to Crayon’s Mandatory ISDP Training, Crayon’s ISDP Team maintains a highly proactive approach to the identification, resolution and communication of emerging security threats/risks.  

Record of Processing

Does Crayon have internal requirements for documentation and record keeping related to the services provided to their Customers (e.g. operational routines, information security procedures, log files)?

Yes, these measures include Processing Guidelines, Legitimate Interest Assessments, Personal Data Processing Agreements, Records of Processing (Controller and Processor), Internal Guidance, Log Files, Flagging/Review of Suspicious Account Activities.

 

Does Crayon have a process for documenting all relevant operational routines and procedures related to the services provided to their Customers and how the documentation is kept current and updated?

When Crayon is processing Personal Data on behalf of a Customer, the Personal Data Processing Agreement is supplemented by a Record of Processing (Processor) that is based on the template of the German Supervisory Authorities to ensure it is comprehensive. The responsible Consultant/Account Executive ensures the Record of Processing is accurate and kept up-to-date together with the Customer. 

Retention

Does Crayon ensure that Personal and Confidential Data is retained for no longer than necessary to provide the services unless continued retention of the Customer Personal Information is required by law.

The Personal Data Processing Agreement used across Crayon Group documents the retention times for Customer Data. Data is either deleted or returned in adherence to the instructions received from the Controller.

Confidentiality and Privacy Agreement

Does Crayon ensure that all persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality?

Yes, All Data Processing Employees of Crayon Group must sign a Confidentiality and Privacy Agreement, which includes the obligation of confidentiality for the data of our Customers.

 

Does Crayon currently employ or have controlled access to personnel with sufficient knowledge, competence and capacity to implement and maintain the needed level of information security of the services provided to Customer?

Yes, Crayon’s data processing employees are selected on the basis of their expertise to meet the requirements for each Customer engagement and provided with relevant Processing Guidelines and Internal Guidance to implement and maintain the needed level of information security.

 

Does Crayon have a disciplinary policy or corrective action procedures in place for addressing data privacy violations?

Yes.

Data Breach

Does Crayon immediately notify the Controller upon becoming aware of a Personal Data Breach or security vulnerability related to the supplier’s handling of Controller Personal or Confidential Data.

Yes, Crayon Group has a centralised data breach management system which is coordinated by the Crayon Group DPO and includes a 24/7 Data Protection Hotline for the reporting of a data breach. The Crayon Group DPO is also responsible for ensuring cutomers are notified when we become aware of a data breach.