Technical and Organisational Security Measures

Last updated: September, 2025.

15. Appendix B - Technical and Organisational Security Measures

This appendix outlines the technical and organizational measures implemented by the Processor to ensure the protection of Personal Data as required under the GDPR and detailed in the main body of the Data Processing Agreement (DPA).

B.1. Technical Measures

B.1.1 Data Encryption:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using established security standards (e.g., AES-256).

B.1.2 Access Control:

  • Velory enforces role-based permissions and access controls so that only authorized personnel can access Personal Data.
  • Multi-factor authentication (MFA) is implemented for access to critical systems.

B.1.3 System Configuration:

  • Standard security blueprints and operating system default security configurations are implemented and regularly reviewed.

B.1.4 Monitoring and Vulnerability Management:

  • Velory uses tools like Detectify for continuous vulnerability scanning.
  • Logs are collected and monitored using Datadog, with alerts configured for unusual activities.
  • Network traffic is monitored and protected by Cloudflare to prevent unauthorized access or DDoS attacks.

B.1.5 Backup and Disaster Recovery:

  • Regular backups of critical data are conducted and stored securely.
  • Disaster recovery plans are in place and periodically tested to ensure business continuity.

B.2. Organizational Measures

B.2.1 Employee Training:

  • All employees receive regular training on data protection, security awareness, and GDPR compliance.

B.2.2 Policies and Frameworks:

  • Velory follows established frameworks for service delivery, including risk assessments and compliance checks.
  • Internal policies for data handling, access permissions, and incident management are enforced and reviewed annually.

B.2.3 Incident Management:

  • A documented incident response plan is in place to identify, report, and manage potential security incidents or data breaches.
  • Personal Data Breaches are communicated to the Controller within 24 hours of detection.

B.2.4 Vendor and Subprocessor Management:

  • All subprocessors are evaluated for GDPR compliance prior to engagement.
  • Contracts with subprocessors include clauses that align with Velory’s data protection obligations.

B.3. Physical Security Measures

B.3.1 Data Center Security:

  • Personal Data is hosted in ISO 27001-certified data centers with restricted physical access.
  • Facilities are secured using biometric controls and monitored through CCTV.

B.3.2 Environmental Controls:

  • Data centers are equipped with fire suppression systems, climate control, and uninterruptible power supply (UPS).

B.4. Regular Review and Updates

The Processor regularly reviews and updates these measures to ensure they remain effective and appropriate to mitigate risks related to the Processing of Personal Data.