Gridheart Data Processing Terms
Appendix 1: Security Measures
Version 2026-03
Gridheart implements and maintains the security measures set out in this Appendix 1. Gridheart may update these security measures from time to time, provided that such updates do not result in a degradation of the overall security of the Processor Services.
1. Organizational Security
1.1 Security Program
Gridheart maintains an information security program designed to protect Customer Personal Data. The program includes documented policies, procedures and standards covering data classification, access management, incident response, business continuity and vendor management.
1.2 Personnel
- All Gridheart personnel with access to Customer Personal Data are subject to written confidentiality obligations.
- Security awareness training is provided to all personnel upon onboarding and on a recurring annual basis.
- Access to Customer Personal Data is granted on a need-to-know basis, aligned with job responsibilities.
- Background checks are conducted for personnel in security-sensitive roles, to the extent permitted by applicable law.
1.3 Risk Management
Gridheart conducts periodic risk assessments to identify and evaluate threats to the confidentiality, integrity and availability of Customer Personal Data. Identified risks are addressed through appropriate technical and organizational measures.
2. Data Center and Infrastructure Security
2.1 Data Center Providers
Gridheart's Processor Services rely on third-party data center providers (as listed in the sub-processor list at gridheart.com/sub-processors). These providers are selected based on their security certifications and practices, and are required to maintain:
- Physical security controls including 24/7 monitoring, CCTV surveillance, access control systems (biometric and/or electronic card key) and perimeter security.
- Redundant power supply systems, including UPS and backup generators.
- Environmental controls (HVAC, fire suppression, water detection).
- Relevant certifications such as ISO 27001, SOC 2 Type II, or equivalent.
2.2 Network Security
- Network segmentation and firewalls are used to isolate systems and restrict unauthorized access.
- Intrusion detection and prevention systems monitor for malicious activity.
- DDoS mitigation measures are in place to protect service availability.
3. Access Controls
3.1 Authentication
- Access to Gridheart systems and Customer Personal Data requires individual user accounts with unique credentials.
- Multi-factor authentication (MFA) is enforced for access to production systems, management consoles and administrative functions.
- Passwords must meet minimum complexity requirements and are stored using industry-standard hashing.
3.2 Authorization
- Access rights are granted based on the principle of least privilege.
- Access rights are reviewed periodically and revoked promptly upon role change or termination of employment.
- Privileged access (administrative or root-level) is restricted to a limited number of authorized personnel and subject to enhanced logging and monitoring.
3.3 Session Management
- Inactive sessions are terminated after a defined period of inactivity.
- Administrative sessions use encrypted channels (SSH, HTTPS).
4. Data Protection
4.1 Encryption
- Customer Personal Data is encrypted in transit using TLS 1.2 or higher.
- Customer Personal Data at rest is encrypted using AES-256 or equivalent, where supported by the Processor Service.
- Encryption keys are managed using industry-standard practices, including separation of key management from data storage.
4.2 Data Segregation
- Customer Personal Data is logically segregated to prevent unauthorized access between customers.
4.3 Data Handling
- Customer Personal Data is not stored on removable media or portable devices.
- Secure deletion procedures are applied when storage media are decommissioned.
5. Operational Security
5.1 Vulnerability Management
- Gridheart performs regular vulnerability scans and applies security patches in a timely manner.
- Critical and high-severity vulnerabilities are prioritized for remediation.
5.2 Logging and Monitoring
- Access to Customer Personal Data and security-relevant events are logged.
- Logs are retained for a minimum of 90 days and protected against unauthorized modification or deletion.
- Security logs are reviewed regularly, and anomalies are investigated.
5.3 Malware Protection
- Anti-malware solutions are deployed on endpoints and servers.
- Definitions and signatures are kept up to date.
5.4 Change Management
- Changes to production systems follow a documented change management process, including testing and approval prior to deployment.
6. Incident Response
6.1 Incident Response Plan
Gridheart maintains a documented incident response plan that covers:
- Identification and classification of security incidents.
- Containment, eradication and recovery procedures.
- Internal escalation and communication processes.
- Notification to affected customers in accordance with the Data Processing Terms (within 48 hours of becoming aware of a Data Incident).
- Post-incident review and lessons learned.
6.2 Incident Testing
The incident response plan is reviewed and tested periodically to ensure its effectiveness.
7. Business Continuity
7.1 Backup and Recovery
- Customer Personal Data processed in connection with the Processor Services is backed up regularly by the relevant infrastructure and service providers.
- Backups are encrypted and stored in geographically separate locations where applicable.
- Recovery procedures are documented and tested periodically.
7.2 Continuity Planning
Gridheart maintains a business continuity plan that addresses critical service dependencies and defines recovery time objectives. The plan is reviewed and updated at least annually.
8. Vendor and Sub-processor Management
8.1 Vendor Assessment
Third-party sub-processors and service providers are assessed for their security practices before engagement and periodically thereafter. Assessment criteria include security certifications, data protection practices, and compliance with applicable law.
8.2 Contractual Safeguards
All sub-processors are bound by written agreements that impose data protection obligations at least as protective as those in the Data Processing Terms, in accordance with GDPR Article 28(3).
Previous versions: Version 2018-05