The purpose of this document is to describe the principles of the technical and organisational data security measures of Tietoevry Tech Services group companies ("Tech Services"), which Tietoevry Tech Services provides for all Customers as a standard in Tietoevry Tech Services' products and services as required by Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR").
Tech Services implements appropriate technical and organisational data security measures which are designed to meet the data protection principles in an effective manner, and ensures that appropriate safeguards are integrated into the personal data processing in order to meet the requirements of the GDPR and to protect the rights of data subjects as described below.
Product level security descriptions are available upon request if not agreed to be part of the agreement governing the processing of personal data. Customer specific security measures are agreed separately.
1 Data protection risk assessment
Tech Services executes and documents risk assessment for each Tech Services product or service. Data protection and security risks are registered and monitored in the Tech Services risk databases.
Tech Services executes the data protection risk assessment in order to decide which data security measures shall be implemented. The aim is to define the appropriate level of data security measures for each product or service. In all cases, Tech Services has implemented at least the security measures described in chapter 2 below.
2 Security measures
As a part of the Information Security Management System (ISMS), Tech Services has public security and privacy policies, which are available to customers on request. The policies are supported by a wide range of mandatory rules covering different aspects of data protection and information security. These documents are subject to a regular internal review process as well as external third-party verification of both their appropriateness and the review process itself.
Tech Services has certified its relevant operations against the following international standards: ISO 27001, ISO 9001 and ISO 14001.
With regard to physical and environmental controls in data processing facilities and security management, an external third-party audit according to the ISAE 3402 Type 2 standard is conducted annually. The annual audit report can be delivered to the Tech Services customer upon request. If agreed, Tech Services can also provide a customer-specific infrastructure ISAE 3402 Type 2 assurance report.
2.1 Security of personal data
Tech Services implements the following measures based on the requirements set out in "Security of processing" (Article 32 of the GDPR):
(a) the pseudonymisation and encryption of personal data
Tech Services utilizes encryption and/or pseudonymization in its operations to mitigate data protection risks where Tech Services has deemed it appropriate. Encryption and pseudonymization techniques may vary between services depending on the service requirements and the data protection risk assessment. Details of the measures used are available upon request.
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Protection of personal data requires the implementation of multiple security controls. Standard operational processes follow the ITIL good-practice framework. Standardized processes help to secure quality of service and safeguard personal data processing.
Tech Services has a centralized system to manage administrative access to customer environments. To access a customer system, the employee must have a valid reason, and access is only approved through a process jointly agreed with the customer. At a minimum, all access to customer environments requires an encrypted tunnel within the Tech Services network. Connections to customer environments are logged to provide a full audit trail of administrative operations in customer environments. All remote access to Tech Services services requires an encrypted connection and other possible measures (e.g. strong authentication) as required by the data protection risk assessment.
Unauthorized persons are prevented from gaining physical access to data processing facilities. Personal data is protected against accidental and unlawful destruction by physical and environmental controls. Physical and environmental security controls in data processing facilities are subject to an annual independent third-party ISAE 3402 Type 2 audit.
Tech Services controls, monitors and audits all administrative connections, third-party access and file transfers deployed within the Tech Services infrastructure.
Tech Services operates a framework for planning, executing and controlling customer business-related operations. The organisational structure assigns roles and responsibilities to provide for adequate staffing and efficiency of operative capabilities. Tech Services management has established authority and appropriate lines of reporting for key personnel. As part of the hiring process, education verification and background checks are conducted based on the employee's position and level of access to Tech Services processing facilities and systems.
Tech Services maintains and controls the execution of the Tech Services security policy, provides security training to employees, and performs application security reviews. These reviews assess the confidentiality, integrity, and availability of data, as well as conformance to the Tech Services information security policy.
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
To restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident, Tech Services has backup and business continuity management processes and strategies that ensure rapid restoration of business-critical systems as and when necessary. Tech Services has defined continuity and disaster recovery plans for the Tech Services infrastructure supporting Tech Services service delivery to Customers. These plans are regularly updated and tested and are subject to third-party auditing. Customer-specific continuity plans and procedures are agreed separately between Tech Services and the Customer.
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Tech Services emergency processes, plans and systems are regularly tested to assess and evaluate the effectiveness of the technical and organisational measures for ensuring the security of personal data processing. Customer-specific disaster recovery testing is agreed separately.
Tech Services operations follow defined processes and are subject to internal and independent third-party audits as part of quality and security management certification (ISO 9001 and ISO 27001). Tech Services conducts internal security testing and vulnerability scanning. For high-risk environments, Tech Services utilizes third-party security testing services, including penetration testing.