1. Access control

Technical measures:

  • Use of document shredders.
  • Proper destruction of data storage media.
  • Records of access to all server-based applications and data sets. Access by system administrators is only recorded to the extent that their respective logins and the commands they initiate on the server shells are recorded; all other commands (for instance commands initiated in graphic consoles) are not recorded. Logins are stored for a period of 3 months. Access by system administrators does not occur in order to process or actively access personal data, but only for the upkeep, maintenance and updating of the server systems themselves.
  • For all other (regular) users who use the corresponding applications to process personal data, an application history will typically be maintained that records which user carried out which action at what time, insofar as the action modifies personal data. Many other actions are also recorded, for instance to represent the change history of the application itself.

Organisational measures:

  • Employment of service providers for document destruction.
  • Erasure of storage media and data destruction.
  • For security reasons, storage media are erased in compliance with data protection regulations before further internal use (for example, change of server or main user) or transfer.
  • Online Travel authorisation concept, secure storage of data storage media such as backup media.
  • Management of user rights only by Online Travel administrators.

2. Transfer control

As a rule, no data is transferred from the Online Travel support systems. If a transfer is required in exceptional cases, it only occurs at the customer’s request and with the customer’s approval.
All Online Travel networks and systems are structured behind corresponding gateways consisting of a router and firewall; system access only occurs via these gateways. The gateways reject connections that do not come from an explicitly approved network.

Technical measures:

  • Setting up VPN tunnels.
  • Data is primarily exchanged over VPN networks with corresponding protocols. Authentication and encryption are the measures we take to reduce the risk of unauthorised copying or modification of personal data.
  • Secure mailing.
  • Insofar as storage media are transferred by transport companies, the storage media will only be released after prior authentication of the transport company, if necessary with a confirmation call to the transport company. The release of storage media to the transport company is documented.
  • Encrypted data transfer.
  • Data transfer between clients and servers is generally encrypted via RDP FIPS, FTPS, HTTPS and VPN.
  • Network security using hardware and software security components.

Organisational measures:

  • Documentation of data recipients and time frames for planned transfer or agreed erasure deadlines.
  • Confidentiality declarations (internal and external).
  • Regulations such as GPOs concerning the use of Internet and e-mail as well as other applications that are relevant to security.

3. Input control

Technical measures:

  • ADS user logging.
  • Access by system administrators is only recorded to the extent that their respective logins and the commands they initiate on the server shells are recorded; all other commands (for instance commands initiated in graphic consoles) are not recorded. Logins are stored for a period of 3 months. Access by system administrators does not occur in order to process or actively access personal data, but only for the upkeep, maintenance and updating of the server systems themselves.

Organisational measures:

  • Overview of which applications can be used to enter, modify and erase which data.
  • Assignment of rights to enter, modify and erase data based on an authorisation concept.

4. Order control

Organisational measures:

  • Selection of the contractor considering due diligence criteria (particularly with respect to data security).
  • Written instructions to the contractor (for example, through a data processing agreement).
  • Destruction of data ensured after termination of the contract.
  • Prior review of the security measures and corresponding documentation adopted by the contractor.
  • Clear contractual agreement, in particular delineation of responsibilities between client and contractor and definition of the control measures to be carried out.

5. Availability control

Technical measures:

  • Fire extinguishers in server rooms and corridors.
  • Fire alarm system.
  • Redundant air conditioning in the server rooms.
  • Temperature monitoring in the server room.
  • Overvoltage protection for all safety sockets in the server room.
  • Uninterruptible power supply (UPS) for systems relevant to production.

Organisational measures:

  • Alarm signal in case of unauthorised access to server rooms and building.
  • Daily data backup and storage of data backup in a secure off-site location.
  • Backup and recovery concept.
  • Test for data recovery.
  • Constant network monitoring.

Technical measures:

Fire prevention:

  • Comprehensive fire prevention measures ensure optimal protection of hardware.
  • If early fire detection triggers a pre-alarm, the external air supply is automatically switched off to prevent the further supply of oxygen. If two optical smoke detectors detect smoke, a main alarm is automatically triggered.
  • If a main alarm is triggered, the relevant room is flooded with the extinguishing gas argon. This gas displaces oxygen and is harmless to people and servers. This will extinguish the fire and prevent the fire from restarting due to the concentration of argon gas.
  • A fire alarm system monitors all rooms, including office and storage areas.
  • Argon gas extinguishing system in the server rooms.

Air conditioning:

  • Five redundant climate control cabinets ensure a constant temperature between 21 and 24 degrees and controlled air humidity in the server room.
  • All climate control cabinets are monitored around the clock by the building management system.
  • The redundancy concept allows for the breakdown of up to two climate control cabinets at an external temperature of 30 degrees.
  • Up to 7 kW cooling capacity per m² in the data centre.
  • Redundant climate control cabinets.
  • 24/7 monitoring of climate control technology.
  • Maintenance contract with 24/7 fault elimination.
  • Environmentally friendly air conditioning through partial use of free cooling and ozone-friendly refrigerants in all climate control systems.

Network/carrier:

The following carriers are connected to the data centre via three independent fibre optic routes:

  • Cyberlink/Swisscom
  • UPC Cablecom

The implemented BGP routing compensates for the breakdown of one or more carriers; in case of breakdown the traffic is automatically routed through the remaining carriers.

Energy supply:

  • The data centre is connected to the power grid of the AEW Aargau via a 10 kV ring main. All consumers in the data centre are connected with the power grid via an online UPS system. In case of a breakdown in the power supply, all hardware is continually supplied without interruption by the UPS batteries. If the interruption of the power supply lasts longer than 15 seconds, the preheated diesel generator starts up and takes over the power supply.
  • Online Travel guarantees an uninterrupted power supply with accumulators in a separate battery room and with diesel generators that are located in their own separate rooms.
  • In case of a power failure, the accumulators supply energy until the diesel generators from the company Elcos Gruppo Elettrogeni have started up and are able to take over the load.
  • SAN storage for data that is relevant to security.

6. Separation rule

Technical measures:

  • For pseudonymised data: separation of allocation file and storage in a separate, secured IT system.
  • Physically separated storage in separate systems or data storage media.
  • Separation of production systems and test systems.

The following separation measures are implemented, listed in descending order of separation strength:

  • Different virtual systems.
  • Logical client separation (application and database instances).
  • Authorisation concept (application and database rights).
  • Application of purpose attributes/data fields/flags to data sets.

This ensures that no employee or customer is able to simultaneously process data from different data sets during their daily work. The separation of applications and storage locations into different instances prevents mixing.

Organisational measures:

  • Creation of an authorisation concept.
  • Defining database rights.
  • Logical client separation (in software).
  • Application of purpose attributes/data fields to data sets.