Server Space

Server Space create an access control data protection policy to make sure users can access only the assets they need to do their jobs — in other words, to enforce a least-privilege model. This policy is implemented with a combination of technical controls and training to educate users about their responsibilities for protection of data.

Server Space must restrict access to confidential and sensitive data to protect it from being lost or compromised in order to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. At the same time, we must ensure users can access data as required for them to work effectively. It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase user awareness and avoid accidental loss scenarios, so it outlines the requirements for data breach prevention.

This data security policy applies all customer data, personal data, or other Server Space data defined as sensitive by the Server Space's data classification policy. Therefore, it applies to every server, database and IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. Every user who interacts with Server Space IT services is also subject to this policy.

Server Space shall provide all employees and contracted third parties with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.

1. Each user shall be identified by a unique user ID so that individuals can be held accountable for their actions.
2. The use of shared identities is permitted only where they are suitable, such as training accounts or service accounts.
3. Each user shall read this data security policy and the login and logoff guidelines, and sign a statement that they understand the conditions of access.
4. Records of user access may be used to provide evidence for security incident investigations.
5. Access shall be granted based on the principle of least privilege, which means that each program and user will be granted the fewest privileges necessary to complete their tasks.

Access to Server Space IT resources and services will be given through the provision of a unique user account and complex password. Accounts are provided by the IT department based on records in the HR department.
Passwords are managed by the IT Service Desk. Requirements for password length, complexity and expiration are stated in the Server Space's Password Policy.
Role-based access control (RBAC) will be used to secure access to all file-based resources in Active Directory domains.

All employees and contractors shall be given network access in accordance with business access control procedures and the least-privilege principle. Segregation of networks shall be implemented as recommended by the Server Space's network security research. Network administrators shall group together information services, users and information systems as appropriate to achieve the required segregation. Network routing controls shall be implemented to support the access control policy.

1. All users must lock their screens whenever they leave their desks to reduce the risk of unauthorized access.
2. All users must keep their workplace clear of any sensitive or confidential information when they leave.
3. All users must keep their passwords confidential and not share them.

1. All Server Space staff and contractors shall be granted access to the data and applications required for their job roles.
2. All Server Space staff and contractors shall access sensitive data and systems only if there is a business need to do so and they have approval from higher management.
3. Sensitive systems shall be physically or logically isolated in order to restrict access to authorized personnel only.

1. Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it, as determined by the Data Security Policy or higher management.
2. The responsibility to implement access restrictions lies with the IT Security department.

Access control methods to be used shall include:
- Auditing of attempts to log on to any device on the Server Space network
- Windows NTFS permissions to files and folders
- Role-based access model
- Server access rights
- Firewall permissions
- Network zone and VLAN ACLs
- Web authentication rights
- Database access rights and ACLs
- Encryption at rest and in flight
- Network segregation
Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications and websites, cloud storages, and services.

1. Daily incident reports shall be produced and handled within the IT Security department or the incident response team.
2. Weekly reports detailing all incidents shall be produced by the IT Security department and sent to the IT manager or director.
3. High-priority incidents discovered by the IT Security department shall be immediately escalated; the IT manager should be contacted as soon as possible.
4. The IT Security department shall also product a monthly report showing the number of IT security incidents and the percentage that were resolved.

1. Data owners are employees who have primary responsibility for maintaining information that they own, such as an executive, department manager or team leader.
2. Information Security Administrator is an employee designated by the IT management who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources.
3. Users include everyone who has access to information resources, such as employees, trustees, contractors, consultants, temporary employees and volunteers.
4. The Incident Response Team shall be chaired by an executive and include employees from departments such as IT Infrastructure, IT Application Security, Legal, Financial Services and Human Resources.

Each business unit must be able to demonstrate they have a written SRP in place, and that it is under version control and is available via the web. The policy should be reviewed annually.

Any exception to this policy must be approved by the Server Space Team in advance and have a written record.

Any user found in violation of this policy is subject to disciplinary action, up to and including termination of employment. Any third-party partner or contractor found in violation may have their network connection terminated.

For the purpose of processing customer orders of our products and services and commissioning the products and services for delivery, we process the personal data provided during website registration and the status of the customer’s payments.
We retain the personal data until after termination of all contracts with the customer. Then processing for this purpose is restricted. The data is deleted after all mandatory retention periods have expired.

For the purpose of processing payments for products and services we process the personal data provided for website registration and the account information provided by the customer, the products and services ordered and the amounts incurred. Unless the customer prepays the remuneration for the entire contract duration by bank transfer, the data is transferred to the respective payment processing provider selected by the customer.
We retain the account information for the lifetime of the customer account + 6 months. Then processing is restricted for this purpose and deleted after all mandatory retention periods have expired.

To process all customer or product support inquiries that reach us by email, we process the name, first name, email address, telephone number and other personal data communicated in the e-mail as well as information on the content of the request.
Depending on the content of the request, processing will be restricted to processing for the specific purpose of the request immediately after completing the processing of the request. The data is deleted after all mandatory retention periods have expired.