These Data Processing Terms (“Terms”) form part of the Terms of Service between Rotten Politics and its affiliated companies (“Rotten Politics”) and Users (defined below) regarding RP’s services. These Terms are binding between Rotten Politics and Users, Customers & Merchants and constitute a data processing agreement. If there is a conflict between these Terms and the Agreement, these Terms will govern. If you do not agree to these Terms, do not use the Service (both defined below).
3.1 To the extent that Rotten Politics Processes Personal Data on behalf of the User, the following Processing details apply:
At the choice of the Merchant, Rotten Politics will delete or return all Personal Data to the Merchant after the end of the Agreement, and shall delete existing copies, unless an applicable law requires Rotten Politics to store such Personal Data.
These Terms are governed by the laws of the United Kingdom and are subject to the dispute resolution procedure as prescribed by the Agreement.
Rotten Politics reserves the right, at its discretion, to modify these Terms. In case of material changes, Rotten Politics will notify the User in writing, giving the User the right to terminate the Agreement.
Schedule 1
Technical and Organisational Security Measures
Rotten Politics shall take, among others, the following technical and organizational measures to ensure physical security of Personal Data and control system entry, access, transfer, input, availability and separation of Personal Data:
All entrances are secured or locked and can only be accessed with the appropriate key / chip card / internal digital keys;
Premises are protected by an alarm system;
All visitors are required to identify themselves and are signed-in by authorized staff;
Video monitoring of premises;
Visitors are accompanied by RP’s personnel at all times;
Trained security guards are stationed in and around the building 24/7;
Use of state-of-the-art anti-virus software that includes e-mail filtering and malware detection;
Use of firewalls;
During idle times, user and administrator PCs are locked;
Users are required to set up complex passwords and enable 2FA in all systems where possible;
Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above these least privileges requires appropriate authorization;
Starter, mover and leaver housekeeping processes are in place which cover access rights according to job duties;
RSA/ed25519 2-factor authentication in place for most critical remote connections;
Vulnerability scanning and remediation in place;
Data centre and website penetration testing programme in place.
User and administrator access to the network is based on a group-based / role-based access rights model. There is an authorization concept in place that grants access rights to data only on a “need to know” basis;
Administration of user rights through system administrators or system owners;
IT governance and controls audits undertaken regularly by an external third party;
Internal control audits undertaken regularly.