©2024 Akamai Technologies
TOMs for Noname API Security Services
Last updated: November 2024
TOMs applicable for API Security Services (defined as “Services”).
Personal data processed in connection with the Services: any personal data embedded in customer API traffic, e.g., IP address, name, email, credit card number, and SSN (defined as “API Personal Data”).
These TOMs are applicable for API Security Services SaaS and Hybrid versions.
Any personal data processed in connection with the support services for API Security Services SaaS, Hybrid or On-prem version is protected based on the TOMs applied by the sub-processors providing support ticketing systems as outlined in the data processor’s sub-processor list.
Measures of pseudonymisation and encryption of personal data
The Services apply automatic obfuscation for most sensitive data categories within API Personal Data, such as bank account number, birth date, credit card, CVV, health data, religion, salary, SSN, and passport details. The customer may choose to include additional data categories for obfuscation.
API Personal Data is encrypted at rest and in transit, using accepted methods that meet industry standards, e.g., AES-256, TLS 1.2 or higher.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Data processor has implemented and maintains the company's information security and compliance program designed to ensure the ongoing confidentiality, integrity, availability, and resilience of information and processing systems, e.g.:
- Confidentiality arrangements
- Data privacy and information security training
- Information security policies and procedures
- Backup procedures
- Remote storage in third party data centers
- Utilisation of different availability zones via cloud service providers such as AWS or others (as outlined in the data processor’s sub-processor list) of each customer’s choice to ensure recovery and availability due to physical outages in a cloud service provider’s primary data center
- 24/7 network security controls, including the use of firewalls, updated intrusion detection and prevention systems, to help protect systems from intrusion and limit the scope or success of an attack or attempt at unauthorized access to data processor’s system, computing devices or networks
- Remote access controls to monitor and control access to data processor’s systems or networks, including requiring multifactor authentication for any individual accessing data processor’s network from an external system or network
- Patch management procedures and controls to implement security patches and updates to software and firmware in a timely manner
- Vulnerability management procedures and technologies to identify, assess, mitigate and protect against new and existing security vulnerabilities and threats, including viruses, bots, other malicious code, and anti-virus protection
- Availability controls to protect personal data against accidental destruction or loss
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Data processor maintains:
- Business continuity plan
- Disaster recovery procedure
- Incident response plan that is maintained and practiced, such as through full environment recovery exercises
Data processor’s production systems are backed up regularly as required by internal backup procedures.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Data processor has implemented the following processes:
- Internal and external audit program, audit reports and documentation
- Testing of backup processes and business continuity procedures
- Risk evaluation and system monitoring on a regular basis
- Vulnerability and penetration testing on a regular basis
Data processor undergoes regular security assessments and holds certifications as listed at https://www.akamai.com/legal/compliance
Measures for user identification and authorisation
Data processor maintains policies and procedures to manage user identification and authorization, e.g.:
- Internal policies and procedures, including to establish, manage and control password and authentication requirements
- User authentication controls, including secure methods of assigning, selecting and storing access credentials, and blocking access after a reasonable number of failed authentication attempts
- Restricting access to certain users
- Access granted based on a need-to-know, supported by protocols for access authorization, establishment, modification and termination of access rights
- Logging and reporting systems
- Control authorization schemes
- Differentiated access rights (profiles, roles, transactions and objects)
- Monitoring and logging of accesses
- Reports of access
- Access policies and procedures
- Change management policies and procedures
Measures for the protection of data during transmission
API Personal Data are protected during transmission by:
- Encryption in transit via industry standards such as TLS 1.2 or higher
- Obfuscation of anything sensitive in accordance with each customer’s preference, managed by each customer
- Network and customer data segregation
- Logging and monitoring of security-relevant events
Measures for the protection of data during storage
API Personal Data are protected during storage by:
- Encryption at rest via industry standards such as AES-256
- Access controls
- Separation of databases and logical segmentation of customer data from data of other customers
- Segregation of functions and environments (production/testing/development)
- Procedures for storage, amendment, deletion, transmission of data for different purposes
Measures for ensuring physical security of locations at which personal data are processed
The following measures are handled by sub-processors such as AWS or another cloud service provider (as outlined in the data processor’s sub-processor list) of each customer’s choice, as data processor does not store API Personal Data on its own servers:
- Establishing security areas, restriction of access paths
- Establishing access authorizations for employees and third parties with a need-to-know
- Access control system (ID reader, magnetic card, chip card)
- Key management, card-keys procedures
- Door locking (electric door openers etc.)
- Security staff
- Surveillance of facilities, video/CCTV monitoring, alarm system
- Securing decentralized processing equipment and personal computers
Detailed measures applied by each cloud service provider chosen by the customer can be checked on their respective websites.
Measures for ensuring events logging
Data processor maintains policies and procedures to ensure events logging, e.g.:
- User identification and authentication procedures
- ID/password security procedures
- Automatic blocking and lockout of accounts after a set number of login failures
- Automatic session timeout for inactivity
- Log management procedures and technologies to create and maintain a complete audit trail to enable effective forensic investigations, including monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts
- Creation of one master record per user
Measures for ensuring system configuration, including default configuration
Data processor maintains procedures and policies to ensure its systems are configured and maintained in accordance with industry standards, e.g.:
- Up-to-date baseline configuration documentation and settings
- Operational procedures and controls to ensure software, computing devices and networks are developed, configured and maintained according to prescribed internal standards consistent with industry standards
- Changes in the system configuration require specific privileges
Measures for internal IT and IT security governance and management
Data processor manages IT governance in accordance with industry standards such as SOC 2 Type 2, CSA STAR 2, PCI DSS, HIPAA, and applies the following measures, e.g.:
- Information security policies and procedures
- Incident response plan
- Regular internal and external audits
- Review and supervision of information security program
- Regular information security and privacy trainings for employees
- Access to data based on the least privilege principle
Measures for certification/assurance of processes and products
Data processor holds the following certifications:
- SOC 2 Type 2
- Cloud Security Alliance (CSA) STAR 2
- HIPAA
- PCI DSS
Further details listed at https://www.akamai.com/legal/compliance
Measures for ensuring data minimization
Data processor ensures through its privacy-by-design principles that its services and systems are developed and designed in compliance with privacy requirements and that only the required scope of data is processed, e.g.:
- Ensuring that the minimum amount of data is processed to fulfil the purpose of the processing
- Data only captured when API security incidents are detected and only a few packets collected per API to establish API baselines
- Certain sensitive categories of personal data that are captured by the Services are automatically obfuscated, and a customer can choose to obfuscate additional categories of personal data in accordance with each customer’s preferences, which is managed directly by each customer
Measures for ensuring data quality
Data processor receives API traffic packets as is and has no ability to update or correct the API Personal Data within the packets once received.
Measures for ensuring limited data retention
API Personal Data is stored for the duration of the agreement and can be deleted earlier upon customer’s request.
Measures for ensuring accountability
Data processor ensures accountability through implementation of various measures, e.g.:
- Internal policies and procedures to protect data
- Privacy by design and by default
- Records of data processing activities
- Privacy impact assessments, where required
- Vendor onboarding process and due diligence assessments
- Sub-processor controls, including appropriate criteria for selecting sub-processors and adequate agreements
- Data privacy and information security training program
Measures for allowing data portability and ensuring erasure
Data processor ensures portability and erasure through the following measures:
- Customers can use workflows to integrate Services with their own systems and receive API Personal Data within their systems automatically
- API Personal Data can be exported upon customer’s request
- API Personal Data can be deleted upon customer’s request
- Deletion of API Personal Data in accordance with NIST best practices and managed by AWS or another cloud service provider (as outlined in the data processor’s sub-processor list) of each customer’s choice
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller
When data processor engages a sub-processor the data processor and the sub-processor enter into an agreement with data protection obligations substantially similar to those contained in the agreement between the data processor and data controller.
Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller.
For further details regarding data processor’s assistance to the controller see data processing agreement and related service agreement.