Security Measures Checklist

Last updated: August 1, 2025

This checklist outlines the technical and organizational measures ("TOMs") implemented by Ponta Oy to ensure a high level of data protection and platform security for ads.ponta.co, as required under GDPR Article 32.
Access Control

  • [x] Role-based access control (RBAC) for platform features and internal tools
  • [x] Unique user accounts for all employees and contractors
  • [x] Two-factor authentication (2FA) for admin interfaces
  • [x] Session timeout and login activity monitoring
  • [x] Principle of least privilege enforced

Data Encryption

  • [x] HTTPS/TLS encryption for all web traffic
  • [x] AES-256 encryption for data at rest
  • [x] Secure transmission of API traffic and credentials
  • [x] Encrypted backups (at rest and in transit)

Secure Development Practices

  • [x] Regular security code reviews and pull request approvals
  • [x] Dependency and package vulnerability scanning (e.g., Dependabot, Snyk)
  • [x] OWASP Top 10 considered in development guidelines
  • [x] Dev and prod environments strictly separated

Infrastructure Security

  • [x] Firewalls and security groups configured on all cloud services
  • [x] SSH access restricted via key pairs and IP allowlists
  • [x] Auto-scaling and load balancing for redundancy
  • [x] Regular operating system and library updates

Monitoring and Logging

  • [x] Centralized logging for audit trails and anomaly detection
  • [x] Real-time monitoring of server health and API usage
  • [x] Alerts configured for suspicious activity or service degradation
  • [x] Logs stored securely and access-controlled

Backup and Recovery

  • [x] Automated daily backups of databases and config
  • [x] Offsite and geo-redundant storage of backups
  • [x] Regular testing of restore procedures
  • [x] Backup retention policy documented

Incident Response

  • [x] Data breach response policy and escalation path in place
  • [x] Incident logging and root cause analysis protocol
  • [x] 72-hour breach notification readiness (GDPR Article 33)
  • [x] Staff trained on how to report and respond to security incidents

Vendor and Third-Party Risk Management

  • [x] Data Processing Agreements (DPAs) signed with all third-party processors
  • [x] Security assessments reviewed for key partners (e.g., Google Ads, AWS)
  • [x] Use of certified providers (ISO 27001, SOC 2, GDPR-ready)

Training and Awareness

  • [x] Mandatory GDPR and data protection training for all staff
  • [x] Security awareness refreshers conducted annually
  • [x] Clear reporting channels for phishing and suspicious activity

Physical Security

  • [x] Cloud-first infrastructure (no physical servers)
  • [x] Access to employee devices secured with disk encryption and screen lock
  • [x] Laptops remotely wipeable if lost or stolen

This checklist is reviewed quarterly by the Privacy and Security Team at Ponta Oy.

Contact: privacy@ponta.co