SCC Appendix II — Technical & Organizational Measures

Overview

This Appendix II forms part of the Data Processing Addendum ("DPA") between the Client and Blue Arctic, LLC, and provides the description of technical and organizational measures required by Annex II of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as incorporated into the DPA.

The measures described below represent the security controls Blue Arctic implements to protect Personal Data processed on behalf of its clients. Blue Arctic regularly reviews and updates these measures to reflect changes in technology, regulatory requirements, and the evolving threat landscape.

1. Access Control

Authentication. All administrative access to Blue Arctic's infrastructure and systems requires multi-factor authentication (MFA). Client access to control panels and management interfaces is protected by password-based authentication with optional MFA. Blue Arctic enforces minimum password complexity requirements for all accounts.

Authorization. Blue Arctic implements role-based access controls (RBAC) and follows the principle of least privilege. Access to systems containing Personal Data is restricted to personnel whose job functions require such access. Access permissions are reviewed periodically and revoked promptly upon role change or termination of employment.

Session management. Administrative sessions are subject to automatic timeout and require re-authentication after periods of inactivity. Remote administrative access is restricted to secured, authenticated channels.

2. Encryption

Data in transit. All data transmitted between clients and Blue Arctic's infrastructure is encrypted using TLS 1.2 or higher. Blue Arctic enforces strong cipher suites and disables deprecated protocols. Client control panel sessions, API communications, and email transport (where supported by the receiving server) are encrypted in transit.

Data at rest. Blue Arctic implements encryption at rest for storage systems where technically feasible and appropriate to the sensitivity of the data. Full-disk encryption is employed on systems storing administrative credentials, backup archives, and internal databases containing Personal Data.

Key management. Encryption keys are managed in accordance with industry best practices, including secure key generation, restricted access to key material, and periodic key rotation.

3. Network Security

Perimeter defense. Blue Arctic's infrastructure is protected by enterprise-grade firewalls and network segmentation. Ingress and egress filtering is applied at the network perimeter, and access control lists restrict traffic to authorized ports and protocols.

Intrusion detection and prevention. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor network traffic for known attack signatures and anomalous behavior. Alerts are routed to the operations team for investigation and response.

DDoS mitigation. Blue Arctic employs distributed denial-of-service (DDoS) mitigation measures, including traffic scrubbing, rate limiting, and upstream filtering, to protect infrastructure and client services from volumetric and application-layer attacks.

4. Physical Security

Blue Arctic operates its primary infrastructure in data center facilities that maintain the following physical security controls:

  • Restricted facility access with biometric authentication and key card entry
  • 24/7 on-site security personnel and video surveillance
  • Visitor access controls, including registration, identification verification, and escorted access
  • Environmental controls, including fire suppression, climate regulation, and water detection systems
  • Redundant power systems, including uninterruptible power supplies (UPS) and diesel generators

5. Monitoring and Logging

Infrastructure monitoring. Blue Arctic continuously monitors its infrastructure for availability, performance, and security events. Monitoring covers server health, network connectivity, storage utilization, and service availability, with automated alerting for anomalies and threshold breaches.

Security logging. Security-relevant events — including authentication attempts, administrative actions, access to systems containing Personal Data, and configuration changes — are logged and retained for audit and investigation purposes. Log data is protected from unauthorized access and tampering.

Log retention. Server and access logs are retained for 90 days, consistent with the retention periods described in the Privacy Policy. Logs may be retained longer where required for active investigations or legal proceedings.

6. Infrastructure Security

Patch management. Blue Arctic maintains a patch management process to identify, evaluate, and apply security patches to operating systems, applications, and firmware. Critical and high-severity patches are prioritized and applied within commercially reasonable timeframes.

Vulnerability management. Blue Arctic conducts regular vulnerability assessments and penetration testing of its infrastructure. Identified vulnerabilities are triaged by severity, and remediation is tracked to completion.

Configuration management. Server and network configurations follow hardening guidelines and industry benchmarks. Default credentials are changed prior to deployment, unnecessary services are disabled, and configurations are documented and version-controlled.

Isolation. Client environments are logically isolated from one another using appropriate virtualization, containerization, or account-level separation techniques to prevent unauthorized cross-client data access.

7. Personnel Security

Background checks. Blue Arctic conducts background checks on employees who have access to infrastructure or systems that process Personal Data, to the extent permitted by applicable law.

Confidentiality agreements. All employees and contractors with access to Personal Data are required to execute confidentiality and non-disclosure agreements as a condition of engagement.

Security training. Blue Arctic provides regular security awareness training to all employees, covering topics including phishing, social engineering, data handling, and incident reporting. Training is mandatory and compliance is tracked.

Access termination. Upon termination of employment or contract, access to all Blue Arctic systems and facilities is revoked promptly. Equipment is recovered and accounts are deactivated in accordance with Blue Arctic's offboarding procedures.

8. Incident Response

Blue Arctic maintains a documented incident response plan that defines procedures for identifying, containing, investigating, remediating, and reporting security incidents, including Personal Data Breaches. The incident response process includes:

  • Defined roles, responsibilities, and escalation paths
  • Procedures for initial triage and severity classification
  • Containment measures to limit the scope and impact of incidents
  • Root cause analysis and remediation tracking
  • Notification procedures in accordance with applicable Data Protection Laws and the breach notification provisions of the DPA
  • Post-incident review and documentation of lessons learned

Blue Arctic tests and updates its incident response procedures periodically to ensure effectiveness.

9. Business Continuity and Disaster Recovery

Backups. Blue Arctic performs regular backups of client data and critical systems. Backup schedules, retention periods, and restoration procedures are documented. Backup integrity is verified through periodic restoration testing.

Redundancy. Critical infrastructure components — including power, network connectivity, and storage — incorporate redundancy to mitigate the impact of hardware failures and service interruptions.

Disaster recovery. Blue Arctic maintains disaster recovery procedures designed to restore service availability and data integrity following a disruptive event. Recovery time and recovery point objectives are aligned with the service level commitments described in the Service Level Agreement.

10. Vendor and Subprocessor Management

Blue Arctic evaluates the security practices of its Subprocessors and third-party service providers prior to engagement. Subprocessors with access to Personal Data are required to maintain appropriate technical and organizational measures consistent with the requirements of this Appendix and the DPA.

Subprocessor agreements include data protection obligations, confidentiality requirements, and, where applicable, Standard Contractual Clauses or equivalent transfer safeguards. Blue Arctic periodically reviews Subprocessor compliance and may terminate engagements where Subprocessors fail to meet their obligations.

An informational overview of Blue Arctic's Subprocessor categories is available at bluearctic.com/legal/subprocessors.