Prelude Technical and Organizational Measures

This document describes technical and organizational security measures and controls implemented by Prelude Research, Inc. (hereafter “Prelude”), to protect personal data and ensure the ongoing confidentiality, integrity and availability of our products and services.

This document is a high-level overview of Prelude’s technical and organizational security measures. More details on the measures we implement are available upon request. Prelude reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for personal data that Prelude processes in providing its various services. In the unlikely event that Prelude does materially reduce its security, Prelude shall notify its customers.

Prelude takes the following technical and organizational security measures to protect personal data:

  1. Confidentiality 
  • Electronic Access Control: No unauthorized use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
  • Internal Access Control (permissions for user rights of access to and amendment of data): No unauthorized reading, copying, changes, or deletions of data within the system, e.g. rights authorization concept, need-based rights of access, logging of system access events
  • Separation according to purpose: The separated processing of data, which is collected for differing purposes, e.g. multiple Controller support, sandboxing;
  • Pseudonymization: The processing of personal data in such a method/way, that the data cannot be associated with a specific data subject without the assistance of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.
  1. Integrity 
  • Data Transfer Control: No unauthorized reading, copying, changes, or deletions of data with electronic transfer or transport, e.g.: encryption, Virtual Private Networks (VPN), electronic signature;
  • Data Entry Control: Verification, whether and by whom personal data is entered into a data processing system, is changed or deleted, e.g.: logging, document management.
  1. Resilience
  • Prevention of accidental or willful destruction or loss, e.g.: backup/replication strategy (online/offline; on-site/off-site), virus protection, firewall, reporting procedures, and contingency planning.
  1. Procedures for regular testing, assessment, and evaluation of our employees on data privacy and security.
  1. No third-party data processing without corresponding instructions from the Data Controller, e.g.: clear and unambiguous contractual arrangements, formalized Order Management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks. 
  2. Prelude has obtained SOC2 certification, effective as of July 14, 2023.