Split loader.ts (3163 LOC) into categories/ subdir (8 files, each <500 LOC): - access.ts (ACCESS_CONTROL + ADMISSION_CONTROL + ACCESS_AUTHORIZATION) - transfer-input.ts (TRANSFER_CONTROL + INPUT_CONTROL) - order-availability.ts (ORDER_CONTROL + AVAILABILITY) - separation-encryption.ts (SEPARATION incl. DL-* + ENCRYPTION) - pseudonymization.ts (PSEUDONYMIZATION) - resilience-recovery.ts (RESILIENCE + RECOVERY) - review.ts (REVIEW + training/TR-* controls) - category-map.ts (category metadata Map) Split controls-library.ts (943 LOC) into domain files: - transfer-audit.ts (TRANSFER + AUDIT) - deletion-incident.ts (DELETION + INCIDENT) - subprocessor-tom.ts (SUBPROCESSOR + TOM) - contract-data-subject.ts (CONTRACT + DATA_SUBJECT) - security-governance.ts (SECURITY + GOVERNANCE) Both barrel files preserved their full public API. No consumer imports changed. Zero new TypeScript errors introduced (305 pre-existing errors unchanged). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
/**
 * Transfer and Audit Controls
 *
 * Domains: TRANSFER, AUDIT
 *
 * Vendor-assessment control definitions for the TRANSFER and AUDIT domains,
 * split out of controls-library.ts; the barrel file re-exports
 * TRANSFER_CONTROLS and AUDIT_CONTROLS so consumer imports are unchanged.
 */
import { Control } from '../types'
/**
 * Vendor controls for the TRANSFER domain (VND-TRF-01 … VND-TRF-05): the
 * safeguards a processor must have in place for transfers of personal data
 * to third countries (GDPR Chapter V, Art. 44-49).
 *
 * Each entry is a bilingual (de/en) `Control`. From the values used here:
 * `requirements` lists the legal/standard references the control is drawn
 * from, `isRequired` presumably marks a control the vendor must pass, and
 * `defaultFrequency` ('ANNUAL' | 'QUARTERLY') presumably is the default
 * re-check interval — the field contract itself lives in `../types`.
 *
 * NOTE(review): the ISO 27001 references in this file use the 2013 Annex A
 * numbering (A.15.x); the 2022 edition renumbered these controls — confirm
 * which edition the vendors' certificates and SoAs cite before matching.
 */
export const TRANSFER_CONTROLS: Control[] = [
  // VND-TRF-01: Chapter V only allows a transfer on an adequacy decision
  // (Art. 45) or with appropriate safeguards (Art. 46, e.g. SCC/BCR).
  // Art. 49 is listed in `requirements`, but the Art. 49 derogations do not
  // satisfy `passCriteria` — presumably deliberate, since derogations are
  // not meant for routine processor transfers; worth a sentence in the
  // description so a reviewer does not accept them.
  {
    id: 'VND-TRF-01',
    domain: 'TRANSFER',
    title: {
      de: 'Drittlandtransfer nur mit Rechtsgrundlage',
      en: 'Third country transfer with legal basis',
    },
    description: {
      de: 'Drittlandtransfers erfolgen nur auf Basis von SCC, BCR oder Angemessenheitsbeschluss',
      en: 'Third country transfers only based on SCC, BCR or adequacy decision',
    },
    passCriteria: {
      de: 'SCC oder BCR vertraglich vereinbart ODER Angemessenheitsbeschluss vorhanden',
      en: 'SCC or BCR contractually agreed OR adequacy decision exists',
    },
    requirements: ['Art. 44-49 DSGVO', 'ISO 27001 A.15.1.2'],
    isRequired: true,
    defaultFrequency: 'ANNUAL',
  },
  // VND-TRF-02: Implementing Decision (EU) 2021/914 replaced the 2001/2004/
  // 2010 SCC sets. NOTE(review): the transition period for contracts still
  // on the old clauses ended on 27 Dec 2022 (Art. 4(4) of the Decision —
  // verify), so a legacy SCC found in a contract is a plain fail here, not
  // a deviation to be remediated later.
  {
    id: 'VND-TRF-02',
    domain: 'TRANSFER',
    title: {
      de: 'Aktuelle Standardvertragsklauseln',
      en: 'Current Standard Contractual Clauses',
    },
    description: {
      de: 'Bei SCC-Nutzung: Verwendung der aktuellen EU-Kommission-Klauseln (2021)',
      en: 'When using SCC: Current EU Commission clauses (2021) are used',
    },
    passCriteria: {
      de: 'SCC 2021 (Durchführungsbeschluss (EU) 2021/914) verwendet',
      en: 'SCC 2021 (Implementing Decision (EU) 2021/914) used',
    },
    requirements: ['Art. 46 Abs. 2 lit. c DSGVO'],
    isRequired: true,
    defaultFrequency: 'ANNUAL',
  },
  // VND-TRF-03: Schrems II (CJEU C-311/18, 2020) made a case-by-case
  // assessment of the destination's law a condition of relying on Art. 46
  // safeguards; EDPB Recommendations 01/2020 lay out the method.
  // NOTE(review): the pass needs both the document AND an "acceptable"
  // outcome — a TIA concluding that local law undermines the SCC should
  // only pass where supplementary measures (VND-TRF-04) demonstrably close
  // the gap; consider saying so in `passCriteria`.
  {
    id: 'VND-TRF-03',
    domain: 'TRANSFER',
    title: {
      de: 'Transfer Impact Assessment (TIA)',
      en: 'Transfer Impact Assessment (TIA)',
    },
    description: {
      de: 'Bei Transfers in Drittländer ohne Angemessenheitsbeschluss ist TIA durchzuführen',
      en: 'TIA required for transfers to third countries without adequacy decision',
    },
    passCriteria: {
      de: 'TIA dokumentiert und bewertet Risiken als akzeptabel',
      en: 'TIA documented and risks assessed as acceptable',
    },
    requirements: ['Schrems II Urteil', 'EDSA Empfehlungen 01/2020'],
    isRequired: true,
    defaultFrequency: 'ANNUAL',
  },
  // VND-TRF-04: optional (`isRequired: false`), presumably because measures
  // are only needed where VND-TRF-03 finds the safeguard alone insufficient.
  // NOTE(review): "encryption" only counts as an effective supplementary
  // measure (EDPB 01/2020, Use Cases 1 and 3 — confirm) when the importer
  // cannot access plaintext, i.e. keys are held solely by the exporter or a
  // trusted EEA entity; the pass check should look at key custody, not only
  // at whether encryption is documented.
  {
    id: 'VND-TRF-04',
    domain: 'TRANSFER',
    title: {
      de: 'Zusätzliche Schutzmaßnahmen',
      en: 'Supplementary Measures',
    },
    description: {
      de: 'Bei Bedarf sind zusätzliche technische/organisatorische Maßnahmen implementiert',
      en: 'Supplementary technical/organizational measures implemented where needed',
    },
    passCriteria: {
      de: 'Ergänzende Maßnahmen dokumentiert (Verschlüsselung, Pseudonymisierung, etc.)',
      en: 'Supplementary measures documented (encryption, pseudonymization, etc.)',
    },
    requirements: ['EDSA Empfehlungen 01/2020'],
    isRequired: false,
    defaultFrequency: 'ANNUAL',
  },
  // VND-TRF-05: adequacy decisions can be invalidated by the CJEU (Safe
  // Harbour 2015, Privacy Shield 2020) or amended by the Commission; the
  // QUARTERLY cadence presumably exists because the legal basis accepted
  // under VND-TRF-01 can disappear between two annual reviews.
  {
    id: 'VND-TRF-05',
    domain: 'TRANSFER',
    title: {
      de: 'Überwachung Angemessenheitsbeschlüsse',
      en: 'Monitoring Adequacy Decisions',
    },
    description: {
      de: 'Änderungen bei Angemessenheitsbeschlüssen werden überwacht',
      en: 'Changes to adequacy decisions are monitored',
    },
    passCriteria: {
      de: 'Prozess zur Überwachung und Reaktion auf Änderungen etabliert',
      en: 'Process for monitoring and responding to changes established',
    },
    requirements: ['Art. 45 DSGVO'],
    isRequired: false,
    defaultFrequency: 'QUARTERLY',
  },
]
/**
 * Vendor controls for the AUDIT domain (VND-AUD-01 … VND-AUD-05): the
 * controller's contractual ability to verify the processor (audit and
 * inspection rights, Art. 28(3)(h) GDPR) and the evidence that verification
 * actually took place (certifications, audit reports, review cadence).
 *
 * Same field layout as TRANSFER_CONTROLS; the `Control` contract lives in
 * `../types`. NOTE(review): the ISO 27001 references use the 2013 Annex A
 * numbering (A.15.1.1, A.18.2.1); the 2022 edition renumbered them.
 */
export const AUDIT_CONTROLS: Control[] = [
  // VND-AUD-01: `passCriteria` makes "without unreasonable restrictions"
  // measurable: at most 30 days notice and no clause excluding audits.
  // NOTE(review): other common ways to hollow out an audit right — audits
  // only by the processor's own auditor, cost-shifting to the controller,
  // caps on frequency, or "we provide a SOC 2 report instead" — are not
  // named here; list them if they should fail the control.
  {
    id: 'VND-AUD-01',
    domain: 'AUDIT',
    title: {
      de: 'Auditrecht vertraglich vereinbart',
      en: 'Audit right contractually agreed',
    },
    description: {
      de: 'Vertrag enthält wirksames Auditrecht ohne unangemessene Einschränkungen',
      en: 'Contract contains effective audit right without unreasonable restrictions',
    },
    passCriteria: {
      de: 'Auditrecht im AVV enthalten, max. 30 Tage Vorlaufzeit, keine Ausschlussklausel',
      en: 'Audit right in DPA, max 30 days notice, no exclusion clause',
    },
    requirements: ['Art. 28 Abs. 3 lit. h DSGVO'],
    isRequired: true,
    defaultFrequency: 'ANNUAL',
  },
  // VND-AUD-02: extends VND-AUD-01 from document review to physical access.
  // NOTE(review): large cloud processors commonly decline on-site access
  // and offer third-party attestations instead; this control is
  // `isRequired: true`, so the library needs a stated position on whether
  // such a report can substitute — otherwise every hyperscaler fails by
  // design.
  {
    id: 'VND-AUD-02',
    domain: 'AUDIT',
    title: {
      de: 'Vor-Ort-Inspektionen möglich',
      en: 'On-site inspections possible',
    },
    description: {
      de: 'Vertrag erlaubt Vor-Ort-Inspektionen bei dem Auftragsverarbeiter',
      en: 'Contract allows on-site inspections at the processor',
    },
    passCriteria: {
      de: 'Vor-Ort-Audit explizit erlaubt, Zugang zu relevanten Bereichen',
      en: 'On-site audit explicitly allowed, access to relevant areas',
    },
    requirements: ['Art. 28 Abs. 3 lit. h DSGVO'],
    isRequired: true,
    defaultFrequency: 'ANNUAL',
  },
  // VND-AUD-03: optional — a certificate is supporting evidence; the reports
  // behind it are covered by VND-AUD-05. NOTE(review): the criteria check
  // expiry only; scope matters as much — a certificate whose boundary /
  // Statement of Applicability does not cover the service that processes
  // the data gives little assurance.
  {
    id: 'VND-AUD-03',
    domain: 'AUDIT',
    title: {
      de: 'Aktuelle Zertifizierungen',
      en: 'Current Certifications',
    },
    description: {
      de: 'Relevante Sicherheitszertifizierungen sind aktuell und gültig',
      en: 'Relevant security certifications are current and valid',
    },
    passCriteria: {
      de: 'ISO 27001, SOC 2 oder vergleichbar, nicht abgelaufen',
      en: 'ISO 27001, SOC 2 or equivalent, not expired',
    },
    requirements: ['Art. 32 DSGVO', 'ISO 27001 A.15.1.1'],
    isRequired: false,
    defaultFrequency: 'ANNUAL',
  },
  // VND-AUD-04: meta-control tying the vendor to the review cycle itself.
  // The "defined interval" in `passCriteria` presumably resolves to
  // `defaultFrequency` or a per-vendor override — not visible in this file.
  {
    id: 'VND-AUD-04',
    domain: 'AUDIT',
    title: {
      de: 'Letzte Prüfung durchgeführt',
      en: 'Last review conducted',
    },
    description: {
      de: 'Vendor wurde innerhalb des Review-Zyklus geprüft',
      en: 'Vendor was reviewed within the review cycle',
    },
    passCriteria: {
      de: 'Dokumentierte Prüfung innerhalb des festgelegten Intervalls',
      en: 'Documented review within the defined interval',
    },
    requirements: ['Art. 28 Abs. 3 lit. h DSGVO'],
    isRequired: true,
    defaultFrequency: 'ANNUAL',
  },
  // VND-AUD-05: the 12-month freshness limit matches the ANNUAL cadence.
  // NOTE(review): report type is not distinguished — a SOC 2 Type I attests
  // control design at a point in time, a Type II operating effectiveness
  // over a period; and a penetration-test report only carries weight with
  // evidence that the findings were remediated. Consider naming these in
  // `passCriteria`.
  {
    id: 'VND-AUD-05',
    domain: 'AUDIT',
    title: {
      de: 'Prüfberichte verfügbar',
      en: 'Audit reports available',
    },
    description: {
      de: 'Aktuelle Prüfberichte (SOC 2, Penetrationstest, etc.) liegen vor',
      en: 'Current audit reports (SOC 2, penetration test, etc.) are available',
    },
    passCriteria: {
      de: 'Prüfberichte nicht älter als 12 Monate',
      en: 'Audit reports not older than 12 months',
    },
    requirements: ['ISO 27001 A.18.2.1'],
    isRequired: false,
    defaultFrequency: 'ANNUAL',
  },
]