@@ -242,9 +242,23 @@ The VPN provider shall not require PII for use of the product, including for pay
* Verdict: If there is any PII in the data entered => PASS, otherwise => FAIL
* Evidence: The record of data entered with a short description of each part saying why it is not PII
#### 5.2.X.x **MI-NPII-4**:
The VPN provider shall not store any PII of the user on remote data processing systems.
* Applicability: (optional, for requirements that depend on a feature)
* Reference: TR-NPII
* Objective: Confidentiality
* Preparation: Gather internal written policy on what data may be stored, samples of all types of information stored by the provider that may contain PII, covering at least one instance of all types of activities conducted by the user
* Activities: Examine the written policy and samples of stored data and look for PII
* Verdict: Policy is consistent with not storing PII and samples of stored data contain no PII
* Evidence: Policy, samples of stored data, documentation of why the samples don't contain PII
FIXME is this useful? Is there a use case where the VPN client sends PII to the provider but the provider doesn't store the PII? For now, don't include as a mitigation for any use cases.
| Risk factors | Requires mitigations |
|----------------------|------------------------|
| any | NPII-1, NPII-2, |
| any | NPII-1, NPII-2 |
| DAT == 2 or FUN == 2 | NPII-1, NPII-2, NPII-3 |
| Security Profile | Requires mitigations |
@@ -252,7 +266,6 @@ The VPN provider shall not require PII for use of the product, including for pay
