Technical and organizational measures

This article explains our technical and organizational measures for backup, data protection and security.

1. Confidentiality (Article 32 (1)(a) and (b) GDPR)

Physical access control

We host our platform on AWS by Amazon in Frankfurt, Germany. They provide insights into their security measures in detail on this page: https://aws.amazon.com/compliance/data-center/controls/.

Electronic access control

The database is only directly accessible from within our office or through our VPN. This access is read-only and is restricted to system admins only. Passwords for access to the database can only be used when logging in with two-factor authentication to our password management software. We have policies and processes in place for key management that are actively monitored. We only assign access when necessary for the job of the employee.

Separation control

All data for each client is bound to the ID of the client’s account. We have separate development, testing, acceptance, and production environments.

Encryption and pseudonymization

The personal data we store is encrypted in transit and at rest. Personal data can only be accessed through:

  • Logging in with the login credentials of the client account.

  • Our support systems with the explicit consent to access the account given through the profile page of the account.

  • Accessing the database directly from the office network with login.

2. Integrity (Article 32(1)(b) GDPR)

Data transfer control

The database is only directly accessible within our office or through our VPN. This access is read-only and is restricted to system admins only. All data is encrypted in transit and at rest.

Data entry control

Only logged-in customers and our support consultants can access and alter the personal data of that customer account. Direct altering of data in the database is restricted. We don't log changes or deletions of personal data.

3. Availability and Resilience (Article 32(1)(b) and (c) GDPR)

Availability control

We host our platform on AWS by Amazon in Frankfurt, Germany. They provide insights into their security measures in detail on this page: https://aws.amazon.com/compliance/data-center/controls/.

Data backup

We have a backup strategy in place under which we back up data for five weeks, including remote backups. These backups are regularly tested.

Disaster recovery

We have disaster recovery procedures in place to ensure data and service recovery in case of unavailability.

4. Procedures for regular testing, assessment, and evaluation (Article 32(1)(d) GDPR)

Incident response management

We have an incident management procedure in place.

Data protection by design and default

Our build and development processes include data protection by design and by default.

Order control

We only process data with the written consent of the controller and only through the third parties listed in our list of sub-processors.

Data protection management

All technical and organizational measures are managed by our ISO 27001-certified information security management system. This includes testing, monitoring, and evaluation of all activities related to these technical and organizational measures.