Request a Demo
System Status

Technical & Organizational Measures

Last updated: May 22, 2018

We take our responsibility serious and therefore have implemented a variety of technical and organizational measures to protect and secure personal data as good as possible. Our measures are aligned with the GDPR regulations (article 32).

Confidentiality

Physical access control

Measures that make sure that no unauthorized access to data processing and data storage facilities takes place.

Concrete measures:

  • Electronic keys with safety locks to get into the office
  • Use of state-of-the-art cloud providers to store data with proven protection processes and within highly secured locations
  • Careful selection of staff (e.g., cleaning, maintenance, security)
  • Employees are using privacy screens whenever they access the systems remotely in public surrounding

Logical access control

Measure that make sure that there is no unauthorized use of data processing and data storage systems.

Concrete measures:

  • Secure passwords including use of state-of-the-art password managers
  • Two-Factor authentication for all key systems
  • Single-Sign-On (SSO) to reduce risk of managing multiple accounts
  • Encryption of data whenever possible
  • Limitation of who can access the systems with very restrictive granting of rights
  • Internal "data protection policy" that all employees agreed to and apply accordingly
  • Clear separation of employee sessions for company and private use

Data access control

Measures that make sure that authorized persons can only access the data according to their assigned rights, so that there is no unauthorized reading, copying, changing or deleting of data within the systems.

Concrete measures:

  • Rights authorization concept
  • Need-based rights of access
  • Limitation of who can access the systems with very restrictive granting of rights
  • Logging of system access events with regular checks

Isolation and separation

Measures that make sure that data which is collected for a specific purpose is isolated from data related to other purposes.

Concrete measures

  • Clear separation of core database systems
  • Database rights are centrally managed and set as granular as possible
  • Production and test systems are clearly separated

Pseudonymization

Measures that make sure that personal data is processed in such a way, that the data cannot be associated with a specific data subject without the assistance of additional information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.

Concrete measures:

  • Sensitive data is pseudonymized or even anonymized when not in regular need
  • Use of only internal identifiers (e.g., internal user id) instead of the raw personal data whenever sufficient

Integrity

Data transmission and transport control

Measures that make sure that no data is compromised during transmission and transport and that there is no unauthorized reading, copying, changing or deleting of data in electronic transfer.

Concrete measures:

  • Using only secured connections (SSL/HTTPS)
  • Encrypting sensitive data
  • No use of physical transportable storage (e.g., external hard drives, USB storage)
  • Reducing use of physical paper as transport medium
  • Limiting storage of local files

Data entry control

Measures that make sure that data entry is verified, whether and by whom personal data is entered, changed or deleted in the systems.

Concrete measures:

  • User-level logging for all critical system components
  • Central cloud-based document storage with detailed change-logs

Availability and resilience

Availability control

Measures that make sure that data is protected against destruction or loss.

Concrete measures:

  • In-depth backup strategy depending on sensitivity of data
  • Backups are stored in secured cloud storage with multi-location security
  • Hosting through state-of-the-art cloud providers in order to minimize risk
  • Recovery plan

Rapid recovery

Measures that make sure that data can be restored and recovered rapidly after an incident.

Concrete measures:

  • Easy backup recovery plan
  • Use of only state-of-the-art cloud providers and subcontractors to increase flexibility for recovery

Regular testing, assessing and evaluation

Measures to make sure that the implemented processes are regularly tested, assessed and evaluated on effectiveness for ensuring the security of the data processing.

Concrete measures:

  • External and unbiased data protection officer
  • Data protection management
  • Data protection by design
  • Data protection trainings with the employees
  • Regular review of all data privacy agreements with subprocessors and subcontractors
  • Internal "data protection policy" that all employees agreed to and apply accordingly
  • Regular review of our data protection concept
  • No third-party data processing without in-depth checks of the subprocessor and guaranteeing clear contractual agreements to make data transfers compliant with the regulations