Data Processing Agreement

Version: 2.0
As of: September 2024

1. Introduction, Scope, and Definitions

1.1. This Data Processing Agreement (hereinafter "Agreement") governs the rights and obligations of the Client and the Processor (hereinafter "Parties") in the context of the processing of personal data.

1.2. This Agreement applies to all activities in which employees of the Processor or subcontractors (hereinafter "Subprocessors") engaged by the Processor process personal data of the Client.

1.3. Terms used in this Agreement shall be understood in accordance with their definitions in the EU General Data Protection Regulation. Insofar as statements are required to be made "in writing" hereunder, "in writing" means in accordance with § 126 of the German Civil Code (BGB). Otherwise, statements may be made in other forms, provided that adequate evidentiary certainty is ensured.

2. Subject Matter and Duration of the Processing

2.1. Subject Matter

The Processor shall perform the following processing operations:

  • Provision of an Access as a Service (ACaaS) service/application for the use, development, and operation of an access management platform that receives access requests from third-party systems and, on this basis, grants access permissions. At the same time, the platform provides information regarding existing and past access permissions.
  • Provision of an Identity as a Service (IDaaS) service/application for the use, development, and operation of an identity management platform that receives authorization requests from third-party systems and, on this basis, grants access permissions. Simultaneously, the platform provides information regarding existing and past access permissions.

2.2. Provision of Support for Clients and Users of the Offered Services

The processing is based on the service contract concluded between the Parties on the basis of the Client’s account with BlueID, as well as the General Terms and Conditions and the services offered in the current version (hereinafter "Main Agreement").

2.3. Duration

The processing shall commence with the start of the Main Agreement and shall continue indefinitely until the Main Agreement entered into between the Parties terminates.

3. Nature and Purpose of the Data Processing

3.1. Nature and Purpose of the Processing

The processing consists of providing an online cloud solution for the management and execution of access and identity management as well as the remote maintenance of the systems deployed (see Section 2.1) for the Client.

3.2. Nature of the Data

Depending on the provision by the Client or the users authorized by the Client, the following data are processed:

  • Pseudonymized user data regarding mobile devices,
  • Full name,
  • Email address of the user,
  • Access permission (e.g., door or room designation),
  • Roles or functional designations (e.g., client, employee, team leader, etc.),
  • Log data of accesses to the lock,
  • Error causes,
  • Number of successful and unsuccessful opening attempts,
  • Status and firmware data.

3.3. Categories of Data Subjects

The processing affects the following persons:

  • Employees
  • External building visitors (e.g., hotel guests, office visitors, tenants, service providers)
  • Other users of the systems (e.g., B2B clients)

4. Obligations of the Processor

4.1. The Processor shall process personal data solely in accordance with the contractual agreement or as instructed by the Client, unless the Processor is legally obligated to process the data in a certain manner. Insofar as such obligations exist, the Processor shall notify the Client prior to processing, unless such notification is prohibited by law. Furthermore, the Processor shall not use the data entrusted for processing for any purposes other than those specified, in particular not for its own purposes.

4.2. The Processor confirms that it is familiar with the applicable general data protection regulations and shall adhere to the principles of proper data processing.

4.3. The Processor undertakes to strictly maintain confidentiality during processing. Persons who may become aware of the data processed under this Agreement shall be bound by confidentiality obligations in writing, unless they are already subject to a statutory confidentiality obligation.

4.4. The Processor warrants that the personnel employed for processing have been made familiar with the relevant data protection provisions and the terms of this Agreement prior to the commencement of processing. Appropriate training and awareness measures shall be repeated at regular intervals. The Processor shall ensure that personnel engaged in the data processing are continuously adequately instructed and supervised with respect to fulfilling the data protection requirements.

4.5. In connection with the commissioned processing, the Processor shall support the Client in the preparation and updating of the register of processing activities as well as in conducting a data protection impact assessment. All necessary information and documentation shall be maintained and provided to the Client immediately upon request.

4.6. If the Client is subject to inspections by supervisory authorities or other bodies, or if data subjects assert rights against the Client, the Processor shall support the Client to the extent required, insofar as the processing under this Agreement is affected.

4.7. The Processor may provide information to third parties or data subjects only with the prior consent of the Client. Inquiries directed directly to the Processor shall be forwarded to the Client without delay.

4.8. The Processor warrants that it has appointed a competent and reliable in-house Data Protection Officer, to whom sufficient time is allocated to perform his duties.

The Data Protection Officer at the Processor is:

Malte Pignol
+49 (89) 8099026-00
datenschutz@blueid.net

Malte Pignol is a legal professional specializing in European commercial law, particularly data protection. As an experienced internal and external Data Protection Officer for small and medium-sized enterprises as well as corporations, he holds the relevant certifications as a Data Protection Officer, Data Protection Auditor, Information Security Officer, and Lead Auditor in the field of information security.

5. Technical and Organizational Measures (TOM)

5.1. The data security measures described in Annex 1 are hereby established as binding. These measures may be adapted in accordance with technological and organizational developments, provided that the level agreed herein is not undercut. Any necessary changes to maintain information security shall be implemented by the Processor without delay.

5.2. Should the implemented security measures not meet or no longer meet the requirements of the Client, the Processor shall notify the Client immediately.

5.3. The Processor warrants that the data processed under this Agreement are strictly segregated from other data sets.

5.4. Copies or duplicates shall not be created without the Client's knowledge, except for technically necessary, temporary reproductions, provided that the data protection level agreed herein is not impaired.

5.5. The processing of data in private residences is permitted only in compliance with appropriate technical and organizational measures. In the event such processing occurs, the Processor shall ensure that a level of data protection and data security corresponding to this Agreement is maintained and that the control rights provided to the Client under this Agreement may be exercised without restriction, even in the affected private residences. The processing of data under contract using private devices is not permitted under any circumstances.

5.6. Dedicated data carriers provided by or used for the Client shall be clearly marked and subject to continuous management. They must be stored securely at all times and must not be accessible to unauthorized persons. All entries and exits shall be documented.

6. Provisions on Rectification, Deletion, and Restriction of Data Processing

6.1. The Processor shall rectify, delete, or restrict the processing of data processed under the Main Agreement solely in accordance with this Agreement.

6.2. The Processor shall comply at all times, and even after the termination of this Agreement, with the instructions given by the Client.

6.3. The Processor is entitled to suspend data processing or to refrain from implementing supplementary instructions if objective indications give rise to justified doubts as to the lawfulness or permissibility of the processing. This particularly includes breaches of data protection regulations or provisions of the Main Agreement. In such a case, the Processor shall notify the Client immediately.

7. Subcontracting Relationships

7.1. The Client agrees that the Processor may employ the subcontractors listed in Annex 2 for the operation of the data center.

7.2. Without the Client's consent, the Processor may engage additional or alternative subcontractors for the processing of the contractual data, provided that such data are processed exclusively within the Federal Republic of Germany or the EU/EEA. The Client shall be informed in writing, including the name of the subcontractor, regarding such engagements.

7.3. The rights of the Client must also be effectively exercisable against the subcontractor. In particular, the Client must be entitled at all times to carry out, or have carried out, inspections of the subcontractor to the extent specified herein.

7.4. The Processor shall select the subcontractor with particular consideration given to the suitability of the subcontractor's technical and organizational measures.

7.5. The transfer of data processed under this Agreement to the subcontractor is permitted only if the Processor has, by documented evidence, ascertained that the subcontractor has fully met its obligations. The Processor shall provide the relevant documentation to the Client without being requested.

7.6. The engagement of subcontractors who do not provide data processing services exclusively within the EU or the EEA is permitted only in compliance with the terms of this Agreement. This is particularly allowed only if the subcontractor provides adequate data protection guarantees. The Processor shall inform the Client as to which specific data protection guarantees the subcontractor provides and how such evidence may be obtained.

7.7. Subcontracting relationships within the meaning of this Agreement shall include only those services that are directly related to the provision of the main service. Ancillary services, such as transportation, maintenance, cleaning, as well as the use of telecommunications services or customer support, are not covered. The Processor's obligation to ensure data protection and data security in these cases remains unaffected.

8. Rights and Obligations of the Client

8.1. The Client shall be solely responsible for assessing the lawfulness of the commissioned processing as well as for safeguarding the rights of the data subjects.

8.2. The Client shall notify the Processor without delay if it identifies any errors or irregularities in the review of the processing results.

8.3. The Client is entitled to verify, either directly or through third parties, to an appropriate extent, that the Processor complies with the data protection regulations and the contractual agreements, in particular by obtaining information, inspecting the stored data and data processing programs, and through other on-site inspections. The Processor shall grant the persons assigned to the inspection the necessary access and insight. The Processor is obliged to provide all necessary information, demonstrate processes, and furnish evidence required for the conduct of an inspection.

8.4. The Client shall not carry out its own inspections if the Processor can provide the requested evidence by means of a market-standard certificate (e.g., according to ISO, DIN, or SOC standards). Inspections at the Processor's premises shall take place without causing avoidable disruption to its business operations, unless urgent, documentable reasons exist otherwise.

9. Notification Obligations

9.1. The Processor shall notify the Client without delay of any data protection breaches. Reasonable suspicions thereof shall also be reported. The notification must be made without undue delay from the time the Processor becomes aware of the relevant incident to an address designated by the Client, in compliance with the statutory deadlines. The notification must contain at least the following information:

  • a description of the nature of the data protection breach, including, where possible, the affected categories and the approximate number of affected persons and data records;
  • the name and contact details of the Data Protection Officer or another contact point for further information;
  • a description of the likely consequences of the data protection breach;
  • a description of the measures taken or proposed by the Processor to remedy the data protection breach and to mitigate any potential adverse effects.

9.2. Significant disruptions in the performance of the contract as well as breaches by the Processor or its employees of data protection regulations or contractual provisions must also be reported without delay.

9.3. The Processor shall immediately inform the Client of any inspections or measures by supervisory authorities or third parties that relate to the data processing.

9.4. The Processor warrants that it shall support the Client to the extent necessary in fulfilling its obligations under Articles 33 and 34 of the GDPR.

10. Termination of the Contract

10.1. Upon termination of the contractual relationship or at the request of the Client, the Processor shall, at the Client’s option, either destroy or transfer the data processed under the contract to the Client. All copies of the data shall likewise be destroyed. Such destruction shall be carried out in a manner that ensures that the data, including any residual information, cannot be recovered with reasonable effort.

10.2. The Processor is obliged to ensure the immediate return or deletion of the data also by any Subprocessors.

10.3. Documentation serving as evidence of proper data processing shall be retained by the Processor in accordance with the applicable retention periods even beyond the termination of the contract. Such documentation may be provided to the Client at the termination of the contract for discharge purposes. Deletion shall be carried out immediately upon the Client’s request, which may require a period of up to four weeks, unless a sooner deletion is warranted by the circumstances. Should an earlier deletion be desired, the Client shall notify the Processor with sufficient notice.

11. Remuneration

11.1. The Processor’s remuneration is conclusively regulated in the Main Agreement. No separate remuneration or cost reimbursement shall be provided under this Agreement.

12. Miscellaneous

12.1. Both Parties undertake to maintain the confidentiality of all trade secrets and security measures of the other Party acquired in the course of the contractual relationship, even after the termination of the contract. In the event of any doubt as to whether a piece of information is subject to a confidentiality obligation, it shall be treated as confidential until it is released in writing or in text form by the other Party.

12.2. Should access to the data transmitted by the Client to the Processor for processing be endangered by measures of third parties (e.g., by an insolvency administrator or seizure by financial authorities), the Processor shall notify the Client without delay.

12.3. In the event of any inconsistencies between the provisions of this Agreement and those of the Main Agreement, the provisions of this Agreement shall prevail.

12.4. Side agreements must be made at least in written form.

12.5. The right of retention pursuant to § 273 of the German Civil Code (BGB) is excluded with respect to the data processed under this Agreement and the associated data carriers. Should any part of this Agreement be invalid, the validity of the remaining contractual clauses shall remain unaffected.

12.6. This Agreement is subject to the law of the Federal Republic of Germany. The jurisdiction shall be the place of business of the Processor.

Annex: Technical and Organizational Measures

The technical and organizational measures to ensure data protection and data security, which the Processor is required to establish and maintain continuously, are set forth below. The aim is particularly to ensure the confidentiality, integrity, and availability of the information processed under the contract.

1. General Measures

  • The obligation of confidentiality for employees is an integral part of all employment contracts at BlueID and prohibits, inter alia, the further disclosure of personal or business data of third parties, particularly of the employer's clients, to unauthorized third parties. Non-compliance shall be subject to a contractual penalty.
  • Regular data protection training for employees.
  • A specifically qualified Data Protection Officer: see Section 4.8 of the Agreement.
  • Adherence to the standards of ISO 27001.
  • Data Processing Agreements with Subprocessors.

2. Confidentiality

2.1. Access, Entry, Storage, and Data Carrier Control

Measures that are designed to prevent unauthorized persons from accessing data processing facilities where personal data are processed.

Since BlueID does not operate its own servers, we refer to the comprehensive measures implemented by the operators of the data centers used by us, namely Amazon Web Services ("AWS") and Hetzner Online GmbH, on the perimeter, infrastructure, data, and environmental levels.

A detailed description of the protective measures implemented by AWS for the operated server locations can be found on the company's website: https://aws.amazon.com/de/compliance/data-center/data-centers/

A detailed description of the protective measures implemented by Hetzner Online GmbH for the operated server locations can be found on the company's website: https://docs.hetzner.com/de/general/others/technical-and-organizational-measures/

2.2. Access and User Control

Measures that are designed to prevent unauthorized use of data processing systems.

  • Authentication using username/password
  • Technical enforcement of password complexity
  • Encrypted storage of passwords
  • Automatic lockout mechanisms
  • Automatic update installation via admin policy on clients
  • Use of firewalls, antivirus software, spam filters, anti-spy programs, and secure remote connections
  • Encryption of data carriers in mobile systems
  • Prohibition of USB data carriers (except for technical/administrative tasks, e.g., client installation)
  • Standardized process for the application, approval, setup, and deletion of user accounts
  • Review in the event of changes in task assignments, transfers, departures, etc.
  • One user record per user
  • Use of secure passwords
  • Mandatory password change upon initial login
  • Prohibition of sharing passwords
  • Reset of locked user accounts only after secure authentication
  • Administrative accesses limited to the necessary number
  • Task/department-specific administrative accesses
  • Policies regarding clean desk, password issuance, and manual computer locking

2.3. Access Control

Measures that ensure that individuals may only access data within the scope of their access rights and that personal data are not read, copied, altered, or removed without authorization during processing.

  • Documented authorization concept available
  • Assignment of user rights/creation of user profiles
  • Management of rights by system administrators
  • Reduction of the number of administrators to the "minimum necessary"
  • Logging of changes to data
  • Encryption of data carriers
  • Secure storage of data carriers
  • Proper destruction of data carriers

2.4. Data Deletion Concept, Transport, and Transition Control

Measures that ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission and that it can be verified to which points the transfer of personal data by data transmission entities is intended.

2.5. Firewall: The firewall technologies required by the state of the art have been implemented and are maintained up to date.

2.6. Creation of an overview of data carriers upon analog input and output.

3. Integrity

3.1. Input/Processing Control

Measures that ensure that it can be subsequently verified whether and by whom personal data have been entered, modified, or deleted in data processing systems.

  • Traceability of data entry, modification, and deletion through individual usernames (not user groups)
  • Existence of retention and deletion periods for logs

3.2. Documentation Control

Measures that ensure that the procedures for processing personal data are documented in such a manner that they can be reasonably traced.

3.3. Transfer Control

Measures that ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it can be verified to which points the transfer of personal data is intended.

  • Encryption of transport when sending emails
  • Websites are encrypted with HTTPS

4. Availability Control

Measures that ensure that personal data are protected against accidental destruction or loss and can be restored in the event of a disruption.

Within the data centers used by Hetzner and AWS, numerous measures have been implemented to protect against disruptions and disasters, including:

  • Uninterruptible power supply (UPS)
  • Surge protection
  • Protection against environmental influences (e.g., storms, water)
  • Monitoring of temperature and humidity in server rooms
  • Fire and smoke detectors
  • Alarm systems for unauthorized access to server rooms
  • Testing of data recovery procedures
  • Air conditioning in server rooms
  • Regular backups
  • Secure off-site storage of data backups
  • Antivirus systems
  • RAID procedures for disk mirroring
  • Existence of a disaster recovery plan

5. Segregation Principle

Measures that ensure that data collected for different purposes can be processed separately:

  • Physically segregated storage on separate systems or data carriers
  • Marking of data sets with purpose attributes or data fields
  • Logical tenant separation (software-based)
  • Separation of production and test systems
  • Definition of database access rights
  • Control via a documented authorization concept
  • Separation of data from different clients

6. Review, Assessment, and Evaluation

Measures that ensure regular or ad hoc verification of whether the data protection requirements are met:

  • Conducting audits
  • Preparation of data protection impact assessments
  • Engagement of external auditors
  • Up-to-date data protection organization including regular training for employees

7. Employed Subprocessors

7.1. AWS / AWS S3 / AWS SES

We use the services of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter "AWS") for our user authentication service (OpenID) as well as for our legacy ACaaS and IDaaS products as application servers (on which the backends operate), AWS S3 for hosting files uploaded in our apps, and AWS SES for the dispatch of invitation emails within our apps to our users.

The locations of the utilized servers/data centers are in the "Frankfurt Region" operated by AWS (see also https://aws.amazon.com/de/region-frankfurt/).

AWS meets high international security standards and is certified according to the standards ISO/IEC 27001, 27017, 27018, and 9001. Details regarding these standards and certifications can be viewed at https://aws.amazon.com/de/compliance/iso-certified/.

The "Appendix to Data Processing" for AWS can be viewed here: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

7.2. weclapp

We use weclapp.com of weclapp GmbH, located at Friedrich-Ebert-Straße 28, 97318 Kitzingen (hereinafter "weclapp") as a service provider for sales management, our marketing processes, and customer service processing. For the use of weclapp, we have entered into a Data Processing Agreement to protect your personal data.

Further information on data protection at weclapp.com can be found at: https://www.weclapp.com/de/datenschutz/

7.3. Hetzner

We use Hetzner Online GmbH, located at Industriestraße 25, 91710 Gunzenhausen (hereinafter "Hetzner") as a service provider for hosting our Cloud Access Backend and app infrastructure. For the use of Hetzner, we have entered into a Data Processing Agreement to protect your personal data.

Hetzner is certified according to the standards ISO/IEC 27001 and SOC2. The locations of the utilized servers/data centers are in Germany.

Further information on data protection at Hetzner can be found at: https://www.hetzner.com/de/legal/privacy-policy

7.4. MongoDB

As a database management system, we use the MongoDB solution provided by MongoDB Deutsche GmbH, Solmsstraße 41, 60486 Frankfurt am Main. We have entered into a Data Processing Agreement with the provider to protect the data made available to us.

Further information on data protection at MongoDB can be viewed at: https://www.mongodb.com/de-de/legal/privacy-policy

7.5. New Spaces

For the provision of common office applications (e.g., email, word processing), we use our partner New Spaces GmbH, located at Schönhauser Allee 163, 10435 Berlin. New Spaces GmbH exclusively employs reputable IT service providers for this purpose. Further information on this may be obtained from our Data Protection Officer.

8. Rights and Obligations of the Client

8.1. The Client shall be solely responsible for assessing the lawfulness of the commissioned processing as well as for safeguarding the rights of the data subjects.

8.2. The Client shall notify the Processor immediately if any errors or irregularities are identified in the review of the processing results.

8.3. The Client is entitled to verify, either directly or through third parties, to an appropriate extent, that the Processor complies with the data protection regulations and the contractual agreements, in particular by obtaining information, inspecting the stored data and data processing programs, as well as through other on-site inspections. The Processor shall grant the persons assigned to the inspection the necessary access and insight. The Processor is obliged to provide all necessary information, demonstrate processes, and furnish evidence required for conducting an inspection.

8.4. The Client shall not conduct its own inspections if the Processor is able to provide the requested evidence by presenting a market-standard certificate (e.g., according to ISO, DIN, or SOC standards). Inspections at the Processor's premises shall take place without causing avoidable disruption to its business operations, unless urgent, documentable reasons exist otherwise.

9. Notification Obligations

9.1. The Processor shall notify the Client without delay of any data protection breaches. Reasonable suspicions thereof shall also be reported. Such notification must be made without undue delay from the time the Processor becomes aware of the relevant incident to an address designated by the Client, in compliance with the statutory deadlines. The notification must include at least the following information:

  • a description of the nature of the data protection breach, including, where possible, the affected categories and the approximate number of affected persons and data records;
  • the name and contact details of the Data Protection Officer or another contact point for further information;
  • a description of the likely consequences of the data protection breach;
  • a description of the measures taken or proposed by the Processor to remedy the data protection breach and to mitigate any potential adverse effects.

9.2. Significant disruptions in the performance of the contract as well as breaches by the Processor or its employees of data protection regulations or contractual provisions must also be reported without delay.

9.3. The Processor shall immediately inform the Client of any inspections or measures by supervisory authorities or third parties that relate to the data processing.

9.4. The Processor warrants that it shall support the Client to the extent necessary in fulfilling its obligations under Articles 33 and 34 of the GDPR.

10. Termination of the Contract

10.1. Upon termination of the contractual relationship or at the request of the Client, the Processor shall, at the Client’s option, either destroy or transfer to the Client the data processed under the contract. All existing copies of the data shall likewise be destroyed. Such destruction shall be carried out in such a manner that recovery of the data, including any residual information, is not possible with reasonable effort.

10.2. The Processor is obliged to ensure the immediate return or deletion of the data also by any Subprocessors.

10.3. Documentation that serves as evidence of proper data processing shall be retained by the Processor in accordance with the applicable retention periods even beyond the termination of the contract. Such documentation may be provided to the Client at the termination of the contract for discharge purposes. Deletion shall be carried out immediately upon the Client’s request, which may require a period of up to four weeks, unless a sooner deletion is warranted by the circumstances. Should an earlier deletion be desired, the Client shall notify the Processor with sufficient notice.

11. Remuneration

11.1. The Processor’s remuneration is conclusively regulated in the Main Agreement. No separate remuneration or cost reimbursement shall be provided under this Agreement.

12. Miscellaneous

12.1. Both Parties undertake to maintain the confidentiality of all trade secrets and security measures of the other Party acquired in the course of the contractual relationship, even after termination of the contract. In the event of any doubt as to whether any information is subject to a confidentiality obligation, it shall be treated as confidential until it is released in writing or in text form by the other Party.

12.2. Should access to the data transmitted by the Client to the Processor for processing be endangered by measures of third parties (e.g., by an insolvency administrator or seizure by financial authorities), the Processor shall notify the Client without delay.

12.3. In the event of any inconsistencies between the provisions of this Agreement and those of the Main Agreement, the provisions of this Agreement shall prevail.

12.4. Side agreements must be made at least in written form.

12.5. The right of retention pursuant to § 273 of the German Civil Code (BGB) is excluded with respect to the data processed under this Agreement and the associated data carriers. Should any part of this Agreement be invalid, the validity of the remaining contractual clauses shall remain unaffected.

12.6. This Agreement is governed by the law of the Federal Republic of Germany. The jurisdiction shall be the place of business of the Processor.

Annex: Technical and Organizational Measures

The following sets forth the technical and organizational measures required to ensure data protection and data security, which the Processor is obligated to establish and maintain continuously. The objective is to ensure, in particular, the confidentiality, integrity, and availability of the information processed under the contract.

1. General Measures

  • The confidentiality obligation for employees is an integral part of all employment contracts at BlueID and prohibits, inter alia, the further disclosure of personal or business data of third parties, particularly of the employer's clients, to unauthorized third parties. Non-compliance shall be subject to a contractual penalty.
  • Regular data protection training for employees.
  • A specifically qualified Data Protection Officer: see Section 4.8 of the Data Processing Agreement (AVV).
  • Adherence to the standards of ISO 27001.
  • Data Processing Agreements with Subprocessors.

2. Confidentiality

2.1. Access, Entry, Storage, and Data Carrier Control

Measures designed to prevent unauthorized persons from accessing data processing facilities where personal data are processed.

Since BlueID does not operate its own servers, we refer to the comprehensive measures implemented by the operators of the data centers used by us, namely Amazon Web Services ("AWS") and Hetzner Online GmbH, at the perimeter, infrastructure, data, and environmental levels.

A detailed description of the protective measures implemented by AWS for the operated server locations can be found on the company's website: https://aws.amazon.com/de/compliance/data-center/data-centers/

A detailed description of the protective measures implemented by Hetzner Online GmbH for the operated server locations can be found on the company's website: https://docs.hetzner.com/de/general/others/technical-and-organizational-measures/

2.2. Access and User Control

Measures designed to prevent unauthorized use of data processing systems.

  • Authentication using username/password
  • Technical enforcement of password complexity
  • Encrypted storage of passwords
  • Automatic lockout mechanisms
  • Automatic update installation via admin policy on clients
  • Use of firewalls, antivirus software, spam filters, anti-spy programs, and secure remote connections
  • Encryption of data carriers in mobile systems
  • Prohibition of USB data carriers (except for technical/administrative tasks, e.g., client installation)
  • Standardized process for the application, approval, setup, and deletion of user accounts
  • Review in the event of changes in task assignments, transfers, departures, etc.
  • One user record per user
  • Use of secure passwords
  • Mandatory password change upon initial login
  • Prohibition of shared use of passwords
  • Reset of locked user accounts only after secure authentication
  • Administrative access limited to the necessary number
  • Task/department-specific administrative accesses
  • Policies regarding clean desk, password issuance, and manual computer locking

2.3. Access Control

Measures that ensure that individuals may only access data within the scope of their access rights and that personal data are not read, copied, altered, or removed without authorization during processing.

  • Documented authorization concept available
  • Assignment of user rights/creation of user profiles
  • Management of rights by system administrators
  • Reduction of the number of administrators to the "minimum necessary"
  • Logging of changes to data
  • Encryption of data carriers
  • Secure storage of data carriers
  • Proper destruction of data carriers

2.4. Data Deletion Concept, Transport, and Transition Control

Measures that ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission and that it can be verified to which points the transfer of personal data by data transmission entities is intended.

2.5. Firewall: The firewall technologies required by the state of the art have been implemented and are maintained up to date.

2.6. Creation of an overview of data carriers upon analog input and output.

3. Integrity

3.1. Input/Processing Control

Measures that ensure that it can be subsequently verified whether and by whom personal data have been entered, modified, or deleted in data processing systems.

  • Traceability of data entry, modification, and deletion through individual usernames (not user groups)
  • Existence of retention and deletion periods for logs

3.2. Documentation Control

Measures that ensure that the procedures for processing personal data are documented in such a manner that they can be reasonably traced.

3.3. Transfer Control

Measures that ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it can be verified to which points the transfer of personal data is intended.

  • Encryption of transport when sending emails
  • Websites are encrypted with HTTPS

4. Availability Control

Measures that ensure that personal data are protected against accidental destruction or loss and can be restored in the event of a disruption.

Within the data centers used by Hetzner and AWS, numerous measures have been implemented to protect against disruptions and disasters, including:

  • Uninterruptible power supply (UPS)
  • Surge protection
  • Protection against environmental influences (e.g., storms, water)
  • Monitoring of temperature and humidity in server rooms
  • Fire and smoke detectors
  • Alarm systems for unauthorized access to server rooms
  • Testing of data recovery procedures
  • Air conditioning in server rooms
  • Regular backups
  • Secure off-site storage of data backups
  • Antivirus systems
  • RAID procedures for disk mirroring
  • Existence of a disaster recovery plan

5. Segregation Principle

Measures that ensure that data collected for different purposes can be processed separately:

  • Physically segregated storage on separate systems or data carriers
  • Marking of data sets with purpose attributes or data fields
  • Logical tenant separation (software-based)
  • Separation of production and test systems
  • Definition of database access rights
  • Control via a documented authorization concept
  • Separation of data from different clients

6. Review, Assessment, and Evaluation

Measures that ensure that compliance with the data protection requirements is verified regularly or on an ad hoc basis:

  • Conducting audits
  • Preparation of data protection impact assessments
  • Engagement of external auditors
  • Maintaining an up-to-date data protection organization including regular employee training

7. Employed Subprocessors

7.1. AWS / AWS S3 / AWS SES

We use the services of Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, 1855 Luxembourg (hereinafter "AWS") for our user authentication service (OpenID) as well as for our legacy ACaaS and IDaaS products as application servers (on which the backends operate), AWS S3 for hosting files uploaded in our apps, and AWS SES for sending invitation emails within our apps to our users.

The locations of the utilized servers/data centers are in the "Frankfurt Region" operated by AWS (see also https://aws.amazon.com/de/region-frankfurt/).

AWS meets high international security standards and is certified according to the standards ISO/IEC 27001, 27017, 27018, and 9001. Details regarding these standards and certifications can be viewed at https://aws.amazon.com/de/compliance/iso-certified/.

The "Appendix to Data Processing" for AWS can be viewed here: https://d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf

7.2. weclapp

We use weclapp.com of weclapp GmbH, located at Friedrich-Ebert-Straße 28, 97318 Kitzingen (hereinafter "weclapp") as a service provider for sales management, our marketing processes, and customer service processing. For the use of weclapp, we have entered into a Data Processing Agreement to protect your personal data.

Further information on data protection at weclapp.com can be found at: https://www.weclapp.com/de/datenschutz/

7.3. Hetzner

We use Hetzner Online GmbH, located at Industriestraße 25, 91710 Gunzenhausen (hereinafter "Hetzner") as a service provider for hosting our Cloud Access Backend and app infrastructure. For the use of Hetzner, we have entered into a Data Processing Agreement to protect your personal data.

Hetzner is certified according to the standards ISO/IEC 27001 and SOC2. The locations of the utilized servers/data centers are in Germany.

Further information on data protection at Hetzner can be found at: https://www.hetzner.com/de/legal/privacy-policy

7.4. MongoDB

As a database management system, we use the MongoDB solution provided by MongoDB Deutsche GmbH, Solmsstraße 41, 60486 Frankfurt am Main. We have entered into a Data Processing Agreement with the provider to protect the data made available to us.

Further information on data protection at MongoDB can be viewed at: https://www.mongodb.com/de-de/legal/privacy-policy

7.5. New Spaces

For the provision of common office applications (e.g., email, word processing), we use our partner New Spaces GmbH, located at Schönhauser Allee 163, 10435 Berlin. New Spaces GmbH exclusively employs reputable IT service providers for this purpose. Further information on this may be obtained from our Data Protection Officer.