Measures we take to protect your security & privacy
1.1 Confidentiality: Access control
1.1.01 Laptops or smart devices (iPad, etc.) will be kept locked away at the end of service or will be taken home.
1.1.02 Logging on to a client is done through personal user accounts (username and password or similar methods (facial recognition, fingerprint, etc.)).
1.1.03 Collective accounts or unpersonalized user access to clients (several users share one access) do not exist.
1.1.04 A firewall is active on each client (computer) used.
1.1.05 Anti-virus software is installed on each client computer and is updated daily or when a new user logs on.
1.1.06 Incoming mails are checked online on the e-mail server (at the hoster) for viruses.
1.1.07 Incoming mails are checked for spam online at the mail server (hoster).
1.1.08 On each client computer an (antivirus) software is installed, which offers appropriate protection (web filter).
1.1.09 For screens that are used in premises to which customers have access and where personal data are processed, care is taken to ensure that the screen cannot be viewed. If necessary, an appropriate privacy screen is provided.
1.1 Confidentiality: Access control
1.2.01 The number of administrators for servers and central software is reduced to the "essentials”.
1.2.02 Each administrator has his own user account and the password consists of at least of 12 digits.
1.2.03 Passwords expire regularly.
1.2.04 Passwords must be chosen in such a way that they must be different from the last passwords (e.g. last 6 used) must be different.
1.2.05 Passwords of users have sufficient complexity (contain upper and lower case letters, special characters and digits, and have a minimum length of 8 digits).
1.2.06 User rights for software in use are administered centrally by specified system administrators.
1.2.07 Each user receives a separate user account for each system and software he needs for his work (no collective user accounts).
1.2.08 Each user receives on the basis of the "need to know" principle, only the access rights (to data, systems, software, file storage systems) that are absolutely necessary for his activity.
1.2.09 When a user leaves the company, it is ensured that his or her access authorizations are
access rights are immediately removed and the user is also deleted after a certain period of time.
1.2.10 Access rights are assigned on the basis of defined user profiles.
1.2.11 If the need for one or more access rights ceases to exist for a user, the rights are also withdrawn promptly.
1.2.12 Access to sensitive applications or data is logged (who accessed, changed or deleted data and when).
1.2.13 Paper files containing personal data are shredded.
1.3 Confidentiality: separation requirement
1.3.01 Data that is processed electronically as part of a commissioned processing operation is segregated. It is ensured that the data of one client is protected from access by other clients.
1.3.02 In the case of software applications that process personal data, there is a separation into test and production systems.
1.3.03 The access to data in databases is regulated.
1.3.04 Data is backed up to physically and locally separate media.
1.3.05 Software applications and file repositories to which several users have access are equipped with an authorization system.
1.3.06 Personal data is processed only for the specified purposes.
1.3.07 Personal data is disclosed only for the specified purposes.
1.4 Confidentiality: Encryption
1.4.01 For data transfer, encrypted connections such as https (website) or sftp (FTP server) are used.
1.4.02 The most recent version of the TLS encryption protocol is used.
2.1 Integrity: input control
2.1.01 Documents or forms in which sensitive data are collected shall be retained if they are processed automatically in order to be able to correct data errors.
2.1.02 The input, modification and deletion of data by individual users (not user groups) can be traced.
2.1.03 There is a technical logging of the entry, modification and deletion of data incl. the time of the modification and who changed the data.
2.1.04 Logging in and logging out of software applications to which several users have access is logged.
2.1.05 Logging on and off servers is logged.
3.1 Availability and load capacity: Availability control
3.1.01 Updates and security patches are regularly applied to clients and servers.
3.1.02 From relevant systems (e.g. accounting, CRM, HR software) or other systems which personal data are processed, regular data backups are made.
3.1.03 Data backups are kept physically separate from productive data.
3.1.04 Regular checks are made to ensure that data backups can be completely restored.
3.1.05 Data backups are deleted after a defined period of time.
4.1 Verification procedure: Data protection management
4.1.01 Processes are in place to fulfill the rights of data subjects
4.1.02 The information requirements (data protection declaration) are reviewed regularly.
4.1.03 All employees are bound to confidentiality and data secrecy.
4.1.04 Employees receive annual data protection training or demonstrable awareness training.
4.1.05 A policy on the correct use and updating of passwords has been established and employees are trained on this.
4.1.06 There is a policy on the transport and storage of laptops and smart devices during business trips and in the home office.
4.1.07 Employees are instructed to ensure that the valid data protection measures are also applied in the home office.
4.2 Procedure for verification: Incident response management
4.2.01 A process for reporting security breaches to the data protection authority and affected persons exists.
4.2.02 For each security breach, measures are discussed and implemented that will lead to prevention or mitigation of further security breaches (TOMs).
4.2.03 Processing operations are checked with regard to a data protection impact assessment. If necessary, such an carried out and documented if required.
4.3 Procedures for verification: Order control
4.3.01 There is an overview of all suppliers (recipients) who process personal data on our behalf as a processor.
4.3.02 The selection of the contractor is carried out under due diligence aspects (in particular with regard to data security).
4.3.03 We have concluded a processor agreement with all of our processors.
4.3.04 Employees of contractors are obligated to maintain data secrecy, or the contractor must
must ensure this on his part.