TOM

Technical-organizational measures

Appendix "Technical-organizational measures"
according to § 9 BDSG or Art. 32 DSGVO

§ 1. Technical and organisational security measures

According to § 11 Paragraph 2 Sentence 2 No. 3 BDSG in conjunction with § 9 BDSG and Art. 32 DSGVO, the contracting parties are obliged to define the technical and organisational security measures. In other words, as a cloud and hosting provider, we are obliged to guarantee the highest level of security for the protection of sensitive, especially personal, data.

§ 2. Internal organisation of the contractor

The contractor shall design his internal organisation in such a way that it meets the special requirements of data protection. Measures shall be taken which are appropriate to the type of personal data or categories of data to be protected. In other words, we will at all times take all measures to ensure the protection of confidential and personal data.

§ 3. Specification of individual measures

In detail, the following measures are determined:
Confidentiality (Art. 32 para. 1 lit. b. DSGVO)
  • Admission control: No unauthorised access to data processing systems. Rooms are secured by access control (only individual persons are granted access after prior registration), personal RFID cards plus a personal biometric feature (fingerprint), electric door openers, separation systems, 24/7 plant security, alarm systems and video systems at all entrances and exits and in the rooms themselves;
  • Entry control: No unauthorised system use. Every user has personal access data. Only secure passwords are used. Accounts are automatically blocked if manipulation is suspected. Two-factor authentication is mandatory and all volumes are encrypted;
  • Access control: No unauthorised reading, copying, modification or removal within the system. Authorisation concepts are used for this purpose. Access rights are granted according to the Deny/Allow principle and limited to what is strictly necessary. Every access is logged;
  • Separation control: Separate processing of data collected for different purposes, e.g. multi-client capability, sandboxing, separation of test and production environments;
  • Pseudonymisation (Art. 32 para. 1 lit. a DSGVO; Art. 25 para. 1 DSGVO): The processing of personal data takes place in such a way that the data cannot be assigned to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to corresponding technical and organisational measures.
In other words: to ensure confidentiality, we protect all our servers and data stores from unauthorised physical access by all available means. Use of our systems or services is impossible without personal access data. No one, not even our employees, has direct access to your data. In principle, we only grant user rights (if necessary, temporary rights) that are absolutely necessary for the work of our employees, and we log every process. Information that we need for our development processes, for example, never contains personal data. We guarantee that export of confidential data is never possible. Should we ever process personal data, we will use algorithmic measures to anonymise this data so that no natural person can be identified from it.

Integrity (Art. 32 para. 1 lit. b DSGVO)
  • Forwarding control: No unauthorised reading, copying, modification or removal during electronic transmission or transport. According to the current state of the art, this is achieved by encrypting data and transferring it via Virtual Private Networks (VPN). Checksums are added to data before transmission to verify that it arrives unchanged;
  • Input control: Determining whether and by whom personal data has been entered into, modified in or removed from data processing systems. For this purpose, changes and entries of data are logged. Documents are managed in a document management system.

In other words: we ensure data integrity by always working with strong encryption and by immediately detecting any unwanted changes to data through the use of checksums. We log the creation of new data and the modification of existing data for better traceability. We can therefore recognise "who" has done "what" and "at which time".
Availability and resilience (Art. 32 para. 1 lit. b DSGVO)
  • Availability control: Protection against accidental or deliberate destruction or loss through an online backup strategy (off-site), uninterruptible power supply (UPS), redundant hardware, network separation and the use of firewalls, as well as ensuring rapid recovery of services in the event of an error;
  • Fast recoverability (Art. 32 para. 1 lit. c DSGVO).

In other words: we monitor all our services and do everything in our power to ensure the highest possible availability and security. We back up our own data, but not your data. We regularly rehearse various events to prepare for a major disruption, so that we immediately know what we need to do.
Procedures for regular review, analysis and evaluation (Art. 32 para. 1 lit. d DSGVO; Art. 25 para. 1 DSGVO)
  • Privacy Management;
  • Incident response management;
  • Data protection-friendly default settings (Art. 25 para. 2 DSGVO);
  • Order control: No processing of order data within the meaning of Art. 28 DSGVO without corresponding instructions from the principal. For this purpose, clear contract design and formalised order management are in place, and possible service providers are selected according to strict criteria. Appropriate controls and follow-up checks are carried out.

In other words: we ensure very good data protection at all times and data protection-friendly operation. We will never process your confidential or personal data without your order. Experienced engineers also ensure operation around the clock.