This article describes the technical and organizational measures we have in place for backup, data protection and security.

1. Confidentiality (Article 32, Paragraph 1, Point b GDPR)

Physical access control

We host our platform on AWS (Amazon Web Services) in Frankfurt, Germany. AWS documents its physical data-center controls in detail here: https://aws.amazon.com/compliance/data-center/controls/

Electronic access control

The database can only be reached from our own premises, and access is restricted to system administrators. Direct modification of data in the database is restricted. Database passwords are kept in our password manager, which itself can only be opened after logging in with two-factor authentication. The CTO is responsible for access and key management and for assigning authorizations; access is granted only where an employee's role requires it.

Internal access control (permissions for user rights of access to and amendment of data)

The database can only be reached from our own premises, and access is restricted to system administrators. Direct modification of data in the database is restricted. The CTO is responsible for access and key management and for assigning authorizations; rights are granted only where an employee's role requires it.

Isolation control

Every record is bound to the ID of the customer account it belongs to, so data is scoped per client.

Pseudonymisation (Article 32, Paragraph 1, Point a GDPR; Article 25, Paragraph 1, GDPR)

Personal data is stored encrypted. It can only be read by someone who either has the login credentials of the client account, or has both database access and the encryption key.

2. Integrity (Article 32, Paragraph 1, Point b GDPR)

Data transfer control

The database can only be reached from our own premises, and access is restricted to system administrators. Direct modification of data in the database is restricted. All personal data is stored encrypted in the database.

Data entry control

Verification of whether, and by whom, personal data is entered into, changed in or deleted from a data processing system, e.g. logging, document management.

Only logged-in customers can view or change the personal data held in their own customer account. We do not log changes to or deletions of personal data.

3. Availability and resilience (Article 32, Paragraph 1, Point b GDPR)

Availability control

Prevention of accidental or deliberate destruction or loss, e.g. backup strategy (online/offline, on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning.

We host our platform on AWS (Amazon Web Services) in Frankfurt, Germany. AWS documents its data-center controls in detail here: https://aws.amazon.com/compliance/data-center/controls/

We have a backup strategy in place; backups are retained for 30 days.

Rapid recovery (Article 32, Paragraph 1, Point c GDPR)

Our data recovery lead time is 48 working hours.

4. Procedures for regular testing, assessment and evaluation (Article 32, Paragraph 1, Point d GDPR; Article 25, Paragraph 1, GDPR)

Data protection management

Once a year we carry out an internal audit of the current state of our data protection management.

Incident response management

We have an incident procedure in place. 

Data protection by design and default (Article 25, Paragraph 2 GDPR)

Our build and development process includes data protection by design and default. 

Order or contract control

We have a contract control process in place. 

No third-party data processing as per Article 28 GDPR without corresponding instructions from the client, e.g. clear and unambiguous contractual arrangements, formalized order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks.

As stated in the processor agreement, we process data only on the documented (written) instructions of the controller, and the only third parties involved in processing are Mailchimp and Amazon (AWS, Frankfurt).