The contractor shall take the following technical and organizational measures for data security within the meaning of Art. 32 GDPR.

Preliminary information

The listing reflects the security measures implemented by CGX. Customer systems run on infrastructure of Amazon Web Services, Inc. The data of the customer systems resides exclusively in ISO 27001 certified data centers in Europe (Frankfurt am Main), which meet current security standards and the requirements of the EU General Data Protection Regulation.

Reference is made to the documentation of the data center operator AWS (current versions under Compliance, Data Center and Global Infrastructure).

Physical access control

"Denying unauthorized persons access to the processing equipment with which the processing is carried out"

Offices

The offices are located at the company headquarters in Hamburg.

Access to the building and offices is secured by a locking system.

Access control

"Ensuring that the persons entitled to use an automated processing system have access only to the personal data covered by their access authorization"

There is a documented authorization process: permission requests are made in a ticket system and logged.

Authorizations always follow the principle of least privilege and are reviewed regularly.

Data Center

Both the data used by CGX for administrative purposes and the data of the customer systems are located exclusively in ISO 27001 certified data centers in Europe, which comply with the latest security standards.

Regarding the customer systems, reference is made to the documentation of the data center operator AWS (current versions under Compliance, Data Center and Global Infrastructure).

Entry control

"Ensuring that it can be subsequently verified and established which personal data were entered or changed in automated processing systems, at what time and by whom"

User accounts are only issued to named individuals, so changes can always be attributed to a specific user.

All data changes are recorded in logs.

Change management is implemented in IT: changes to the systems are generally recorded through IT tickets.

Transport control

"Ensuring that the confidentiality and integrity of the data are protected during the transmission of personal data and the transport of data media"

Cloud data

Users can access the systems only over encrypted connections.

Access by end devices and users is routed through a firewall system. Network monitoring is in place that detects faults and notifies the administrators immediately.

Operation by CGX

USB storage media are blocked for users and can only be used by documented exception.

The network is separated from public networks (Internet) by a firewall system. Incoming and outgoing traffic can be logged.

Users are obliged by the binding IT and privacy policy to transmit personal data only in encrypted form.

Use of current encryption algorithms in the transmission of personal data.

Use of encrypted VPN technology for access to IT systems by employees and service providers.

Use of shredders for data protection compliant disposal.

Availability control

"Ensuring that personal information is protected against destruction or loss"

The data center operator guarantees availability as part of the service level agreements applicable to the customer contract.

This is supported by the use of mirrored systems, uninterruptible power supplies, redundant line connections and other measures.

Reference is also made to the documentation of the data center operator.

Storage media control

"Preventing the unauthorized reading, copying, modification or deletion of data media"

Cloud data

The data hosted in the central data centers can only be accessed over encrypted connections by a limited circle of administrators and, in line with the client's instructions, is not transported further.

Operation by CGX

The IT and Privacy Policy requires that mobile media may only be used in encrypted form. This is enforced by appropriate IT systems.

The workstations used by employees are laptops whose hard drives are fully encrypted using current encryption technology.

Data carriers are disposed of in compliance with data protection by a certified service provider.

Central policies and technical controls govern the connection of smartphones.

Storage control

"Preventing the unauthorized input of personal data and the unauthorized inspection, modification and deletion of stored personal data"

Cloud data

The data hosted in the central data centers can only be accessed over encrypted connections by a limited circle of administrators and is not transported further.

All access passes through firewalls and is monitored by a network monitoring system.

Operation by CGX

The IT and Privacy Policy requires that mobile media may only be used in encrypted form. This is enforced by appropriate IT systems.

The workstations used by employees are laptops whose hard drives are fully encrypted using current encryption technology.

User control

"Preventing the use of automated processing systems by unauthorized persons by means of data transmission facilities"

In all systems, passwords are stored only in irreversible form as hash values, never as recoverable plaintext or reversibly encrypted values.
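The following is an added example of what irreversible password storage looks like in practice; it is not CGX's code and the page does not say which algorithm or parameters CGX uses. It assumes scrypt from the Python standard library, a per-password random salt, the self-describing record format `scrypt$N$r$p$salt$digest`, and the cost parameters shown (all assumptions). The `login` helper also shows the check a practitioner would add on top: unknown usernames cost the same as wrong passwords, so response time does not reveal which accounts exist.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict

# Work-factor parameters are assumed values for this example; tune them so that
# one hash costs roughly 100 ms on the authentication server.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme, cost parameters, salt, digest.

    A fresh random salt per password means two users with the same password
    get different records and precomputed tables are useless. The digest is
    a one-way function of the password; nothing in the record lets anyone
    recover the plaintext.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return "$".join(
        ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P), _b64(salt), _b64(digest)]
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the parameters stored in the record.

    Storing the parameters alongside the digest lets the work factor be
    raised later without invalidating existing records. Comparison is
    constant-time so the check does not leak how many bytes matched.
    """
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), dklen=len(expected),
        )
    except (ValueError, TypeError):
        # Malformed record, bad base64 or invalid cost parameters: reject.
        return False
    return hmac.compare_digest(candidate, expected)


# Hash of a random throwaway password, used so that a login attempt for an
# unknown username still performs one full hash computation.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


def login(store: Dict[str, str], username: str, password: str) -> bool:
    """Check credentials against a username -> record store.

    The store (constructed by the caller) holds only hash records; plaintext
    passwords never appear in it. Unknown users are verified against the
    dummy record so timing does not reveal whether the username exists.
    """
    record = store.get(username, _DUMMY_RECORD)
    return verify_password(password, record) and username in store


if __name__ == "__main__":
    # Constructed demo: one user, one correct and two failed attempts.
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong password"))                # False
    print(login(users, "mallory", "correct horse battery staple"))  # False
```

Two points worth noting when reading the output: running the demo twice prints two different records for the same password, which is the salt doing its job, and a stolen record with known parameters still costs an attacker one full scrypt evaluation per guess.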

Login is only possible with a username and a password that complies with the password rules.

There is a mandatory password policy within the company's IT and privacy policy.

The passwords comply with complexity guidelines and must be changed regularly.

Unused accounts are regularly deactivated by the IT administration.

If misuse is detected, user accounts can be deactivated centrally, so that user access permissions are controlled from one place.

Transmission control

"Ensuring that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available by means of data transmission facilities"

The customer's personal data remains in the central data center and will not be transferred to other systems.

Access by end devices and users is routed through a firewall system. Network monitoring is in place that detects faults and notifies the administrators immediately.

Recoverability

"Ensuring that deployed systems can be restored in the event of a failure"

The data backup measures are documented in a data backup concept.

Central backups are made using snapshot technology by the data center operator.

The backup functionality is regularly checked and tested.

Reliability

"Ensuring that all functions of the system are available and malfunctions are reported"

A network monitoring system is used that notifies administrators by e-mail.

A lifecycle management process separates development, test and production environments; changes are thoroughly tested before being released to the production system.

Current methods for team-based development contribute to reducing errors.

Data integrity

"Ensuring that stored personal data cannot be corrupted by malfunctions of the system"

Data integrity is implemented through database design, in particular referential integrity constraints and safeguards against erroneous deletions.

Comprehensive logging functionality enables unintended changes to be detected and undone.

Order control

"Ensuring that personal data processed on behalf of the client can only be processed in accordance with the client's instructions"

Where data is processed as a processor within the meaning of Art. 28 GDPR, the precedence of the client's instructions is implemented by binding employees to data protection and to specific data protection regulations.

The data protection officer reviews the service provider contracts and the technical and organizational security measures taken by the contractor.

Careful selection of contractors.

Clear contract design, in particular delimitation of responsibilities between client and contractor and determination of the control measures to be carried out.

Clear and unambiguous instructions (preferably in writing).

Determination of the persons authorized to issue and receive instructions.

Regulation of the use of subcontractors.

Separability

"Ensuring that personal data collected for different purposes can be processed separately"

Separation of production, test and development systems.

Records are tagged with their client affiliation by corresponding attributes in all essential database tables, so that data of different clients can be identified and processed separately.

Consideration of data protection regulations in the design of processes.

The data center operator strictly separates client systems and data media and associated personal data so that they are not accessible to third parties.

For more information on the separation of personal data, see the AWS documentation (current versions under Compliance, Data Center and Global Infrastructure).

Pseudonymization and encryption

Pursuant to Art. 32 (1) (a) GDPR, pseudonymization and encryption must be considered when designing the security measures.

Pseudonymization is supported by the relational database structure: identifying attributes such as names and addresses are stored only once and referenced by key from other records, rather than being duplicated across tables.

In the exchange of data with service providers, pseudonymisation is used wherever possible.
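The following added example illustrates the two database-level measures described above, the client-affiliation attribute in every essential table (Separability) and the relational structure that keeps names and addresses in one place so that data handed to a service provider can be pseudonymous. It is not CGX's code or schema; the table layout, the column name `client_id`, the `TenantScope` helper and the sample rows are all constructed for this example. It uses SQLite from the Python standard library so it runs offline.

```python
import sqlite3
from typing import List, Optional, Tuple

# Assumed name of the client-affiliation attribute; the page only says
# "corresponding attributes". It is a constant, never user input, so it is
# safe to interpolate into the SQL below.
TENANT_COLUMN = "client_id"


def open_demo_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data.

    Identifying attributes (name, e-mail) live only in the person table;
    every other essential table carries the tenant column and refers to a
    person by key instead of copying the name.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(
        """
        CREATE TABLE client (
            client_id INTEGER PRIMARY KEY,
            name      TEXT NOT NULL
        );
        CREATE TABLE person (
            person_id INTEGER PRIMARY KEY,
            client_id INTEGER NOT NULL REFERENCES client(client_id),
            name      TEXT NOT NULL,
            email     TEXT NOT NULL
        );
        CREATE TABLE ticket (
            ticket_id INTEGER PRIMARY KEY,
            client_id INTEGER NOT NULL REFERENCES client(client_id),
            person_id INTEGER NOT NULL REFERENCES person(person_id),
            subject   TEXT NOT NULL
        );
        -- constructed sample rows, not real data
        INSERT INTO client VALUES (1, 'Client A'), (2, 'Client B');
        INSERT INTO person VALUES
            (10, 1, 'Alice Arndt', 'alice@example.com'),
            (20, 2, 'Bob Berg',    'bob@example.org');
        INSERT INTO ticket VALUES
            (100, 1, 10, 'Password reset'),
            (200, 2, 20, 'Data export request');
        """
    )
    return conn


def tables_missing_tenant_column(conn: sqlite3.Connection) -> List[str]:
    """Schema check: list every user table that lacks the tenant column.

    Run this in CI or as a periodic control so that a new table cannot be
    introduced without the client affiliation attribute.
    """
    missing = []
    for (name,) in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'"
    ):
        columns = {row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')}
        if TENANT_COLUMN not in columns:
            missing.append(name)
    return sorted(missing)


class TenantScope:
    """All data access goes through here and is always filtered by tenant.

    The client id comes from the authenticated session, never from the
    request parameters; a ticket id belonging to another client simply does
    not exist from this client's point of view.
    """

    def __init__(self, conn: sqlite3.Connection, client_id: int) -> None:
        self.conn = conn
        self.client_id = client_id

    def get_ticket(self, ticket_id: int) -> Optional[Tuple[int, str]]:
        return self.conn.execute(
            "SELECT ticket_id, subject FROM ticket "
            f"WHERE ticket_id = ? AND {TENANT_COLUMN} = ?",
            (ticket_id, self.client_id),
        ).fetchone()

    def pseudonymous_export(self) -> List[Tuple[int, int, str]]:
        """Rows for a service provider: person key only, no name or e-mail.

        Because identifying attributes are held only in the person table,
        the export never joins it; re-identification needs that table,
        which stays with the controller.
        """
        return self.conn.execute(
            "SELECT ticket_id, person_id, subject FROM ticket "
            f"WHERE {TENANT_COLUMN} = ? ORDER BY ticket_id",
            (self.client_id,),
        ).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print("tables without tenant column:", tables_missing_tenant_column(db))
    client_a = TenantScope(db, 1)
    print(client_a.get_ticket(100))   # own ticket: (100, 'Password reset')
    print(client_a.get_ticket(200))   # other client's ticket: None
    print(client_a.pseudonymous_export())
```

The important design choice is that the scope object, not the calling code, adds the tenant filter; a developer who forgets the filter cannot produce a cross-client query because there is no unscoped query method. The schema check covers the organizational requirement "in all essential tables" with something that can actually fail a build.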

Statistics and evaluations are anonymised as much as possible.

The principles of pseudonymization, anonymization, encryption and data minimization, and the importance of these measures, are explained in the mandatory data protection training for employees.

The encryption measures used are described, among other places, in the preceding sections of this document.