Annex 1 to the order according to Art. 28 GDPR

Technical and organisational measures according to Art. 32 GDPR


I. Confidentiality

  • Physical access control
    • The offices of Synesty GmbH (hereinafter referred to as the Contractor) are located in an office building in Jena.
      • The Contractor's offices are locked day and night. Only the Contractor's employees have access to the rooms. Access to the building is controlled by an electronic locking system managed by the landlord; however, each tenant of the office building can manage the transponder keys issued to it and grant and withdraw electronic access rights. At the Contractor this is managed by the human resources department.
      • Key allocation and key management follow a defined process which regulates the granting and withdrawal of access authorisations for rooms both at the beginning and at the end of an employment relationship.
      • Access authorisations are granted to an employee only if requested by the respective supervisor and/or the human resources department. The principle of necessity is applied when granting authorisations.
      • Visitors may not move about the offices unescorted.
      • Physical servers are rented from Hetzner Online GmbH. The technical and organisational measures of Hetzner Online GmbH, Gunzenhausen, published at https://www.hetzner.de/pdf/ADV_TOM.pdf apply.
  • System access control
    • The Contractor has taken the following measures to control access to IT systems:
      • for internal management systems of the Contractor
        • To gain access to IT systems, employees must hold an appropriate access authorisation. Administrators assign the corresponding user authorisations, but only once the relevant supervisor has requested it. The request can also be made via the human resources department.
        • The employee then receives a user name and an initial password, which must be changed at the first logon. The password policy requires a minimum length of 8 characters, and the password must contain upper and lower case letters, numbers and special characters.
        • Remote access to the Contractor's IT systems is always made via encrypted connections. Where possible, additional procedures such as two-factor authentication are used.
        • All client systems are equipped with anti-virus software that receives signature updates daily.
        • All servers are protected by firewalls, which are continuously maintained and supplied with updates and patches.
        • Access from servers and clients to the Internet, and access to these systems from the Internet, is likewise secured by firewalls. This also ensures that only the ports required for the respective communication can be used; all other ports are blocked.
        • All employees are instructed to lock their IT systems when leaving them.
        • Passwords are always stored in encrypted form.
      • Infrastructure at Hetzner Online GmbH
        • Access to servers is always encrypted.
  • Data access control
    • for internal management systems of the Contractor
      • Authorisations for the Contractor's IT systems and applications are set up exclusively by administrators.
      • Authorisations are always assigned according to the need-to-know principle: only those persons who maintain and support data, databases or applications, or who are active in development, are granted access rights to them.
      • The prerequisite is a corresponding request for authorisation for an employee by a supervisor. The request can also be submitted via the human resources department.
      • A role-based authorisation concept allows differentiated assignment of access authorisations, ensuring that employees receive access rights to applications and data according to their area of responsibility and, where necessary, on a project basis.
      • Data carriers are destroyed by a service provider who guarantees destruction in accordance with DIN 66399.
      • All employees of the Contractor are instructed to place documents containing personal data and/or information about projects in the designated destruction containers.
      • Employees are generally prohibited from installing unauthorised software on IT systems.
      • All server and client systems are regularly updated with security updates.
  • Separation
    • All IT systems used by the Contractor for clients are multi-client capable. The separation of data belonging to different clients is always guaranteed.
  • Pseudonymisation and encryption
    • Administrative access to server systems is always made via encrypted connections.
    • In addition, data on local computers is stored on encrypted data carriers; appropriate hard disk encryption systems are in use.
    • Client data is pseudonymised by the Contractor.

II. Integrity (Art. 32(1)(b) GDPR)

  • Input control
    • The entry, modification and deletion of personal data processed by the Contractor on behalf of the client is always logged.
    • Employees are obliged to work only with the accounts assigned to them.
  • Transfer control
    • Personal data is transferred by the Contractor on behalf of the client only to the extent necessary, as agreed with the client, or to the extent required to provide the contractual services for the client.
    • All employees working on a client project are instructed on the permissible use of data and the modalities of data transfer.
    • As far as possible, data is transmitted to recipients in encrypted form.
    • Employees of the Contractor may not use private data carriers in connection with client projects.
    • Employees of the Contractor are regularly trained on data protection issues. All employees are obliged to treat personal data confidentially.

III. Availability and resilience (Art. 32(1)(b) GDPR)

  • Data on the Contractor's server systems is backed up incrementally at least daily and in full weekly. The backup media are stored encrypted in a physically separate location.
  • Restoration from backups is tested regularly.
  • Availability control
    • All server systems are monitored; in the event of a malfunction, a report is immediately sent to an administrator.
    • Hard disk mirroring is used for all relevant servers.
    • All relevant servers are monitored.
    • Physical servers are rented from Hetzner Online GmbH. The technical and organisational measures of Hetzner Online GmbH, Gunzenhausen, published at https://www.hetzner.de/pdf/ADV_TOM.pdf apply.
    • The Contractor has a contingency plan, which includes a restart plan.
  • Rapid recoverability (Art. 32(1)(c) GDPR)
    • An escalation chain is defined for all internal systems, specifying who is to be informed in the event of a fault so that the system can be restored as quickly as possible.

IV. Procedures for periodic review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)

  • for internal management systems of the Contractor
    • A Data Protection and Information Security Team (DST) has been established to plan, implement, evaluate and adjust guidelines and measures in the area of data protection and data security.
    • The guidelines are regularly evaluated for their effectiveness and adjusted where necessary.
    • In particular, it is ensured that data protection incidents are recognised by all employees and reported to the DST without delay. The DST investigates the incident immediately. Where data processed on behalf of clients is affected, the clients are informed immediately about the nature and extent of the incident.
    • When data is processed for the Contractor's own purposes and the requirements of Art. 33 GDPR are met, the supervisory authority is notified within 72 hours of the incident becoming known.
  • Assignment control
    • Data storage and processing take place exclusively in the European Union or in countries that have an agreement with the European Union (e.g. through corresponding model clauses).
    • If external service providers or third parties are involved, a data processing agreement is concluded in accordance with the applicable data protection laws. Such contractors are also regularly monitored during the contractual relationship.
  • Data protection by design and by default
    • Already during software development, the Contractor ensures that the principle of necessity is taken into account in user interfaces. For example, form fields and screen masks can be designed flexibly, so that fields can be made mandatory or deactivated.
    • The Contractor's software supports input control by means of an audit trail, which enables unalterable storage of changes to data and to user authorisations.
    • Authorisations on data and applications can be set flexibly.