The Principal as Controller and Dealcode as Processor shall, in accordance with Article 32 of the GDPR, take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
The client is responsible for identifying and implementing its own suitable measures in accordance with Art. 24 of the GDPR. Dealcode recommends following the recommendations of relevant guidelines and standards, such as ISO/IEC 27002 and the Federal Office for Information Security.
In the following, those measures are set out which Dealcode itself has taken to ensure the security of processing. Where necessary, corresponding measures of relevant subcontractors, in particular with regard to physical security by Infrastructure as a Service providers and data center operators, are also listed and marked accordingly or referred to accordingly.
Dealcode has implemented the following technical and organisational measures within the meaning of Art. 32 GDPR to ensure encryption and pseudonymisation, confidentiality, integrity, availability and resilience, recoverability, as well as corresponding procedures for verification.
Measures to ensure data protection by technological design and by privacy-friendly default settings.
Appropriate technical and organisational measures must be implemented which meet the requirements of the GDPR and ensure by means of suitable default settings that only personal data whose processing is necessary for the respective specific processing purpose is processed.
Dealcode already takes the requirements of Art. 25 GDPR into account in the conception and development phase of product development. This is ensured by proactively involving the legal department, the data protection officer and the information security manager. Processes and functionalities are set up in such a way that data protection principles such as lawfulness, transparency, purpose limitation and data minimisation, as well as the security of processing, are taken into account at an early stage.
Measures to ensure confidentiality
Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information may only be accessible to authorised persons in the permitted manner.
Ensure that the internal organisation meets the specific requirements of data protection.
The goals in data protection and information security are defined in a data protection and information security policy and are binding for all Dealcode employees. In addition, further organisational instructions are implemented to provide employees with concrete guidelines in the context of the processing of personal data (e.g. guidelines on working from home and teleworking or guidelines on the use of IT, Internet and e-mail).
A data protection officer has been appointed by the management. He works towards compliance with the regulations on data protection and fulfils the tasks within the meaning of Art. 39 GDPR. This includes, among other things, support in the establishment and further development of a data protection management system, in the drafting, further development and monitoring of corresponding guidelines, and the implementation of regular awareness-raising measures.
All employees are bound in writing to confidentiality, data protection and other relevant laws when they receive their employment contract or at the latest at the beginning of their employment. The obligation continues beyond the term of employment. Freelance employees or external service providers are bound to confidentiality in writing by means of non-disclosure agreements (NDAs) and also sign an order processing agreement if they process personal data on behalf of Dealcode.
Every Dealcode employee receives information and leaflets on data protection with the employment contract and confirms that they have taken note of them. In addition, regular training (primarily by the data protection officer) is carried out as awareness-raising measures. Employees from particularly sensitive areas such as the human resources department, product development or customer service also receive separate information and training on specific specialist topics as required.
Dealcode employees are not permitted to use the company e-mail system for private purposes. The Internet connection and telephone services may be used privately only to a limited extent. Strict attention must be paid to the separation of private and company data. Furthermore, Dealcode employees are not allowed to process personal data or other data of the client, in particular data from the order, on private means of communication. Dealcode employees commit themselves to observing the corresponding guidelines, compliance with which is monitored within the permissible and necessary scope.
Dealcode implements measures before, during and after employment to ensure personnel security. This usually includes:
Ensuring that personal data is only stored in the system in a way that does not allow third parties to identify the data subject.
For the use, protection and lifetime of keys, as well as for the use of state-of-the-art encryption procedures, Dealcode implements a policy on the use of cryptographic procedures. Accordingly, the master key is generated and managed outside the infrastructure of the Infrastructure as a Service provider and data centre operator used by Dealcode. Keys are transmitted outside the virtual private cloud and stored within the infrastructure used exclusively in encrypted form. Access to the key management is logged automatically and is checked for irregularities by authorised Dealcode personnel in case of concrete suspicion. The corresponding keys are rotated at regular intervals, and previously used keys are immediately invalidated and removed. In addition, keys are strictly separated by network or database (e.g. a key is never transferred to another network). A regular security check ensures that the key rotation measures are effective and that old keys have been properly removed.
State-of-the-art encryption is used on all databases used by Dealcode, so that data from the database can only be read after proper authentication on the respective database system. The storage media ("storage") used to store documents are also encrypted at the file system level. Backups of the database systems are stored exclusively in encrypted form.
All personal data transmitted from the Dealcode application to a client or to other platforms via an insecure or public network are transmitted exclusively in encrypted form. This applies in particular to access to the customer and admin systems. Dealcode guarantees the use of a state-of-the-art encryption method to the extent that the encryption algorithm is supported on the client side (currently HTTPS connections, i.e. Transport Layer Security (TLS); regarding "backward compatibility", the client is responsible for using end devices and browsers compatible with the state of the art). Administrative access to Dealcode server systems, as well as the transfer of backups, is carried out exclusively via encrypted connections, e.g. Secure Shell (SSH) or a Virtual Private Network (VPN). For access to customer systems in the context of home and teleworking, a VPN connection is used. Only VPN servers under the direct control of Dealcode are used; the use of public VPN providers is not permitted.
Mobile data carriers on which Dealcode data are used or processed are used exclusively in encrypted form. This applies in particular to USB sticks, external hard drives and similar media. In principle, the use of mobile data carriers for the storage of customer data is not permitted.
Appropriate state-of-the-art hard drive encryption will be set up on all employee laptops.
In principle, the exchange of information and files between the principal and Dealcode takes place directly, in encrypted form, via the Dealcode application (see c.). If personal data or confidential information of the principal must be transferred to servers and cannot be sent via TLS-encrypted HTTPS uploads, they will be transferred using the Secure File Transfer Protocol (SFTP) or another encrypted mechanism according to the state of the art. The client is responsible for requesting or providing this secure data transport as required.
In principle, all e-mails sent by Dealcode employees or from within the Dealcode application are encrypted with TLS. Exceptions may arise if the receiving mail server does not support TLS. The Customer shall ensure that the mail servers used within the scope of the order support TLS encryption.
Denying unauthorised persons access to IT systems and processing equipment with which the processing is carried out.
The entrance doors to the premises of Dealcode are always locked and electronically secured. The doors are opened via a personal electronic key.
There is a central, documented allocation of keys to Dealcode employees. These electronic keys can be deactivated centrally by the management or the personnel department.
Access of external service providers and other third parties may only take place after prior authorization and accompaniment by an employee of Dealcode.
Rooms or cabinets with an increased need for protection, for example router room, office of the personnel department, cabinet with contract documents, etc., are always locked after leaving or use. Access to these premises is only granted to authorised personnel.
Employees are organizationally instructed to keep windows and doors closed or locked outside of office hours.
Dealcode only uses server systems from data center operators who have a valid certification according to ISO/IEC 27001 and therefore implement appropriate technical and organizational measures for physical and environmental security, e.g.
Prevention of the use and processing of data protected under data protection law by unauthorised persons.
Access to personal data is always made via encrypted protocols: SSH, SSL/TLS, HTTPS or comparable protocols.
i. Authentication procedure IT system/ laptop
ii. Authentication procedure customer system (Customer system = access for administrators and users of the client)
iii. Authentication procedure Admin system (Admin system = access to customer systems via user interface for customer service staff as well as product development of Dealcode, if this has been enabled by the customer for support purposes)
The customer can designate, via the system settings, persons authorised to request support and issue instructions, who may give instructions to Dealcode in accordance with the order processing contract. The designation of such a person is made using the contact data provided to Dealcode (e.g. name, e-mail address, telephone number, user ID). Dealcode's customer service team is obliged to accept instructions from, or give information to, only the named persons and to verify their identity accordingly in advance. In the case of telephone inquiries, the personal telephone PIN stored in Dealcode must be verified first.
When assigning and regularly updating secure passwords, the requirements of the BSI IT-Grundschutz or other equivalent, recognised security standards must be taken into account for the Dealcode account as well as for laptops, computers and other mobile end devices (i.e. special characters, minimum length, regular change of the password). Users of Dealcode are required to take comparable measures for blocking in case of inactivity; the client is responsible for this.
Both users of Dealcode and employees are prohibited from sharing passwords for the use of Dealcode, as well as the use of so-called "shared accounts" for access to customer, admin and administrative systems (i.e. exclusive use of personal and individual user login when logging into the system).
Laptops of Dealcode employees are locked by the user with password protection when not in use. In addition, an automatic screen lock with password protection is set up after 10 minutes of inactivity. Users of Dealcode are required to take comparable measures for locking in case of inactivity. The client has to take care of this.
The laptops of Dealcode employees, and all other operational IT systems, are equipped with state-of-the-art, up-to-date anti-virus software. As a matter of principle, no computer may be operated without resident virus protection unless other equivalent state-of-the-art security measures have been taken or there is no risk. Predefined security settings may not be deactivated or bypassed.
Dealcode employees are required not to print out or locally store personal data of customers, not to leave work materials lying around in the open and to store them neatly. Documents with personal data are to be stored after use either in lockable cabinets or drawers or disposed of in accordance with data protection regulations.
Public wireless networks are used exclusively through a VPN connection provided by Dealcode.
Ensure that persons authorised to use an automated processing system have access only to the personal data covered by their access authorisation.
i. Role and authorization concept customer system
Administrators of the client can individually configure a multi-level role concept for the assignment of rights and differentiate between viewing, suggestion and editing rights per function or area within Dealcode for individual users.
ii. Roles and Authorization Concept Admin System
Access to the admin system is generally restricted to trained employees in the customer service and product development departments. Employees from the sales and finance teams have access via the admin system only to customer systems during the free trial phase or to the corresponding billing data, and can therefore not view customer data.
iii. Role and authorization concept server/database system
Access to the server/database system is generally restricted to a limited number of trained employees in the product development and infrastructure departments.
The client has the possibility to decide via the system settings in the customer system whether Dealcode can access the customer system. The access authorization is deactivated as default and can be activated or deactivated by authorized employees of the client at any time.
Dealcode assigns access rights according to the "need-to-know" principle. Accordingly, access is only granted to persons who clearly need it and for as long as they need it. The requesting person must justify the need conclusively when applying. The authorization concept is role-based. Each employee is assigned a specific role. Authorizations that deviate from this role must be justified. Access authorizations are documented centrally and withdrawn by the administrator immediately after the need for access has ceased. Accesses are limited to the minimum necessary privileges. Access to the admin system or server/database system is approved by the management, the head of the infrastructure department or the information security manager and is usually carried out according to the dual control principle. The administrators or the Information Security Manager regularly check whether authorisations granted are still required. Supervisors are also obliged to request a corresponding correction of authorizations from the IT administration in the event of a change of tasks for employees. In the event that employees leave the company, HR managers must inform the administrators or the HR department immediately of any pending changes so that the corresponding authorizations can be revoked. The withdrawal of authorisations must take place, if possible, within 24 hours of an employee leaving.
Every server system is equipped with a host-based intrusion detection system. This monitors at least parameters such as conspicuous system log entries, signatures of known rootkits and Trojans, anomalies in the file system, and brute-force attacks. All parameters except changes to file systems are evaluated in real time; file systems are checked at least once a day. In the event of anomalies, the responsible employees (operations and product development) are informed immediately by e-mail notification.
Dealcode's servers use packet filtering firewalls to ensure that no services are directly accessible from the Internet. Publicly reachable services are routed through load balancers or bastion hosts that only allow the protocols needed for the service in question.
Attempts to log in to and log out of admin, customer system and server systems/software are logged (min. e-mail address, user ID, IP address, result of the log-in attempt and time stamp) and currently stored for up to 30 days. These logs can be evaluated upon request and/or in case of concrete suspicion.
Ensure that personal data collected for different purposes can be processed separately and are segregated from other data and systems in such a way that unplanned use of these data for other purposes is excluded.
Data from the operating environment may only be transferred to test or development environments if they have been completely anonymised before the transfer. The transfer of the anonymised data must be encrypted or take place via a trusted network. Software that is to be transferred to the operating environment must first be tested in an identical test environment ("staging"). Programs for error analysis or for the creation/compilation of software may only be used in the operating environment if this cannot be avoided. This is especially the case if error situations depend on data that would be distorted by the anonymisation required for transfer to test environments.
Dealcode separates its networks according to tasks. The following networks are used permanently: production environment, staging environment, office IT staff, office IT guests. In addition to these networks, further separate networks are created as required, e.g. for restore tests and penetration tests. Depending on the technical possibilities, the networks are separated physically or by means of virtual networks.
Dealcode ensures the separate processing and storage of data from different clients via logical client separation based on a multi-tenancy architecture. Data are allocated and identified by assigning a unique identifier to each client (e.g. customer number/company ID). The architecture is secured by integration tests, which ensure that no database query is executed without being filtered on and assigned to this identifier, so that the risk of circumventing the client separation through programming errors is minimised. Regular security audits as well as binding code reviews (4- to 6-eyes principle) additionally secure the architecture.
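The following is an added illustration of the two controls described above (tenant scoping in the data access layer and an integration-test guard that flags any query on a tenant-owned table lacking a tenant predicate); it is example code written for this page, not Dealcode's own implementation. The table and column names (`deals`, `contacts`, `tenant_id`) and the sample rows are assumptions constructed for the example, and the in-memory SQLite database stands in for the production database.

```python
"""Added example: tenant-scoped data access plus a guard that detects unscoped queries.

Not Dealcode's code; table names, column names and rows are constructed assumptions.
"""
from __future__ import annotations

import re
import sqlite3
from dataclasses import dataclass, field
from typing import Any

# Tables whose rows belong to exactly one client (assumed names).
TENANT_TABLES = {"deals", "contacts"}

SCHEMA = """
CREATE TABLE deals (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL);
CREATE TABLE contacts (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, email TEXT NOT NULL);
"""

# Constructed sample rows for two clients; ids are assigned 1..5 in this order.
SAMPLE_ROWS = [
    ("deals", ("acme", "Renewal Q3")),
    ("deals", ("acme", "Upsell")),
    ("deals", ("globex", "Pilot")),
    ("contacts", ("acme", "buyer@acme.example")),
    ("contacts", ("globex", "cto@globex.example")),
]


@dataclass
class QueryGuard:
    """Trace callback for sqlite3: records every SELECT/UPDATE/DELETE on a
    tenant-owned table whose WHERE clause does not contain a tenant_id predicate.
    Used in integration tests so an unscoped query fails the build."""

    violations: list[str] = field(default_factory=list)

    _table_re = re.compile(r"\b(?:FROM|JOIN|UPDATE)\s+([A-Za-z_]\w*)", re.IGNORECASE)
    _scope_re = re.compile(r"\bWHERE\b.*\btenant_id\s*=", re.IGNORECASE | re.DOTALL)

    def __call__(self, statement: str) -> None:
        tables = {t.lower() for t in self._table_re.findall(statement)}
        if tables & TENANT_TABLES and not self._scope_re.search(statement):
            self.violations.append(statement.strip())


class TenantScopedRepository:
    """Data access layer bound to one client; every query carries its tenant_id."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self._conn = conn
        self._tenant_id = tenant_id

    def list_deals(self) -> list[str]:
        rows = self._conn.execute(
            "SELECT title FROM deals WHERE tenant_id = ? ORDER BY id", (self._tenant_id,)
        ).fetchall()
        return [r[0] for r in rows]

    def find_deal(self, deal_id: int) -> str | None:
        # Even a lookup by primary key keeps the tenant predicate; otherwise a guessed
        # id belonging to another client would be returned.
        row = self._conn.execute(
            "SELECT title FROM deals WHERE id = ? AND tenant_id = ?", (deal_id, self._tenant_id)
        ).fetchone()
        return row[0] if row else None


def leaky_find_deal(conn: sqlite3.Connection, deal_id: int) -> str | None:
    """The kind of programming error the integration tests are meant to catch:
    a lookup that trusts the id alone and ignores the tenant."""
    row = conn.execute("SELECT title FROM deals WHERE id = ?", (deal_id,)).fetchone()
    return row[0] if row else None


def build_connection(guard: QueryGuard | None = None) -> sqlite3.Connection:
    """Create the in-memory database, load the constructed rows, then attach the guard."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, (tenant, value) in SAMPLE_ROWS:
        col = "title" if table == "deals" else "email"
        conn.execute(f"INSERT INTO {table} (tenant_id, {col}) VALUES (?, ?)", (tenant, value))
    conn.commit()
    if guard is not None:
        conn.set_trace_callback(guard)
    return conn


def run_isolation_check() -> dict[str, Any]:
    """Exercise the scoped repository and the leaky helper under the guard."""
    guard = QueryGuard()
    conn = build_connection(guard)
    acme = TenantScopedRepository(conn, "acme")
    globex = TenantScopedRepository(conn, "globex")
    result: dict[str, Any] = {
        "acme_deals": acme.list_deals(),
        "globex_deals": globex.list_deals(),
        # deal id 3 belongs to globex: the scoped lookup from acme must return nothing
        "acme_sees_globex_deal": acme.find_deal(3),
        # the leaky helper hands it out regardless of tenant ...
        "leaky_result": leaky_find_deal(conn, 3),
    }
    # ... and the guard has recorded exactly that one unscoped statement
    result["violations"] = list(guard.violations)
    return result


if __name__ == "__main__":
    for key, value in run_isolation_check().items():
        print(f"{key}: {value}")
```

In a real test suite the guard would be attached to the connection used by the integration tests and the suite would fail whenever `violations` is non-empty; the regex check is deliberately simple and should be read as a backstop for code review, not a replacement for it.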
Measures to ensure integrity
Integrity refers to ensuring the correctness (integrity) of data and the correct functioning of systems.
Ensure that the confidentiality and integrity of personal data is protected during the transmission of personal data and during the transport of data media.
See "Encryption and pseudonymisation of personal data", ensuring the integrity of data in transit by calculating checksums.
A transfer of personal data carried out on behalf of the client may in each case take place only to the extent of the instructions and insofar as it is necessary for the provision of the contractual services to the client. In particular, the disclosure of personal data from the order to unauthorised third parties, e.g. by storage in another cloud storage, is not permitted.
See "Logging of system activities within the admin and customer system and evaluation" under "2.8. Input control".
Ensure that it is possible to verify and establish ex post which personal data have been entered or modified in automated processing systems, at what time and by whom.
Significant system activities are logged (min. user ID, rights according to role concept, IP address, system components or resources, type of activities performed and time stamp) and currently stored for up to 30 days. This includes in particular the entry, modification and deletion of data, users and authorisations as well as the modification of system settings. Upon request and/or in case of concrete suspicion, a corresponding evaluation of the logs can be carried out.
Measures to ensure availability
The availability of services, functions of an IT system, IT applications or IT networks, or of information, exists if these can always be used by the users as intended.
Ensure that personal data is protected against accidental destruction or loss.
Dealcode implements a state-of-the-art backup concept for the database holding the client's data and for the storage medium holding the corresponding documents, in order to ensure adequate availability.
To ensure geo-redundancy in the event of an unforeseen event, such as a natural disaster, Dealcode ensures that appropriate specifications of spatial separation are guaranteed with regard to the server infrastructure of the productive data and backups. This can be ensured by using different data centers within sufficient distance or data centers of different availability zones.
There is a capacity management including monitoring and automatic notification of the responsible employees of Dealcode in case of capacity bottlenecks.
An alert system is in place to monitor the accessibility and condition of the server systems. In the event of failures, the infrastructure department is automatically notified in order to take immediate action to rectify the problem.
There is a concept and documented procedures for dealing with disruptions and security-relevant events ("incidents"). This includes, in particular, the planning and preparation of the response to incidents, procedures for the monitoring, detection and analysis of security-relevant events, as well as the definition of corresponding responsibilities and reporting channels in the event of a breach of the protection of personal data within the framework of the legal requirements.
An automatic fire detection and suppression system is installed in the data center. The fire detection system uses smoke sensors throughout the data center environment, in mechanical and electrical areas of the infrastructure, cold rooms, and in the rooms where the generators are located. All power systems are redundant. An uninterruptible power supply (UPS) ensures that critical areas of the facility continue to receive power in the event of a power outage. The data center also has generators that can provide emergency power to the entire facility. The data center has air conditioning and temperature control. Preventive maintenance is performed to ensure the continued operation of the facilities.
Ensure that deployed systems can be recovered in the event of physical or technical failure.
Regular full restore tests are conducted to ensure recoverability in the event of an emergency/disaster.
There is a concept for handling emergencies/disasters as well as a corresponding emergency plan. Dealcode ensures the recovery of all systems based on the data backups, usually within 24 hours.
Monitoring and evaluation measures
Presentation of the procedures for regular review, assessment and evaluation of the effectiveness of the technical and organisational measures.
Security team: A Data Protection and Information Security Team (DST) has been set up to plan, implement, evaluate and adjust data protection and data security measures.
A process is in place to analyse, assess and allocate risks, derive actions based on these risks and regularly evaluate the effectiveness of these actions as part of Dealcode's data protection and information security management system.
i. Conducting audits
Regular internal audits on data protection and information security are carried out while ensuring the independence of the auditor (e.g. from another area or externally). Audits are carried out on the basis of common audit criteria/schemes (in particular legal requirements of the GDPR, security standards, etc.) and check in particular the completeness and correctness of guidelines and concepts as well as the documentation and compliance with corresponding processes.
ii. Verification of compliance with security policies and standards (according to 18.2.2 ISO/IEC 27002:2017)
Compliance with the applicable security guidelines, standards and other security requirements for the processing of personal data is regularly reviewed. Where possible, these reviews are carried out on a random and unannounced basis.
iii. Verification of compliance with technical specifications (according to 18.2.3 ISO/IEC 27002:2017)
Regular automated and manual vulnerability scans are performed by the Information Security Manager or other qualified personnel to check the security of the applications and infrastructure and the regular further development of the product. If required, detailed penetration tests are carried out by an external service provider to specifically examine the applications and infrastructure for vulnerabilities.
iv. Process for continuous improvement of the data protection and information security management system
The processes for data protection and information security also include a regular review and evaluation of the technical and organizational measures taken. This also includes an improvement and suggestion system in which employees can participate. Dealcode thus ensures continuous improvement of the processes for handling personal data.
Ensuring that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.
i. Processing on instruction
Dealcode's employees are instructed to process personal data of the Principal from the Order exclusively on documented instructions within the framework of the Order Processing Agreement and the User Agreement. According to the Order Processing Agreement, Dealcode accepts instructions from the Principal in written form as well as via the electronic formats offered by the Contractor for this purpose. Verbal instructions are only permitted in urgent cases and must be confirmed by the Principal immediately in writing or in an electronic format offered by Dealcode for this purpose.
ii. Careful supplier selection
In the case of outsourcing, suppliers/third-party providers are commissioned on the basis of a careful selection process in cooperation with the Information Security Manager, Data Protection Officer and Legal Department according to defined criteria, in particular with regard to data protection and IT security, especially ...
For risk prevention purposes, a risk assessment is also carried out for the respective suppliers as part of the process, insofar as the third-party supplier regularly works with personal data.
iii. Commissioned processing pursuant to Art. 28 GDPR
The commissioning and use of a subcontractor shall only take place in accordance with the order processing agreement between Dealcode and the Principal, legal provisions, as well as after the conclusion of a corresponding agreement on order processing in accordance with Art. 28 of the GDPR between Dealcode and the subcontractor. If possible, this agreement shall regularly take into account at least the following aspects:
iv. Carrying out regular checks/demanding evidence
Dealcode will satisfy itself of the subcontractors' compliance with their technical and organisational measures before the start of the assignment and thereafter on a regular basis, or will have these measures proven to it.