Technical and Organizational Measures

Description of technical and organizational measures (TOMs)

1. Confidentiality

Our company finds itself in a particularly confidential relationship with the customer. That is why we treat all received data and information confidentially and observe discretion.

1.1. Physical Access Control

Administration:

  • Alarm facility
  • Key control (issuance of keys, etc.)
  • Locked doors during absence
  • Careful selection of cleaning personnel

Data Center (Hetzner):

  • Electronic access control system with record-keeping
  • High security fence around the entire computer center
  • Documented distribution of keys
  • Guidelines for the escorting and identification of guests in the building
  • 24/7 manning of computer centers by staff
  • Video monitoring of entrances and exits, security checkpoints, and server rooms
  • Access by external personnel (e.g. visitors) to the rooms is limited as follows: only when accompanied by a Hetzner
  • Online GmbH employee

1.2. Entry Control

The following measures prevent timr servers from being used by unauthorized persons:

  • Application of user roles, user rights
  • RSA key authentication for authentication at servers
  • Authentication with user name and password or where possible, 2-factor authentication
  • Authentication with biometric method, where possible
  • Computer / Laptop are encrypted by troii employees.
  • Smartphone contents are encrypted by troii employees.
  • Deployment of MDM software in order to enforce security settings on devices
  • Use of password management software from troii
  • Utilization of a software firewall on timr servers
  • Guidelines for password/deletion/clean-desk

1.3. Access Control

The following measures provide assurance that troii employees are able to access exclusively the data governed by their access authorization and that personal data cannot be read, copied, changed or removed without authorization during its processing or use as well as after saving it:

  • Utilization of an authorization concept. The rights are assigned by the system administrator.
  • Administrative access is limited to the most vital employees.
  • Password guidelines including password length, password change
  • Encryption of data carriers
  • Deployment of document shredders
  • Hard drives in the computer center will be overwritten multiple times in accordance with a defined procedure during server changes (deleted).

2. Integrity

2.1. Transfer Control

The following measures ensure that personal data cannot be read without authorization, copied, changed or removed during electronic transmission:

  • Data such as backups will be transferred purely on electronic transport paths.
  • The transmission will take place exclusively over encrypted channels.

2.2. Input Control

Measures which ensure that it can be reviewed by whom personal data in the data processing system was entered, changed or removed:

  • Logging of the entry, change and deletion of data
  • Traceability of the entry, change and deletion of data by individual user name
  • Awarding of rights to the entry, change and deletion of data on the basis of an authorization concept
  • Clear responsibilities for deletions

2.3. Order Control

The following measures ensure that personal data that are processed as part of an order are only processed in accordance with the customer’s instructions:

  • Careful selection by the contractor, especially with regard to data security.
  • Logging of all entered data for work hours, project hours, and drivers’ logbook
  • Written directions to the contractor through contract data processing agreement

3. Availability Control

The following measures ensure that personal data will be protected against accidental destruction or loss:

  • Automatic incremental data backup every hour
  • Automatic data backup daily
  • Periodic tests of the data backup and data restoration
  • Data backups will be stored in a secure, outsourced location.
  • Backup and restoration concept for all data
  • Emergency plan for a reserve system in the event of a server failure
  • Use of an uninterruptible power supply, emergency generating facility in the data center
  • Permanently activated DDoS protection in the data center

4. Separation Rule

The following measures will be taken for the separated processing (storage, change, deletion and transfer) of data for different purposes:

  • Authorization concept and database authorizations
  • Client separation on the software side
  • Separation of production and test systems

5. Data Protection Management

The interoffice organization is configured in accordance with the following measures so that it satisfies the special demands of data protection:

  • Central documentation of all policies and regulations for data protection with the possibility of access by employees based on need / authorization.
  • An audit of the effectiveness of the technical protective measures will be carried out at least once a year.
  • Evidence of employee training on data protection are on hand
  • Evidence of compliance by employees who process the data with the obligations related to data protection are on hand
  • Periodic sensitization of employees, at least once a year
  • A documented process for recognizing and reporting security issues / data glitches (also with regard to the obligation to report to regulatory authorities)
  • The data protection officer is appointed in writing
  • The data protection impact assessment will be carried out when necessary
  • A formalized process for processing requests for information on the part of the affected person is on hand.

6. Procedure for periodic audit, assessment and evaluation

  • Periodic sensitization of employees, at least once a year
  • troii data protection management system (DSMS) is on hand
  • Data protection-friendly default settings will be taken into account during software development
  • An audit and improvement process will be carried out at least once a year