Technical and organizational measures (according to GDPR)

Version 3.0 of September 20th, 2024

Preamble

Riege Software operates a hybrid cloud environment consisting of

  • Data centers in Germany

  • Services and infrastructure at Microsoft Azure.

The following technical and organizational measures also apply to Microsoft Azure, with the exception that Riege Software has no control over physical access control and the internal infrastructure at Azure.

The security measures of Microsoft Azure and the data processing addendum can be found under the following link:

https://www.microsoft.com/en-us/licensing/product-licensing/products

Confidentiality (Art. 32, para 1(b) GDPR)

Entry control

Rooms and buildings

Unauthorized persons must be prevented from entering data processing facilities in which personal data is processed, used or stored.

Security Areas

All Riege Software employees can access the office buildings (Security Area I). The business premises are secured at all times by a locked security door that can be opened with a security key or, during the daytime, with a transponder. All guests are registered and receive a visitor badge. Entry is monitored by company employees. In addition, the rooms are secured by an alarm system outside normal business hours.

All areas in which the network infrastructure is operated or data is stored are classified as Security Area II.

Internal technical rooms (on the company’s premises, Security Area II):

  • Access to Security Area I is controlled using a transponder for the alarm system and a security key for the locking system

  • Implementation of safety doors

  • Access to security area II (separate door) via transponder or security key for authorized personnel

  • The alarm system is switched to an external security service

Personal data is stored in data centers (Security Area II).

  • Alarm system, installed by the data center operator

  • Implementation of safety doors

  • Entry is only granted to authorized personnel, who are required to present their ID cards / passports at reception

  • Entry is logged in a key book

  • The racks are secured using separate locks

Specification of individuals to be granted entry access

The management determines which personnel are to be granted entry access.

Visitors and external staff

Visitors may only access Security Area I and are always accompanied by a Riege Software staff member. External staff, in particular telecommunication service providers,

  • are always accompanied and monitored by authorized staff members inside the internal data centers (Security Area II)

  • are registered at the external data centers by authorized staff members for temporary access and following a respective check; the entry specifications described above apply.

All cleaning, maintenance and security staff can access Security Area I. They are selected carefully and are bound to confidentiality regarding personal data in accordance with the GDPR (General Data Protection Regulation) and regarding business secrets.

Non-authorized persons are denied access to the security areas.

Access control

IT systems, applications

Unauthorized persons must be prevented from using data processing systems.

Authentication

System access is provided through an authentication process based on individual user accounts. Each password is known only to the user to whom it is assigned. After a period of inactivity, console sessions on server systems are automatically logged off, and on PCs a password-protected lock screen is activated.

Wherever possible and practical, all systems are connected to the central Microsoft M365 AD / Entra ID with two-factor authentication. Passwords have a minimum length of 8 characters if multi-factor authentication is used; otherwise they must have at least 12 characters drawn from 4 character classes, or at least 20 characters drawn from 2 character classes.
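The three-tier password rule above is concrete enough to be enforced mechanically, for example in an onboarding script or a self-service password-change form. The following validator is an added example written for this page, not code from Riege Software; it assumes the four character classes are lowercase letters, uppercase letters, digits and "everything else", and that length is counted in characters, neither of which the document spells out.

```python
from typing import Tuple


def character_classes(password: str) -> int:
    """Count how many of four character classes occur in the password.

    The measures document speaks of "character classes" without listing them;
    the split into lowercase, uppercase, digits and everything else (punctuation,
    whitespace, symbols) is an assumption of this example.
    """
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lower")
        elif ch.isupper():
            found.add("upper")
        elif ch.isdigit():
            found.add("digit")
        else:
            found.add("other")
    return len(found)


def password_meets_policy(password: str, mfa_enabled: bool) -> Tuple[bool, str]:
    """Apply the three tiers stated in the measures document.

    Returns (accepted, reason). Length is counted in characters (Unicode code
    points); the document does not say how length is measured, so this is an
    assumption.
    """
    length = len(password)
    classes = character_classes(password)

    # Tier 1: with multi-factor authentication a minimum length of 8 applies.
    if mfa_enabled:
        if length >= 8:
            return True, "MFA in use: length >= 8"
        return False, f"MFA in use but length {length} < 8"

    # Tier 2: without MFA, at least 12 characters from 4 character classes ...
    if length >= 12 and classes >= 4:
        return True, "length >= 12 with 4 character classes"

    # Tier 3: ... or at least 20 characters from at least 2 character classes.
    if length >= 20 and classes >= 2:
        return True, "length >= 20 with >= 2 character classes"

    return False, (f"length {length} with {classes} character class(es) meets "
                   "neither the 12/4 nor the 20/2 rule")


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    samples = [
        ("Tr0ub4dor&3", False),                  # 11 chars, 4 classes: too short
        ("Tr0ub4dor&3x", False),                 # 12 chars, 4 classes: accepted
        ("correcthorsebatterystaple", False),    # 25 chars, 1 class: rejected
        ("correct horse battery staple", False), # 28 chars, 2 classes: accepted
        ("Abc123!!", True),                      # 8 chars with MFA: accepted
        ("Abc123!!", False),                     # 8 chars without MFA: rejected
    ]
    for pw, mfa in samples:
        print(f"{pw!r:34} mfa={mfa!s:5} -> {password_meets_policy(pw, mfa)}")
```

Returning a reason string alongside the boolean lets the caller tell a user which tier they missed rather than just "rejected", which in practice reduces help-desk tickets without weakening the rule.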

At operating system level (e.g. SSH), authentication via an asymmetric cryptosystem (key) is possible instead of using a password.

Logs

All successful and unsuccessful authentication attempts to access the systems are recorded in log files. User accounts are locked automatically after five successive failed login attempts to our Windows domain and must then be unlocked manually by IT staff.
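The lockout rule stated above (five successive failures, reset by a success, manual unlock afterwards) is also the logic an analyst would replay over authentication logs to confirm that the control actually fired and to spot accounts under sustained failed-login pressure. The following replay is an added example for this page, not Riege Software's code; the log line format and the sample lines are constructed for the example and are not real domain controller logs.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# Threshold taken from the measures document: five successive failed logins.
LOCKOUT_THRESHOLD = 5

# Constructed sample log lines in an assumed "timestamp auth user=... result=..."
# format. These are not real Riege Software logs; the format is an assumption
# of this example. One deliberately malformed line is included.
SAMPLE_LOG = """\
2024-09-20T08:00:01Z auth user=alice result=FAIL
2024-09-20T08:00:05Z auth user=alice result=SUCCESS
2024-09-20T08:00:20Z auth user=alice result=FAIL
2024-09-20T08:00:25Z auth user=alice result=FAIL
2024-09-20T08:01:00Z auth user=bob result=FAIL
2024-09-20T08:01:02Z auth user=bob result=FAIL
2024-09-20T08:01:04Z auth user=bob result=FAIL
2024-09-20T08:01:06Z auth user=bob result=FAIL
this line is malformed and must be skipped
2024-09-20T08:01:08Z auth user=bob result=FAIL
2024-09-20T08:01:10Z auth user=bob result=FAIL
2024-09-20T08:02:00Z auth user=carol result=FAIL
2024-09-20T08:02:01Z auth user=carol result=FAIL
2024-09-20T08:02:02Z auth user=carol result=FAIL
2024-09-20T08:02:03Z auth user=carol result=FAIL
2024-09-20T08:02:10Z auth user=carol result=SUCCESS
2024-09-20T08:02:30Z auth user=carol result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def evaluate_lockouts(lines: Iterable[str],
                      threshold: int = LOCKOUT_THRESHOLD) -> Dict[str, str]:
    """Replay authentication events and return {user: timestamp of lockout}.

    A success resets the account's failure streak; once an account is locked,
    later events for it are ignored because only a manual unlock by IT staff
    releases it (as the measures document states).
    """
    streak = defaultdict(int)   # consecutive failures per account
    locked: Dict[str, str] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skipped here, would be reported in production
        user = rec["user"]
        if user in locked:
            continue  # already locked; nothing in the log changes that
        if rec["result"] == "SUCCESS":
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= threshold:
                locked[user] = rec["ts"]
    return locked


if __name__ == "__main__":
    for user, ts in sorted(evaluate_lockouts(SAMPLE_LOG.splitlines()).items()):
        print(f"{user} locked at {ts}")
```

In the constructed sample only bob reaches five successive failures; alice and carol have their streaks reset by a successful login, which is exactly the distinction an analyst must make before raising a ticket, because four failures followed by a success is a forgotten password, not an attack.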

Encryption

Mobile data media are encrypted insofar as personal data or sensitive company data are stored on them. This also applies to the hard drives of all mobile devices. State-of-the-art encryption procedures are used.

State-of-the-art VPN technology is deployed for unsecured networks, in particular the Internet, in order to provide employees and customers with access to data in line with the authorization scheme.

Authentication data are encrypted using state-of-the-art encryption protocols and algorithms whilst in transit.

The cryptographic procedures used comply with the current technical guideline TR-02102-1 of the German Federal Office for Information Security (BSI - Bundesamt für Sicherheit in der Informationstechnik).

User master records

Each individual user has their own master record.

In application software (such as Procars, Scope and web services), authorized users are either

  • appointed by the Controller; one master record is maintained per user, or
  • managed directly by the Controller. The Controller must take measures to prevent unauthorized persons from accessing its data processing systems (primarily through the use of long passwords).

Smartphones

A separate network is provided for devices with mobile Internet access, such as smartphones. Regulations are in place to prohibit any other usage, particularly in internal networks.

Usage control

Data access

Steps must be taken to ensure that persons authorized to use the data processing system may only access data to which they have specifically been granted access and that personal data cannot be read, copied, modified or removed without authorization during the processing, usage or storage of such data.

Authorization scheme

The access rights at Riege Software are specified by the management and set down and controlled in an accordingly documented process.

Group rules govern access for authorized staff members; the rights correspond to the respective work areas and are restricted accordingly. Administrators have unlimited access to all data. Support and software development staff can access customer data through the applications; outside the applications (for example, directly in databases) only read rights are granted wherever possible.

Data manipulation

Customer data is only accessed or modified upon the explicit request of the Controller, or where this is required during error analysis. This is documented using a support ticket system (electronic records).

Serious modifications to database systems (e.g. statements to modify a number of different data records) are prepared, tested and executed based on the four-eye-principle / multi-eye principle. These changes are documented in a ticket.

Customer systems

In the case of application software, such as Procars, Scope or web services, the Controller defines the rights of its users using group rules, modules or via the respective branch.

Logs

At operating system level, logins and logouts are primarily stored in the log files whilst the commands entered by the individual users are stored in the history. Scope logs the creation, last modification and deletion of data in log files. Any manipulations carried out on database systems are recorded in tickets and in a log book (documentation).

All logs are stored for at least 6 months; the history contains the last 1,000 commands entered.

Data destruction

Discarded files and old data media are stored securely and destroyed in a correct and appropriate fashion.

Security management

Software is updated at regular intervals according to the system of releases deployed by the manufacturer. Security-relevant updates are regularly evaluated and, where deemed urgent, installed within three days.

Segregation control

Steps must be taken to ensure that data collected for different purposes is processed separately.

Functional segregation

The systems are segregated and accommodated in different environments depending on whether they constitute a production, test or development system. Software updates for the production environment are released via a differentiated procedure.

Segregation of customer systems

Data belonging to different Principals are logically segregated. This segregation is achieved using access control mechanisms or logical sub-networks (VLANs).

A Principal is only able to view its own data and is unable to access data belonging to third parties.

Integrity (Art. 32, para 1(b) GDPR)

Transmission control

Steps must be taken to ensure that no personal data can be read, copied, modified or removed without authorization during electronic transmission or transport, or whilst such data is being saved to data media, and that it is possible to check and establish which bodies are scheduled to receive such personal data by means of data transmission facilities.

Security during transport / encryption

Unless otherwise agreed in individual cases, data is transferred through dedicated connections, encrypted VPN connections (Virtual Private Network) or encrypted and sent through the Internet. All encryption procedures used correspond to the latest state-of-the-art technology.

The cryptographic procedures used comply with the current technical guideline TR-02102-1 of the German Federal Office for Information Security (BSI - Bundesamt für Sicherheit in der Informationstechnik).

Logs

All data transfers are electronically logged.

Storage

The systems governing access control (physical access, logical access to the systems, and access to specific data), together with the associated protective measures, prevent the unauthorized reading, copying and modification of data.

Input control

Steps must be taken to ensure that it is possible to check and determine retrospectively whether personal data has been entered into, modified or removed from data processing systems, and by whom.

Traceability

The system prevents data being entered manually and anonymously during processing. User logins are logged in respective log files. The applications themselves store all manipulations, together with the name of the user and a respective time stamp internally.

Availability and resilience (Art. 32, para 1(b) GDPR)

Availability control

Steps must be taken to ensure that personal data are protected against accidental loss and destruction.

System-related measures

All data sent to Riege Software for processing is stored redundantly on hard disk systems. The systems are also redundantly connected to several power supplies (e.g. UPSs) in the data centers.

Monitoring

The status of all systems and services is monitored and regularly checked. An alarm is also issued outside normal business hours.

Infrastructure services

Central infrastructure services (such as databases, firewall systems and network components) are designed to be redundant.

Firewall / anti-virus protection

Riege Software uses firewall systems (packet filter, intrusion prevention system, web proxy) in the data centers, which protect access to the Internet and to internal networks. The PCs are equipped with modern virus scanners that report their findings to a central system.

If sensitive data is processed in the public cloud, firewalls with an appropriate level of protection are also installed in front.

PCs, internal email systems and proxy servers used by staff members are equipped with anti-virus scanners.

Fire protection / temperature monitoring / electrical circuit protection

The data centers in Germany are equipped with an early fire detection and extinguishing system. Temperatures are monitored in all data centers.

In addition, the data centers are equipped with multiple power circuits, including emergency power generators.

Data residency

All data collected in the EU is stored solely within the EU. This applies to both data center and public cloud operations.

Restore in a timely manner (Art. 32, para. 1(c) GDPR)

The availability of and access to personal data must be rapidly restored in the event of a physical or technical incident.

A daily backup is performed and synchronized between the EU data centers. A copy is also written to tape and securely stored externally. The statutory retention periods are adhered to.

An established incident management process ensures rapid detection and communication in case of system failure. Roles between teams are defined to efficiently handle the incident. Data can be recovered quickly from the backup system of the local data center if needed.

Process for regular testing, assessment and evaluation (Art. 32, para. 1(d) GDPR; Art. 25, para. 1 GDPR)

ISO 27001 certification / ISMS

Riege Software operates an information security management system (ISMS), which is regularly audited. The ISMS and its processes are also regularly audited externally. Riege Software is ISO 27001 certified.

Essentially, the protection goals of confidentiality, availability and integrity are considered and audited, including in the ISMS module "Data protection".

Data protection management

A procedure for regularly reviewing, testing and evaluating the effectiveness of the technical and organizational measures to ensure the safety of the processing is to be implemented in the company.

Compliance with the technical and organizational measures pursuant to Art. 32 GDPR by Riege Software is ensured by the following measures:

  • Riege Software has appointed an external data protection officer (for details, see "Agreement pertaining to commissioned data processing"), who audits compliance with statutory data protection regulations at regular intervals.

  • The internal data protection team has developed a data protection management system which is coordinated with the data protection officer.

  • The employees are bound to data secrecy in accordance with the GDPR and are trained annually on the subject of data protection.

  • A privacy policy exists with which all employees are familiar.

Incident response management

In the event of a personal data breach, the Responsible Party shall notify the appropriate authority referred to in Article 55 GDPR without delay and within 72 hours after becoming aware of the breach.

Riege Software has a detailed incident management process for data protection incidents that defines the necessary steps. In detail, this includes:

  • The identification and reporting of the incident.

  • The analysis, categorization or prioritization, and risk assessment of the incident.

  • The notification to the management, to the data protection officer and to the supervisory authorities.

  • Informing the data subjects concerned.

Riege Software shall inform the Controller immediately of any operational failures.

Default settings that are conducive to data protection (Art. 25, para. 2 GDPR)

The Responsible Party shall take appropriate technical and organizational measures to ensure that, by default, only personal data whose processing is required for the particular specific purpose is processed.

The technical settings for the processing of personal data within the systems of Riege Software have been chosen so that this data is collected and processed only to the extent necessary and only for the intended purpose. Processing beyond this scope is not intended and will not be carried out without the consent of the person concerned.

Job control

Measures that are designed to guarantee that personal data destined for commissioned processing can only be processed according to the Controller's instructions.

Issuing instructions and job processing

There are defined processes in place for job control at the Processor. All relevant changes to database systems are prepared, tested and executed by different roles according to the four- or multi-eye principle.

All the jobs and respective logging are conducted using Riege Software's support ticket system. All jobs are commissioned by the Controller in writing (e.g. via email). Verbal instructions from the controller must be confirmed in writing immediately.