Download - Schedule 2 to the Agreement on Contract Processing · version 4.0 Schedule 2 to the Agreement on Contract Processing NAME page 1 ProfitBricks GmbH ... resilience as well as procedures

version 4.0 Schedule 2 to the Agreement on Contract Processing NAME page 1

ProfitBricks GmbH I Greifswalder Straße 207 I D - 10405 Berlin I www.profitbricks.de/en I

Executive management: Achim Weiss, Matthias Steinberg

District Court Charlottenburg, Berlin I Registration number: HRB 125506 B I VAT number: ID: DE 270700052

Schedule 2 to the Agreement on Contract Processing

Technical and organizational measures

between

(referred to as “Customer” hereinafter)

and

ProfitBricks GmbH,

Greifswalder Str. 207, 10405 Berlin

(referred to as “Contractor” hereinafter)

1. General

Taking into account the state of the art, the cost of implementation and the nature, scope, context and

purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Data

Subjects posed by Processing, the Customer and the Contractor shall implement the required technical and

organizational measures to provide an adequate level of protection when processing Personal Data, in

particular in respect of certain categories of Personal Data. In this process, the Contractor shall take into

account the relevant technical guidelines and recommendations issued by the Federal Office for Information

Security.

Both the Contractor and the individual computing centres commissioned by the Contractor have implemented

the measures described below. As a general rule, the use of data processing systems by the operator of the

computing centre is not provided. Insofar the Contractor uses its own hardware installed in the security areas,

meaning that the computing centres have no access rights and cannot access, disclose or enter the

Contractor’s data.

2. Technical and organizational measures pursuant to Art. 32 GDPR

The Contractor has implemented appropriate measures to ensure confidentiality, integrity, availability and

resilience as well as procedures for periodical testing, assessing and evaluating.





(1) Denying unauthorized persons’ admission to processing systems involved in Processing (access

control)

ProfitBricks’ premises in Greifswalder Str. 207 in 10405 Berlin are located on the ground floor, first,

second and fifth upper floor of a rear building used entirely for business purposes.

All entrances are sufficiently secured against unauthorized entry, meaning that:

• all and any exterior doors are equipped with a manual and technical master key system (security

locks) and locked all the time;

• employees receive personalized keys and acknowledge receipt of such keys;

• admittance to server rooms is granted only to a limited number of people (restricted area);

• employees work exclusively with their personalized user profiles requiring the input of an at least

eight-digit alphanumerical password which must be changed at least every three months;

• screens and access are subject to automatic blocking for 30 minutes after maximum 5 minutes or

if more than five erroneous inputs have been made, respectively;

• VPN technology (SSL/TLS) is in place;

• data media are encrypted (as far as possible);

• visitors can only move about the premises if accompanied by an employee;

• third-party personnel, especially for cleaning and maintenance tasks, is carefully selected;

• admission rights and visitor regulations have been fixed.

The operation of the computing centre meets the following requirements:

• admission to the computing centre is permitted to authorized persons only;

• admission is controlled by a material (RFID chip) and an immaterial (PIN) identification feature.

Admission rights can be permanently assigned or deposited with the security service for

collection. If an admission right is deposited for collection, authorization is established by

inspection of the person’s ID card. The data are deposited with a security service (whitelist),

guaranteeing that only authorized persons can enter the computing centre.

• admission to the individual customer cabinets or customer areas is reserved to the customer and

the responsible personnel;

• admission control systems and alarm systems are safeguarded against power failure by

uninterruptible power supply and an emergency power plant;

• video surveillance is in place in the computing centre, especially at entrances to security zones;





• the computing centre is inspected by a security service at regular defined intervals. The places to

be inspected by the security services inside the computing centres are defined. Conspicuous

findings are reported. The defined paths to be walked by the security personnel are recorded.

(2) Preventing any unauthorized reading, copying, altering or deleting of data media (data media control)

The Contractor guarantees that

• data media (as far as possible) are used restrictively and encrypted;

• hardware is tested and issued by the Contractor’s IT department;

• access rights (both for users and for administrators) reflect the requirements of the project and of

the provisions of data protection law;

• discarded data media are deleted or physically destroyed in conformity with data protection law;

• access to applications (input, alteration and deletion) is recorded and can be analysed (over a

period of at least 14 days)

• protection against unauthorized internal and external access is provided by encryption and

firewalls.

Authenticated user identification is ensured in particular through:

• all technical systems (central and decentral), both hardware and software, being protected by a

firewall, and

• the virus protection (anti-virus software) in place being maintained and updated.

Input is controlled by:

• recording any input, alteration or deletion of data for traceability (through logfiles) and

• tailoring access rights (both for users and administrators) to reflect the requirements of the

project and the provisions of data protection law.

(3) Preventing any unauthorized input of Personal Data, as well as any unauthorized taking of notice,

alteration or deletion of stored Personal Data (memory control)

Aspects of memory control include:


the provisions of data protection law (authorization based on “need to know”),

• access to applications and use of files (input, alteration and deletion) is recorded and can be

analysed,





• protection against unauthorized internal or external access is provided by encryption and firewalls,

• systems to be administered by the customer are pre-set in a way to provide a high level of data

protection (e.g. transparent deletion is possible at any time),

• deallocated memory areas are overwritten (zeroized) prior to reallocation.

Authenticated user identification is ensured in particular by:

• protecting all technical systems (central and decentral), both hardware and software, by a firewall,

and

• maintaining and updating the virus protection (anti-virus software) installed.

Input is controlled by:

• recording any input, alteration or deletion of data for traceability (through logfiles) and

• tailoring access rights (both for users and administrators) to reflect the requirements of the

project and the provisions of data protection law.

(4) Preventing the use of automated processing systems by means of data transmission devices by

unauthorized persons (user control)

Conditions for user control include:


the provisions of data protection law (authorization based on “need to know”),

• access to applications (input, alteration and deletion) is recorded and can be analysed (over a

period of at least 14 days) and,

• remote access to infrastructural systems is via dedicated management networks and encrypted

services secured by passphrases and certificates.



and

• maintaining and updating the virus protection (anti-virus software) installed.

(5) Guaranteeing that persons authorized to use an automated processing system have access exclusively

to such Personal Data as are covered by their authorization for access (access control)

Unauthorized activities in data processing systems beyond authorizations granted are prevented in

particular by:





• tailoring access rights (both for users and for administrators) to reflect the requirements of the

project and of the provisions of data protection law (authorization based on “need to know”),

• issuing password policies including password length and password change,

• allowing access to applications (input, alterations and deletions) to be recorded and analysed

(over a period of at least 14 days),

• providing protection against unauthorized internal and external access through encryption and

firewalls,

• putting an IT security policy for the ITSM in place and

• defining dedicated obligations to preserve records.

(6) Guaranteeing the possibility to check and establish where Personal Data have been or can be

transmitted or made available by means of data transmission devices (transmission control)

Transmission of Personal Data is protected by:

• using VPN technology (SSL/TLS) for data communication,

• providing the possibility to send all email messages and other information in encrypted or

pseudonymised form,

• carefully selecting persons for physical transport.

(7) Guaranteeing the possibility to check and establish subsequently which Personal Data were entered in

automated processing systems at what time and by whom (input control)

Input control is implemented by:

• recording entries, alterations and deletion of data for traceability (by means of logfiles) and


project and of the provisions of data protection law (authorization based on “need to know”),

(8) Guaranteeing the safeguarding of data confidentiality and data integrity in the processes of

transmission of Personal Data and transport of data media (transport control)

Transport control requires

• the careful selection of third parties (esp. because of data security) in cooperation with the data

protection officer (where possible, only companies/computing centres certified under ISO/IEC –

27001:2005),

• contract processing to be based on detailed contractual stipulations,

• the stipulation of effective supervision rights and/or access/deletion rights (contractual penalties,

if applicable),





• supervision by the data protection officer on a regular basis.

The transmission of Personal Data is protected by:

• using VPN technology (SSL/TLS) for data communication,

• providing the possibility to send all email messages and other information in encrypted or

anonymized form

• carefully selecting people and vehicles for physical transport, and fixing transport routes

Input control is implemented by:



project and of the provisions of data protection law.

(9) Guaranteeing that the systems used can be restored in case of disturbances (recoverability)

To guarantee recoverability, the Contractor undertakes to

• draw up a Backup & Recovery concept,

• test data recoverability,

• provide a RAID controller (Redundant Array of Independent Disks),

• support data portability and

• record and analyse any disturbances.

(10) Guaranteeing that all functions of the system are available and any malfunction occurring will be

reported (reliability)

Reliability requires

• processual reporting of any cases of escalation (display of error and disturbance messages in the

IT systems)

• performance of external/internal technical security analyses

• the existence of test and release procedures e.g. for the introduction of new soft- or hardware

• activities to raise employees’ awareness of data protection and/or data security issues

(11) Guaranteeing that stored Personal Data cannot be damaged by system malfunction (data integrity)

To ensure data integrity,

• the Contractor follows an Information Security Management System (ISMS) and





• the Processing of Personal Data may in individual cases and in agreement with the Contractor be

performed in such a way that the data cannot be attributed to a specific Data Subject without

using additional information.



and

• maintaining and updating the virus protection installed (anti-virus software).

Input control is implemented by



project and of the provisions of data protection law.

(12) Guaranteeing that Personal Data being processed to order can only be processed pursuant to the

Customer’s instructions (order control)

Placement of orders for, and supervision of, contract processing, in particular by external computing

centres, are subject to:

• the careful selection of third parties (esp. because of data security) in cooperation with the data

protection officer (where possible, only companies/computing centres certified under ISO/IEC –

27001:2005)

• contract processing to be based on detailed contractual stipulations

• the stipulation of effective supervision rights and/or access/deletion rights (contractual penalties,

if applicable)

• supervision by the data protection officer on a regular basis.

(13) Guaranteeing that Personal Data are protected against destruction or loss (availability control)

To ensure availability, the Contractor has arranged for

• the existence of a backup strategy,

• the installation of an uninterruptible power supply,

• the rooms to be divided into fire lobbies each with its own fire protection equipment (fire and

smoke alarm systems, fire extinguishers),

• the installation of air conditioning systems and

• the existence of an emergency matrix.





The computing centre will be operated with particular focus on:

• ensuring power supply by redundancies (emergency units and uninterruptible power supply

systems with n+1 redundancy; minimum 15 min bridging time until the emergency units restore

power supply – rise time including load changeover 1-2 min.)

• air-conditioning the rooms of the computation centre (average temperature 22°C +/- 4°, redundant

(n+1), air filters installed comply with DIN EN 779 G4)

• structurally separated fire lobbies. A fire alarm system and a system for earliest fire detection are

installed in the rooms.

• DIN-compliant testing of flood and earthquake criticality.

(14) Guaranteeing that Personal Data collected for different purposes can be processed separately

(severability).

Separate processing of data is guaranteed by:

• the impossibility of physical access due to dedicated rights and duties,

• clear separation and traceability of customer access activities (logical separation by individual

user profile including password protection / separation of productive and test infrastructure),

• separate Processing of purpose-specific data.

(15) Adjustment of internal company organization to the specific requirements of data protection.

The Contractor has submitted to the following standards of data protection:

• preparation of an IT security and data protection concept,

• preparation of internal data protection and security policies and work instructions,

• appointment of an external data protection officer,

• recurring inspections by the data protection officer,

• periodical information and exhortation to raise problem awareness,

• occasional unexpected checking of compliance with data protection and data safeguarding

measures.

The Contractor guarantees that all Services are performed in German computing centres and in compliance

with German data protection law.

In addition, ProfitBricks’ services follow the standards for ISO-27001 Certification as far as possible. The

workflow aiming to approach and meet the standards is based on the ITIL Framework. In addition, the

Contractor observes the processes in order to meet the requirements of ISO 20000 (preparation for





certification, in particular Incident & Service Request Management; Problem management; Business

Relationship Management; Budgeting and Accounting for Services; Service Level Management; Capacity

Management; Design and Transition of new or changed Services; Change Management; Release and

Deployment; Configuration Management; Information Security Management; Service Continuity and

Availability; Supplier Management; Internal Auditing).

Moreover, the Contractor dimensioned the operative performance components (storage systems, infiniband

switches and uplink router switches) with double redundancy according to the generally acknowledged rules

of science and technology.

3. Modifications

Any modifications shall be reconciled and fixed accordingly.

Download - Schedule 2 to the Agreement on Contract Processing · version 4.0 Schedule 2 to the Agreement on Contract Processing NAME page 1 ProfitBricks GmbH ... resilience as well as procedures

Top Related