Technical and Organization Measures

Introduction

All entities that collect, process or use personal data are obliged to take appropriate technical and organizational measures to protect personal data. The requirements for the measures to be taken in detail arise from the annex to Section 9 of the Federal Data Protection Act.

This document contains an overview of the technical and organizational measures for the protection of personal data implemented by qamaas GmbH in accordance with Article 32 GDPR.

Qamaas GmbH regularly checks the technical and organizational measures taken to see if they correspond to the state of the art and the organizational possibilities. In this respect, Qamaas GmbH is permitted to implement alternative adequate measures. This ensures that the level of security of the measures set out in this document is not undercut.

Organizational control

The in-house organization must be designed in such a way that it meets the special requirements of data protection.

Measures are:

A directive lays down the requirements for the handling of personal data, the regulations for compliance with the EU GDPR and the use of IT systems.
In accordance with Article 37 GDPR, qamaas GmbH has appointed an expert and independent company data protection officer.
The Data Protection Officer shall keep a list of the processing activities
In accordance with Art. 32, paragraph 4, all employees are obliged to deal confidentially with business and business secrets in accordance with the confidentiality of data and, in addition, in the contract of employment.
All employees are informed about data protection and data security in connection with the obligation to keep data secret.
Employees with access to switching or telephone systems are obliged to comply with telecommunications secrecy in accordance with Section 88 TKG and are instructed accordingly
All employees are regularly informed about current data protection issues.
Employees are trained annually on data protection issues. The curriculum of the training is planned by the Data Protection Officer

Confidentiality (Art. 32 sec. 1 lit. b GDPR)

Physical Access Control

Security locks at the main entrance and access with key card, locking of the access door outside business hours
Burglar-resistant door at the main entrance of the building and in the entrances of the used units
Key control (key or key card issuance only to trusted employees, documented with key monitoring, return on departure is monitored)
Access to servers is via independent closure
Careful selection of cleaning staff
Regulation on access for third parties (accompaniment)

Data Access Controll

Assignment of user rights with rights/role concept in domain
Creating user profiles
Protection class concept for data and systems
Password assignment (12 characters, complexity requirement according to Win-AD standard)
Authentication with username / password
Mapping user profiles to IT systems
Use of VPN technology
Use of anti-virus software
Using a hardware firewall

Data Usage Controll

Number of administrators reduced to the “most necessary”
Authorization concept with written documentation
Managing access rights by system administrator

Separation rule

Regularly, no copy of the data of the client is carried out in the systems of the contractor. If the production of copies becomes necessary for troubleshooting, this is only done with the consent of the client. The data is then logically kept separate from other data and deleted immediately after completion of the task.

Integrity (Art. 32 sec. 1 lit. b GDPR)

Transfer control

Facilities of service lines or VPN tunnels
During physical transport, careful selection of transport personnel and vehicle
Secure storage of disks
proper destruction of data carriers (DIN 66399-1 ff)
Use of shredders or service providers incl. logging of destruction
Crypto-conzep t for mobile disks

Input control

Traceability of input, modification and deletion of data by individual user names (not user groups)
Granting of rights to enter, modify and delete data on the basis of an authorization concept
Logging inputs, changes, and deletions in specific applications.

Availability and resilience (Art. 32 sec. 1 lit. b GDPR)

Availability control

Uninterruptible Power Supply (UPS)
Protective socket strips in server rooms
Fire extinguishers in front of server rooms
Server rooms not under sanitary facilities
Monitoring of the servers regarding temperature development
Sufficient air conditioning
Emergency concept regarding continuation and restart

Rapid recoverability (Art. 32 sec. 1 lit. c GDPR);

Backup & recovery concept including regular data recovery testing
Retention of data backup in a secure, outsourced location
Documentation of the IT infrastructure
Emergency concept regarding continuation and restart

Regular review, evaluation and evaluation procedures (Art. 32 sec. 1 lit. d GDPR; Article 25(1) GDPR)

Order control

Selection of the contractor from a point of view of due diligence (in particular with regard to data security)
prior examination and documentation of the security measures taken by the contractor
written instructions to the contractor (e.g. by contract data processing contract) in accordance with Section 11 (2) of the German Data Protection Act (BDSG)
Obligation of the Contractor’s employees to keep data
secret (Section 5 BDSG)
Contractor has appointed Data Protection Officer (if required by law)
Effective control rights agreed with the contractor
Ongoing review of the Contractor and its activities

Other measures

Privacy Management
Privacy-friendly preferences (Art. 25 sec. 2 GDPR)

Cookie	Type	Duration	Description
Cookie Consent	persistent	1 hour	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
Cookie Consent Infobox	persistent	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non-necessary".
cookielawinfo-checkbox-necessary		1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
viewed_cookie_policy		1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Type	Duration	Description
Freshservice _x_m	third_party	session	We are using freshwservice to manage your feedbacks. This cookie is needed to connect our page with freshservice app.
Freshservice _x_w	third_party	session	We are using freshwservice to manage your feedbacks. This cookie is needed to connect our page with freshservice app.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_PY1RRK042M	2 years	This cookie is installed by Google Analytics.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.