TOM

07.07.21 / Version 2.1

Technical and organisational measures (TOM) within the meaning of Art. 32 GDPR

Preamble

The Locaboo GmbH web server is located in a data centre of Hetzner Online GmbH in Gunzenhausen (Germany). The documentation of the technical and organisational measures (TOM) for the web server can be found in the document "Technical and organisational measures" from Hetzner.

1. access control

Deny unauthorised persons access to data processing equipment with which personal data are processed or used or in which personal data are stored.

Implementation of the measure:

1. The premises of Locaboo GmbH in which customer data is collected, processed and/or used shall be used and entered exclusively by employees and contractual partners of Locaboo GmbH who are bound by these provisions. Excluded from this are persons who have to be on the premises in order to fulfil the obligations arising from the framework agreement and who are accompanied throughout their stay by persons authorised to enter within the meaning of sentence 1 of this clause 1.1.

2. The entrances to the premises are secured with security keys against access by unauthorised persons.

3. Doors, gates and windows are firmly locked outside operating hours; the entrance door on the ground floor and all other easily accessible entrances to the rooms are secured in such a way that they are only accessible to unauthorised persons with considerable difficulty.

4. The allocation of access authorisations and keys is documented in a comprehensible manner. Access to the premises shall be recorded immediately upon entry and for a period of one month after entry.

5. Data backups are permanently stored in locked backup cabinets. Access is only possible for the employees of Locaboo GmbH deployed for the purpose of fulfilling the contract.

6. Web server, see "Technical and organisational measures" by Hetzner.

2. access control

Prevent data processing systems from being used by unauthorised persons.

Implementation of the measure:

1. Protection through authentication and authorisation systems; we use user IDs and complex passwords, as well as graduated access rights.

2. Access to the collection, processing and use of customer data with the systems used only to the employees deployed to provide the service and only for the scope required.

3. Person-specific user access.

4. Technical restriction for use by third parties, e.g. for technical maintenance. No access to client data by third parties without written permission from the client.

5. Every allocation of access and access authorisations is documented.

6. Password rule: Secure passwords with special characters and at least 8 characters.

7. Passwords change by the user himself every 3 months.

8. Passwords are stored securely and are not passed on to third parties.

9. Transmission of passwords encrypted if possible and only to authenticated authorised recipients.

10. Web server, see "Technical and organisational measures" by Hetzner

3. access control

It must be ensured that those authorised to use a data processing system can only access the data subject to their access authorisation, and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage.

Implementation to the measure:

• User administration with password protection

• Logical authorisation concept with roles and rights per provider

• Management of the rights by the provider itself

• Password policy including password length

• Web server, see "Technical and organisational measures" by Hetzner.

4. transfer control

Ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.

Transposition to measure:

• Access exclusively via encrypted data transmission (SSL)

5. input control

It must be ensured that it is possible to check and establish retrospectively whether and by whom personal data have been entered into, modified or removed from data processing systems.

Implementation of the measure:

• Traceability of input, modification and deletion of data through individual logging with user name.

• Allocation of rights to enter, change and delete data on the basis of an authorisation concept.

6. order control

It must be ensured that personal data processed on behalf of the client can only be processed in accordance with the client's instructions.

Implementation of the measure:

• In accordance with the provisions of this Commissioned Data Processing Agreement.

• Appropriate training of the contractor's staff and contractual arrangements with subcontractors.

• Regular audits by the Contractor with regard to the execution of this Agreement.

7. availability control

Ensure that personal data is protected against accidental destruction or loss.

Implementation to the measure:

• Data backup concept, data backup hard disk per workstation.

• see "Technical and organisational measures" by Hetzner.

• Regular data backups (backup and recovery concept).

• Emergency procedures for data recovery (disaster management).

8. separation control

Ensure that data collected for different purposes can be processed separately.

Transposition to the measure:

• Logical client separation per provider

• Role and authorisation concept
  

• Separation of productive and test system

• see "Technical and organisational measures" by Hetzner.

9. encryption and pseudonymisation

Ensure that sufficient procedures for encryption and pseudonymisation are applied if this is required due to the activity.Implementation on the measure:

• Encrypted connection via SSL

• Password encryption of the user accounts
  

• Separation of client accounts

• Pseudonymisation is not necessary due to the way the portal works

10. procedures for regular review, assessment and evaluation (data protection management system).

List the measures implemented to ensure a continuous improvement process:

• Conduct regular internal audits.

• Use of an incident management system for proactive system monitoring and error or attack detection. In particular, it is ensured that data protection incidents are recognised and reported immediately by all employees. If data processed on behalf of customers is affected, care is taken to ensure that they are informed immediately about the type and scope of the incident.
  

• Disaster management concept: Maintaining operations due to different emergency scenarios

• A backup concept with daily status checks, outsourcing of the data backup, recovery tests and full backup over a sufficient period of time is in place.

• Version management of the software source code

• When processing data, if the conditions of Art. 33 GDPR are met, a notification will be made to the supervisory authority within 72 hours of becoming aware of the incident.

• If external service providers or third parties are involved, appropriate data protection regulations shall be established in accordance with the applicable data protection law. Conclusion of an agreement on commissioned processing pursuant to Art. 28 DS-GVO.

• Contractors are also regularly inspected during the contractual relationship.

• Training of all employees with access rights. Regular follow-up training.