2021-02-25

Attachment 2 to DP Agreement: Technical and Organizational Measures

Hereinafter, a description of the principal measures of Dlubal for the adherence to the data protection regulations pursuant to Art. 32 of GDPR will follow. However, it must be pointed out that not all security measures can be disclosed; rather, particularly in the interest of data protection and data security, forgoing confidential and detailed descriptions is indispensable.

1 Confidentiality (Art. 32(1)(b) of GDPR)

1.1 Physical Access Control

Measures suitable to deny unauthorized persons physical access to data processing systems with which personal data is processed or used:

  • The office premises are only accessible via a central entrance. Access areas are monitored with a camera and occupied by reception staff. In case no reception staff is present, the access doors are closed and secured with an alarm system.
  • The server rooms are additionally under permanent lock and only accessible by authorized personnel.
  • Troubleshooting of the Dlubal product in which personal data is stored, if required
  • Important server systems outside the office premises are housed in a data center that is secured by multi-factor authentication of persons, by video surveillance connected to the police, and against terrorist attacks.

1.2 Electronic Access Control

Measures suitable to prevent unauthorized persons from using data processing systems:

  • The data is available to Dlubal employees only to the extent necessary, via a role-based CRM system with configurable access rights.
  • The employees have role-based access rights.
  • The computers are protected by authentication with a user name and password (Active Directory).
  • Passwords with increased security (structure, length, expiration date).
  • External systems are connected via VPN tunnels. Only known addresses are permitted access via an IP whitelist. All external communication is encrypted.
  • The computer systems are centrally provided with anti-virus software.
  • The data networks are secured with firewalls.
  • Only specifically authorized persons have access to the server systems.

1.3 Internal Access Control

Measures ensuring that persons authorized to use a data processing system can only access the data within their access privileges, and that personal data cannot be read, copied, altered, or deleted without authorization during processing and utilization, or after storage:

  • Rights: All services use the "deny by default" access model. Only authorized persons and groups have appropriate access. The rights matrix of each individual service is monitored and can be exported from the admin panel of every service. All rights are managed by system administrators. The number of system administrators is kept to a minimum.
  • Log files: The network storage servers possess Audit logs including version history of the files (CRUD). The Active Directory server logs every authorization query to services in the network.
  • Version control system: All data in the network is secured via VSS and BTRFS snapshots. Databases are secured via hourly snapshots.

1.4 Separation Control

Measures ensuring that data collected for different purposes can be processed separately:

  • Physically separate storage on separate systems or data mediums
  • Creation of an authorization concept
  • Encryption of datasets, which are processed for the same purpose
  • Assignment of purpose attributes/data fields to datasets
  • Establishment of database rights
  • Logical separation of customer data according to competency and function

1.5 Pseudonymization and Encryption (Art. 32(1)(a) of GDPR; Art. 25(1) of GDPR)

The processing of personal data in such a way that the data cannot be attributed to a specific data subject without the consultation of additional information, as long as this additional information is stored separately and is subject to appropriate technical and organizational measures:

If possible for the respective data processing, the primary identifying features of the personal data are removed from the respective data application and stored separately.

2 Integrity (Art. 32(1)(b) of GDPR)

2.1 Data Entry Control

Measures ensuring that it is possible to retroactively check and determine whether personal data has been entered, altered, or deleted in data processing systems, and by whom:

  • Logging of input, alteration, and deletion of data
  • Traceability of input, alteration, and deletion of data via individual user names
  • Allocation of rights for the input, alteration, and deletion of data based on an authorization concept
  • Document management

2.2 Data Transfer Control

Measures ensuring that personal data cannot be copied, altered, or deleted without authorization in the course of electronic transmission, or during its transport or storage on data media:

  • The email server uses the Sender Policy Framework (SPF) to prevent unauthorized use of our domains. This way, the email recipient can check whether the email originates from an authorized server.
  • Emails are signed with DKIM signatures to ensure authenticity.
  • Sensitive emails may additionally be encrypted via end-to-end encryption.
  • FTP and VPN services operate with SSL/TLS encryption.

3 Availability and Resilience (Art. 32(1)(b) of GDPR)

3.1 Availability Control

Measures ensuring that personal data is protected from accidental destruction or loss:

  • Backup & recovery concept
  • Uninterruptible power supply (UPS)
  • Hard disk mirroring
  • Use of RAID systems
  • BTRFS and ReFS file systems for error detection and correction, and for prevention of silent data loss
  • High-availability clusters and mirroring of data and services across several locations
  • Redundant Internet connections and routers to prevent lengthy downtimes
  • ECC memory on all servers to detect memory errors, data modifications, and data loss
  • Microsoft System Data Protection Manager agent installed on every server
  • Backup via DPM Storage at least once per day
  • Windows Backup + iSCSI LUNs
  • Important services are monitored by network tools and report failing services, downtimes, DoS and DDoS attacks.
  • Secured server room
  • Protection socket boards in the server room
  • Regular inspection of the electrical equipment by a specialist company
  • Fire and smoke alarms, fire-extinguishing equipment
  • Emergency plans and crisis management
  • Firewall with antivirus and intrusion detection, protection, and prevention (AV/IDS/IDP, ZyWALL Security Gateway)
  • ESET Mail Security for Exchange to safeguard the e-mail server against spam, viruses, ransomware, scams, etc.
  • ESET Security Antivirus on all computers as endpoint user protection with ESET Remote Administration Console
  • ClamAV open source Antivirus for the protection of the network servers and storage
  • Periodic system updates managed via WSUS
  • Active Directory Group Policy for all computers

3.2 Recoverability

Measures allowing the availability of personal data, and access to it, to be quickly restored after a physical or technical incident: All data is protected against loss via periodic backups. Several tools allow this data to be recovered with minimal effort in the event of a physical or technical incident. Specific measures are:

  • Backup & recovery concept
  • Backup via DPM Storage at least once per day
  • Windows Backup + iSCSI LUNs

4 Procedures for Regular Testing, Assessment, and Evaluation (Art. 32(1)(d) of GDPR; Art. 25(1) of GDPR)

4.1 Data Protection Management

  • Employee training courses in data protection
  • Obligation of the employees to the confidential handling of personal data
  • Nomination of a data protection officer
  • Employee guidelines for the handling of personal data
  • Maintaining a record of processing activities within the meaning of Art. 30(1)(2) of GDPR
  • Implementation of a data protection management system

4.2 Processing Control

Measures ensuring that personal data processed on behalf of a client can only be processed according to the client's instructions within the meaning of Art. 28 of GDPR:

  • Clear contract design
  • Formalized order management
  • Selection of the contractor under careful consideration
  • Written instructions to the contractor via the data processing contract
  • Obligation of the contractor to confidentiality
  • Continuous supervision of the contractor and their activities