Technical & Organizational Measures
The following is a list of the specific technical and organizational measures taken for commissioned processing pursuant to Art. 24(1) of the EU General Data Protection Regulation (GDPR).
heylogin GmbH complies with the obligation laid down in the GDPR to protect the processing of personal data by appropriate technical and organizational measures and, as far as possible, to anonymize or pseudonymize personal data. All measures taken must take into account the risk of the respective data processing operation and correspond to the state of the art. In particular, the effectiveness of the measure should take into account the protection goals of confidentiality, availability, integrity and resilience.
Definition of protection goals:
- Confidentiality: Protection of data, information and programs from unauthorized access.
- Integrity: Factual and technical accuracy and completeness of all information and data during processing.
- Availability: Information, data, applications, IT systems and IT networks are accessible for processing.
- Resilience: Refers to an aspect of availability and thus the ability of information, data, applications, IT systems and IT networks to function in the event of disruptions, failures or heavy use.
1 Ensuring confidentiality
1.1 Access control
Measures suitable for preventing data processing systems (computers) from being used by unauthorized persons.
- No unauthorized system use.
- All own IT systems are secured with secure passwords.
- When leaving the workstation, the desktop is locked.
- The system enforces a minimum length of 8 characters, which must include numbers AND letters.
1.2 Access control
Measures that ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified, or removed without authorization during processing, use, or after storage.
- Data is secured by software against unauthorized reading, copying, modification, or removal.
- Logins are logged.
- Logins on production systems generate notifications.
1.3 Segregation control
Measures that ensure that data collected for different purposes is processed separately. This can be ensured, for example, by logical and physical separation of data.
- Separate processing of data collected for different purposes.
- The production system is multi-client capable and ensures separation of data for individual customers on the software side.
- Each customer can be identified by his login to access only the data managed by him.
2 Ensuring integrity
2.1 Transfer control
Measures to ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission or while being transported or stored on data media, and that it is possible to verify and determine to which entities personal data is intended to be transmitted by data transmission equipment.
- All data transfers between heylogin and external systems take place exclusively via encrypted connections.
2.2 Input control
Measures that ensure that it is possible to subsequently check and determine whether and by whom personal data has been entered into data processing systems, changed or removed.
- Data processing is carried out directly by the customer.
Measures that ensure encryption of data.
- Encryption procedures are used in accordance with the current state of the art.
- Data is transmitted in encrypted form during electronic transmission or while in transit.
- Content-related customer data is stored exclusively in end-to-end encrypted form.
4 Guarantee of availability, resilience and recoverability
4.1 Availability (of data)
Measures to ensure that personal data is protected against accidental destruction or loss - ensuring availability of data.
- All customer data is backed up hourly to at least one external system.
- The systems of the subcontracted processors used are secured against power failure by UPS.
- A firewall protects external access to all systems.
- All productive systems are redundant so that if one component fails, another component can immediately take over.
4.2 Resilience (of systems)
Measures to ensure that personal data is protected against accidental destruction or loss - ensure resilience of systems.
- Monitoring of productive systems.
- Alerting in case of unexpected deviations in monitoring.
4.3 Recoverability (of data / systems).
Measures to ensure that personal data is protected against accidental destruction or loss - ensuring recoverability of data and systems.
- Complete restoration of operations from a current backup within approximately two hours.
5 Procedures for periodic review, assessment and evaluation
5.1 Order control
Measures to ensure that personal data processed on behalf of a client can only be processed in accordance with the client's instructions.
- Conclusion of the necessary commissioned data agreements.
- Conclusion of the necessary standard contractual clauses.
- Selection of the contractor under due diligence aspects.
- Obligation of the contractor's employees to maintain data secrecy.
- Ensuring the destruction of data after completion of an order.
5.2 Data protection management
Measures to ensure that methods have been evaluated to systematically plan, organize, manage and control the legal and operational requirements of data protection.
- Compliance with the information requirements pursuant to Art. 13 DSGVO.
- Compliance with the information requirements pursuant to Art. 14 DSGVO.
- Documentation of all data protection procedures and regulations.
- Implementation of data protection impact assessments (if required).
- Regular sensitization of employees to data protection.
- Review of the effectiveness of the TOMs (conducted at least annually).
- Commitment of employees to data secrecy.
5.3 Incident response management.
Measures to ensure that security incidents can be prevented or, in the case of security incidents that have already occurred, that data and systems can be protected and that rapid analysis and remediation of the security incident can be carried out.
- Documentation of security incidents.
- Use of firewall and its regular updating.
- Use of spam filters and their regular updating.
- Use of virus scanners and their regular updating.
5.4 Data protection-friendly default settings
Measures that ensure that a certain level of data protection already exists in advance through the appropriate technical design (privacy by design) and factory settings (privacy by default) of a software.
- Personal data is only collected if it is required for a specific purpose.