Technical and Organizational Measures

Preamble

The branchly GmbH, hereinafter referred to as "branchly", takes the following technical and organizational measures to ensure data security in accordance with Art. 32 GDPR:

1. Confidentiality

Access Control

Measures in the data centers (Azure Cloud Services platform Frankfurt (Germany West Central) and Amsterdam (Europe West)): Access is heavily regulated. Only individuals who require physical access for operational reasons are granted access. Access rights are regularly reviewed based on this criterion, and rights are revoked without delay if necessary. External visitors are not permitted access to the data center; however, the security of the facilities is certified by external auditors. The facilities are monitored by video surveillance around the clock, and the site is alarm-secured. The security personnel have been carefully selected and are always present on the premises. Access to the data center is restricted through biometric access controls.

Measures at the company headquarters: Access is regulated. Visitors have no direct access without accompaniment. Employees have access via keys. The issuance of keys is regulated and documented. The cleaning staff has been carefully selected.

Access Control Access to data and systems is granted according to the "Principle of Least Privilege": Employees only have access to information, data, and systems that they absolutely need to perform their work. This is ensured by the management only granting access to systems and permissions in systems when necessary for the execution of activities. This assessment is made on a case-by-case basis. The granting and revocation of permissions are documented by our management. Permissions are re-evaluated upon changes in roles and responsibilities.

Access to systems is generally done through personal accounts with a username and password. There are password requirements (e.g., a minimum length of 20 characters) that are enforced technically. Additionally, employees are trained to choose passwords securely to minimize dictionary attacks. Passwords must be changed regularly (every 90 days). This is technically mandated by the use of a password management system.

All relevant systems, including notebooks, are encrypted with a strong password (minimum 20 characters, changed at least every 90 days, preventing dictionary attacks). Mobile storage devices are also encrypted. A regular security check (including viruses and malware) is conducted.

Remote access to security-relevant systems can only be done via VPN access.

Various systems and measures, such as the use of firewalls, restrictive rights management, encryption, "Threat Detection Software", and "Intrusion Detection Systems" are used in the cloud to prevent third-party access to the servers. Our carefully selected subcontractors who come into contact with personal data are externally certified and have concluded a Data Processing Agreement (DPA) with us. In particular, Microsoft is certified for the Azure services we use according to ISO27001.

Employees are encouraged to establish an automatic screen lock through IT security training, which occurs upon employee entry and at regular intervals, and to manually lock the screen when leaving their workplace.

Access Control

Access to data and systems is granted according to the "Principle of Least Privilege": Employees only have access to information, data, and systems that they absolutely need to perform their work. This minimizes the number of authorized users and administrators in each system. The granting and revocation of permissions are documented by management. Permissions are re-evaluated upon changes in roles and responsibilities.

Access to local systems as well as access to cloud servers are logged. In principle, storage media are managed by our certified cloud providers. Storage media that are no longer used and managed by us will be securely destroyed by an external provider. No paper documents are generated in operational activity.

Separation

Customer data and all other data are completely isolated systemically. Within the customer data database, cross-access (by customers with access to the system to data of other customers) is excluded through technical methods such as tagging.

Development, testing, and production environments are completely isolated from each other through the use of separate environments with independent resources.

Pseudonymization & Encryption

All data is encrypted during transport using modern encryption technologies (HTTPS, SSL/TLS). Backup copies are also encrypted to ensure data security. Logged IP addresses are anonymized.

Copyright

The contents of this website are subject to copyright, unless otherwise indicated, and may not be distributed, modified, or copied in whole or in part without the prior written consent of branchly GmbH. The images integrated into this website may not be used without prior written consent of branchly GmbH. Images contained on the websites are partly subject to third-party copyright. As far as the content on this page is not created by the operator, the copyrights of third parties are observed. In particular, third-party content is marked as such. If you become aware of any copyright infringement, we ask you to provide appropriate notice. Upon becoming aware of legal violations, we will promptly remove such content.

2. Integrity

Input Control

By targeted user role assignment, it can be traced which users have the ability to enter, change, or delete personal data. Individual actions within the systems are not logged.

Transfer Control

All data is transported in a digitally encrypted format according to modern security standards (HTTPS; SSL/TLS). No physical transport of the data takes place, as this is a purely digital solution.

Upon completion of the order, all accounts associated with the client will be deleted and all associated data will be removed from the systems. This can be confirmed in writing by branchly at the client's request.

3. Availability and Resilience

Redundant server systems in different geographical locations (so-called availability zones) ensure high availability. The server rooms are air-conditioned and equipped with fire and smoke detectors, temperature and humidity sensors, and fire extinguishers. In addition, there is a UPS. Access to the server rooms is monitored by video surveillance and alarm-secured.

All systems and databases are redundantly constructed to prevent data loss. Regular data backups both in the cloud (provider: Microsoft Azure Cloud Services platform) and locally are the basis for rapid data recovery in the unlikely event of a complete system failure. Backups in the cloud are performed automatically at 30-minute intervals. All backups are encrypted.

There is an IT emergency plan.

4. Procedures for regular review, evaluation, and assessment

Employees are contractually obligated to handle personal data carefully.

An internal data protection officer (Mr. Markus Linnenberg, Auerfeldstraße 18, 81541 Munich, E-Mail: datenschutz@branchly.io) has been appointed.

No more personal data is collected than is necessary for the respective purpose. Subcontractors are selected with regard to due diligence (especially concerning data protection and data security).

A Data Processing Agreement is concluded with the subcontractors.

branchly®