
Technical and organizational measures (EN) Version 4.0 (11.05.2021)

Technical and organizational measures (EN)

The Processor (hereinafter referred to as XQueue GmbH) shall take the following technical and organizational measures for data security in accordance with Art. 32 DSGVO (GDPR):

1. Confidentiality

1.1 Access control (facilities)

The premises of the Processor at Christian-Pless-Str. 11-13, 63069 Offenbach am Main, are located on the 2nd upper floor (OG 2) of an office building used exclusively for business purposes.

The premises of the office at Rehlingstr. 6d, 79100 Freiburg im Breisgau, are located on the 6th upper floor (OG 6) of an office building used exclusively for business purposes.

All entrances are adequately secured against unauthorized access, which means that:

● all external doors are equipped with a manual and technical locking system and are locked as a matter of principle;

● the keys provided to employees are registered on a personal basis and the issue of keys is acknowledged in writing;

● visitors are only allowed to move around the premises when accompanied by a member of staff;

● third-party personnel, especially for cleaning and maintenance tasks, are carefully selected;

● there are stipulations regarding access authorization and visitor regulation (visitor management);

● all external doors and entrances to critical areas (e.g., server rooms) are under 24/7 video surveillance.

As part of data center operations, care is taken to ensure that:

● access to the data center is only permitted to authorized persons;

● access is secured by a physical (RFID chip) and a knowledge-based (PIN) identification feature. A distinction is made between permanently assigned access authorizations and those deposited with the security service for collection. For access authorizations deposited for collection, authorization is verified by checking the ID card presented. The data is deposited with a security service (whitelist), thus ensuring that only authorized persons can enter the data center;

● access to the individual customer cabinets or areas is only possible by the customer and the responsible personnel;

● the access control systems as well as the alarm systems are secured against power failure by means of a UPS and a backup power supply system;

● the data center, in particular access to security areas, is equipped with video surveillance;

● the data center is regularly inspected by a security service within specified time windows. The points to be checked by the security service in the data centers are defined. Any anomalies are reported. The specified routes taken by the security personnel are logged.

1.2 Access control (systems)

Authenticated user identification is ensured in particular by the following measures:

● all technical systems (centralized and decentralized) are protected by hardware and software firewalls;

● the existing virus protection (anti-virus software) is maintained and updated;

● access to server rooms is only allowed to a limited number of people (restricted area);

● employees work exclusively with personalized user profiles, which require an alphanumeric password of at least 8 characters that must be changed at least every three months;

● screens are automatically locked after 5 minutes at the latest, and accounts are locked for 30 minutes after more than five unsuccessful login attempts;

● VPN technology (SSL/TLS) is used;

● mobile data carriers (laptops) are separately encrypted.


1.3 Access control (data processing)

Unauthorized activity in data processing systems outside of granted authorizations is prevented in particular by the following measures:

● access rights (for both users and administrators) are based on task-related and data protection requirements;

● access to applications (entry, modification and deletion) is logged and can be evaluated (for at least 14 days);

● protection against unauthorized internal and external access is provided by encryption and firewalls (see 1.2 Access control (systems)).

1.4 Segregation

Separate data processing is ensured by:

● exclusion of physical access through dedicated rights and duties;

● clear separation and traceability of customer access (logical separation by individual user profile with password protection);

● separate processing of data earmarked for specific purposes.

1.5 Pseudonymization & Encryption

The transmission of personal data is encrypted. Pseudonymization does not take place; where deletion is not possible for legal or other reasons, anonymization takes place. Encryption procedures and password assignment are carried out according to the state of the art.

2. Integrity

2.1 Entry control

The control of inputs is ensured by:

● logging and traceability of entries, changes and deletions of data (through log files);

● access rights (for both users and administrators) based on task-related and data protection requirements.


2.2 Transfer control

Control of the transfer of personal data is implemented by the following measures:

● VPN technology (SSL/TLS) is used for data communication;

● e-mail messages or other information are always sent in encrypted or anonymized form;

● suitable transport persons or companies are carefully selected for physical transport.

3. Availability and resilience

To ensure availability, XQueue GmbH has ensured that:

● there is an uninterruptible power supply (UPS);

● premises are divided into fire compartments equipped with individual fire protection devices (fire and smoke detection systems; fire extinguishers);

● air-conditioning systems are in place;

● an emergency management system with a recovery plan is in place.

Within the scope of data center operation, particular attention is paid to ensuring that:

● the power supply is ensured by redundancies (emergency power generators as well as UPS systems with n+1 redundancy; bridging time of at least 15 min. until the emergency power generators restore the power supply; start-up time incl. load transfer 1-2 min.);

● the data center is equipped with room air conditioning (average temperature 22 °C ±4 °C, redundantly designed (n+1); the installed air filters comply with DIN EN 779 G4);

● the data center has structurally separated fire compartments; a fire alarm system and an early fire detection system are installed in the premises;

● the flood and earthquake criticality has been tested in accordance with DIN.

4. Procedures for regular review, assessment and evaluation

The Contractor has committed itself to the following data protection standards:

● development of an IT security and data protection concept;

● regular review and updating of the IT security and data protection concepts (at least 1x per year);

● production of internal data protection and security guidelines (policies) and work instructions;

● appointment of an internal data protection officer;

● regular monitoring by the data protection officer;

● regular notices and reminders to promote awareness of problems;

● regular data protection training for employees (at least 1x per year);

● occasional unannounced checks on compliance with data protection and data security measures.

The Contractor guarantees that the services are provided in German data centers and in compliance with German data protection law.

The Contractor's services shall also be based as far as possible on the specifications of the ISO 27001 standard. The workflow for approaching and meeting the standards is based on the ITIL framework. In addition, the Contractor follows the processes required by ISO 20000 (preparation for certification; in particular Incident & Service Request Management; Problem Management; Business Relationship Management; Budgeting and Accounting for Services; Service Level Management; Capacity Management; Design and Transition of new or changed Services; Change Management; Release and Deployment; Configuration Management; Information Security Management; Service Continuity and Availability; Supplier Management; Conducting internal audits). The Contractor has also designed the operational service components (storage systems/InfiniBand switches and uplink routers/switches) with double redundancy in accordance with the generally recognized rules of science and technology.

5. Subcontractors

XQueue GmbH engages the following subcontractors for data processing. In doing so, the Processor verifies and guarantees that all subcontractors meet the same requirements for secure and confidential processing as the client and the Processor itself. In this context, this document serves as a specification of the minimum security requirements, which each subcontractor must demonstrate and confirm in an appropriate manner. XQueue GmbH concludes a data processing agreement with each subcontractor in accordance with the GDPR.


5.1 Other processors within the meaning of Art. 28 DSGVO

XQueue GmbH also uses the services of third parties ("subcontractors") for the processing of data on behalf of XQueue GmbH.

These are the following companies:

Service provider: Hetzner Online GmbH, Sigmundstraße 135, 90431 Nürnberg
Subject and purpose of data processing: Data center (Hosting)
Certification / Verification: ISO/IEC 27001:2013

5.2 Service providers that are not processors according to Art. 28 DSGVO

XQueue GmbH also uses the services of third parties in connection with its data processing, but these third parties do not process personal data on its behalf.

These are the following companies that are not considered processors under the GDPR, but are listed here for transparency reasons:

Service provider: Claranet GmbH, Hanauer Landstraße 196, 60314 Frankfurt am Main
Subject and purpose of data processing: Data center (Housing¹)
Certification / Verification: ISO/IEC 27001:2013

Service provider: Amazon Web Services (AWS), EU (Frankfurt am Main², Germany)
Subject and purpose of data processing: Data center (Hosting)
Certification / Verification: ISO/IEC 27001:2013

¹ Housing: XQueue GmbH exclusively operates its own hardware and software in the premises of a data center. The data center operator and its employees have no access to these systems. XQueue GmbH only uses the infrastructure of the data center.

² For security reasons, Amazon does not disclose a specific address. In principle, XQueue never processes personal data or data transmitted by customers at Amazon; for example, only company IP address pools for sending e-mails are managed there.


6. Versions

Person responsible for documents: Data Protection Officer XQueue GmbH Contact: [email protected]

Version  Date      Changes                                                              Author
0.1      Oct 2018  Draft                                                                DPO
1.4      Oct 2018  Additions                                                            DPO
1.5      Mar 2019  Update CCTV                                                          DPO
1.6      Apr 2020  -                                                                    DPO
1.7      Jun 2020  Updated subcontractors                                               DPO
4.0      May 2021  Change of subcontractor; change to document auto-versioning by ZOHO  DPO
