General technical and organizational measures
pursuant to Art. 32 para. 1 GDPR
Introductory provisions
Invitario must establish the security required under Art. 28 para. 3 lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 para. 1 and para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems.
The technical and organizational measures are subject to technical progress and further development. In this respect, Invitario is permitted to implement alternative adequate measures, provided that the security level of the measures defined here is not undercut. Significant changes must be documented.
General technical and organizational measures (TOM)
Since the Contractor operates the Invitario Internet service exclusively on the infrastructure of the sub-processor Amazon Web Services EMEA SARL (AWS), a provider specializing in external server hosting, at its Frankfurt am Main location, and no personal data of participants is stored or processed on the Contractor’s premises, the following TOMs are limited to the security measures taken by the Contractor on its own premises.
Information on the TOM for external server hosting can be found at:
https://aws.amazon.com/de/compliance/data-center/controls/
The sub-processors used by Invitario are available at:
https://support.invitario.com/portal/kb/articles/sub-auftragsverarbeiter
The Contractor encrypts all personal data in the Invitario Internet service securely (256-bit) using the AWS Key Management Service (KMS), so that unauthorized access to this data is impossible.
In addition, the Contractor shall take the following measures:
1. Physical access control
Measures to prevent unauthorized persons from gaining access to data processing systems that are used to process personal data:
- Handover of keys to employees with a handover protocol
- Door security (electric door opener, bar lock anchored in the floor and ceiling)
- Double security lock on the office door
- Careful selection of service providers and sub-processors
2. System access control
Measures to prevent data processing systems from being used by unauthorized persons:
- All systems are password-protected
- Secured access to the development and administration area via a password procedure (including special characters and a minimum length)
- Organizational measures upon termination of an employment relationship (the employee’s access is deleted)
- A separate user master record is set up for each user
- Data is transmitted exclusively via an SSL-encrypted connection
3. Data access control
The authorization concept and access rights, as well as their monitoring and logging, are assigned according to need.
4. Transfer control
Measures to ensure that personal data cannot be read, copied, modified or deleted without authorization during electronic transmission or storage on data carriers, and that it is possible to determine to which recipients personal data is to be transmitted within the IT system.
The exchange of personal data takes place exclusively within the systems of the Contractor and, if applicable, its sub-processors. Data is transferred between the individual systems either locally or via an SSL-encrypted data connection.
Personal data is not altered in the course of transfer and processing and remains intact, complete and up to date. The Contractor shall do everything necessary to prevent data from being falsified or incorrect data from being processed. At the same time, it ensures that changes to data can be traced.
5. Input control
Measures for retrospectively checking whether, and by whom, data has been entered, changed or removed (deleted). Personal data can be assigned to its origin at any time and can only be created and/or processed by the participant, the client (and its users) and by Invitario’s user support. Each change is documented with the user and a timestamp. In addition, log files are used for logging.
6. Order control
Measures to delimit the responsibilities of the client and the Contractor. The Contractor shall take the following measures to ensure that the data to be processed under the order is processed only in accordance with the order confirmation:
- Clear contract design
- Formalized order placement (order confirmation)
- Criteria for selecting the contractor
- Confidentiality and data protection agreement with service providers
7. Availability control
The measures to protect personal data against accidental destruction or loss are described here: https://aws.amazon.com/de/security/
8. Separation control
Measures for the separate processing (storage, modification, deletion, transmission) of data collected for different purposes: The Contractor’s systems are used by several clients simultaneously (multi-client capability) and ensure a logical separation of the clients’ data. At the same time, the systems are physically separated by function into a development system, a test system and a production system.
Payment processing data is neither processed nor stored by the Contractor. Processing takes place exclusively via the means of payment selected by the buyer. Invitario saves only the time and status of the transaction.