TECHNICAL AND ORGANIZATIONAL MEASURES
Last updated on October 24, 2025.
Technical and organizational security measures implemented by the processor to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks to the rights and freedoms of natural persons:
Organizational measures:
- Risk Management Policy based on the requirements of the internationally recognized ISO/IEC 27005 standard and the BSI standard 200-3 of the German Federal Office for Information Security, and Auditing Policy describing the requirements for internal auditing and the auditing of service providers.
- Internal IT and IT security governance and management
- Information Security Policy describing which information security regulations must be observed by all employees of deltaDAO AG.
- Organization of Information Security Policy describing the organization of information security at deltaDAO AG in terms of roles, responsibilities, core information security processes, and ensuring continuous improvement.
- Secure Development Policy based on the BSI's guidelines for secure web development and the guidelines and recommendations of the Open Web Application Security Project (OWASP) and describing security requirements for all (web-based) applications or application components.
- Classification of Information Policy ensuring that all employees handle information securely by setting out criteria according to which employees assess, classify, and label information with regard to its confidentiality. It also sets out requirements for how information must be handled depending on its confidentiality classification.
- Access management
  - Access to data and systems is regulated and described in guidelines and processes including the Personnel and Authorization Management Policy, Secure IT Operations Policy, Authorization Management Process, and Personnel Security Process.
  - Implementation of the need-to-know principle.
- Managing incidents
  - Managing Security Incidents Policy.
  - Personal data breach response and notification procedure.
  - Procedure for processing requests of data subjects to exercise their rights.
- Persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Conducting regular data protection training and information security training for all employees.
- All new product implementations and planned changes to existing product implementations affecting personal data are always reviewed in terms of data protection law prior to implementation and carried out with the involvement of the data protection officer, ensuring that the data minimization and purpose limitation principles are met, so that:
  - Processed personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  - Personal data is processed only for the specified, explicit and legitimate purposes.
  - Personal data is processed for the minimum time necessary and deleted in accordance with deltaDAO's Data Retention Policy.
- Adequate personal data processing by suppliers, service providers, and external companies.
  - Suppliers, Service Providers, and External Companies Policy, which outlines the requirements for third parties that supply services and products.
  - Selection of sub-processors providing sufficient guarantees to implement appropriate technical and organizational measures.
  - Conclusion of Data Processing Agreements with sub-processors.
- Organization and User Data is stored by ISO 27001 certified hosting provider(s) located within the EU or in countries for which an adequacy decision is in place.
Technical measures:
- Implemented suitable measures for user identification and authorization.
  - User authentication, including two-factor authentication where adequate.
  - Use of unique credentials per user.
- Implemented measures for the protection and confidentiality of data during transmission.
  - Secure transmission between client and server and to external systems using industry-standard encryption.
- Implemented measures for the protection and confidentiality of data during storage.
  - Stored data is encrypted where appropriate, including any backup copies of the data.
- Implemented measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  - Backup Concept.
  - Distributed data storage across multiple availability zones.
- Implemented measures for ensuring the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
- Implemented measures for ensuring event logging.
  - Logging of transmissions of data from IT systems that store or process personal data.
- Implemented measures that prevent data processing systems from being used without authorization.
  - Automatic account locking.
  - Suspending inactive sessions.
- Implemented measures to ensure that data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately.
  - Segregation of responsibilities and roles.