top.legal is an end-to-end platform for collaboration and management of contracts that helps companies close contracts faster.
Status: 20.11.2020
If you want
The following document is only intended to explain legal requirements relating to data protection. The rights and obligations of the parties arise solely from the contractual agreements and the legal provisions on data protection. In this respect, no claims can be derived from this document. Technical and/or organizational changes that have no influence on the fulfilment of the legal requirements of the GDPR in its current version do not require the contractual partner to be informed separately.
top.legal GmbH (hereinafter “top.legal”) has taken the following technical and organizational measures for data security within the meaning of Article 32 GDPR:
1.
This includes measures that are suitable for preventing unauthorised persons from accessing data processing systems with which personal data is processed or used.
The offices of top.legal are located in an office building in Munich. The entrances to the office building and also to the offices of top.legal are closed day and night. Only the landlord and the tenants of the office space have access to the office building. An electronic locking system is used, which is managed by the landlord. Unauthorized persons are not allowed to access top.legal's premises. All persons who have access to the offices are recorded electronically.
The presence of people on top.legal's premises is recorded via attendance records.
An employee is only granted access rights when this has been requested by the respective manager and/or the HR department. When granting authorizations, the principle of necessity is taken into account.
Visitors are only allowed access to the office building and then to the offices after the door has been opened through the reception. The front desk can see the front door and ensures that every visitor reports to the reception.
Each visitor is recorded in a visitor book and then accompanied by the receptionist to their respective contact person. Visitors are not allowed to move freely in the offices without supervision.
Our own data centers and server rooms are not located on top.legal's premises.
2.
Access control prevents top.legal's data processing systems from being used by unauthorised persons. Even if a person who has passed physical access control is already in a room in which a top.legal data processing system is located, it is ensured that only persons authorised to do so may use that system. It is always possible to trace who used which data processing system and when.
The following measures have been taken by top.legal for access control:
2.1
In order to gain access to IT systems, users must hold the appropriate access authorization. These authorizations are assigned by administrators, and only once the respective supervisor has requested them; the request can also be submitted via the HR department or management.
2.2
Every top.legal user receives a user name and an initial password, which must be changed the first time they log on. The password requirements include a minimum password length of 12 characters, and the password must consist of upper/lowercase letters, numbers and special characters. Passwords are changed every 90 days. The password history of the individual users is stored. This ensures that passwords that have been used once cannot be used again. All employees are required to lock their IT systems when they leave them. Passwords are always stored in encrypted form.
2.3
All login attempts on all IT systems are logged. If an incorrect entry is made 3 times, the respective user account is usually blocked.
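The password rules of 2.2 and the lockout and logging rules of 2.3 together describe one small account-handling policy. The following is an added example, not top.legal's code, that enforces those rules on a constructed account: minimum length of 12 characters, all four character classes, a forced change of the initial password, a 90-day maximum age, a password history that refuses reuse, a log entry for every login attempt and a lock after three incorrect entries. The salted PBKDF2 storage scheme, the history depth of 12 and all sample passwords are assumptions; the document only states that passwords are stored in encrypted form and that a history is kept.

```python
# Added example, not top.legal's code: enforces the password rules of 2.2
# (12+ characters, four character classes, 90-day rotation, no reuse) and the
# login rules of 2.3 (every attempt logged, lock after 3 failures).
# The storage scheme, the history depth and all sample data are assumptions.
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12                 # 2.2: minimum password length
MAX_AGE = timedelta(days=90)    # 2.2: passwords are changed every 90 days
HISTORY_DEPTH = 12              # assumption: the document does not say how many old passwords are kept
MAX_FAILURES = 3                # 2.3: account is blocked after 3 incorrect entries

# 2.2: upper case, lower case, digits and special characters are all required
CHARACTER_CLASSES = [re.compile(p) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; the document only says passwords are stored in
    encrypted form, so the concrete scheme is an assumption."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_complexity(password):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(cls.search(password) for cls in CHARACTER_CLASSES):
        problems.append("must contain upper and lower case letters, digits and special characters")
    return problems


class Account:
    def __init__(self, username, initial_password, now):
        self.username = username
        self.history = []          # (salt, digest) pairs, newest last; the newest is the current password
        self.changed_at = now
        self.must_change = True    # 2.2: the initial password must be changed at first login
        self.failures = 0
        self.locked = False
        self.log = []              # 2.3: every login attempt is recorded here
        self._store(initial_password, now)

    def _store(self, password, now):
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def set_password(self, new_password, now):
        """Apply the 2.2 rules; returns the list of violations (empty on success)."""
        problems = check_complexity(new_password)
        if any(self._matches(new_password, e) for e in self.history):
            problems.append("password was used before")   # 2.2: the history prevents reuse
        if problems:
            return problems
        self._store(new_password, now)
        self.must_change = False
        return []

    def password_expired(self, now):
        return now - self.changed_at >= MAX_AGE

    def login(self, password, now):
        """Return 'ok', 'change-required', 'failed' or 'locked'; the attempt is always logged."""
        if self.locked:
            status = "locked"
        elif self._matches(password, self.history[-1]):
            self.failures = 0
            status = "change-required" if self.must_change or self.password_expired(now) else "ok"
        else:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True     # 2.3: the third incorrect entry blocks the account
            status = "failed"
        self.log.append((now.isoformat(), self.username, status))
        return status


def run_demo():
    """Walk one constructed account through the rules and return the observed statuses."""
    now = datetime(2020, 11, 20, 9, 0)
    acct = Account("alice", "Initial!Pass2020", now)
    results = [acct.login("Initial!Pass2020", now)]                          # initial password: must change
    results.append(acct.set_password("Initial!Pass2020", now) == ["password was used before"])
    results.append(acct.set_password("Tr0ub4dor&Horse!", now) == [])
    results.append(acct.login("Tr0ub4dor&Horse!", now))                       # ok
    results.append(acct.login("Tr0ub4dor&Horse!", now + timedelta(days=91)))  # older than 90 days: change
    for _ in range(MAX_FAILURES):
        results.append(acct.login("wrong password", now))                     # failed three times: locked
    results.append(acct.login("Tr0ub4dor&Horse!", now))                       # correct password, but locked
    results.append(len(acct.log))                                             # every attempt was logged
    return results


if __name__ == "__main__":
    print(run_demo())
```

The lock is deliberately not lifted by a correct password afterwards; unlocking is an administrative step, which matches the document's statement that the account "is blocked". Keeping the whole history as salted hashes, rather than the passwords themselves, lets the reuse check run without ever storing a reusable secret.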
2.4
Two-factor authentication provides additional security at login: it requires further proof of the user's identity by combining two different and, in particular, mutually independent components.
2.5
Remote access to top.legal's IT systems is always carried out via encrypted connections.
2.6
All access to data and to the applications used to process data is logged in an audit-proof (tamper-evident) audit log. The location, date and user ID of the top.legal employee are recorded. The logs can only be viewed by top.legal administrators.
2.7
In the event of employee departure, HR managers immediately inform the IT administration of upcoming changes so that the IT administration can revoke appropriate authorizations. The revocation of authorizations must have been carried out within 24 hours of an employee leaving the company.
3.
This includes measures which ensure that those authorized to use a data processing system can only access the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.
top.legal ensures that authorized persons can only access the data for which they hold access authorization (need-to-know principle) and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage. Access to personal data is recorded in the system's log files in a tamper-proof manner. If an authorized person is in a room with a data processing system and uses the system, it is ensured that they can only access the data for which they hold the appropriate authorization (authorization concept). This makes it possible to trace who accessed which data and when.
Authorizations for top.legal IT systems and applications are set up exclusively by administrators. The prerequisite for authorization is a corresponding request for authorization for an employee by a manager. The application can also be submitted to the Human Resources Department.
There is a role-based authorization concept with the option of differentiated allocation of access authorizations, which ensures that employees receive access rights to applications and data depending on their respective area of responsibility and, if applicable, on a project-based basis. In addition, individual files can be approved by the administrator if necessary. In order to grant approval, an application must be submitted by the supervisor or the managing director.
Data carriers and paper are destroyed by a service provider who ensures destruction in accordance with DIN 66399. All top.legal employees are instructed to place documents containing personal data and/or project information in the destruction containers provided for this purpose.
For the processing of personal data, top.legal employees are required to use only tested and approved application software. Employees are generally prohibited from installing unapproved software on IT systems.
Personal data is stored on secure, GDPR-compliant data servers. Saving data to local disks is not provided for; local storage of data on a local disk requires approval by the manager.
All server and client systems are regularly updated with security updates.
4.
All IT systems that top.legal uses for customers are multi-tenant capable. The separation of data belonging to different customers is always guaranteed.
5.
Administrative access to server systems generally only takes place via encrypted connections.
In addition, data is stored on server and client systems on encrypted data carriers. Appropriate encryption systems are in use.
6.
This includes measures that ensure that it is possible to subsequently check and determine whether and by whom personal data has been entered, changed or removed from data processing systems.
The entry, amendment and deletion of personal data processed by top.legal on behalf of top.legal is generally logged.
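Sections 2.6, 3 and 6 all rest on the same building block: a log of who entered, changed, read or removed which data, when and from where, stored in a way that a later edit cannot go unnoticed. The following is an added example, not top.legal's code, of a minimal hash-chained audit log that provides this: every record's hash also covers the previous record's hash, so rewriting or removing an earlier record breaks the chain, and `verify()` reports the first broken entry. The field names, the record layout and the sample records are constructed for illustration.

```python
# Added example, not top.legal's code: a minimal hash-chained audit log of the
# kind described in 2.6, 3 and 6. Each record stores user ID, action, target,
# timestamp and location, and every record's hash covers the previous hash, so
# a later edit or deletion breaks the chain and is detected by verify().
# Field names and the sample records are constructed for illustration.
import hashlib
import json

GENESIS_HASH = "0" * 64   # anchor for the first record


def _record_hash(prev_hash, record):
    # canonical JSON so that the same record always yields the same digest
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # each entry: {"record": {...}, "hash": "..."}

    def append(self, user_id, action, target, timestamp, location):
        """Record who did what to which data, when and from where (2.6)."""
        record = {"user": user_id, "action": action, "target": target,
                  "ts": timestamp, "location": location}
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"record": record, "hash": _record_hash(prev_hash, record)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if _record_hash(prev_hash, entry["record"]) != entry["hash"]:
                return False, i
            prev_hash = entry["hash"]
        return True, None

    def history_of(self, target):
        """Who accessed or changed a given data item, and when (3 and 6)."""
        return [(e["record"]["ts"], e["record"]["user"], e["record"]["action"])
                for e in self.entries if e["record"]["target"] == target]


def build_sample_log():
    """Four constructed records for one working day."""
    log = AuditLog()
    log.append("u-0042", "read",   "contract/1234", "2020-11-20T09:15:00Z", "Munich office")
    log.append("u-0042", "update", "contract/1234", "2020-11-20T09:17:30Z", "Munich office")
    log.append("u-0007", "read",   "contract/5678", "2020-11-20T10:02:11Z", "remote/VPN")
    log.append("u-0007", "delete", "contract/1234", "2020-11-20T10:05:40Z", "remote/VPN")
    return log


def run_demo():
    """Return the verification results for an intact, an edited and a truncated log."""
    intact = build_sample_log().verify()

    edited = build_sample_log()
    edited.entries[1]["record"]["user"] = "u-0099"   # someone rewrites who made the update
    edited_result = edited.verify()

    truncated = build_sample_log()
    del truncated.entries[2]                          # someone removes a record from the middle
    truncated_result = truncated.verify()

    return {"intact": intact, "edited": edited_result, "truncated": truncated_result}


if __name__ == "__main__":
    print(run_demo())
    print(build_sample_log().history_of("contract/1234"))
```

One caveat a reviewer should keep in mind: the chain detects edits and deletions inside the log, but not the removal of the most recent records, because nothing after them references their hashes. In practice the latest hash is therefore published or stored out of band, for example by the administrator-only viewer the document mentions, so that truncation at the tail is also detectable.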
Employees are required to always work with their own accounts. User accounts may not be shared with or passed on to other people.
7.
Measures to ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it is possible to check and determine to which places a transfer of personal data through data transmission devices is intended.
Personal data processed on behalf of top.legal customers may only be passed on to the extent agreed with the customer or to the extent necessary to provide the contractual services to the customer.
All employees working on a customer project are instructed on the permitted use of data and the modalities of data transfer. As far as possible, data is transmitted to recipients in encrypted form.
Employees are prohibited from using private data carriers in connection with customer projects. If employees leave, any existing access rights to transfer data will be revoked.
Employees at top.legal are regularly trained on data protection topics. All employees are required to handle personal data confidentially.
8.
top.legal ensures that personal data is protected against destruction or loss. The availability of data is regularly checked, i.e. it is ensured that the personal data is made available to a specified extent at fixed times. The availability itself meets legal and operational requirements, so that, for example, maintenance windows for the servicing and maintenance of systems and software do not have a negative impact on ongoing operation.
top.legal uses a cloud service provider to store and manage personal data and to provide servers, and does not operate its own servers on its own premises. top.legal regularly verifies the suitability and security of the services provided and checks any existing certifications issued by the test centers used.
9.
All data from top.legal is stored in encrypted form, both when it is on a local data carrier, stored on backup media, or when it is transferred over the Internet.
Personal data is always available in multiple redundant form in independent data centers, i.e. the data is mirrored and locally separated.
Data on top.legal's server systems is backed up incrementally at least daily and in full weekly. The backup data is encrypted and is stored and managed separately in logically separate cloud storage. Restoring from backups is regularly tested.
The data centers used are designed to anticipate and tolerate functional failures while maintaining service levels. If a functional failure occurs, data traffic is diverted from the area affected by the failure to another area. If there is a functional failure in a data center, sufficient capacity is available so that data traffic can be distributed among the remaining locations.
10.
Access to the data centers used by top.legal is regularly reviewed by the operator. Physical access points to server rooms are monitored by CCTV cameras with recording capabilities. Recordings are stored in accordance with regulatory and compliance requirements.
11.
Physical access is controlled by professional security personnel at the building entrances. Monitoring, alarm systems and other electronic devices are used for this purpose. Authorized personnel gain access to data centers via multi-factor authentication mechanisms. The entrances to the server rooms are secured with devices that trigger an alarm if the door is broken open or kept open.
Electronic intrusion detection systems are installed in the data layer; they detect security-relevant events and automatically alert the responsible employees. The entrances and exits of the server rooms are secured by devices at which personnel must pass multi-factor authentication before they can enter or leave the room. These devices trigger an alarm when the door is broken open or kept open without authorization. The door alarm systems are configured to detect when someone enters or leaves the data layer without multi-factor authorization, in which case an alarm is triggered immediately.
12.
Media storage devices on which personal data is stored are classified as critical by the data center operator and are therefore handled with the highest priority throughout their entire life cycle. The data center operator has standards for how the devices are installed, operated and, once they are no longer in use, destroyed. When a storage device has reached the end of its life cycle, it is decommissioned in accordance with certified techniques. Media on which customer data was stored are only released after decommissioning has been completed.
13.
The electrical systems of the data centers used are designed to be fully redundant and to be maintainable without impairing operations. In addition, the data centers are equipped with an emergency power supply that keeps critical facility loads running in the event of a power failure.
The data centers used have air-conditioning systems to control the operating temperature for servers and other hardware to prevent overheating and reduce the risk of service outages. Temperature and humidity are monitored and regulated in an appropriate manner by personnel and technical systems.
The data centers are equipped with automatic fire detection and suppression equipment. The fire detection systems use smoke sensors in networking, mechanical and infrastructure areas. These areas are also protected by fire suppression systems.
In order to be able to detect water leaks, the data centers are equipped with water detection sensors. If water is detected, it is removed to prevent additional water damage.
14.
The data centers used by top.legal are designed to anticipate and tolerate functional failures while maintaining service levels. If a functional failure occurs, data traffic is diverted from the area affected by the failure to another area. An N+1 standard applies to important applications. If there is a functional failure in a data center, sufficient capacity is available so that data traffic can be distributed among the remaining locations.
Critical system components are backed up at multiple, isolated locations (called availability zones). Each availability zone is designed to operate independently with a high level of reliability. The availability zones are interconnected, which allows applications to be set up for automatic, non-disruptive failover between availability zones. Highly fault-tolerant systems and the resulting service availability are part of the system design.
Threat and vulnerability checks of the data centers are also carried out regularly by the operator. The ongoing assessment and prevention of potential vulnerabilities is carried out through the risk assessment activities of the data centers. Regional regulatory and environmental risks are also taken into account.
An operator's business continuity plan includes measures to prevent and reduce disruptions caused by environmental influences. The plan provides operational details of the measures that will be taken before, during, and after a corresponding event. The business continuity plan is supported by tests that also include simulations of various scenarios.
15.
As part of order control, it is ensured that personal data processed under a contract is processed only on the basis of that contract and in accordance with the instructions of the client (the controller).
When external service providers or third parties are involved, top.legal's data protection officer concludes an order processing contract (data processing agreement) in accordance with the requirements of applicable data protection law, following a prior audit. Contractors are also reviewed regularly during the contractual relationship.
16.
Already during software development, top.legal ensures that the principle of necessity is taken into account, including in user interfaces. For example, form fields and screen masks can be designed flexibly: fields can be made mandatory or partially deactivated.
The top.legal software supports input control through a flexible and customizable audit trail, which enables the immutable storage of changes to data and to user authorizations. Authorizations for data or functions can be set flexibly and granularly.
17.
Data protection management is implemented at top.legal. There is a policy on data protection and data security, together with guidelines that ensure the implementation of the policy's objectives.
The Data Protection and Information Security Team (DST) has been set up to plan, implement, evaluate and make adjustments to measures in the area of data protection and data security.
The effectiveness of the guidelines is regularly evaluated and amended.
In particular, it is ensured that data protection incidents are recognised by all employees and reported immediately to the DST, which investigates the incident without delay. Insofar as data processed on behalf of customers is affected, care is taken that the customers are immediately informed of the nature and extent of the incident.
When processing data for own purposes, if the requirements of Article 33 GDPR are met, a notification will be made to the supervisory authority within 72 hours of becoming aware of the incident.