
Technical and organizational measures pursuant to Article 32 GDPR

Wikando GmbH
Peter Kral (Managing Director)
Schießgrabenstraße 32
86150 Augsburg
Germany
Phone: +49 821 66609000l
Email: info@fundraisingbox.com

Status: 11/22/2023

1. Introduction and general conditions

1.1 Introduction

Organizations that collect, process, or use personal data themselves or on their behalf must take the technical and organizational measures (TOMs) necessary to ensure compliance with the provisions of data protection laws. Measures are only necessary if their cost is proportionate to the intended protective purpose.

1.2 Company & authority

The following provisions represent the data protection concept of the

Wikando GmbH
Peter Kral (Managing Director)
Schießgrabenstraße 32
86150 Augsburg
Germany

Phone: +49 821 66609000l
Email: info@fundraisingbox.com

1.3 External data protection officer

Data protection consulting Mundanjohl

Andreas Mundanjohl
Zeller Strasse 30
73101 Aichelberg
Germany

Phone: +49 821 90782120
Email: datenschutz@mundanjohl.de

2. Technical and organizational measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

2.1 Guarantee of confidentiality

2.1.1 Access control

These are measures suitable for preventing unauthorized access to data processing systems with which personal data is processed or used.

Measures: Review and evaluation of the mobile workplace.

2.1.2 Access control

These are measures suitable for preventing data processing systems (computers) from being used by unauthorized persons.

Measures:

  • General data protection and/or security policy
  • “Manual desktop lock” instructions
  • Antivirus software
  • Application of 2-factor authentication
  • Automatic desktop lock
  • Use of a software firewall
  • Use of VPN for remote access
  • Login with username and password
  • Mobile Device Policy
  • Password assignment
  • “Secure Password” guidelines that are appropriate to the identified level of protection
  • Encryption of notebooks/tablets
  • User authorization management
  • Rights managed by a system administrator
  • Assignment of user profiles to IT systems
  • Assignment of user rights
  • Authentication with SSH keys
  • Intrusion detection systems
  • “Clean Desk” policy
  • Access blocking after more than three login attempts

2.1.3 Access control

These measures ensure that persons authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified, or removed without authorization during processing, use, and after storage.

Measures:

  • Data carrier inventories
  • Granular access permissions (applications)
  • Granular access permissions (operating system)
  • Granular access permissions (data)
  • Minimize the number of administrators
  • Use of disposal companies for the disposal of data carriers
  • Use of written authorization concepts
  • Deletion log
  • Logging the output of data carriers
  • Guidelines for the disposal/destruction of data carriers that are no longer in use
  • Managing user rights by administrators
  • Manual log evaluation

2.1.4 Separation control

These measures ensure that data collected for different purposes can be processed separately, for example, by logically and physically separating the data.

Measures:

  • Definition of database rights
  • Data control through an authorization concept
  • Separation of production and test environments
  • Logical client separation (on the software side)

2.2 Ensuring integrity

2.2.1 Transfer control

These measures ensure that personal data cannot be read, copied, altered, or removed without authorization during electronic transmission, transport, or storage on data carriers and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.

Measures:

  • Provision via encrypted connections such as SFTP, HTTPS
  • Documentation of deletion periods
  • Use of VPN technology
  • Email encryption

2.2.2 Input control

These measures ensure the subsequent verification and determination of whether and by whom personal data has been entered, modified, or removed from data processing systems.

Measures:

  • Clear responsibilities for data deletion
  • Technical logging of data deletion
  • Use of access rights
  • Manual log control
  • Traceability of data processing through individual usernames
  • Assigning rights to process data
  • Overview of the use of programs for data processing

2.3 Pseudonymization and encryption

2.3.1 Pseudonymization

These measures ensure the pseudonymization of data.

Measures: Internal instructions to at least pseudonymize or delete personal data after the deletion period has expired.

2.3.2 Encryption

These measures ensure the pseudonymization of data.

Measures: Internal instructions to at least pseudonymize or delete personal data after the deletion period has expired.

  • Encrypted access to customer databases
  • Encryption of data carriers in laptops/notebooks
  • Encrypted access to external SaaS solutions
  • Encryption of the fundraising box data during transport and storage with key sovereignty at Wikando

2.4 Ensuring availability, resilience, and recoverability

2.4.1 Availability (of the data)

These measures ensure that personal data is protected against accidental destruction or loss—ensuring data availability.

  • Backup & recovery concept
  • Operation of high-availability web servers
  • Data backup concept in place
  • Monthly backups
  • Weekly backups
  • Daily backups
  • Offline backups (storage in a secure location)
  • SLA with hosting service provider
  • 99.99% server hardware availability
  • Uninterruptible power supply (UPS)

2.4.2 Resilience (of the systems)

These measures ensure that personal data is protected against accidental destruction or loss—ensuring data resilience.

  • Use of software firewalls
  • Installing the latest security updates on all application servers
  • Installing security updates on all developer systems
  • Use of intrusion detection systems

2.4.3 Recoverability (of the data/systems)

These measures ensure that personal data is protected against accidental destruction or loss—ensuring the recoverability of data and systems.

  • Restore databases and file systems from the web server backup
  • Regular data recovery tests and logging of the results
  • Existence of an emergency plan

2.5 Procedures for regular review, assessment, and evaluation

2.5.1 Order control

These measures ensure that personal data processed on behalf of the client can only be processed according to the client’s instructions.

  • Conclusion of the necessary order processing agreements
  • Conclusion of the necessary standard contractual clauses
  • Regulations on the use of subcontractors
  • Review of the contractor’s level of protection (initial)
  • Review of the contractor’s level of protection (continuous)
  • Ensuring the destruction of data after order completion
  • Commitment of the contractor’s employees to maintain data secrecy
  • Obligation of the contractor’s employees to comply with the special confidentiality regulations

2.5.2 Data protection management

These measures ensure that methods have been evaluated to systematically plan, organize, manage, and control the legal and operational requirements of data protection.

  • Appointment of an external data protection officer
  • Provision of an internal data protection team
  • Documentation of all data protection procedures and regulations
  • Carrying out data protection impact assessments (when needed)
  • Compliance with the information obligations under Article 13 GDPR
  • Compliance with the information obligations under Article 14 GDPR
  • Use of software solutions for data protection management
  • Evaluation of a formalized workflow for handling requests for information
  • Periodic employee awareness training on data protection
  • Employee training on data protection
  • Review of the effectiveness of the TOMs (carried out at least annually)
  • Commitment of the employees to maintain data secrecy
  • Access options for employees to the data protection regulations (Wiki/Intranet)

2.5.3 Incident response management

These measures ensure that security incidents can be prevented or, in the case of security incidents that have already occurred, that data and systems can be protected and that the security incident can be analyzed and rectified quickly.

  • Documentation of security incidents
  • Documented process for reporting security incidents
  • Involvement of data protection officers in security incidents
  • Involvement of external service providers to investigate and rectify data breaches
  • Use of firewalls and their regular updating
  • Use of virus scanners and their regular updating
  • Transparent process for governing responsibilities in the event of security incidents
  • Use of logging systems

2.5.4 Privacy-friendly default settings

These measures ensure adequate levels of data protection in advance through the appropriate technical design (privacy by design) and factory settings (privacy by default) of software.

Measures: Personal data is only collected for the intended purpose.
