Technical security and hosting

Our website meets current security standards and was developed with a special focus on data protection and technical security.

At securityheaders.com our website reaches the rating A+.

The website is hosted by IONOS in a certified data center in Frankfurt am Main (Germany).

For our analyses, we use cloud technologies from IONOS as well as our own systems located exclusively within the European Union. This ensures compliance with all applicable requirements of the General Data Protection Regulation (GDPR) and keeps your data protected at all times.

Privacy Policy

Data protection is of utmost importance to us. Therefore, our privacy policy is regularly reviewed and updated as necessary.

For greater transparency, we are happy to provide you with previous versions of our privacy policy.


Technology and partners

We rely on services and technologies in our work:

Technical and organizational measures

Trust begins where transparency doesn't stop.

We want you to be able to trust not only in our services, but also in the handling of your data. Therefore, we openly demonstrate which technical and organizational measures we use to ensure data protection and system security on a permanent basis.

1. Access control (physical & digital)

  • The systems are located in an IONOS data center in Frankfurt am Main (ISO 27001 certified).
  • Physical access is controlled and monitored under the service provider’s sole responsibility.

2. Access control (permissions)

  • Access authorizations are assigned based on roles and the principle of least privilege, according to the specific task.
  • No additional user accounts are assigned to third parties.
  • External developers may be granted temporary, restricted access that excludes access to personal data.
  • Access to servers, web hosting and WebDAV storage (scan reports) is granted exclusively by the operator using personalized access data.
  • Access to administrative systems is via 2-factor authentication where available.
  • The systems used to perform vulnerability scans are only accessible via VPN, operate autonomously, and cannot be accessed directly from the Internet.

3. Data access security (data storage, software, network)

  • Data transmission takes place exclusively via encrypted connections (HTTPS, SFTP, VPN).
  • The web application (WordPress) uses current security plugins and is updated regularly.
  • Connections between WordPress and the testing systems are made via secure access and APIs.
  • IP addresses and test data are only stored during the testing process and are automatically deleted afterwards.

4. Separation of data

  • Audit reports are not stored in the WordPress system, but in a separate WebDAV storage.
  • Audit and analysis systems only store data temporarily until the report is generated. After that, it is automatically deleted.
  • Customer data (e.g. booking data) and technical results are logically and physically separated.

5. Pseudonymization / Encryption

  • IONOS' managed WebDAV storage is based on encrypted infrastructure.
  • Sensitive audit and report files are securely stored on this system.
  • The testing systems work independently of each other and communicate only in one direction (push model).

6. Backup & Restore

  • The WordPress database is backed up daily; 15 backup versions are maintained.
  • Website functionality (WordPress files) is backed up weekly, as well as with every update; three backup versions are maintained.
  • Test reports are backed up daily, with one version from the previous day available.
  • In case of data loss, the security check will be performed again.

7. Availability & Resilience

  • The systems are designed redundantly: if one system fails during testing, a new instance is rolled out.
  • Critical system components are located in IONOS' highly available hosting environment.

8. Procedures for regular review, assessment and evaluation

  • Regular updates and security checks of the systems by the operator.
  • If processing activities change, the technical and organizational measures will be reviewed and, if necessary, adjusted.
  • Security-relevant logs are checked regularly (e.g. login attempts, API usage).
  • Critical changes (e.g. involvement of external developers) are documented.

These technical and organizational measures are based on actual operations and can be adapted in the event of changes. They are not part of an ISO certification but serve to fulfill Art. 32 GDPR.