The following document serves only as an explanatory presentation of the legal requirements relating to data protection. The rights and obligations of the parties arise solely from the contractual agreements and the statutory provisions on data protection; no claims can be derived from this document. Technical and/or organisational changes that have no influence on the fulfilment of the legal requirements of the DS-GVO in its respective current version do not require the contractual partner to be informed separately.
At top.legal GmbH (hereinafter referred to as "top.legal"), the following technical and organisational measures have been taken for data security within the meaning of Art. 32 DSGVO:
This means measures that are suitable to prevent unauthorised persons from gaining physical access to data processing systems with which personal data are processed or used.
The offices of top.legal are located in an office building in Munich. The entrances to the office building and also to the offices of top.legal are locked day and night. Only the landlord and the tenants of the offices have access to the office building. An electronic locking system is used, which is managed by the landlord. Unauthorised persons are not permitted access to the top.legal premises. All persons who gain access to the office premises are registered electronically.
The presence of persons in the premises of top.legal is recorded via attendance records.
Access authorisations are only granted to an employee if this has been requested by the respective supervisor and/or the HR department. The principle of necessity is taken into account when issuing authorisations.
Visitors are only allowed access to the office building and then to the offices after the reception has opened the door. The reception can see the entrance door and ensures that every visitor reports to the reception.
Each visitor is logged in a visitor's book and then escorted by the receptionist to their respective contact person. Visitors are not allowed to move freely in the offices without an escort.
Our own data centres and server rooms are not located on top.legal's premises.
Access control prevents top.legal's data processing systems from being used by unauthorised persons. Even if a person who has passed the physical access control is already in a room where a top.legal data processing system is located, it is ensured that this person is also authorised to use that system. It can be traced at any time who has used which data processing system and when.
The following measures have been taken by top.legal for access control:
To gain access to IT systems, users must have the appropriate access authorisation. For this purpose, corresponding user authorisations are issued by administrators. However, this is only done if requested by the respective supervisor. The request can also be made via the HR department or management.
Every user of top.legal receives a user name and an initial password, which must be changed at the first login. The password specifications require a minimum length of 12 characters, and passwords must contain upper-case and lower-case letters, numbers and special characters. Passwords are changed every 90 days. The password history of each user is stored, which ensures that a password that has already been used cannot be used again. All employees are instructed to lock their IT systems when they leave them. Passwords are always stored in encrypted form.
All login attempts on all IT systems are logged. After 3 incorrect login attempts, the user account concerned is normally locked.
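As an added illustration (not top.legal's code), the following Python model implements the login rules just described: the 12-character complexity requirement, 90-day rotation, password history, salted hashed storage and lockout after 3 failed attempts. Class and function names, the PBKDF2 parameters and the use of epoch seconds for timestamps are assumptions made for this example.

```python
# Added example (not top.legal's code): minimal model of the login rules above, i.e.
# 12+ chars with all four classes, 90-day rotation, history, hashed storage, 3-strike lockout.
import hashlib, hmac, os, string

MIN_LENGTH, MAX_FAILURES = 12, 3
MAX_AGE_S = 90 * 86400                  # 90 days, timestamps are epoch seconds
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)

def meets_complexity(pw):
    """Minimum length and at least one character from every class."""
    return len(pw) >= MIN_LENGTH and all(any(c in cls for c in pw) for cls in CLASSES)

def hash_pw(pw, salt):
    # Passwords are never stored in clear: salted PBKDF2-HMAC-SHA256 digest.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)

class Account:
    def __init__(self, initial_pw, now):
        self.history, self.failures, self.locked = [], 0, False
        self.must_change = True          # initial password must be replaced
        self._store(initial_pw, now)

    def _store(self, pw, now):
        salt = os.urandom(16)
        self.history.append((salt, hash_pw(pw, salt)))   # newest last
        self.set_at = now

    def _in_history(self, pw):
        return any(hmac.compare_digest(hash_pw(pw, s), h) for s, h in self.history)

    def login(self, pw, now):
        if self.locked:
            return "locked"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(hash_pw(pw, salt), digest):
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
            return "locked" if self.locked else "bad_password"
        self.failures = 0
        if self.must_change or now - self.set_at >= MAX_AGE_S:
            return "change_required"
        return "ok"

    def change_password(self, new_pw, now):
        # Reject weak passwords and any password already in the history.
        if not meets_complexity(new_pw) or self._in_history(new_pw):
            return False
        self._store(new_pw, now)
        self.must_change = False
        return True
```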
Two-factor authentication, which requires further proof of the user's identity at login by combining two different and, in particular, mutually independent components, provides additional protection for the login.
Remote access to top.legal's IT systems always takes place via encrypted connections.
All access to data and to applications that process data is logged in a tamper-proof audit log. The location, date and user ID of the top.legal employee are recorded. The logs can only be viewed by top.legal administrators.
In the event of an employee leaving, the HR managers shall immediately inform the IT administration of any pending changes so that the IT administration can revoke the corresponding authorisations. The revocation of authorisations must be carried out within 24 hours of an employee leaving.
This is understood to mean measures that ensure that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage.
top.legal ensures that authorised persons can only access the data for which they have access authorisation (need-to-know principle) and that personal data cannot be read, copied, changed or removed without authorisation during processing, use and after storage. Access to personal data is controlled by logging it in the system's log files in a tamper-proof manner. If an authorised person is in a room with a data processing system and uses the system, it must be ensured that he or she can only access the data for which he or she has the corresponding authorisation (authorisation concept). It must be traceable who has accessed which data and when.
Authorisations for top.legal IT systems and applications are set up exclusively by administrators. The prerequisite for an authorisation is a corresponding request for authorisation for an employee by a superior. The request can also be submitted to the human resources department.
There is a role-based authorisation concept with the possibility of differentiated allocation of access authorisations, which ensures that employees receive access rights to applications and data depending on their respective area of responsibility and, if necessary, on a project basis. In addition, a release for individual files can be made by the administrator if necessary. In order to grant access, a request must be submitted by the supervisor or the managing director.
The destruction of data carriers and paper is carried out by a service provider who guarantees destruction in accordance with DIN 66399. All employees at top.legal are instructed to deposit information containing personal data and/or information about projects in the destruction containers designated for this purpose.
For the processing of personal data, top.legal employees are obliged to use only tested and approved application software. Employees are strictly prohibited from installing unauthorised software on IT systems.
Personal data is stored on secure DS-GVO-compliant data servers. Storage on local data carriers is not provided for; storing data locally on a local data carrier requires the approval of the supervisor.
All server and client systems are regularly updated with security updates.
All IT systems used by top.legal for clients are multi-tenant capable. The separation of the data of different clients is always guaranteed.
Administrative access to server systems is only possible via encrypted connections.
In addition, data on server and client systems is stored on encrypted data carriers. Appropriate encryption systems are in use.
This is understood to mean measures that ensure that it is possible to check and establish retrospectively whether and by whom personal data have been entered into, modified or removed from data processing systems.
The entry, modification and deletion of personal data processed by top.legal on behalf of the client is always logged.
Employees are obliged to work with their own accounts at all times. User accounts may not be shared or used jointly with other persons.
This is understood to mean measures that ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or during their transport or storage on data media, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.
Personal data may only be disclosed on behalf of top.legal's clients to the extent agreed with the client or to the extent necessary to provide the contractual services to the client.
All employees working on a client project are instructed with regard to the permissible use of data and the modalities of data transfer. As far as possible, data is transmitted to recipients in encrypted form.
Employees are not permitted to use private data carriers in connection with customer projects. When employees leave the company, any existing access rights to pass on data shall be revoked.
Employees at top.legal are regularly trained on data protection issues. All employees are obliged to handle personal data confidentially.
top.legal ensures that personal data is protected against destruction or loss. The availability of the data is checked regularly, i.e. it is ensured that the personal data is made available at specified times to the specified extent. The availability itself complies with the legal and operational requirements so that, among other things, maintenance windows for the care and maintenance of the systems and software do not negatively affect the ongoing operation.
top.legal uses a cloud service provider for the storage and administration of personal data and for the provision of servers and does not operate its own servers on its own premises. top.legal regularly ensures the suitability and security of the services provided and checks any certification by the testing bodies used.
All of top.legal's data is stored in encrypted form, both when it is on a local data carrier, when it is stored on backup media, or when it is transmitted via the Internet.
Personal data is always stored in multiple redundant form in independent data centres, i.e. the data is mirrored and stored in separate locations.
Data on top.legal's server systems is backed up incrementally at least daily and in full weekly. The backup data is encrypted and is stored and managed separately in virtually separated cloud storage. Restoring from backups is tested regularly.
The data centres used are designed to anticipate and tolerate functional failures while maintaining service levels. In the event of a functional failure, data traffic is diverted from the area affected by the failure to another area. If a functional failure occurs in one data centre, sufficient capacity is available so that the data traffic can be distributed to the remaining locations.
Access to data centres used by top.legal is regularly checked by the operator. Physical access points to server rooms are monitored by CCTV cameras with recording function. Recordings are kept in accordance with regulatory and compliance requirements.
Physical access is controlled by professional security staff at the building entrances. Surveillance, detection systems and other electronic devices are used. Authorised personnel gain access to the data centres via multi-factor authentication mechanisms. The entrances to the server rooms are secured with devices that trigger an alarm if the door is broken or held open.
Electronic intrusion detection systems are installed in the data layer to detect security-relevant events and automatically alert the relevant staff. The entrances and exits of the server rooms are secured by devices at which staff must complete multi-factor authentication before they can enter or leave the room. These devices trigger an alarm if the door is forced or held open without authorisation. The door alarm systems are configured to detect when someone enters or leaves the data layer without multi-factor authorisation; in that case an alarm is triggered immediately.
Storage media holding personal data are classified as critical by the data centre operator and are therefore handled with a high level of care throughout their lifecycle. The data centre operator has established standards for how such devices are installed, operated and eventually destroyed once they are no longer in use. When a storage device reaches the end of its lifecycle, it is decommissioned using certified techniques. Media on which client data has been stored are not removed until decommissioning is complete.
The electrical systems of the data centres used are designed to be fully redundant and maintainable without affecting operations. The data centres are equipped with an emergency power supply that guarantees the operation of the facility's critical loads in the event of a power failure.
The data centres used have air-conditioning systems to control the operating temperature for servers and other hardware in order to avoid overheating and reduce the risk of service failures. Temperature and humidity are appropriately monitored and controlled by staff and technical systems.
The data centres are equipped with automatic fire detection and suppression devices. The fire detection systems use smoke sensors in networked, mechanical and infrastructure areas. These areas are further protected by fire suppression systems.
To be able to detect water leaks, the data centres are equipped with water detection sensors. If water is detected, it is removed to prevent additional water damage.
The data centres used by top.legal are designed to anticipate and tolerate functional failures while maintaining service levels. In the event of a functional failure, data traffic is diverted from the area affected by the failure to another. For critical applications, an N+1 standard applies. If a functional failure occurs in a data centre, sufficient capacity is available so that the data traffic can be distributed to the remaining locations.
Critical system components are replicated at several locations that are isolated from each other (called Availability Zones). Each Availability Zone is designed for independent operation with high reliability. The Availability Zones are interconnected, which makes it possible to operate applications with automatic, uninterrupted failover between the Availability Zones. Highly fault-tolerant systems and the resulting service availability are part of the system design.
Regular threat and vulnerability assessments of the data centres are also conducted by the operator. The ongoing assessment and defence against potential vulnerabilities is carried out through the data centres' risk assessment activities. Regional regulatory and environmental risks are also taken into account.
The operator's business continuity plan includes measures to prevent and reduce disruptions caused by environmental influences. The plan includes operational details of the actions to be taken before, during and after a relevant event. The business continuity plan is supported by testing, including simulations of different scenarios.
Within the framework of order control, it is ensured that personal data processed on behalf of a client are only processed on the basis of the contract and in accordance with the instructions of the principal (the controller).
When external service providers or third parties are involved, a data processing agreement is concluded in accordance with the provisions of the applicable data protection law, following a prior audit by top.legal's data protection officer. Contractors are also monitored regularly during the contractual relationship.
At top.legal, care is taken during the development of the software to ensure that the principle of necessity is already taken into account in connection with user interfaces. For example, form fields and screen masks can be designed flexibly. Mandatory fields can be provided or fields can be partially deactivated.
top.legal's software supports input control through a flexible and customisable audit trail that stores changes to data and to user permissions in an unalterable form. Permissions for data or functionalities can be set flexibly and granularly.
Data protection management is implemented at top.legal. There is a guideline on data protection and data security and guidelines to ensure the implementation of the guideline's objectives.
A Data Protection and Information Security Team (DST) has been established to plan, implement, evaluate and make adjustments to data protection and data security measures.
The guidelines are regularly evaluated and adapted with regard to their effectiveness.
In particular, it is ensured that data protection incidents are recognised by all employees and reported immediately to the DST. The DST will investigate the incident immediately. If data processed on behalf of customers is affected, care shall be taken to ensure that they are informed immediately of the nature and scope of the incident.
In the case of processing of data for own purposes, if the requirements of Art. 33 GDPR are met, a notification to the supervisory authority will be made within 72 hours of becoming aware of the incident.