Data Protection and Data Security Concept for Customers of onyo GmbH, Paul-Heyse-Str. 31, 80336 Munich
Foreword
This document outlines the binding technical and organisational measures related to the commissioned data processing operations carried out between the principals and agents of onyo GmbH and provides information about the valid data protection and data backup concept.
1. General Considerations
This data protection policy describes the technical and organisational measures implemented for the secure and compliant processing of personal data. It takes into account the rights of data subjects and the requirements of Articles 24, 25, and 32 of the GDPR, to the extent applicable. The policy deals with three general categories of personal data:
- Contact Information: Email address and phone number
- Address Information: Street name, city, postal code, country
- Personal Information: First and last name
The following description of technical and organisational measures will be differentiated, where applicable, according to these data categories.
2. Organisation
onyo has appointed a data protection officer (DPO) who provides advice on data privacy matters, updates the team on changes in regulations and standards, and, if required, assists with reviews and improvements of the measures. The DPO, Niao Wu, can be reached at datenschutz@onyo.io.
3. Confidentiality
3.1 Entry Control
onyo operates office premises that are not freely accessible. They are locked when employees are away. The following measures have been implemented:
- Locked building
- Locked office
onyo does not maintain its own servers or server rooms.
The server location is in Frankfurt, Germany.
Backups are stored in encrypted form in the Netherlands.
All server locations are certified with AICPA SOC 2 and 3 Type II, Cloud Security Alliance (CSA) STAR Level 1, ISO/IEC 27001:2013, and PCI-DSS, fulfilling the latest standards.
3.2 Access Control
The company has implemented the following measures for access to software systems:
- Direct server and database access is only possible by IT operations staff. As a security measure, access is only possible from specific IP addresses and only with two-factor authentication (2FA).
- Access to customer data via the platform is only possible by colleagues in IT Operations and Customer Care.
3.3 Usage Control
The company has implemented the following measures when working within software systems:
- The password rules for access control must also be followed for usage control.
- Role-based authorisations and administrative user profiles are kept to a minimum.
- User-dependent authentication with username and password.
- The use of personal data is limited so that only authorised individuals can use the personal data necessary for their task (De Minimis Principle).
- Logging of usage and changes.
- Paperless work as a matter of principle and compliant destruction of paper documents with a shredder where applicable.
- All passwords are hashed asymmetrically with SHA256 in the frontend according to the current standard. Only the hash is stored, and passwords cannot be traced back.
3.4 Pseudonymisation
Customer data is pseudonymised as long as the connection to the individual is not absolutely necessary for the result (e.g., upon termination of services from onyo).
4. Integrity
4.1 Transfer Control
The use of USB flash drives or similar data carriers is not allowed. Information should only be printed out if absolutely necessary. Printed copies must be shredded immediately when no longer needed.
All employee mobile devices must be encrypted.
4.2 Input Control
The company has implemented the following measures for its software systems:
- Traceability of inputs, changes, and deletions by personalised users
- Traceability in assigning, changing, and deleting user authorisations
4.3 Availability and Reliability
Employees are provided with state-of-the-art equipment.
Personal data is processed on data processing systems that are subject to regular and documented patch management.
Automatic updates are activated on computers and servers.
Continuous availability of high-speed internet is ensured. (Cloud system services can be used with any internet connection.)
Continuous availability of data is guaranteed by means of redundant storage media and system backups according to the latest technical standards.
Cloud provider data centres and server rooms are state of the art (temperature control, fire protection, water protection, uninterrupted power supply (UPS), ensuring controlled shutdown without data loss).
4.4 Product Development
4.4.1 Development Tools
Third-party applications must be approved by the Co-CEOs of onyo before use to ensure compliance with quality management and data privacy requirements.
Development tools must only be downloaded from secure sources (e.g., the manufacturer's servers).
Where possible, single sign-on authentication is used for third-party applications to enable complete and compliant access administration within the organisation.
Less secure third-party applications are disabled by default administrator configurations.
4.4.2 Privacy-Friendly Settings
Product development must consider giving users the option to enter only the information necessary for the purpose of processing. Input fields with additional, unnecessary information should be avoided or at least designed as non-mandatory.
By default, privacy-friendly settings must be preselected.
5. Employee Workplace
The company has implemented the following measures:
- Employees must encrypt their hard drives with state-of-the-art encryption, such as BitLocker or equivalent software for other operating systems.
- The email provider applies default virus, spam, and phishing filters to detect malicious software and prevent cyber-attacks.
- Employees are required to set up a fully closed firewall for their home office internet network.
- Employees are obligated to clear their desks of any documents containing sensitive data, especially when accessible by others.
- The default option for screen savers must be set to the shortest activation period. When temporarily leaving the workplace and hardware, employees should always lock their devices.
6. Procedure for Regular Review, Assessment, and Evaluation
Data protection and IT security within the company are reviewed regularly and, based on these assessments, continuously improved. Internal audits may include data privacy requirements such as:
- Obligation of employees to maintain data secrecy, training, and education.
- Regular auditing of data processing procedures.
- Procedures in case of data breaches and the protection of data subjects' rights.
The company has implemented the following internal measures:
- Appointment of a data protection officer
- Regular auditing of procedures
- Regular review of technical advancements in accordance with Article 32 GDPR