Data protection and legal matters
      Back to home
      1. Home
      2. Data protection and legal matters

      Technical and organisational measures

      Data protection and data security concept for customers of onyo GmbH, Paul-Heyse-Str. 31, 80336 München

      Foreword

      This document outlines the binding technical and organisational measures associated with commissioned data processing operations carried out between the principals and agents of onyo GmbH and provides information about the valid data protection and data backup concept.

      1. General Considerations

      This data protection policy outlines the technical and organisational measures implemented for secure and compliant processing of personal data. It takes into account the rights of data subjects and requirements of articles 24, 25, and 32 of GDPR to the extent applicable. deals with three general categories of personal data:

      1. Contact information: E-mail address and telephone number
      2. Address information: Street name, city, zip code, country
      3. Personal information: first and last name

      The following description of technical and organisational measures will be differentiated, where applicable, according to these categories of data.

      2. Organization

      onyo appointed a data protection officer (DPO) who provides advice on data privacy issues, updates the team about changes in regulations and standards and, if required, supports with reviews and improvement of the measures. The DPO Niao Wu can be reached via datenschutz@onyo.io.

      3. Confidentiality

      3.1 Entry Control

      onyo operates based on office premises that are not freely accessible. They are locked when employees are away. The company implemented the following measures:

      • Locked building
      • Locked office

      onyo does not maintain servers or server rooms.

      • The server location is in Frankfurt, Germany.
      • Encrypted backups are stored in encrypted form in the Netherlands.
      • All server locations are certified with AICPA SOC 2 and 3 Type II, Cloud Security Alliance (CSA) STAR Level 1, ISO/IEC 27001:2013, and PCI-DSS, fulfilling the latest standards.

      3.2 Access Control

      The company has implemented the following measures for access to software systems:

      • Direct server and database access is only possible by IT operations staff. As a security measure, access is only possible from specific IP addresses and only with 2FA.
      • Access to customer data via the platform is only possible by colleagues in IT Operations and Customer Care

      3.3 Usage Control

      The company has implemented the following measures when working within software systems:

      • The password rules for access control must also be followed for usage control.
      • Role-based authorisation and administrative user profiles are kept to a minimum.
      • User-dependent authentication with username and password.
      • The use of personal data is limited so that only authorised individuals can use the personal data necessary for their task (De Minimis Principle).
      • Logging of usage and changes
      • Paperless work by principle and compliant destruction of paper documents with a shredder where applicable.
      • All passwords are hashed asymmetrically with SHA256 in the frontend according to the current standard. Only the hash is stored, and passwords cannot be traced back.

      3.4 Pseudonymization

      Customer data is pseudonymised so far as the connection to the individual is not absolutely necessary for the result. (e.g. upon termination of the services from onyo)

      4. Integrity

      4.1 Transfer Control

      • The use of single USB flash drives or related data carrier tools is not allowed. Information should only be printed out if absolutely needed. Printed copies must be shredded immediately when they are no longer needed.
      • All Employee mobile devices must be encrypted.

      4.2 Input Control

      The company has implemented the following measures for its software systems:

      • Traceability of inputs, changes, and deletions by personalised users
      • Traceability in assigning, changing, and deleting user authorisations.

      4.3 Availability and Reliability

      • Employees are provided with state-of-the-art equipment.
      • Personal data is processed on data processing systems that are subject to regular and documented patch management.
      • Automatic updates are activated on the computers and servers.
      • Continuous availability of high-speed internet is ensured. (Cloud system services can be used with any internet connection.)
      • Continuous availability of data is guaranteed by means of redundant storage media and system backups according to the latest technical standards.
      • Cloud provider data centres and server rooms are state of the art (temperature control, fire protection, water penetration, uninterrupted power supply (UPS), ensuring controlled shutdown without any data loss).

      4.4 Product Development

      4.4.1 Development Tools

      • Third-party applications must be approved prior to use by (the Co-CEOs of onyo to ensure compliance with quality management and data privacy requirements.
      • Development tools must only be downloaded from secure sources (e.g., the manufacturer’s servers).
      • Where possible, single-sign-on authentication is used for third-party applications to allow for a complete and compliant access administration within the organisation.
      • Less secure third-party applications are disabled by administrator default configurations.

      4.4.2 Privacy-Friendly Settings

      • Product development must take into account giving users the option of entering only the information necessary for the purpose of processing. Input fields with additional, unnecessary information should be avoided or at least designed as non-mandatory.
      • By default, privacy-friendly settings must be preselected.

      5. Employee Workplace

      The company has implemented the following measures:

      • Employees must encrypt their hard drives with state-of-the-art encryption, e.g. BitLocker or equivalent software for other operating systems.
      • The email account provider applies a default virus, spam and phishing filter to detect malicious software and avert cyber-attacks.
      • Employees are required to set up a completely closed firewall for their home office internet network.
      • Employees are obligated to clean their desks of any documents containing sensitive data, especially when accessible by others.
      • The default option for screen savers must be set at the shortest time period until activation. When temporarily leaving the workplace and hardware, employees should always lock their devices.

      6. Procedure for Regular Review, Assessment and Evaluation

      Data protection and IT security within the company are reviewed regularly and, based on these assessments, continuously improved. Internal auditing may include data privacy requirements such as:

      • Obligation of employees to maintain data secrecy, training, and education.
      • Regular auditing of data processing procedures.
      • Procedures in case of data breaches and the protection of data subjects’ rights

      The company has implemented the following internal measures:

      • Appointment of a data protection officer
      • Regular auditing of procedures
      • Regular review of technical advancements in accordance with Article 32 GDPR