We ensure the implementation of and compliance with the required technical and organisational measures in accordance with § 32 DSGVO. These include measures to ensure the ongoing confidentiality, availability and resilience of data processing systems and services. Appropriate technical and organisational measures include, for example, the encryption of personal data and strict access control.


Data Protection Officer

The data protection officer of Startcon GmbH is Peder Iblher. He can be contacted at for your concerns.


Documentation and auditing

We use procedures and documentation that provide for regular auditing, assessment and evaluation of the effectiveness of the technical and organisational measures implemented to ensure the security of data processing.



We conduct training on data protection and data security on a bi-annual basis.


Physical access to servers

Physical access to servers is provided by our cloud service provider. Its servers are located within the EU.


Physical access to data carriers

Data media is also only stored in secure locations where strong physical access controls are in place.



– Access to all customer services and data is protected by identity management. This includes an authorisation concept and strong authentication measures in line with corporate standards.
– All access rights and authorisations for users of the data processing systems are checked and recertified once a year; highly privileged access rights are recertified at least once every six months.


Users, Workplace Policy

– Unsuccessful access attempts are regularly evaluated.
– All servers and workstations have proper security configurations and are continuously checked for vulnerabilities. Any vulnerabilities identified are addressed accordingly.
– All services and workstations require a username and password that complies with our password policy:
– All passwords contain upper and lower case letters, special characters and numbers and have at least twelve digits.
– Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential information.
– Standard passwords shall not be used or shall be changed immediately.
– All operator-level passwords must be changed at least once every six months. In the case of critical access authorisation, the change must be made once every quarter.


Data access

We ensure that our authorised staff and consultants only access data to which their access authorisation applies:
– Access to resources is only granted if the person in question is authorised to access them.
– User access permissions to systems and data, including supervisor set-up and granting of access rights, are requested, changed or revoked as part of a predefined workflow.
– A user account is exclusively assigned to a specific user.
– All users are assigned to specific groups.


Data sharing

We ensure that personal data can be verified and confirmed when it is intended to be shared and the parties concerned have provided or submitted their personal data for this purpose.
– All staff are responsible for ensuring that data is communicated only when
– this is done using predefined communication technologies
– a clear lawful or business purpose is pursued
– the relevant staff member has signed a confidentiality agreement accepting responsibility for the protection of data
– this is in accordance with existing confidentiality agreements
– the recipient is authorised to receive the data
– this does not violate the security principles explained during the security training.
– Persons with administrative duties are authorised to communicate directly with servers or applications if
– the connection is secured by strong encryption
– the authenticity of the server or application has been verified.
– Communication of data to employees of non-clients or companies is only permitted if the party concerned can guarantee the security of the data sent.
– The IT infrastructure is protected against unauthorised electronic forwarding by firewalls.
– The IT infrastructure is protected by disabling ports that are not required and by transport protocols.


Data processing

We ensure that it is possible to trace whether and by whom personal data have been entered into the data processing systems and whether and by whom these personal data have been changed or deleted.
– The data processing systems can only be used if the users have previously undergone strong identification and authentication controls.
– A backup and retention policy is in place that defines the procedures for data backups and secure data storage during the retention period.



We ensure that the confidentiality and integrity of data is protected during the transmission of personal data and during the transport of data media:
– Policies and procedures are in place to ensure that
– data sent over public networks is encrypted using strong encryption and valid and correct certificates that are tested at least once a quarter
– all authentication data is encrypted,
– all staff and partners are aware of their responsibilities.
– There is no communication of data in physical form (USB sticks, CDs, etc.).



We ensure that all functions of the data processing systems are operational and that incidents affecting them are reported by:
– procedures to be applied by an incident management officer, including provisions for escalation procedures and a call tree
– Incident management procedures
– Security Information and Event Management (SIEM) procedures for security breaches, information loss, unauthorised disclosure and other emergencies
– standardised change management and testing procedures to ensure service delivery without interruptions.


Data integrity

We ensure that stored personal data is not corrupted by system malfunctions through:
– having a redundant data centre infrastructure and a failsafe data centre
– the use of database management techniques that allow for the recovery of data in the event of system malfunctions.


Data processing mandate

We ensure that personal data can only be processed in accordance with our instructions and those of our clients by:
– regulating all orders for the processing of personal data in written contracts
– regulating the basic requirements regarding liability, assignment of responsibilities, security requirements and measures, and control rights
– assisting contracting authorities in the exercise of their supervisory rights
– supporting our clients’ data protection officers
– verifying compliance with contractual obligations.



We ensure that personal data is protected against accidental destruction or loss through business continuity and disaster recovery rules based on a business impact analysis (BIA).

Our business impact analysis includes the following:
– the definition of the scope of the assets and an identification of the assets included in that scope
– An identification of the existing or planned IT assets, data and control flows and their respective status.
– an identification of the threats presented, the types of threats and their sources
– an assessment of the impact that a loss of confidentiality, integrity, authenticity or availability could have
– derived protective measures in the event of such an impact.

Our Data Protection Centre has implemented appropriate environmental controls, including:
– automatic fire detection mechanisms
– Protective measures against water damage
– Uninterruptible power supply (UPS) units
– Climate and temperature controls
– Monitoring of the environmental conditions of the servers.

We ensure that data collected for different purposes is processed separately:
– Separate data processing for different clients
– Access to processing systems only after strong identification and authentication controls are in place for our personnel
– Performance of functional and non-functional tests
– A standardised procedure for error management.


Berlin in May 2020