- Data center parks in Germany
- electronic physical entry control system with log
- high security perimeter fencing around the entire data center park
- documented distribution of keys to employees and colocation customers for colocation racks (each Client only for his rack)
- policies for accompanying and designating guests in the building
- data center staff present 24/7
- video monitoring at entrances and exits; security door interlocking systems and server rooms
- For people outside of the employment of DENALI (data center visitors), entrance to the building is only permitted in the company of a DENALI employee.
- electronic physical access control system with log
- video surveillance for all entrances and exits
- principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes
- server passwords, which, after the initial deployment, can only be changed by Client and are not known to the Supplier
- The Client’s password for the administration interface is determined by the Client himself; the password must comply with predefined guidelines. In addition, the Client may employ two-factor authentication to further secure his account.
- principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares
- Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis.
for the Supplier's internal administration systems
- The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology.
- a revision-proof, compulsory process for allocating authorization for Supplier employees
- principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes
- The responsibility for access control is incumbent upon the Client.
- principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares
- The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology.
- a revision-proof, compulsory process for allocating authorization for Supplier employees
- Only the Client is responsible for transferred data/software with regard to security and updates.
Data center parks Germany
- Drives that were in operation on canceled servers will be swiped multiple times (deleted) in accordance with data protection polices upon termination of the contract. After thorough testing, the swiped drives will be reused.
- Defective drives that cannot be securely deleted shall be destroyed (shredded) directly in the Falkenstein data center.
for the Supplier's internal administration systems
- Data shall be physically or logically isolated and saved separately from other data.
- Backups of data shall also be performed using a similar system of physical or logical isolation.
for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes
- The Client is responsible for isolation control.
for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares
- Data shall be physically or logically isolated and saved separately from other data.
- Backups of data shall also be performed using a similar system of physical or logical isolation.
- Client is responsible for pseudonymization.
- All employees are trained in accordance with Art. 32 Para. 4 GDPR and are obliged to ensure that personal data is handled in accordance with data protection regulations.
- Deletion of data in accordance with data protection regulations after termination of the contract.
- Encrypted data transmission options are provided within the scope of the service description of the principal commission.
for the Supplier's internal administration systems
- Data is entered or collected by the Client.
- Changes in data are logged.
- for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes
- The responsibility for input control is incumbent upon the Client.
for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares
- Data is entered or collected by the Client.
- Changes in data are logged.
for the Supplier's internal administration systems
- backup and recovery concept with daily backups of all relevant data
- professional employment of security programs (virus scanners, firewalls, encryption programs, spam filters)
- employment of disk mirroring on all relevant servers
- monitoring of all relevant servers
- employment of an uninterruptible power supply system or emergency power supply system
- permanently active DDoS protection
for principal commissions for the following unmanaged product lines: Dedicated Root Servers, Colocation Servers, Cloud Servers, and Storage Boxes
- Data backup is incumbent upon the Client.
- employment of an uninterruptible power supply system or emergency power supply system
- permanently active DDoS protection
for principal commissions for the following managed product lines: Managed Servers, Web Hosting, and Storage Shares
- backup and recovery concept with daily backups of all relevant data depending upgon the services booked for the principal commission
- employment of disk mirroring
- employment of an uninterruptible power supply system or emergency power supply system
- employment of software firewalls and restricted ports
- permanently active DDoS protection
For all internal systems, there is a defined escalation chain which specifies who is to be informed in the event of an error in order to restore the system as quickly as possible.
IV. Procedures for regular testing, assessment, and evaluation (Art. 32 Para. 1 Clause d GDPR; Art. 25 Para. 1 GDPR)
- The data protection management system and the information security management system have been combined into a DIMS (data protection information security management system).
- Incident response management is available.
- Data-protection-friendly default settings are taken into account for software development (Art. 25 Para. 2 GDPR).
-
DENALI employees are regularly instructed in data protection law and are familiar with the procedural instructions and user guidelines for data processing on behalf of the Client also with regard to the Client's right of instruction. The General Terms and Conditions contain detailed information on the type and scope of the commissioned data processing and use of the Client's personal data.
-
The General Terms and Conditions contain detailed information about the purpose limitation of Client’s personal data.
-
DENALI has appointed a company Data Protection Officer and an Information Security Officer. The data protection organization and the information security management systems integrate both officers into the relevant operational procedures.