Annex to the AV (Data Processing) Agreement: Technical and organizational measures

pursuant to Art. 32 para. 1 GDPR

February 12, 2026

1. Confidentiality (Art. 32 para. 1 lit. b) GDPR)

1.1. Physical access control

All measures to prevent unauthorized persons from physically entering the premises that house the data processing systems with which personal data is processed or used are listed below:

  • Doorbell system with camera
  • Chip cards / transponder systems
  • Doors with a knob (no handle) on the outside
  • Key regulation / key log
  • ID card issuance regulation
  • Token issuance regulation
  • Visitors / external persons accompanied by employees
  • External cleaning service
  • External maintenance service
  • Measures in the event of loss of a key / ID / dongle / token / chip card
1.2. System access control

All measures to prevent unauthorized persons from using the data processing systems are listed below:

  • Login with user name + password
  • Login with biometric data
  • Anti-virus software on clients
  • Firewall on servers
  • External access via mobile / home office (e.g. PC / laptop)
  • External access by external service providers
  • External access via smartphones / tablets
  • Encryption of data carriers
  • Automatic desktop lock
  • Encryption of notebooks / tablets
  • Encryption for WLAN use (WPA2)
  • Creation and management of user profiles and authorizations
  • "Manual desktop lock" instructions
  • "Secure password" policy
  • "Delete / Destroy" directive
  • "Clean desk" guideline
  • "Home / mobile office" guideline
  • Mobile device policy
1.3. Data access control

All measures to prevent unauthorized persons from reading, copying, modifying or deleting data within the data processing systems are listed below:

  • Document shredder
  • External document destruction service
  • Physical destruction of data carriers
  • Authorization concept(s)
  • Minimum number of administrators
  • Data protection safe
  • Management of user rights by administrators
1.4. Separation control

All measures to separate personal data collected for different purposes are listed below:

  • Separation of production and test environments
  • Physical separation (systems / databases / data carriers)
  • Multi-client capability of the relevant applications
  • Needs-based access authorizations for employees
  • Definition of database rights
1.5. Pseudonymization (Art. 32 para. 1 lit. a) & Art. 25 para. 1 GDPR)

The data records are not pseudonymized; no pseudonymization measures are in place.

2. Integrity (Art. 32 para. 1 lit. b) GDPR)

2.1. Transfer control

Personal data must be adequately protected during electronic transmission so that it cannot be read, copied, changed or removed without authorization. We have taken the following technical and organizational measures for this purpose:

  • Email encryption
  • Provision of tunnel connections (VPN)
  • Provision of encrypted connections
  • Electronic signature procedures
  • Logging of accesses and retrievals in log files
  • Careful selection of transport personnel and vehicles
2.2. Input control

We use the following measures to check whether and by whom personal data is entered, changed, blocked or deleted in the data processing system:

  • Technical logging of the entry, modification and deletion of data
  • Manual or automated review of the logs
  • Software inventory of data processing programs
  • Assignment of individual user names
  • Authorization concept with assignment of needs-based user rights
  • Secure storage of documents in paper form

3. Availability and resilience (Art. 32 para. 1 lit. b) GDPR)

3.1. Availability control

We use the following measures to protect the availability of personal data against accidental or willful destruction or loss:

  • Storage of backup media in a secure location outside the server room
  • Separate partitions for operating systems and data

Reev GmbH does not operate its own servers, but hosts the data in external data centers of the provider MCON with storage location in Germany. The TOMs are checked regularly as part of the respective order processing relationship.

Rapid restoration of availability (Art. 32 para. 1 lit. c) GDPR) is likewise ensured through the hosting arrangement with the provider MCON (data centers in Germany; Reev GmbH operates no servers of its own). MCON's TOMs are checked regularly as part of the respective order processing relationship.

4. Procedures for regular monitoring, assessment and evaluation

(Art. 32 para. 1 lit. d) GDPR & Art. 25 para. 1 GDPR)

Date of evaluation of the technical and organizational measures: 10.01.23

4.1. Data protection management

To ensure data protection in our company, we use the following measures for regular review, assessment and evaluation:

  • Software solutions for data protection management in use
  • Central documentation of all data protection procedures and regulations, accessible to employees
  • A review of the effectiveness of the technical protective measures is carried out at least once a year
  • External data protection officer: Sophie Hohmann, SiDIT GmbH, info@sidit.de
  • Internal information security officer (ISB): José Carvalho, reev GmbH, josé.carvalho@reev.com
  • Employees trained and committed to confidentiality / data secrecy
  • Regular awareness training of employees, at least annually
  • A data protection impact assessment (DPIA) is carried out as required
  • The organization complies with the information obligations under Art. 13 and 14 GDPR
  • Formalized process for handling data subject requests for information, deletion and data portability
4.2. Incident response management
(in accordance with Art. 33 GDPR)

For the detection and reporting of data breaches, we take the following measures:

  • Use of a firewall, with regular updates
  • Use of spam filters, with regular updates
  • Use of virus scanners, with regular updates
  • Documented process for detecting and reporting security incidents / data breaches
  • Documented procedure for handling security incidents
  • Involvement of the data protection officer (DPO) in security incidents and data breaches
  • Involvement of the information security officer (ISB) in security incidents and data breaches
  • Documentation of security incidents and data breaches
  • Formal process and responsibilities for the follow-up of security incidents and data breaches
4.3. Privacy-friendly default settings

We use the following measures as part of data protection-friendly default settings (Art. 25 para. 2 GDPR):

  • Data minimization and purpose limitation
  • Simple (technical) exercise of the data subject's right of withdrawal through technical measures
4.4. Order control (outsourcing)

Where the processing of personal data is outsourced to processors, we use the following measures to ensure an appropriate level of protection:

  • Prior review of the security measures taken by the contractor and their documentation
  • Selection of the contractor with due diligence (especially with regard to data protection and data security)
  • Conclusion of the necessary data processing agreement or EU standard contractual clauses
  • Written instructions to the contractor
  • Obligation of the contractor's employees to maintain data secrecy
  • Obligation of the contractor to appoint a data protection officer where such an obligation exists
  • Agreement of effective control rights vis-à-vis the contractor
  • Regulation of the use of additional subcontractors
  • Ensuring the destruction of data after completion of the order
  • In the case of long-term cooperation: ongoing review of the contractor and its level of protection
