DIA Digital Consulting

Privacy Center

In our data protection center, we provide you with all the documents required for the GDPR in one place. In addition, you will find our service catalog, an overview of our subcontractors, and information about our technical and organizational measures (TOM) to protect your data and that of your customers.
You can download the latest version of our contract for commissioned data processing here.

You can download the latest version of our technical and organizational measures (TOMs for short) here.

Specification of services

Business Applications

| Subject | Nature and purpose of processing | Data types/categories | Categories of data subjects |
| --- | --- | --- | --- |
| Technical (further) development of the Salesforce customer instance, consulting, and project management | Read access to the Salesforce platform in order to provide advice based on the data and its structure | Access to all data stored in the Salesforce customer instance, e.g., communication data (e.g., telephone, e-mail, address), contract master data (contractual relationship, product or contract interest), customer history, order, billing, and payment data, planning and control data, information (from third parties, e.g., credit agencies, or from public directories), credit information, personal information, criminal records, and potentially any electronic communication. | Subscribers; Employees; Prospective customers; Suppliers; Sales representatives; Customers; Competitors; Partners; Job applicants; Consumers |
| Technical (further) development of the Salesforce customer instance, administration | Read and write access to the Salesforce platform in order to maintain the platform | Access to all data stored in the Salesforce customer instance, e.g., communication data (e.g., telephone, e-mail, address), contract master data (contractual relationship, product or contract interest), customer history, order, billing, and payment data, planning and control data, information (from third parties, e.g., credit agencies, or from public directories), credit information, personal information, criminal records, and potentially any electronic communication. | Subscribers; Employees; Prospective customers; Suppliers; Sales representatives; Customers; Competitors; Partners; Job applicants; Consumers |
| Technical (further) development of the Salesforce customer instance, programming | Read and write access to the Salesforce platform in order to further develop the platform | Access to all data stored in the Salesforce customer instance, e.g., communication data (e.g., telephone, e-mail, address), contract master data (contractual relationship, product or contract interest), customer history, order, billing, and payment data, planning and control data, information (from third parties, e.g., credit agencies, or from public directories), credit information, personal information, criminal records, and potentially any electronic communication. | Subscribers; Employees; Prospective customers; Suppliers; Sales representatives; Customers; Competitors; Partners; Job applicants; Consumers |
| Technical (further) development of the Salesforce customer instance, consulting on system architecture | Read access to the Salesforce platform in order to provide advice based on the data and its structure | Access to all data stored in the Salesforce customer instance, e.g., communication data (e.g., telephone, e-mail, address), contract master data (contractual relationship, product or contract interest), customer history, order, billing, and payment data, planning and control data, information (from third parties, e.g., credit agencies, or from public directories), credit information, personal information, criminal records, and potentially any electronic communication. | Subscribers; Employees; Prospective customers; Suppliers; Sales representatives; Customers; Competitors; Partners; Job applicants; Consumers |
| Technical (further) development of the Salesforce customer instance, evaluation of analysis results and mass data | Read and write access to the Salesforce platform in order to evaluate the data | Access to all data stored in the Salesforce customer instance, e.g., communication data (e.g., telephone, e-mail, address), contract master data (contractual relationship, product or contract interest), customer history, order, billing, and payment data, planning and control data, information (from third parties, e.g., credit agencies, or from public directories), credit information, personal information, criminal records, and potentially any electronic communication. | Subscribers; Employees; Prospective customers; Suppliers; Sales representatives; Customers; Competitors; Partners; Job applicants; Consumers |
| Technical development of mobile apps, programming | Read and write access to mobile apps, databases, and servers in order to further develop mobile applications | Access to all data stored in the Salesforce customer instance, e.g., communication data (e.g., telephone, e-mail, address), contract master data (contractual relationship, product or contract interest), customer history, order, billing, and payment data, planning and control data, information (from third parties, e.g., credit agencies, or from public directories), credit information, personal information, criminal records, and potentially any electronic communication. | Subscribers; Employees; Prospective customers; Suppliers; Sales representatives; Customers; Competitors; Partners; Job applicants; Consumers |

Online presence
(Websites, Landing pages, Online apps, etc.)

| Subject | Nature and purpose of processing | Data types/categories | Categories of data subjects |
| --- | --- | --- | --- |
| Technical work on the online presence | Access to content and user data stored in the content management system for technical processing and expansion of the platform. Access to log files for securing the server/website. | Personal master data; Communication data (e.g., telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g., credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Editorial work on the online presence | Access to content stored in the content management system, such as contact details of contact persons. | Personal master data; Communication data (e.g., telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g., credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Digital strategy / strategic (further) development of online platforms / consulting | If applicable, access to analysis data for evaluating user behavior. Access to content and user data stored in the content management system. | Personal master data; Communication data (e.g., telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g., credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Development of an online presence including consulting, design, and programming | If applicable, access to analysis data for evaluating user behavior. Access to content intended for the website, such as contact persons, in order to transfer this information to the website. | Personal master data; Communication data (e.g., telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g., credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |

Online-Shop

| Subject | Nature and purpose of processing | Data types/categories | Categories of data subjects |
| --- | --- | --- | --- |
| Technical processing of the online shop | Access to user data and content stored in the online shop for technical processing. Access to log files to secure the server / the online shop. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Editorial work on the online shops | Access to content of the online shop, such as contact persons. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Conceptualization and implementation of an online shop including consulting, design, and programming | If applicable, access to analysis data for evaluating user behavior. Access to content intended for the web shop, such as contact persons, in order to transfer this information to the website. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Digital strategy / strategic (further) development of the online shop | If applicable, access to analysis data for evaluating user behavior. If applicable, access to user accounts for analyzing purchasing behavior and optimizing the shopping experience. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Technical further development of the online shop | Access to user data and content stored in the online shop for technical administration. Access to log files to secure the server / the online shop. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |

Hosting

| Subject | Nature and purpose of processing | Data types/categories | Categories of data subjects |
| --- | --- | --- | --- |
| Hosting of the website | By providing web space and databases, we may potentially have access to visitor data and website content. Access to log files. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Hosting of the online shop | By providing web space and databases, we may potentially have access to customer data and website content. Access to log files. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Hosting of a development environment | By providing a development environment, we may potentially have access to data stored in the databases and on the web space. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |

SEO & Online-Marketing

| Subject | Nature and purpose of processing | Data types/categories | Categories of data subjects |
| --- | --- | --- | --- |
| Management of online campaigns | Access to analysis tools / analysis results for evaluating user behavior. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Consulting on online marketing (including analysis of results) | Access to analysis tools / analysis results for evaluating user behavior. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Search engine optimization (on-page and off-page) | Access to analysis tools / analysis results for evaluating user behavior. Access to website content. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |

Newsletter

| Subject | Nature and purpose of processing | Data types/categories | Categories of data subjects |
| --- | --- | --- | --- |
| Management of email marketing campaigns | Access to recipient information for managing email campaigns. Access to newsletter tracking. Access to newsletter content. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Creation of newsletters including consulting, design, programming, and testing | Access to newsletter content | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Sending of newsletters | Access to recipient information for sending newsletters. Access to newsletter content. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Management of newsletter recipients | Access to recipient information for sending newsletters. Access to newsletter content. | Personal master data; Communication data (e.g. telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g. credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |

(Offline-)Marketing

| Subject | Nature and purpose of processing | Data types/categories | Categories of data subjects |
| --- | --- | --- | --- |
| Creation of a marketing concept (with evaluation of analysis data) | Access to analysis tools and analysis results, if applicable. Access to content for marketing measures. | Personal master data; Communication data (e.g., telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Planning and control data; Information (from third parties, e.g., credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |
| Creation of print media | Access to content for print media. | Personal master data; Communication data (e.g., telephone, email); Contract master data (contractual relationship, product or contract interest); Customer history; Contract billing and payment data; Planning and control data; Information (from third parties, e.g., credit agencies, or from public directories) | Customers; Prospective customers; Subscribers; Employees; Suppliers; Sales representatives; Contact persons |

Subcontractor

Hosting

| Subcontractor (name, legal form, registered office of the company) | Processing site | Type of service |
| --- | --- | --- |
| Amazon Web Services, Inc., USA | mixed | Hosting, IaaS, PaaS |
| Cloudflare, Inc, USA | mixed | Hosting, CDN |
| domainfactory GmbH, DE | DE, FR | Hosting |
| Google Cloud Platform (GCP) | mixed | IaaS, PaaS |
| Hetzner Online GmbH, DE | DE | Hosting |
| Host Europe GmbH, DE | FR | Hosting |
| maxcluster GmbH | DE | Hosting |
| Mittwald CM Service GmbH & Co. KG, DE | DE | Hosting |

Marketing

| Subcontractor (name, legal form, registered office of the company) | Processing site | Type of service |
| --- | --- | --- |
| CleverReach GmbH & Co. KG, DE | EU | Newsletter system |
| Dotmailer Limited | UK | Marketing Automation |
| Inxmail GmbH, DE | DE | Newsletter system |
| MailChimp, USA | US | Newsletter system |
| Salesforce Marketing Cloud | EU | Marketing Automation |
| PARDOT EMEA, UK | UK | Marketing Automation |
| Vimeo.com, Inc. | USA | Streaming Software Platform |

Service provider

| Subcontractor (name, legal form, registered office of the company) | Processing site | Type of service |
| --- | --- | --- |
| VRP Consulting | NL | Development |
| Agile Networks Technologies GmbH | DE | Development |
| NICKLAS+NICKLAS | CH | Development |
| Omikron Data Solutions GmbH | DE | Development |
| AWESOME Software GmbH | DE | Development |
| KCS IT S.A | PT | Development |

Freelancer

| Subcontractor (name, legal form, registered office of the company) | Processing site | Type of service |
| --- | --- | --- |
| Anastassia Khasinevich | PL | Development |
| Eduard Dehgraf | CH | Consulting |
| Thomas Wegener | DE | Consulting |

Tracking

| Subcontractor (name, legal form, registered office of the company) | Processing site | Type of service |
| --- | --- | --- |
| Google Ireland Limited, IRL | mixed | Tracking |
| etracker GMBH, DE | DE | Tracking |

Advertisement

| Subcontractor (name, legal form, registered office of the company) | Processing site | Type of service |
| --- | --- | --- |
| DataValidation by Synapp.io | EU | |
| Facebook Ireland Limited, IRL | mixed | Advertising platform |
| Google Ireland Limited, IRL | mixed | Advertising platform |
| HubSpot Inc., USA | DE, US | Advertising platform |
| LinkedIn Ireland Unlimited Company, IRL | mixed | Advertising platform |
| Outbrain UK Limited, UK | mixed | Advertising platform |
| Plista GmbH, DE | mixed | Advertising platform |
| Taboola, Inc., USA | mixed | Advertising platform |
| Xing, SE, DE | mixed | Advertising platform |

Tools

| Subcontractor (name, legal form, registered office of the company) | Processing site | Type of service |
| --- | --- | --- |
| salesforce.com Germany GmbH, DE | DE, FR | CRM system, order management |
| Atlassian (JIRA, Confluence, Trello), USA | EU | Ticket system and document management of the contractor |
| Google LLC, USA | EU | Cloud-based office applications and document storage, Google G Suite |
| Slack Technologies, USA | EU | Team communication software |
| Adobe Systems Software Ireland Limited, IRL | EU | Creative Cloud, Software as a Service, cloud storage |
| Apple Distribution International, IRL | EU | iCloud, cloud storage |
| SiteLock, USA | EU | Website Security |
| AgileBits, Inc., CAN | EU | 1Password, password management |
| Microsoft Corporation, USA | EU | Office365 |
| REISSWOLF Archivservice GmbH, DE | DE | File and data destruction |
| Sage GmbH | DE | Bookkeeping/accounting |
| Robin | EU | Room planning |
| BMW Bank GmbH | DE | Vehicle leasing |
| Volkswagen Leasing | DE | Vehicle leasing |
| COFACE RATING GMBH | DE | Credit agency/receivables insurance |
| DATEV eG, Nürnberg | DE | Payroll |
| Personio SE & Co. KG | DE | HR processes |

Technical and organizational measures

As of: 30.06.2023

1. Confidentiality (Art. 32 para. 1 GDPR)

Pseudonymization

(Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)
The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures:

-  Encryption of data records
-  Pseudonymization: separation of the attribution file
-  Transfer of data in anonymized and pseudonymized form

Access control

No unauthorized system use, e.g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, encryption of data carriers:

- Alarm system
- Automatic access control system
- Personnel control
- Locking system
- Key chip control
- Video surveillance
- Visitor logging
- Selection of external contractors in-house/cleaning/security service
- Light barriers and motion detectors

Data carrier check

- Locking external interfaces
- Encryption of laptops/notebooks
- Encryption of smartphone content
- Encryption of data carriers
- Smartphone admin software MDM

Memory check

- Anti-virus software
- Hardware firewall
- Software firewall

User control

- Creation of user profiles
- Assignment of user profiles to IT systems
- VPN technology

Access control

No unauthorized reading, copying, modification, or removal within the system, e.g.: Authorization concepts and needs-based access rights, logging of accesses:

- Creation of an authorization concept
- Authentication with name and password
- Number of administrators reduced to “necessity”
- Password assignment and policy
- Logging of access/input/changes/deletions
- Storage of data carriers
- Proper disposal of data carriers/documents
- Establishment of a dedicated line
- Email encryption
- Documentation of data recipients and time periods
- Creation of an overview of regular retrieval and transmission processes

Separability

No unauthorized reading, copying, modification, or removal within the system, e.g.: Authorization concepts and needs-based access rights, logging of accesses:

- Creation of an authorization concept
- Authentication with name and password
- Number of administrators reduced to “necessity”
- Password assignment and policy
- Logging of access/input/changes/deletions
- Storage of data carriers
- Proper disposal of data carriers/documents
- Establishment of a dedicated line
- Email encryption
- Documentation of data recipients and time periods
- Creation of an overview of regular retrieval and transmission processes

2. Integrity (Art. 32 para. 1 lit. b GDPR)

Input control

- Logging of data entry/modification/deletion
- Traceability of entry/modification/deletion
- Assignment of rights for entry/modification/deletion
- Authorization concept
- Overview of applications for entry/modification/deletion
- Storage of forms for automated processing

Transport control

No unauthorized reading, copying, modification, or removal during electronic transmission or transport, e.g.: encryption, virtual private networks (VPN), electronic signature:

- Careful selection of transport personnel and vehicles
- Physically secure transport containers

Data integrity

- Definition of safety-critical systems
- Safety & Security

3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

Availability

Protection against accidental or deliberate destruction or loss, e.g.: backup strategy (online/offline; onsite/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting channels, and emergency plans:

- UPS
- Monitoring of temperature and humidity in the server room
- Air conditioning in the server room
- Fire and smoke detection
- Alarm in case of unauthorized access to the server room
- Emergency plan
- Security concept
- Alarm system (fire extinguishers, alarm center, etc.)
- Location of the server room (on site, both internally and externally)

Recoverability

- Data backup type/scope/outsourcing
- Backup and recovery concept

4. Procedures for regular review, assessment, and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

Data protection management

Data protection employee agreements, encryption, passwords, access control, TOMs, updating the procedure directory, availability check

Incident-Response-Management (Incident risk)

Employee training, risk and impact assessment, damage containment, elimination of the cause, restoration of affected systems, documentation, analysis

Privacy-friendly default settings (Art. 25 para. 2 GDPR)

- Privacy by Design: Design and development of IT systems in compliance with data protection regulations
- Privacy by Default: Databases and user group rights

Order control

No order data processing within the meaning of Art. 28 GDPR without corresponding instructions from the client, clear contract design, formalized order management, such as follow-up checks of technical and organizational measures.

- Selection of the contractor
- Order processing Art. 28
- Effective control rights / contractual penalty Art. 32
- Instruction of employees Art. 29
- Ensuring the destruction/deletion of data after termination
- Ongoing review of the contractor / activities

Copyright ©2025 DIA Digital Consulting
