Technical and organizational measures (TOM)

Status: June 2026. Annex to the data processing agreement (DPA) pursuant to Art. 32 GDPR. This English version is a convenience translation; the legally binding version is the German text at verwalto.xhub.io/tom.

1. Confidentiality (Art. 32(1)(b) GDPR)

Physical access control: ISO 27001 certified Hetzner data centres (Falkenstein/Nuremberg), 24/7 security staff, video surveillance, entry only with chip card and biometrics.
System access control: passwords stored as bcrypt hashes (cost factor 12), password policy (min. 12 characters), 2FA mandatory for administrator and manager accounts, session cookies with the HttpOnly and Secure flags, automatic logout after 24 h, brute-force protection on login, staff access only via SSH key through an MFA-protected bastion host.
Data access control: role-based access model (manager, owner, advisory board, tenant), need-to-know principle, audit log of data access.
Separation control: logical tenant isolation, every record scoped by tenant_id; more than 200 automated test cases check for cross-tenant data leaks.
Encryption: TLS 1.3 with HSTS in transit, AES-256 at rest, encrypted backups with keys held in a separate KMS, no personal data written to logs.

2. Integrity (Art. 32(1)(b) GDPR)

Transfer control: encrypted transmission, private network between application and database servers, no transfer to third countries without standard contractual clauses.
Input control: gap-free audit log, no hard deletes (soft delete only), GoBD-compliant hash signature over booking data so that subsequent modification is detectable, exportable compliance reports.

3. Availability & resilience (Art. 32(1)(b) GDPR)

Backups: daily encrypted full backups stored in a geographically separate location; retention 30 days rolling, 12 months, and 7 years for booking data; RPO 24 h, RTO 4 h; point-in-time recovery.
High availability: redundant application servers, PostgreSQL replication with failover, 24/7 monitoring, SLA per Terms § 4.
Disaster recovery: documented recovery plan, tested semi-annually, public status page at status.verwalto.xhub.io.

4. Procedures for regular review (Art. 32(1)(d) GDPR)

Data-protection management: records of processing activities (Art. 30 GDPR), data protection impact assessment (DPIA), annual training, written confidentiality commitment.
Security testing: annual external penetration tests, daily vulnerability scanning with critical CVEs patched within 24 h, four-eyes code reviews, quarterly backup-restore tests.
Incident response: documented plan with severity levels 1 to 4, 24/7 on-call, notification of the controller within 24 h of a personal data breach, post-incident review.

5. Sub-processor control

Written contracts with all sub-processors (Hetzner, Resend, Stripe); public list at verwalto.xhub.io/datenschutz; right to object (DPA § 7); regular compliance review.

6. Data-protection-friendly defaults (Art. 25 GDPR)

Privacy by default (data visible only to authorised roles); minimal data set; automatically enforced retention periods; no advertising/cross-site tracking.

7. Staff commitment

Written confidentiality commitment before first access; data-protection training at onboarding and annually; need-to-know; access revoked within 24 hours upon departure.

8. Planned certifications

BSI C5 attestation in preparation (audit date expected Q4/2027); ISO 27001 preparation from Q3/2027.

9. Updating these TOMs

Reviewed at least annually and updated where necessary; material changes are communicated; the level of protection is not lowered below the documented standard.