Security Concept

Confidentiality acc. Art. 32 §1 lit. GDPR

Measures to deny access for unauthorized persons to data processing equipment with which personal data is processed or used.

Technical measures	Organizational measures
Manual locking system	Key regulation / list
Electronic access control system with record keeping	Visitors accompanied by employee
Security locks	Visitor registration and badge
Doors with security knob outside

Measures to prevent data processing systems (computers) being used by unauthorized persons.

Technical measures	Organizational measures
Login with user name + password	Management of user permissions
Login with biometric data	Creation of user profiles
Anti-virus software server	Safe Password Policy
Anti-virus software clients	Delete/Destroy Policy
Firewall	Gen. Policy Privacy and / or Security
Encryption of data carriers	Mobile Device Policy
Encryption of smartphones	Manual "Manual Desktop Lock"“
Automatic desktop lock
Encryption of Notebooks / tablets

Measures to ensure that the persons that are authorized to use a data processing system can exclusively access data that is subject to their access authorization, and that personal data in the processing, in the use and after storing cannot be read, copied, changed or deleted without authorization.

Technical measures	Organizational measures
Physical deletion of data carriers	Use of authorization concepts
Logging accesses to applications, specifically when entering, changing and deleting data	Minimum number of administrators
Encryption of data carriers	Administration of user rights by administrators
Encryption of smartphones

Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data.

Technical measures	Organizational measures
Separation of productive and test environment	Control through authorization concept
Physical separation (systems / databases / data carriers)	Definition of database rights
Multi-client capability of relevant applications

The processing of personal data in such a way that the data can no longer be assigned to a specific data subject without the need for additional information, provided that such additional information is kept separate and is subject to appropriate technical and organizational measures;

Technical measures	Organizational measures
In case of pseudonymisation: Separation of the assignment data and storage in separate and secured system (possibly encrypted)	Internal instruction to anonymise / pseudonymise personal data in case of disclosure or even after expiry of the statutory cancellation period

Integrity (Art. 32 Abs. 1lit .b GDPR)

Measures to ensure that personal data cannot be unauthorized read, copied, altered or removed during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and determine to which places a transfer of personal data is provided by means for data transmission.

Technical measures	Organizational measures
Use of VPN	Care in selecting transport personnel and vehicles
Logging of accesses and calls
Safe transport containers
Provision through encrypted connections such as sftp, https

Measures to ensure that it is possible to retrospectively verify and determine whether and by whom data has been entered, modified or removed in the data processing systems.

Technical measures	Organizational measures
Technical protocol for the entry, modification and deletion of data	Overview with which programs which data can be entered, changed or deleted
Manual or automated control of the protocols	Granting of rights to enter, modify and delete data on the basis of an authorization concept
	Storage of forms from which data has been taken over in automated processes
	Clear responsibilities for deletions

Availability and resilience (Art. 32 Abs 1 lit. b. GDPR)

Measures to ensure that personal data is protected against accidental destruction or loss.

Technical measures	Organizational measures
	Backup & Recovery Concept
	Control of the backup process
	Keep the backup media in a secure location outside the server room

Procedure for regular review and evaluation (Art. 32 lit. 1 (d) of the GDPR, Art. 25 Abs. 1 GDPR)

Technical measures	Organizational measures
	Employees trained and committed to confidentiality / data secrecy
	Regular sensitization of employees, at least annually
	The organization complies with the information obligations under Art. 13 and 14 GDPR

Data Privacy-friendly default settings (Art. 25 Abs. 2 GDPR)

Technical measures	Organizational measures
No more personal data is collected than is necessary for the purpose
Simple exercise of the right of withdrawal of the person concerned by technical measures

SCRIBOS 360 – System Architecture

Redundant web- and data-base servers
Firewalls & secure SSL connection
Load balancing, back-up & access restriction
Encrypted ID codes stored only, decryption impossible
Intrusion prevention & detection system, backup power units
24/7 monitoring & up-time/function control
Fast & reliable high speed internet hub
Certified high security: ISO 27001 certification for Data- & IT security

Name	Purpose	Lifetime	Type	Provider
CookieConsent	Cookie that stores the user's decision about the cookie banner.	1 year	HTML	Website owner
fe_typo_user	Cookie required by the Typo3 web content system. The cookie is stored during the session. It is needed to save certain website settings during the website visit (session).	session	HTTP	Website owner

Name	Purpose	Lifetime	Type	Provider
_gcl_au	Used by Google AdSense to experiment with advertisement efficiency.	3 months	HTML	Google
AMP_TOKEN	Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, request in progress or an error retrieving a Client ID from AMP Client ID service.	1 year	HTML	Google
_dc_gtm_--property-id--	Used by DoubleClick (Google Tag Manager) to help identify the visitors by either age, gender or interests.	2 years	HTML	Google
_ga	Used to distinguish users.	2 years	HTML	Google
_gat	Used to throttle request rate.	1 day	HTML	Google
_gid	Used to distinguish users.	1 day	HTML	Google
_ga_--container-id--	Persists session state.	2 years	HTML	Google
_gac_--property-id--	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.	3 months	HTML	Google

Name	Purpose	Lifetime	Type	Provider
__cf_bm	The cookie used assigns an ID to the site visitor and collects statistical data on the site visits of the site visitor. This serves to individualize the advertising displayed to the user.	30 minutes	Security	Hubspot
__hssc	This cookie stores the domain, the number of visitors and the time when the visits started. It thus determines whether the number of sessions needs to be increased.	31 minutes	Analytics	Hubspot
__hssrc	This cookie measures whether the visitor has restarted his browser and thus determines whether there is a new website visit.	31 minutes	Configuration	Hubspot
__hstc	This cookie stores the domain, the user token, the time of the first, last and current visit, as well as the number of sessions on the page.	6 months	Analytics	Hubspot
hubspotutk	This cookie is used by HubSpot to track or trace visitors to the website.	6 months	Analytics	Hubspot
__gcl_au	This cookie is used by Google AdSense to increase the efficiency of advertising.	3 months	Marketing	Google Ads
test_cookie	This cookie is set to determine whether the website visitor's browser supports cookies.	15 minutes	Configuration	Doubleclick
AnalyticsSyncHistory	The cookie used assigns an ID to the site visitor and collects statistical data on the site visits of the site visitor. This serves to individualize the advertising displayed to the user.	30 days	Marketing	LinkedIn
UserMatchHistory	The cookie used assigns an ID to the site visitor and collects statistical data on the site visits of the site visitor. This serves to individualize the advertising displayed to the user.	30 days	Marketing	LinkedIn
bcookie		24 months	Marketing	LinkedIn
bscookie	The cookie used assigns an ID to the site visitor and collects statistical data about the site visitor's website visits. This serves to individualize the advertising displayed to the user.	24 months	missing translation: type.Marketing	LinkedIn
lang	Stores the language version of a website selected by the user	session	Configuration	LinkedIn
li_gc	This cookie is used to store the consent of guests to the use of non-mandatory cookies.	24 months	Cookie-Banner	LinkedIn
lidc	This cookie assigns an ID to the site visitor. Under this ID, data on visitor behavior is collected on several websites in order to display individual advertising to the site visitor.	24 hours	Marketing	LinkedIn