Technical and Organizational Measures

Preamble

web DnA GmbH, Homerstraße 10, 80637 Munich ("navable"), implements the following technical and organizational measures for data security pursuant to Art. 32 GDPR:

1. Confidentiality

Physical Access Control

Data Centers (Azure Cloud Services - Frankfurt and Paris):

  • Access strictly regulated - only personnel requiring physical access for operational reasons
  • Access rights regularly reviewed and revoked when no longer needed
  • No external visitor access to the data centers; their physical security is certified by external auditors
  • 24/7 video surveillance and alarm systems
  • Biometric access controls

Company Premises:

  • Regulated access - visitors require accompaniment
  • Employee access via keys (logged and controlled)
  • Carefully selected cleaning personnel

Logical Access Control

  • Principle of Least Privilege: Employees only access information, data, and systems strictly necessary for their work
  • Access rights granted and revoked by management, documented
  • Access rights reviewed when roles change
  • Individual accounts with username and password (minimum 20 characters, changed every 90 days)
  • Password policy enforced technically, so that weak or dictionary-based passwords are rejected and dictionary attacks are prevented
  • All relevant systems and notebooks encrypted
  • Regular security scans (viruses, malware)
  • Remote access to security-critical systems only via VPN
  • Firewalls, restrictive rights management, encryption, threat detection and intrusion detection systems (provided via Azure and Cloudflare)
  • Certified subprocessors (Azure ISO 27001, Cloudflare SOC 2)
  • Employees trained to use screen locks when leaving workstations

2. Integrity

Input Control

  • User roles ensure only authorized personnel can input, modify, or delete personal data
  • Individual actions within systems logged

Transfer Control

  • All data transmitted using modern transport encryption (HTTPS with TLS 1.3)
  • No physical data transport (purely digital solution)
  • Account deletion upon contract termination (with written confirmation on request)

3. Availability and Resilience

  • Redundant server systems across physically separate locations (Azure Availability Zones)
  • Climate-controlled data centers with fire/smoke detection, temperature/humidity sensors, fire extinguishers, UPS
  • Video surveillance and alarm systems 24/7
  • High availability Azure cloud infrastructure
  • Daily automated backups (30-day retention, encrypted)
  • Cloudflare Advanced DDoS Protection

4. Procedures for Regular Review, Assessment and Evaluation

  • Employees contractually bound to handle personal data with care
  • Only necessary personal data collected for specific purposes
  • Subprocessors selected with due diligence (data protection and security focus)
  • Data processing agreements concluded with all subprocessors

Last updated: February 2026 – web DnA GmbH