Technical and Organizational Measures

Preamble

web DnA GmbH, Homerstraße 10, 80637 Munich ("navable"), implements the following technical and organizational measures for data security pursuant to Art. 32 GDPR:

1. Confidentiality

Physical Access Control

Data Centers (Azure Cloud Services - Frankfurt and Paris):

• Access strictly regulated - only personnel requiring physical access for operational reasons
• Access rights regularly reviewed and revoked when no longer needed
• No external visitor access to data center - security certified by external auditors
• 24/7 video surveillance and alarm systems
• Biometric access controls

Company Premises:

• Regulated access - visitors require accompaniment
• Employee access via keys (logged and controlled)
• Carefully selected cleaning personnel

Logical Access Control

• Principle of Least Privilege: Employees only access information, data, and systems strictly necessary for their work
• Access rights granted and revoked by management, documented
• Access rights reviewed when roles change
• Individual accounts with username/password (min. 20 characters, changed every 90 days)
• Password policy enforced technically (prevents dictionary attacks)
• All relevant systems and notebooks encrypted
• Regular security scans (viruses, malware)
• Remote access to security-critical systems only via VPN
• Firewalls, restrictive rights management, encryption, threat detection, intrusion detection systems (Azure + Cloudflare)
• Certified subprocessors (Azure ISO 27001, Cloudflare SOC 2)
• Employees trained to use screen locks when leaving workstations

2. Integrity

Input Control

• User roles ensure only authorized personnel can input, modify, or delete personal data
• Individual actions within systems logged

Transfer Control

• All data transmitted via modern encryption (HTTPS, TLS 1.3)
• No physical data transport (purely digital solution)
• Account deletion upon contract termination (with written confirmation on request)

3. Availability and Resilience

• Redundant server systems across different geographic locations (Azure Availability Zones)
• Climate-controlled data centers with fire/smoke detection, temperature/humidity sensors, fire extinguishers, UPS
• Video surveillance and alarm systems 24/7
• High availability Azure cloud infrastructure
• Daily automated backups (30-day retention, encrypted)
• Cloudflare Advanced DDoS Protection

4. Procedures for Regular Review, Assessment and Evaluation

• Employees contractually bound to handle personal data with care
• Only necessary personal data collected for specific purposes
• Subprocessors selected with due diligence (data protection and security focus)
• Data processing agreements concluded with all subprocessors

Last updated: February 2026 – web DnA GmbH