
Terms of use, privacy policy and data processing agreement of the VERSO Supply Chain Hub

TABLE OF CONTENTS

I. Terms of use (ToU) / Terms of Service
II. Privacy Policy

III. Technical and organizational measures for data protection


1. Confidentiality (Art. 32(1)(b) GDPR)

Access Control (Physical): The Supply Chain Hub is operated exclusively on the Open Telekom Cloud (OTC). Physical access to OTC data centres is restricted to authorised operations personnel and secured by access control systems.

Access Control (Logical/Authentication): All employee access to the platform infrastructure is secured by two-factor authentication (TOTP via authenticator app). Passwords are generated and managed exclusively through the 1Password password manager (minimum 50 characters for critical secrets such as the Django SECRET_KEY). Full-disk encryption is applied to all developer laptops using FileVault (XTS-AES-128, 256-bit). Access credentials to GitLab (where our code repository is hosted) require mandatory 2FA. Shared accounts are kept to a minimum and require approval from the ISO.

Access Rights Control: Access to the platform, infrastructure, and code repositories follows a role-based access control model (RBAC). User accounts are requested and documented centrally via the Director of Products. Each identity is assigned its own uniquely identifiable user account. Access rights are reviewed at least annually to verify that granted permissions are still necessary and have not been misused. All security-relevant events are logged (logins/logouts, changes to user accounts, permission changes) and retained for a minimum of six months. A task for log review is automatically generated on a monthly basis for the VERSO Supply Chain Hub.

Separation Control: Development, test, and production environments are strictly separated from one another. Customer data belonging to different tenants is processed in logical isolation. Production customer data must not be used as test data; exceptions require the explicit approval of the DPO.

Pseudonymisation: Sensitive and personal data is masked in accordance with the development security policy. Appropriate techniques are applied depending on the use case: anonymisation, pseudonymisation, encryption (AES-256), or hashing.


2. Integrity (Art. 32(1)(b) GDPR)

Transmission Control: All communication with and within the Supply Chain Hub is conducted exclusively via HTTPS/TLS (SSL with AES 128/256-bit, RSA 256-bit). TLS certificates are issued via Let's Encrypt (SHA256withRSA, 2048-bit). Email communication is secured using DKIM (SHA256withRSA, 1024–4096-bit). Platform secrets are transmitted in encrypted form using Sealed Secrets (AES-256-GCM, RSA-OAEP with SHA-256).

Input Control: All changes to the source code are fully tracked via the GitLab version control system (Git version history, merge requests, changelogs). Changes to production systems go through a formal merge request process requiring approval from the Development Lead, as well as automated security checks (SAST, Secret Detection, Dependency Checks). Changes to critical cloud services are always carried out under the four-eyes principle.


3. Availability and Resilience (Art. 32(1)(b)/(c) GDPR)

Availability Control: The platform has an active monitoring system with automatic alerting via Grafana and Elasticsearch. Incoming alerts are reviewed without delay. On the Open Telekom Cloud, full database backups are created daily, with incremental backups every five minutes; daily cluster backups are additionally performed via OTC's Cloud Backup and Recovery service. Backups are retained for 31 days. CVE reports for deployed software components (Docker, Kubernetes, etc.) are monitored automatically via OpenCVE; security newsletters from heise.de and the BSI are evaluated on a regular basis.

Rapid Recovery: Backup copies and recovery procedures are tested and documented on the test server at least quarterly. Results are recorded in GitLab issues within the IT Security project. Source code is fully versioned in GitLab and can be rolled back to any prior state at any time (semantic versioning, Git tags).


4. Procedures for Review, Assessment, and Evaluation (Art. 32(1)(d) GDPR)

Data Protection Management: The ISO is the owner of all ISMS policies and is responsible for their annual review. New vulnerabilities are recorded as security issues in Confluence and assessed and prioritised for remediation based on severity, impact, and potential risk. Privileged user accounts are reviewed at least once per year.

Incident Response Management: All security incidents relating to the Supply Chain Hub or suppliers/service providers must be reported to the ISO without delay. Clear procedures for responding to security incidents are contractually agreed with the Open Telekom Cloud for cloud services. The platform's monitoring system automatically triggers alerts in the event of critical incidents.

Processor Control: Cloud service providers are subject to a risk assessment prior to engagement, including verification of compliance with relevant standards (ISO 27001, SOC 2, etc.). The Open Telekom Cloud, as the primary infrastructure provider, holds ISO 27001 certification. Contracts with service providers include mandatory clauses covering confidentiality, data protection (GDPR-compliant), data backup, return of data upon contract termination, and support in the event of security incidents. Sub-processors engaged by the cloud service provider are bound by the same requirements through onward transfer clauses. The quality and security compliance of service providers is reviewed at least annually.