GDPR & Data Privacy

What mechanisms does Helm & Nagel GmbH use to ensure availability?

Helm & Nagel GmbH relies specifically on a redundant design of the server infrastructure with regard to productive data and backups as well as the physical security of the data centers (e.g. uninterruptible power supply, alarm system, fire alarm system, etc.) and also operates a continuous capacity management to monitor the resources used and the distribution of necessary resources.

Are regular backups performed or do customers have to back up their data themselves?

In order to ensure adequate availability, Helm & Nagel GmbH implements a backup concept for the database with the client’s data stored on it according to the latest state of the art. The backups of the database systems are stored exclusively in encrypted form. This means that the customer does not need to carry out his own backups. Regular restore tests are carried out to ensure proper storage of backups and their restoration in the event of data loss.

What happens to the customer data in case of a total failure of our system, for example due to a natural disaster or similar?

In the unlikely event of a total system failure, the redundant design of the data centers (productive and backup data) ensures that your data will not be lost. In this case, we will ensure the fastest possible recovery according to our emergency plan/disaster recovery concept.

Who owns the data?

The customer is and remains the “master of the data” and the responsible body in terms of Art. 24 EU-GDPR. In particular, this means that the customer is also responsible for safeguarding the rights of the persons concerned ( Chapter 3 EU-GDPR). Helm & Nagel GmbH is a commissioned processor and thus processes your data exclusively on your instructions and for the purposes regulated in the contract for commissioned processing.

This means that Helm & Nagel GmbH does not sell or pass on data to third parties under any circumstances. An exception to this is the passing on of data to any subcontractors that may have been commissioned, which is regulated in the contract for processing orders with our customers.

Furthermore, Helm & Nagel GmbH reserves the right to use only completely anonymous data, for example for the purpose of testing or further development of the product. Such anonymisation is carried out exclusively within the framework of legal regulations and takes into account the state of the art and the recommendations of the Article 29 Data Protection Group or the European Data Protection Committee. Anonymised data means that no conclusions can be drawn about individuals or companies. Therefore, there is no risk for our customers.

What happens to the data if the customer terminates the contract or Helm & Nagel GmbH ceases business operations?

Upon termination of the business relationship, persons of the customer who are authorized to give instructions may request the release of the data in a machine-readable format. The data will then be irretrievably deleted after expiry of the contractually defined period. In the unlikely event that Helm & Nagel GmbH should cease business operations, there will be no deviation from this policy, as the customer is the “master of the data” and Helm & Nagel GmbH is merely the processor of the data on behalf of the customer and therefore cannot and will not dispose of the personal data in any other way.

Is customer data stored in encrypted form?

Yes, in all databases and memories of binary files used by Helm & Nagel GmbH, such as a PDF, encryption “at rest” is used according to the state of the art, so that the data can only be read after proper authentication.

Is the transmission of customer data encrypted?

Yes, all personal or personally identifiable data that is transferred from the Konfuzio application to a client or to other platforms must be encrypted using Transport Layer Security (TLS), in particular HTTPS encryption. For this purpose, a secure connection must first be established between the two connection partners (client and server) before a data transmission can take place.

Where is the data stored?

Helm & Nagel GmbH relies on Microsoft and Deutsche Telekom. The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers’ data.

Who can access customer data at Helm & Nagel GmbH and its service providers?

In general, neither employees in the data centers nor at Microsoft have access to your data. At Helm & Nagel GmbH, only our infrastructure team (server side) and our AI experts (customer system side) have access to your data but only as required. This is necessary to support the initial setup of the account as well as the processing of service requests. The allocation of access rights is logged and follows the “Need-to-Know” principle. Additionally, access to customer systems is recorded.

How does Helm & Nagel GmbH ensure that no unauthorised persons gain access to the customer’s systems?

Helm & Nagel GmbH uses a host-based attack detection system on the server side to monitor parameters such as conspicuous log entries, signatures of known rootkits and Trojans, anomalies in the device file system, or classic brute force attacks. These parameters are regularly checked for abnormalities. In the event of an anomaly, the responsible employees in operations and development are informed immediately in order to take countermeasures. In addition, all essential activities (especially change, delete and update operations) are logged by the application in order to be able to prove unauthorized access and changes to data on request.

How is user authentication done?

Access is exclusively granted via personalized user accounts, which are clearly assigned to a person. The login takes place with a user name and a password, which must be changed at initial login according to the secure password policy implemented in the application.

Who has access to which data on the customer’s side?

The access rights are basically designed in such a way that the requirements of Art. 24 EU-GDPR are met according to data protection-friendly default settings. This means that newly created employees “by default” have no rights beyond editing their own profile. However, the customer is able to assign rights individually on the basis of their own authorization concept.

Is the Konfuzio application compliant with the EU Data Protection Basic Regulation (EU-GDPR)?

Yes, Konfuzio meets all requirements of the EU data protection basic regulation as an organization as well as a software. As part of the preparations for the EU-GDPR, we have checked our product for the essential legal requirements, such as data protection through technology design and through data protection-friendly default settings (Art. 25 EU-GDPR). We also support the customer in safeguarding the rights of the persons concerned, such as the right to deletion, the right to information or the right to data transferability (Chapter 3 EU-GDPR), and have made appropriate adjustments. For example, the customer can delete document data both automatically and manually and either block or completely and securely delete employee data.

Due to the self-service approach of Konfuzio, users can also directly access their projects at any time. In addition, employees can export uploaded data from the projects themselves in machine-readable format and download their own documents.

Has the application been developed in accordance with the requirements of data protection through technology design and is it preset in a data protection-friendly manner?

Yes, data protection is an integral part of our product strategy and thus we already pay attention to principles such as data economy as well as the use of state-of-the-art measures to ensure an appropriate level of protection when developing our features. As part of the preparations for the EU GDPR, we have also reviewed the entire application with regard to the default settings and adjusted them to the extent that they achieve the highest possible level of data protection friendliness while remaining user-friendly. In addition, the settings are basically designed in such a way that the customer can adjust them according to his needs. In order to ensure this on an ongoing basis, we have also defined a process to continuously feed legal requirements into the product development process and then review the application at regular intervals.

What does Helm & Nagel GmbH do on an organisational level to ensure the protection of personal data and the security of its IT systems?

Helm & Nagel GmbH provides services in compliance with GDPR and takes into account sector-specific requirements, including the specifications of the data protection code of the German Insurance Association (GDV). Helm & Nagel GmbH strives to continuously improve processes and structures in data protection and information security.

The company’s own data protection and information security requirements are sharpened in the course of training and continuing education. Not only are internal processes and protective measures continuously improved, but security gaps at other companies are identified and reported. For example, BASF SE recognized Florian Zyprian, the CTO, as a “Hero of BASF” on the basis of such a report.