| AmmonitOR

Legal notes

T: +49 30 600 31 88 0
F: +49 30 600 31 88 10
E: info@ammonit.com
W: www.ammonit.com

Technical and Organisational Measures

Ammonit Measurement GmbH

Ammonit provides users with web-based remote access software for data loggers and similar devices used for wind and solar measurement campaigns. The devices connect to AmmonitConnect via a secure method, which makes the web interface of each connected device visible in AmmonitConnect.

It is operated using the web browser. Ammonit takes the technical and organisational measures required to ensure compliance with the provisions of the data protection laws for the personal data collected when using the measurement devices.

Confidentiality pursuant to Art. 32 para. 1 lit. GDPR

Ammonit works together with Hetzner Online GmbH. The parties have concluded an order data processing agreement in accordance with Art. 28 GDPR.

Access control is regulated by Hetzer in the data centre parks in Nuremberg, Falkenstein and Helsinki via an electronic access control system; individual accesses are logged. There is a high-security fence around the entire data centre park.

This includes documented key allocation to employees and colocation customers for colocation racks (each customer exclusively for their own colocation rack) as well as guidelines for escorting and labelling guests in the building.

The data centres are staffed 24×7 and video surveillance is in place at the entrances and exits, security gates and server rooms.

Access to the rooms for external persons (e.g. visitors) is only possible when accompanied by a Hetzner Online GmbH employee. Such access will be documented.

Access to web hosting is password-protected; access is only granted to authorised Ammonit employees. System access for our own employees is via an asymmetric key procedure. Work computers from which the production server can be accessed are protected with complex passwords and their hard drives are encrypted.

Users can only access the database via the AmmonitOR web platform with the appropriate rights for database access (Postgres-User-Auth etc.) or, in exceptional cases, via the super user.

Hetzner ensures that unauthorised access is prevented through regular security updates (according to the current state of the art). Hetzner has also introduced an audit-proof and binding authorisation allocation procedure for employees.

As part of the separation control, Hetzner guarantees measures to ensure that data collected for different purposes can be processed separately. This is achieved by logically and physically separating the data. Data is also backed up on logically and/or physically separate systems.

Pseudonymisation (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)

Ammonit makes it possible to set up an anonymised account for free use. This means that personal data is processed in such a way that the data can no longer be assigned to a specific data subject without the use of additional information.

Integrity (Art. 32 para. 1 lit. b GDPR)

To ensure the transfer control, all employees have been instructed within the meaning of Art. 32 para. 4 GDPR and are obliged to ensure that personal data is handled in accordance with data protection regulations.

All data is stored in a backup for a period of one year and then deleted. Encrypted data transmission is ensured. The connections of the measurement devices to the server are logged. Depending on the configuration of the device by the device users, the information about connections to the AmmonitOR server (name of the server, project key) and possibly XMPP addresses (JIDs) of third parties are used and logged for instant notifications.

If the user deletes a data logger instance, the attached measurement data and data files are moved to PENDING_DELETE (project instance invisible to the user) in a so-called soft delete. There, the data is usually deleted completely within a week. The soft delete function is used to give a user time to undo the process if core data has been deleted ‘by mistake’.

If a data file instance within the database is deleted by the user, the physical file is also removed from the file system.

Input control measures are implemented to ensure that it is possible to subsequently check and determine whether and by whom personal data has been entered, changed or removed in data processing systems. Input control is achieved through logging that takes place at various levels (e.g. operating system, network, firewall, database, application).

Measurement data is available on the one hand in the form of physical data files (simple text files, CSV files) and is stored in the file system and on the other hand as imported data within the database, which is then used for data processing.

Access to the data files is limited by user rights within the file system. The AmmonitOR software has a corresponding user and the corresponding rights to read and delete the data.

The data files are stored in project-related folders using a data logger. The data files may contain geographical position data, location names and company names. Personal data is not included.

Availability and resilience (Art. 32 para. 1 lit. b GDPR)

The availability of the data is ensured by measures that protect personal data against accidental destruction or loss. These include an uninterruptible power supply, air conditioning systems, fire protection, regular data backups, secure storage of data carriers, up-to-date virus protection, raid systems and disk mirroring.

A backup and recovery concept with daily data backups has also been implemented.

An escalation chain has been defined for all internal systems, which specifies who is to be informed in the event of a fault in order to restore the system as quickly as possible.

Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

Both data protection management and incident response management have been introduced.

Data protection-friendly default settings (Art. 25 para. 2 GDPR)

Data protection-friendly default settings (such as creating user profiles in the best possible data protection-friendly manner and enabling pseudonymised use as well as encrypting data) are taken into account in software developments (Art. 25 para. 2 GDPR).

Order control (outsourcing to third parties)

When selecting service providers who process personal data on our behalf, Ammonit has taken the necessary measures to ensure that personal data is only processed in accordance with the instructions issued in each case. This also includes control over the performance of maintenance and system support work, both on site and via remote maintenance.