Technical and Organizational Measures

Data security measures within the meaning of Article 32 GDPR – how top.legal protects personal data on its platform

GDPR Article 32
top.legal GmbH, Munich
17 Sections
Version: 20 November 2020

The following document serves only to illustratively present statutory requirements relating to data protection. The rights and obligations of the parties result solely from the contractual agreements and the statutory data protection provisions. Accordingly, no claims can be derived from this document. Technical changes and/or changes in the organization that do not affect compliance with the statutory requirements of the GDPR in its respective current version do not require separate notice to the contractual partner.

At top.legal GmbH (hereinafter "top.legal"), the following technical and organizational measures for data security within the meaning of Article 32 GDPR have been implemented.

1 Physical Access Control

These are measures designed to prevent unauthorized persons from gaining physical access to data processing facilities where personal data is processed or used.

The offices of top.legal are located in an office building in Munich. Access to the office building and to the offices of top.legal is locked day and night. Only the landlord and the tenants of the office space have access to the building. An electronic locking system managed by the landlord is in use. Unauthorized persons are not permitted to enter the premises of top.legal. All persons who gain access to the offices are recorded electronically. The presence of persons on the premises of top.legal is logged via attendance records.

Access authorizations are only granted to an employee once requested by the relevant manager and/or the HR department. When assigning authorizations, the principle of necessity is taken into account.

Visitors are granted access to the office building and then to the offices only after the door has been opened by reception. Reception can see the entrance door and ensures that every visitor reports to reception.

Every visitor is logged in a visitor book and then escorted by the receptionist to their respective contact person. Visitors are not permitted to move freely around the offices without an escort.

top.legal does not operate its own data centers or server rooms on its premises.

2 System Access Control

System access control prevents the data processing systems of top.legal from being used by unauthorized persons: even when a person whose physical access has been controlled is already in a room containing a top.legal data processing facility, it is ensured that only persons permitted to use that facility can do so, and it is traceable at all times who used which data processing system and when.

top.legal has implemented the following measures for system access control.

2.1 Access Authorization

To obtain access to IT systems, users must have a corresponding access authorization. Administrators issue the relevant user permissions for this purpose. This is only done at the request of the respective manager. Such a request may also be submitted through the HR department or management.

2.2 Username and Passwords

Every user of top.legal receives a username and an initial password that must be changed on first login. Password requirements include a minimum length of 12 characters, consisting of upper- and lowercase letters, digits and special characters. Passwords are rotated every 90 days. The password history of each user is stored to ensure that previously used passwords cannot be reused. All employees are instructed to lock their IT systems whenever they leave them. Passwords are stored in encrypted form as a matter of principle.

2.3 Login Logs

All login attempts on all IT systems are logged. After three failed entries, the respective user account is generally locked.

2.4 Two-Factor Authentication

Additional two-factor authentication, which requires further proof of the user's identity at login by combining two distinct and mutually independent factors, provides additional security during sign-in.

2.5 Remote Access

Remote access to the IT systems of top.legal always takes place over encrypted connections.

2.6 Audit Logs

All access to data and to the applications used to process data is recorded in a tamper-proof (audit-proof) audit log. The location, date and user ID of the top.legal employee are recorded. The logs can only be viewed by the administrators of top.legal.

2.7 Revocation of Authorizations

When employees leave the company, the personnel managers inform IT administration without delay of any upcoming changes so that IT administration can revoke the relevant authorizations. Authorizations must be revoked within 24 hours of an employee leaving the company.

3 Data Access Control

These are measures ensuring that persons authorized to use a data processing system can access only the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use or after storage.

top.legal ensures that authorized persons can only access the data for which they hold an access authorization (need-to-know principle), and that personal data cannot be read, copied, modified or removed without authorization during processing, use or after storage. Access to personal data is controlled by recording it in tamper-proof system log files. If an authorized person is in a room with a data processing facility and uses the system, it is ensured that they can only access the data for which they hold the corresponding authorization (authorization concept). It is traceable who accessed which data and when.

Authorizations for IT systems and applications of top.legal are set up exclusively by administrators. The prerequisite for an authorization is a corresponding request for the employee from a manager. The request may also be submitted to the HR department.

There is a role-based authorization concept allowing differentiated assignment of access permissions, ensuring that employees receive access rights to applications and data depending on their respective area of responsibility and, where applicable, on a project-by-project basis. In addition, individual files can be released by the administrator on a case-by-case basis. To grant such a release, an application from the manager or the managing director must be on file.

Data carriers and paper are destroyed by a service provider that guarantees destruction in accordance with DIN 66399. All employees of top.legal are instructed to deposit information containing personal data and/or information about projects into the destruction containers designated for this purpose.

For the processing of personal data, the employees of top.legal are required to use only tested and approved application software. Employees are generally prohibited from installing unapproved software on IT systems.

Personal data is stored on secure, GDPR-compliant data servers. Storing data on local data carriers is not intended; where it is nevertheless required, it must be approved by the manager. All server and client systems are regularly updated with security patches.

4 Separation Control

All IT systems used by top.legal for customers are multi-tenant capable. The separation of data belonging to different customers is ensured at all times.

5 Pseudonymization and Encryption

Administrative access to server systems generally takes place only over encrypted connections.

In addition, data on server and client systems is stored on encrypted data carriers. Appropriate encryption systems are in use.

6 Input Control

These are measures ensuring that it can be subsequently checked and established whether and by whom personal data has been entered into, modified in or removed from data processing systems.

The entry, modification and deletion of personal data processed by top.legal on behalf of a customer is logged as a matter of principle.

Employees are required to always work with their own accounts. User accounts must not be shared or used jointly with other persons.

7 Disclosure Control

These are measures ensuring that personal data cannot be read, copied, modified or removed without authorization during electronic transmission, transport or storage on data carriers, and that it can be checked and established to which entities personal data is intended to be transferred via data transmission facilities.

Any disclosure of personal data carried out on behalf of customers of top.legal may only take place to the extent agreed with the customer or as necessary to provide the contractual services to the customer.

All employees working on a customer project are instructed regarding the permissible use of data and the procedures for disclosing data. Where possible, data is transmitted to recipients in encrypted form.

The use of private data carriers is prohibited for employees in connection with customer projects. When employees leave the company, any existing access rights for the disclosure of data are revoked.

Employees at top.legal receive regular data protection training. All employees are bound to handle personal data confidentially.

8 Availability and Resilience

top.legal ensures that personal data is protected against destruction or loss. The availability of the data is checked regularly, meaning that personal data is made available at defined times and to the defined extent. Availability itself meets the legal and operational requirements, so that, among other things, maintenance windows for the care and upkeep of systems and software do not negatively impact ongoing operations.

top.legal uses a cloud service provider to store and manage personal data and to provide servers, and does not operate its own servers on its premises. top.legal regularly verifies the suitability and security of the services provided and reviews any certifications carried out by the applicable auditing bodies.

9 Secure Design

All data held by top.legal is stored in encrypted form, whether it resides on a local data carrier, on backup media or while being transmitted over the internet. Personal data is always held in multiple redundant copies across independent data centers, meaning the data is mirrored and stored at separate locations. Data on the server systems of top.legal is backed up at least daily incrementally and weekly in full. Backup data is encrypted and stored and managed separately in a virtually segregated cloud storage area. The restoration of backups is tested regularly.

The data centers used are designed to anticipate and tolerate operational failures while maintaining service levels. In the event of an operational failure, data traffic is rerouted from the affected area to another. If a failure occurs at one data center, sufficient capacity is available to distribute data traffic across the remaining sites.

10 Physical Access

Access to the data centers used by top.legal is reviewed regularly by the operator. Physical access points to server rooms are monitored by CCTV cameras with recording capability. Recordings are retained in accordance with regulatory and compliance requirements.

11 Monitoring and Detection

Physical access to the data centers is controlled by professional security staff at the building entrances. Surveillance, alarm systems and other electronic devices are used for this purpose. Authorized personnel gain access to the data centers via multi-factor authentication mechanisms. The entrances to server rooms are secured by devices that trigger an alarm if the door is forced open or held open.

At the data layer, electronic intrusion detection systems are installed that detect security-relevant events and automatically alert the responsible staff. The entry and exit points of the server rooms are secured by devices that require staff to complete multi-factor authentication before entering or leaving the room. These devices trigger an alarm if the door is forced open or held open without authorization. The door alarm systems are configured to detect when someone enters or leaves a data layer without multi-factor authorization. In such a case, an alarm is triggered immediately.

12 Device Management

Media storage devices on which personal data is stored are classified as critical by the operator of the data centers and are therefore treated as highly sensitive throughout their entire lifecycle. The operator of the data center has established standards governing how the devices are installed, operated and ultimately destroyed when they are no longer used. Once a storage device has reached the end of its lifecycle, it is decommissioned in accordance with certified techniques. Media on which customer data has been stored are only released from the operator's possession after decommissioning has been completed.

13 Operational Support Systems

The electrical systems of the data centers used are designed to be fully redundant and can be maintained without impacting operations. It is ensured that the data centers are equipped with backup power supplies so that, in the event of a power outage, the operation of critical loads of the facility is guaranteed.

The data centers in use are equipped with air conditioning systems to control the operating temperature for servers and other hardware, to prevent overheating and reduce the risk of service outages. Temperature and humidity are appropriately monitored and regulated by staff and technical systems.

The data centers are equipped with automated fire detection and suppression devices. The fire detection systems use smoke sensors in networked, mechanical and infrastructure areas. These areas are additionally protected by fire suppression systems.

To detect water leaks, the data centers are equipped with water detection sensors. If water is detected, it is removed to prevent additional water damage.

14 Governance and Risk

The data centers used by top.legal are designed to anticipate and tolerate operational failures while maintaining service levels. In the event of an operational failure, data traffic is rerouted from the affected area to another. An N+1 standard applies to critical applications. If a failure occurs at one data center, sufficient capacity is available to distribute data traffic across the remaining sites.

Critical system components are secured at multiple, isolated locations (known as Availability Zones). Each Availability Zone is designed for independent operation with high reliability. The Availability Zones are interconnected, so that applications configured for it can fail over automatically and without interruption between Availability Zones. Highly resilient systems, and the resulting service availability, are an integral part of the system design.

Threat and vulnerability assessments of the data centers are also carried out regularly by the operator. The ongoing evaluation and mitigation of potential vulnerabilities is performed through the risk assessment activities of the data centers. Regional regulatory and environmental risks are also taken into account.

An operational continuity plan maintained by the operator includes measures to prevent and reduce disruptions caused by environmental influences. The plan contains operational details on the measures taken before, during and after a relevant event. The operational continuity plan is supported by tests that include simulations of various scenarios.

15 Order Processing Control

Order processing control ensures that personal data processed on behalf of a controller is only processed on the basis of the contract and in accordance with the instructions of the controller.

When engaging external service providers or third parties, a data processing agreement is concluded in accordance with the applicable data protection law, following a prior audit by the data protection officer of top.legal. Processors are also reviewed regularly during the contractual relationship.

16 Privacy-Friendly Default Settings

At top.legal, the principle of necessity is applied from the outset during software development, including to user interfaces. For example, form fields and input screens can be configured flexibly: mandatory fields can be defined, or fields can be partially deactivated.

The software of top.legal supports input control by means of a flexible and customizable audit trail, which allows immutable storage of changes to data and user permissions. Authorizations for data or functionalities can be set flexibly and granularly.

17 Procedure for Regular Review, Assessment and Evaluation

A data protection management system is in place at top.legal. There is a guideline on data protection and data security, together with policies that ensure implementation of the objectives of the guideline.

A Data Protection and Information Security Team (DPST) has been set up to plan, implement, evaluate and adjust measures in the area of data protection and data security.

The policies are regularly evaluated in terms of their effectiveness and adjusted accordingly.

In particular, it is ensured that all employees recognize data protection incidents and report them to the DPST without delay. The DPST investigates the incident immediately. Where data processed on behalf of customers is affected, the customers concerned are informed without delay about the nature and scope of the incident.

Where data is processed for internal purposes, if the conditions of Article 33 GDPR are met, notification will be made to the supervisory authority within 72 hours of becoming aware of the incident.