Privacy & Security
Technical and Organisational Measures
pursuant to Art. 32 GDPR · Version: March 2025 · Annex 2 to the DPA
Responsible party: IDentity Center GmbH as data processor for the MeinDatensatz service
At a glance
- Encryption: AES-256-GCM (libsodium)
- Key derivation: Argon2id (OWASP recommended)
- Server location: Germany (EU/GDPR)
- Authentication: OTP only, no password stored

Legend for the measure categories used below: Implemented · Technically enforced · Organisationally governed
1. Confidentiality (Art. 32(1)(b) GDPR)
1.1 Physical Access Control
(Organisationally governed)
- Server location: Germany, physically secured (locked server rooms)
- Access limited to authorised operations personnel only
- Server room access logs maintained
- Remote administration exclusively over secured connections (VPN/SSH)
1.2 System Access Control
(Implemented)
- OTP authentication: no password is stored; login is exclusively via a one-time code (6 digits, valid for 10 minutes) delivered by email
- Session timeout: automatic session termination after 30 minutes of inactivity
- Rate limiting: max. 5 OTP requests per email address per hour and 20 per IP address per hour; max. 5 failed verification attempts
- Security logging: all authentication events are logged to security.log (no PII content)
- Passphrase (customer portal): the passphrase is never stored; it is used only at runtime for key derivation
1.3 Data Access Control
(Implemented)
- Role model: Superadmin / Tenant-Admin / Tenant-Viewer / End customer, with strict permission separation
- Tenant isolation: every database query is mandatorily filtered by tenant_id, so cross-tenant access is prevented at the data-access layer
- Token gating: the customer portal is accessible only via signed single-use tokens; only the token hash is stored, the plaintext token is never persisted
- Need-to-know: the Viewer role has read-only access with no write or export permissions
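The OTP flow in 1.2 and the token gating in 1.3 share one pattern: the server keeps only an HMAC-SHA256 hash of the secret (keyed with APP_KEY, as in the table in 1.6), compares in constant time, and enforces expiry, single use and an attempt cap. The PHP below is an added illustration of that pattern, not code from the MeinDatensatz service. The in-memory record arrays standing in for database rows, the function names, the APP_KEY placeholder, the tenant check on token use and the 24-hour token lifetime are assumptions made for this example; the page itself specifies only the OTP's 6 digits, 10-minute validity and 5-attempt limit.

```php
<?php
// Added illustration, not MeinDatensatz code: secrets are persisted only as an
// HMAC-SHA256 hash keyed with APP_KEY. The records are plain arrays standing in
// for database rows; APP_KEY, the function names and the token TTL are assumptions.
declare(strict_types=1);

const APP_KEY         = 'replace-with-32-random-bytes-from-the-environment'; // assumption
const OTP_TTL_SECONDS = 600;   // 10-minute validity (section 1.2)
const OTP_MAX_FAILED  = 5;     // failed verification attempts allowed (section 1.2)

/** Keyed hash of a secret: the only form in which the secret is ever stored. */
function secret_hash(string $secret): string
{
    return hash_hmac('sha256', $secret, APP_KEY);
}

/** Issue a 6-digit OTP: returns [code for email delivery, record to persist]. */
function otp_issue(string $email, int $now): array
{
    $code   = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $record = [
        'email'      => $email,
        'hash'       => secret_hash($code),
        'expires_at' => $now + OTP_TTL_SECONDS,
        'failed'     => 0,
        'used'       => false,
    ];
    return [$code, $record];
}

/** Verify a presented code; the record is updated in place (attempt counter, used flag). */
function otp_verify(array &$record, string $candidate, int $now): bool
{
    if ($record['used'] || $now > $record['expires_at'] || $record['failed'] >= OTP_MAX_FAILED) {
        return false;
    }
    if (!hash_equals($record['hash'], secret_hash($candidate))) { // constant-time compare
        $record['failed']++;
        return false;
    }
    $record['used'] = true; // single use: a replayed code fails
    return true;
}

/** Customer-portal token (section 1.3): 32 random bytes, URL-safe; only its hash is stored. */
function portal_token_issue(int $tenantId, int $datasetId, int $now, int $ttl = 86400): array
{
    $token  = sodium_bin2base64(random_bytes(32), SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    $record = [
        'tenant_id'  => $tenantId,
        'dataset_id' => $datasetId,
        'hash'       => secret_hash($token),
        'expires_at' => $now + $ttl, // assumed lifetime; the page does not state one
        'used'       => false,
    ];
    return [$token, $record];
}

/** Consume a token: valid exactly once, and only for the tenant it was issued to. */
function portal_token_consume(array &$record, string $presented, int $tenantId, int $now): bool
{
    if ($record['used'] || $now > $record['expires_at'] || $record['tenant_id'] !== $tenantId) {
        return false;
    }
    if (!hash_equals($record['hash'], secret_hash($presented))) {
        return false;
    }
    $record['used'] = true;
    return true;
}

// Walk-through with a fixed clock (constructed input, no real mailbox involved).
$now = 1700000000;
[$code, $otp] = otp_issue('user@example.com', $now);
$wrong   = ($code === '000000') ? '000001' : '000000';
$results = [
    'otp wrong code'   => otp_verify($otp, $wrong, $now),
    'otp expired'      => otp_verify($otp, $code, $now + OTP_TTL_SECONDS + 1),
    'otp right code'   => otp_verify($otp, $code, $now),
    'otp replayed'     => otp_verify($otp, $code, $now),
];
[$token, $rec] = portal_token_issue(1, 42, $now);
$results['token other tenant'] = portal_token_consume($rec, $token, 2, $now);
$results['token first use']    = portal_token_consume($rec, $token, 1, $now);
$results['token replayed']     = portal_token_consume($rec, $token, 1, $now);
foreach ($results as $case => $ok) {
    printf("%-20s %s\n", $case, $ok ? 'accepted' : 'rejected');
}
```

The per-email and per-IP request limits from 1.2 live in front of otp_issue (a counter keyed by address and by client IP) and are not shown here; the attempt cap inside otp_verify is what stops online guessing of a six-digit code once it has been issued.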
1.4 Transmission Control
(Technically enforced)
- All connections exclusively over HTTPS/TLS 1.2+; in production the session cookie additionally carries the Secure flag, so it is never sent over plaintext HTTP (the flag protects the cookie itself; TLS for the connection is enforced by the web server, see "Transport" in 1.6)
- Encrypted export packages for return to the controller are stored in storage/exports/
- No data transfers outside the EU/EEA
- Cookie attributes: Secure, HttpOnly, SameSite=Lax
1.5 Separation Control
(Implemented)
- Multi-tenant architecture: each customer's data is logically fully isolated via tenant_id
- Separate tables for administration, dataset, and audit data
- Separate log files: app.log, security.log, audit.log
1.6 Encryption and Pseudonymisation
(Implemented)

| Measure | Algorithm | Library |
|---|---|---|
| Payload encryption | AES-256-GCM | libsodium (PHP ext-sodium) |
| Record key | 32-byte random key, encrypted with the derived key | libsodium |
| Key derivation (KDF) | Argon2id | libsodium pwhash |
| Token hashing | HMAC-SHA256 | PHP, keyed with APP_KEY |
| Transport | TLS 1.2+ | Web server |

- Passphrases are never stored; they are used only at runtime for key derivation
- Plaintext PII is never written to logs, database, or filesystem
- A fresh nonce/IV is generated for every encryption operation
- The GCM authentication tag prevents undetected tampering
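The table above describes a two-level envelope: the passphrase is stretched with Argon2id into a key-encryption key, a random 32-byte record key is wrapped with that key, and the payload is sealed with the record key, both steps using AES-256-GCM with a fresh nonce. The following PHP (ext-sodium) is an added example of that construction, not the MeinDatensatz implementation. The stored-record layout, the function names, the Argon2id cost parameters and the use of the tenant and dataset IDs as GCM additional data (so a blob copied between tenants fails authentication) are assumptions made for this example; the page states the algorithms and libraries but not these details.

```php
<?php
// Added illustration, not MeinDatensatz code: envelope encryption with PHP ext-sodium.
// passphrase --Argon2id--> KEK; random record key wrapped with the KEK; payload sealed
// with the record key; both AES-256-GCM. Field names, cost parameters and the AAD
// binding to tenant/dataset are assumptions for this example.
declare(strict_types=1);

/** Derive a 32-byte key-encryption key from the passphrase with Argon2id (libsodium pwhash). */
function derive_kek(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_AEAD_AES256GCM_KEYBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE, // assumed cost; tune to the server
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_MODERATE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13
    );
}

/** AES-256-GCM with a fresh 12-byte nonce per call; returns nonce || ciphertext+tag. */
function aead_seal(string $plaintext, string $key, string $aad): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES);
    return $nonce . sodium_crypto_aead_aes256gcm_encrypt($plaintext, $aad, $nonce, $key);
}

/** Returns the plaintext, or false when the GCM tag does not verify (tampering, wrong key or AAD). */
function aead_open(string $blob, string $key, string $aad)
{
    $n = SODIUM_CRYPTO_AEAD_AES256GCM_NPUBBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_AEAD_AES256GCM_ABYTES) {
        return false;
    }
    return sodium_crypto_aead_aes256gcm_decrypt(substr($blob, $n), $aad, substr($blob, 0, $n), $key);
}

/** Encrypt one record. Only the KDF salt and two sealed blobs are persisted; the passphrase is not. */
function record_encrypt(string $passphrase, string $payloadJson, string $tenantId, string $datasetId): array
{
    $salt      = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $kek       = derive_kek($passphrase, $salt);
    $recordKey = random_bytes(SODIUM_CRYPTO_AEAD_AES256GCM_KEYBYTES);
    $aad       = $tenantId . '|' . $datasetId; // binds both blobs to their tenant and dataset
    $b64       = SODIUM_BASE64_VARIANT_ORIGINAL;
    $stored    = [
        'kdf_salt'    => sodium_bin2base64($salt, $b64),
        'wrapped_key' => sodium_bin2base64(aead_seal($recordKey, $kek, $aad), $b64),
        'payload'     => sodium_bin2base64(aead_seal($payloadJson, $recordKey, $aad), $b64),
    ];
    sodium_memzero($kek);       // key material leaves memory as soon as it is no longer needed
    sodium_memzero($recordKey);
    return $stored;
}

/** Decrypt one record; returns the payload JSON or false on wrong passphrase, wrong tenant or tampering. */
function record_decrypt(string $passphrase, array $stored, string $tenantId, string $datasetId)
{
    $aad = $tenantId . '|' . $datasetId;
    $b64 = SODIUM_BASE64_VARIANT_ORIGINAL;
    $kek = derive_kek($passphrase, sodium_base642bin($stored['kdf_salt'], $b64));
    $recordKey = aead_open(sodium_base642bin($stored['wrapped_key'], $b64), $kek, $aad);
    sodium_memzero($kek);
    if ($recordKey === false) {
        return false; // wrong passphrase, wrong tenant/dataset, or modified wrapped key
    }
    $plain = aead_open(sodium_base642bin($stored['payload'], $b64), $recordKey, $aad);
    sodium_memzero($recordKey);
    return $plain;
}

if (!sodium_crypto_aead_aes256gcm_is_available()) {
    fwrite(STDERR, "libsodium offers AES-256-GCM only on CPUs with AES-NI\n");
    exit(1);
}
// Constructed sample record; the payload is not real personal data.
$payload = '{"name":"constructed sample","note":"not real PII"}';
$stored  = record_encrypt('correct horse battery staple', $payload, 'tenant-1', 'ds-42');
$ok      = record_decrypt('correct horse battery staple', $stored, 'tenant-1', 'ds-42');
$badPass = record_decrypt('wrong passphrase', $stored, 'tenant-1', 'ds-42');
$badAad  = record_decrypt('correct horse battery staple', $stored, 'tenant-2', 'ds-42');
$tampered = $stored;
$tampered['payload'][10] = ($tampered['payload'][10] === 'A') ? 'B' : 'A'; // flip one ciphertext character
$badTag  = record_decrypt('correct horse battery staple', $tampered, 'tenant-1', 'ds-42');
if ($ok !== $payload || $badPass !== false || $badAad !== false || $badTag !== false) {
    throw new RuntimeException('envelope round-trip check failed');
}
echo "round-trip OK; wrong passphrase, wrong tenant and tampered payload all rejected\n";
```

Two consequences of this layout are worth stating for the review in section 4: a passphrase change only requires re-wrapping the 32-byte record key, not re-encrypting the payload; and because the passphrase is the only input to the KEK, a lost passphrase makes the record unrecoverable by the processor, which is the intended property of the passphrase-never-stored rule.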
2. Integrity (Art. 32(1)(b) GDPR)
2.1 Input Control / Audit Trail
(Implemented)
- Complete audit trail of all accesses, unlocks, corrections, and exports in dataset_audit_log and audit.log
- Each entry contains: event type, actor type, actor ID, UTC timestamp, tenant ID, dataset ID
- No PII content in audit logs
- Audit logs are read-only for non-superadmin users
2.2 Transmission Integrity
(Technically enforced)
- HTTPS/TLS for all communication channels
- AES-256-GCM with authentication tag prevents undetected data manipulation
- CSRF protection for all state-changing forms in the admin area
3. Availability and Resilience (Art. 32(1)(b,c) GDPR)
3.1 Availability Control
- Dedicated server infrastructure in Germany
- Regular database backups with verified restorability
- Log rotation: daily rotation, 90-day retention
- Encrypted records in storage/ are included in backups
- System-level monitoring
4. Regular Review and Evaluation (Art. 32(1)(d) GDPR)
4.1 Privacy Management
- Annual review and update of these TOMs
- Regular review of access permissions (at least semi-annually)
- All staff with data access bound by confidentiality obligations
- Privacy awareness and training measures
- Privacy-by-design and privacy-by-default as development principles
4.2 Incident Management
- Documented incident response process for personal data breaches
- Notification to controller within 72 hours of becoming aware of a breach
- Security logging enables complete incident traceability
- Security contact: info@meindatensatz.de