SaaS: Technical and organizational arrangements

1. Introduction

audeoSoft will provide to customer the application stafflTpro WEB and any additional applications in the context of SaaS. audeoSoft shall provide to customer hardware and software therefore. The complete hardware as well as software components Windows Server (operating system), MS SQL Server (database) will be provided by audeoSoft’s subcontractor. The operation of the hardware and software is performed in a data center of the subcontractor. In addition reference is made to the details provided by the subcontractor under Technical and organizational arrangements for subcontractor (SaaS). audeoSoft shall provide the applications agreed with customer, hereinafter referred to as SaaS software via internet. SaaS applications are installed and provided by audeoSoft.

2. Asmission

audeoSoft GmbH does not have access to the computer facilities of the subcontractor. We refer insofar to the terms of the subcontractor under Technical and organizational arrangements for subcontractor (SaaS).

3. Access Control

The software supplied by audeoSoft is protected by passwords and data encryption. The transfer of data between SaaS software and the SaaS server is based on the HTTPS encryption. Upon request, customer can work without data encryption.

The ADM user serves to administrate staffITpro WEB. At the time of the first installation the ADM password will be communicated to customer by telephone. In addition, customer will be provided with the software WebAdmin to be able to create additional users and for changing user information. The customer is strictly advised to change the password for the ADM user immediately. audeoSoft has no knowledge of the passwords assigned by customer for the ADM-users and for the other users necessary for the use of SaaS software. All passwords for the access to the SaaS software are stored encrypted.

To comply with the guaranteed support services and to maintain the functionality of the server operation audeoSoft has access to the hosting servers. The requirements regarding access control, in particular with regard to an authentication system, are met. The servers are secured by login / password method. All SaaS servers are maintained by means of remote desktop technology. Only secure VPN connections are used therefor (tunnel between the router and the router of audeoSoft and the sub-contractor). The logon to the server is executed as administrator. This is imperative for the administration of the system. The passwords are only known to the employees who are entrusted with the support and care of the computer system. All employees in charge were committed in writing to maintain confidentiality. The passwords are at least eight characters long and consist of random combinations of letters, special characters and numbers. After registration audeoSoft has complete access to the operating system Windows Server and the database MS SQL Server. This is necessary to intervene immediately in case of system faults and to be able to execute maintenance work.

audeoSoft performs the following services: Install the following updates: Windows operating system, MS SQL Server database, Web Server IIS, SaaS software and other software components that need an update. Other tasks include clearing of SQL Server Log files, the restart of IIS (Internet Information Server), the restart of MS SQL Server and other services that are necessary for the operation of the SaaS software..

Reference is also made to Subcontractor’s terms and conditions see Technical and organizational arrangements for subcontractor (SaaS).

4. Disclosure, Control

The legal requirements for the disclosure and control of data are met. A disclosure of personal data to third parties will not be made by audeoSoft with consultation. audeoSoft has committed all employees to refrain from inspection of customer data or to create copies. In case access to customer’s data should be necessary from the perspective of the support, customer shall previously give his consent thereto in writing. Backups are performed by the subcontractor. audeoSoft has no direct access to backups of customer data. audeoSoft must identify itself to the subcontractor to be able to download a backup. The saving process takes place internally in the protected area network. Intervention in the storage or transmission process is not possible. The storage and transmission operation is being protected against tampering. Reference is made in addition to the Terms and conditions of the subcontractor under Technical and organizational arrangements for subcontractor (SaaS).

5. Availability Control

ln addition, reference is made to the conditions of the subcontractor under Technical and organizational arrangements for subcontractor (SaaS). audeoSoft uses the following components for its servers to help ensure high availability: Separation of WEB and database server. The database server is NOT accessible via a public IP and thus disconnected from the internet. Complete backup of all servers is made several times a day during operation and can be restored if necessary. RAID hard disk system with redundant data saving (mirroring). High availability is thus ensured.

6. Principle of separation

audeoSoft meets the requirements of the principle of separation. On the productive systems no data collected for other purposes are processed. Changes are tested on logically or physically separated systems before they are migrated into the productive system.

7. Data Backup

audeoSoft will perform multiple data backups of all files and databases of all customers within 24 hours. The backup is performed on a separate backup area.

ENDE

Revision: March 2013