Data Protection & Security

How we handle data, where we host, and why security is not a feature, but a foundation.

Our Principle

We develop operational systems that run at the core of a company. Customer data, employee data, order data, financial data – there are hardly any more sensitive pieces of information.

Therefore, data protection and security are not a checklist for us to tick off at the end. It is an architectural principle that is built into every system from the start.

GDPR Compliance

All systems we develop are GDPR-compliant. This means concrete:

📋Processing of personal data only with a clear legal basis
🔍Transparency regarding what data is stored, where, and why
🗑️Deletion concepts and retention periods are part of the architecture
📄Data Processing Agreements (DPA) with all relevant parties
🛡️Privacy by Design – data protection is integrated into system architecture, not an afterthought

For us, GDPR is not an additional burden. It is the baseline upon which we develop.

Hosting in Germany

Our clients' systems are hosted with German cloud providers. No data processing in insecure third countries. No reliance on US providers where European data protection standards cannot be guaranteed. This means:

  • Server location Germany
  • Data is subject to German and European law
  • No transfer to third parties without a contractual basis
  • Full control over the storage location and data sovereignty

If a project has specific hosting requirements – such as dedicated servers or certain providers – we will implement that. The architecture is flexible enough for that.

Technical Security

Security is not a standalone feature. It permeates the entire architecture:

Encryption

Data is encrypted both during transmission (TLS/SSL) and at rest (Encryption at Rest). Sensitive fields can also be encrypted at the application level – depending on requirements.

Role-Based Access Rights

Not everyone sees everything. Our systems operate with granular permission concepts: Who is allowed to view, edit, or delete which data? These rights are defined at the role and user level and can be adjusted anytime.

Backup and Disaster Recovery

Regular automatic backups are standard. The backup strategy – intervals, retention, recovery times – is defined on a project-specific basis. The goal is always: In case of emergency, nothing is lost, and the system is quickly available again.

Monitoring and Updates

Systems are continuously monitored. Security updates are applied promptly. Vulnerabilities are proactively identified and fixed – not just when something happens.


Handling AI and Data

AI is a central component of our systems. Therefore, the question is warranted: What happens to the data processed by AI? Our answer is clear:

🚫No training with customer data. Your data will not be used to train AI models.
🔒Data stays with you. AI processing occurs within the defined infrastructure.
📋Transparency. The AI services used and how data flows will be documented.
🇪🇺EU-compliant AI services. Where external AI models are integrated, we ensure GDPR-compliant providers and, where possible, data processing within the EU.

When we integrate AI into a system, our clients always know: which data the AI processes, where that happens, and what happens to the results. No black box.

Data Sovereignty Remains with You

A principle that goes beyond data protection: The data belongs to you. The system belongs to you. We do not create dependencies. We rely on open technologies, documented interfaces, and an architecture that allows you to operate the system yourself or continue with another partner at any time. This applies to the code. This applies to the data. And this applies to the entire infrastructure.


Related Documents:

Fragen zum Thema