Security and data protection
at Metasoul

Security and data protection are core concerns at Metasoul, not an afterthought. As trained IT security and data protection experts, we have designed and implemented a robust concept and applied our craft to our own products in order to protect our customers to the highest standards.

Role of external service providers

For the development and operation of our app and our website, we rely on external service providers who already provide essential security measures as part of their services in a professional manner. We ensure that our data protection and information security requirements are also properly met by these service providers.

Technical and organisational security measures

Technical measures

  • The app and website are operated in ISO/IEC 27001-certified data centres.
    Third-party certifications such as ISO/IEC 27001 attest that an organisation's information security management system has been independently audited against a recognised standard within a defined scope. They are an important part of building trust with customers and partners; the data centre's certification covers the operator's processes and facilities, which is why the application-level measures listed here are applied on top of it.
  • Encryption of data: Sensitive stored data (data at rest) and data in transit are encrypted in accordance with the BSI's Technical Guideline on cryptographic mechanisms (TR-02102) in order to protect them from unauthorised access.
    Encryption at rest ensures that sensitive data is stored in encrypted form on the respective storage medium, so that it remains protected even if the medium is stolen or lost; encryption in transit protects the same data while it travels over a network.
  • Rights concept for administrators: Strict access controls have been implemented for personal data in accordance with the "need to know" and "least privilege" principles. For administrators, this includes in particular the use of MFA, the mandatory use of password managers and randomly generated passwords of at least 20 characters. Administrative rights are assigned under the dual control (four-eyes) principle and may only be used for valid purposes. The use of administrative rights is monitored.
    Access controls are measures that restrict who can access certain resources, such as personal data. They are crucial to prevent unauthorised access and ensure that only authorised persons have access to data.
  • Offices are adequately protected against unauthorised access, are locked outside business hours and visitors can only enter the offices if accompanied at all times.
    The protection of office premises against unauthorised access and the constant accompaniment of external persons ensures the protection of personal data within office premises.
  • Personal data is backed up regularly to prevent data loss.
    Regular backups are crucial to limit the damage from incidents such as ransomware, accidental deletion or technical failures. They only deliver this if restores are tested regularly; a backup that has never been restored is an untested assumption, not a recovery capability.
  • Handling access data and other sensitive information: Two-factor authentication is used to secure access to personal data. Access data and other sensitive information are stored in a password manager. All access via networks is encrypted.
    Two-factor authentication adds an extra layer of security by requiring users to provide two forms of identification before they can access data. This makes it more difficult for unauthorised persons to gain access.
  • Password management tools are used to create, store and manage secure passwords based on internal password policies for systems and applications.
    Password management tools help users generate, store and manage complex and unique passwords for different accounts, reducing the risk of password reuse and improving overall password security.
  • Secure, state-of-the-art network protocols and configurations are used as hardening measures to protect data during transmission.
    Secure network protocols, such as properly configured TLS-based HTTPS, provide security measures, including encryption, during data transmission and help protect data in transit.
  • Penetration tests are carried out regularly to identify potential vulnerabilities in systems.
    Penetration tests (pen tests) are simulated attacks against a system to check for exploitable vulnerabilities. The process involves gathering information about the target before the test, identifying possible entry points, attempting to penetrate the system and reporting the results so that findings can be fixed and re-tested.
  • Protection against malware: Anti-malware measures have been implemented to protect systems and data from malware. This includes the installation and operation of malware detection software on relevant systems as well as the monitoring and handling of alarms triggered by potentially detected threats.
    Anti-malware measures include the use of software tools to detect and remove malicious software that could jeopardise system security and data integrity. These tools are crucial for defence against cyber threats.
  • System hardening: Hardening measures are applied to all relevant systems via a secure configuration based on the CIS Benchmarks. Hardening primarily consists of deactivating unnecessary functions, restricting access and rights to the necessary minimum and following the manufacturer's recommendations for system hardening.
    A secure system configuration means setting up systems and software in a way that minimises the risk of vulnerabilities that could be exploited by malicious parties. This includes measures such as disabling unnecessary services, setting up appropriate user authorisations and updating systems.
  • Firewalls are used to monitor and control incoming and outgoing network traffic and only allow necessary, explicitly authorised connections.
    A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predefined rules, ideally with a default-deny policy so that only explicitly listed connections are permitted. It creates a barrier between trusted internal network segments and untrusted external networks, such as the Internet.
  • Network activity is continuously monitored to detect and respond to security threats.
    Network monitoring is a critical IT process in which all network components such as routers, switches, firewalls, servers and VMs are monitored for errors, security incidents and performance and continuously evaluated to maintain and optimise their availability. Early detection of problems or security incidents can save a company from unexpected downtime.
  • Data pseudonymisation techniques are used to reduce the impact of a potential data breach.
    Pseudonymisation is a de-identification process in which personal identification fields within a data set are replaced by one or more artificial identifiers (pseudonyms). The information needed to re-identify a person (for example the key or lookup table) is kept separately under access control. Note that pseudonymised data is still personal data under the GDPR (Art. 4(5), Recital 26), because re-identification remains possible with that additional information; only fully anonymised data falls outside its scope.
  • Patch management process: Regular updates of all software and hardware components are ensured via a dedicated patch management process to protect against known vulnerabilities. Patches are applied at different intervals depending on the system type, but at least once a quarter and immediately when a patch addresses a critical vulnerability.
    Regular updates of software and hardware ensure that they are protected against known vulnerabilities. Updates often include patches for security vulnerabilities that have been discovered since the last version of the software or hardware.
  • Electronic access logs are kept to record who has accessed which personal data and when.
    Electronic access logs are used to record when users access systems and data. This can be crucial in the event of a security incident as it helps to track actions and identify potential perpetrators.
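The pseudonymisation measure above does not say which technique is used, so the following is an added illustration (not Metasoul's code) of one common approach: replacing an identifying field with a keyed HMAC-SHA256 pseudonym. The sample records, field names and the `generate_key` helper are constructed for the example. It also shows why an unkeyed hash of a low-entropy identifier such as an e-mail address is not a pseudonym in any useful sense: it can be reversed by simply hashing a list of guesses.

```python
"""Keyed pseudonymisation of identifying fields (added example, not Metasoul's code)."""
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records; not real customer data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "plan": "pro", "logins_30d": 42},
    {"email": "bob@example.com", "plan": "free", "logins_30d": 3},
    {"email": "Alice@Example.com", "plan": "pro", "logins_30d": 17},
]

# Fields that identify a person and must be replaced before the data
# leaves the access-controlled production environment (assumed field list).
IDENTIFYING_FIELDS = ("email",)


def generate_key() -> bytes:
    """Secret pseudonymisation key. Under GDPR Art. 4(5) this key is the
    'additional information' that must be stored separately from the data."""
    return secrets.token_bytes(32)


def pseudonymise_value(value: str, key: bytes, truncate_bytes: int = 16) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256(key, normalised value).

    Deterministic, so records belonging to the same person still join;
    keyed, so nobody without the key can recompute or verify the mapping.
    The value is normalised (trimmed, lower-cased) so that 'Alice@Example.com'
    and 'alice@example.com' map to the same pseudonym."""
    normalised = value.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).digest()
    return digest[:truncate_bytes].hex()


def pseudonymise_records(records: Iterable[dict], key: bytes,
                         fields: Iterable[str] = IDENTIFYING_FIELDS) -> list:
    """Return copies of the records with every identifying field replaced."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in fields:
            if field in new:
                new[field] = pseudonymise_value(new[field], key)
        out.append(new)
    return out


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256 of the identifier: the anti-pattern. Anyone can
    recompute it for a list of candidate e-mail addresses."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def dictionary_reverse(pseudonym: str, candidates: Iterable[str],
                       fn: Callable[[str], str]) -> Optional[str]:
    """Re-identification attempt: recompute fn over guesses and compare."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = generate_key()
    for rec in pseudonymise_records(SAMPLE_RECORDS, key):
        print(rec)
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("naive hash reversed to:",
          dictionary_reverse(naive_hash("alice@example.com"), guesses, naive_hash))
    print("keyed pseudonym reversed without key:",
          dictionary_reverse(pseudonymise_value("alice@example.com", key),
                             guesses, naive_hash))
```

Two design points worth noting: the pseudonym is truncated to 128 bits, which is still far too wide to collide by accident but keeps the column short; and the key, not a salt stored next to the data, is what makes the scheme hold up, so it belongs in the same kind of secret store as the administrative credentials described above, with its own rotation plan.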

Organisational measures

  • The principle of data minimisation is adhered to; only the personal data required for the provision of the service is collected.
    Data minimisation is a key principle of the GDPR. It means that an organisation should only collect and process the personal data it needs for its specific purpose. This reduces the risk of data breaches and helps to build trust with customers.
  • Deletion procedure: Based on a deletion concept, personal data is automatically deleted, as far as legally possible, once the purpose of providing the service has been fulfilled or when the data subject explicitly requests this (right to erasure, Art. 17 GDPR).
    Regularly deleting unnecessary data is an important part of data management and GDPR compliance. It helps to reduce the risk of data breaches and ensures that the organisation does not retain personal data for longer than necessary.
  • Regular campaigns (awareness training) to sensitise users to information security are carried out to educate employees about potential cyber threats.
    Information security awareness training campaigns are crucial to educate employees about cyber threats such as phishing, social engineering and malware and to promote best practices in data protection.
  • A detailed response plan has been drawn up to deal with potential data breaches or cyber security incidents involving personal data.
    A response plan is a set of instructions that help identify, respond to and recover from security incidents. A robust plan is critical to minimising the impact of a data breach and recovering quickly.
  • Regular data protection impact assessments are carried out to identify and minimise risks.
    Data protection impact assessments (DPIAs) identify, assess and mitigate or minimise data protection risks in data processing. DPIAs are important because they help organisations to identify and address issues early, which can reduce the associated costs and reputational damage that could otherwise occur.
  • Employees receive regular training on data protection and compliance with the GDPR.
    Regular training ensures that employees are aware of data protection principles and their responsibilities under the GDPR. This can help prevent data breaches caused by human error and ensure that issues are reported and dealt with correctly.
  • A data breach notification procedure is in place to inform data subjects and the competent supervisory authority.
    In the event of a personal data breach, the GDPR requires organisations to notify the competent supervisory authority without undue delay and, where feasible, within 72 hours (Art. 33), and to inform the affected data subjects when the breach is likely to result in a high risk to them (Art. 34). A prepared procedure makes prompt notification possible and helps to mitigate the consequences of a breach.
  • Privacy by design and privacy by default principles are followed.
    Privacy by design and privacy by default means integrating data protection into processing activities and business practices, from the design phase through the entire lifecycle. This helps to ensure that data protection is not an afterthought, but is embedded in the design and architecture of IT systems and business practices.
  • A Data Protection Officer (DPO) has been appointed to monitor compliance with the GDPR.
    A data protection officer (DPO) is responsible for monitoring a company's data protection strategy and its implementation in order to ensure compliance with GDPR requirements. The DPO acts as a point of contact for the company, the data subjects and the supervisory authorities.
  • Software developers regularly receive security training to ensure secure coding practices.
    Regular security training for developers is essential to educate them on the latest security threats and best practices for creating secure code, reducing the likelihood of vulnerabilities being introduced into the software.
  • Information security guidelines have been established and are regularly reviewed and updated.
    Information security policies set the framework for what is expected of employees and systems in terms of information security. Regularly reviewing and updating these policies ensures that they remain effective and relevant in the face of the evolving security landscape.
  • Information security assessments of processors are carried out, and data processing agreements are concluded to ensure compliance with security standards and to secure them contractually.
    Information security assessments of processors are crucial to verify that external service providers and suppliers adhere to the same data protection and security standards as the organisation. This helps to minimise the risk of data breaches or leaks caused by third parties. Under Art. 28 GDPR, the relationship with a processor must be formalised in a data processing agreement.