Technical and organisational data protection measures

We offer you a high level of data protection and security in accordance with the German Data Protection Act.

Admission control

Admission control ensures that unauthorized persons cannot physically access the data processing equipment.

The devices (servers, switches, hard disks, …) are located in German data centers operated by third parties.

Each of these data centers ensures the following:

  • Video surveillance (exterior, doors and shelves)
  • Two-factor authentication for access (e.g. personal password and transponder card) with logging of access
  • 24-hour alarm services with connected alarm system
  • Separate physical safety zones for
    • General areas
    • Data center infrastructure and
    • Customer-accessible areas
  • Separately locked racks with the option to use custom locks and keys

Entry control

The machines can be accessed for administrative purposes in various ways: SSH, web interfaces, etc. Access to manage the systems uses only encrypted communications channels.

The identification and authorization of customer applications that are not managed by the Cusy infrastructure is not covered by Cusy’s security responsibility. Our customers are required to ensure the security of their applications themselves.

User identification must use personal login data so that actions can be traced to a single person. Sharing credentials with other persons is therefore prohibited. Depending on the application, login data consists either of a user name and a cryptographic method (e.g. an asymmetric encryption method) or of a password.

Users with a Cusy account are required to manage their password securely: unauthorized physical or logical access to objects that can potentially store passwords must not lead to compromised passwords. Examples of such objects are:

  • home directory on a laptop,
  • password manager,
  • backups,
  • USB sticks,
  • smartphones.

All machines have root logins for emergencies, which may only be used by administrators if the usual user authentication does not work correctly. Every use of the root login must be documented.

All privileged actions must be securely logged. SSH logins must be executed with SSH keys. Successful SSH logins to machines are logged, but unsuccessful SSH login attempts are not.

Access control

The authorization concept distinguishes between the responsibilities for the maintenance of applications and privileged tasks for updating and configuring the operating system.

Cusy implements an authorization concept that separates tasks for application administration and development from privileged administrative tasks for maintenance of the infrastructure and platform.

Privileged administrative access is generally not granted to customers. In cases where a person who is not an administrator is required to solve a problem, a shared session must be established between an administrator and that person (e.g. with screen).

Technically, there are three variants of privileged access:

  • Use a user account that has the login and wheel permissions for a particular project. This requires that the user logs in with their SSH key and additionally enters their password to perform privileged operations.
  • Use a user account that is a member of the global group of Cusy administrators, which grants access to all machines within the Cusy infrastructure.
  • Root logins for emergencies (see Entry control above).

Authorized and unauthorized access to privileged operations is logged.

Cusy maintains a set of permissions that allow users to maintain their applications and perform other tasks, such as access to service accounts or database management rights. Permissions are granted to individual customers according to their requirements.

Application developers can be granted service-user access and database administration access. All permissions are set explicitly and traceably. Access is not granted to a group of people, so that transactions can be traced to an individual.

Transfer control

Transfer control ensures that data that is stored or transmitted is protected against unauthorized reading, copying, modification or erasure. It must also be possible to check to where personal data have been transmitted.

All personal data passed to Cusy machines must use one of the following authenticated and encrypted communication channels:

  • Application data (e.g. database contents) are transferred from or to the customer using the standard SFTP protocol.
  • Persistent data is stored on storage servers. Although the storage traffic is not encrypted for performance reasons, the storage servers are connected to the application servers via a private network.
  • Backups are transferred to a backup server in an encrypted communication channel.
  • In addition to the application data, a system can generate data at runtime that contains sensitive information, such as log files. Log files usually do not remain on the machine on which they were generated, but are transferred to a central log server via an encrypted channel. Only Cusy administrators have access to this central log server.

Input control

Input control ensures that the input, modification and deletion of data are logged.

The security of data entry, modification and deletion is usually part of the customer application. Therefore, customers themselves must ensure that data entry, deletion and disposal are carried out appropriately in accordance with applicable data protection laws.

When performing maintenance, however, administrators may need to enter, change or delete data to ensure continued operation of the entire system. This only happens after the affected customers have been informed via the service desk and have given explicit approval.

Log files are automatically rotated by the Cusy infrastructure with meaningful retention times.

Availability control

Personal data are protected against accidental destruction or loss by

  • redundant hardware and virtualization;
  • backup services;
  • contingency plans that detail fault scenarios and precautions; and
  • availability measurements.

Separation control

Data collected for different purposes are processed separately:

  • Data from different customers are separated by virtual machines, virtual networks and SAN. This ensures that customers can only access the data that is assigned to them. Within a virtual machine, access to different files and processes is controlled using standard UNIX permissions.

  • Machines (both virtual and physical) are separated in two separate access rings:

    • Ring 0 machines perform infrastructure tasks. They process data from multiple customers. On such machines, only administrative access is allowed. Examples are VM hosts and storage servers.
    • Ring 1 machines process data for a particular customer and are accessible to users associated with that customer. Examples are customer VMs.

    All resources that logically belong together (e.g. VMs, storage, etc.) are bundled into projects that share the same user accounts and permissions.