Technical and Organisational Measures according to Art. 32 EU GDPR

1. General

The Principal as Controller and Dealcode as Processor shall, in accordance with Article 32 of the GDPR, take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

The client is responsible for identifying and implementing its own suitable measures in accordance with Art. 24 of the GDPR. Dealcode recommends following the recommendations of relevant guidelines and standards, such as ISO/IEC 27002 and the Federal Office for Information Security (BSI).

In the following, those measures are set out which Dealcode itself has taken to ensure the security of processing. Where necessary, corresponding measures of relevant subcontractors, in particular with regard to physical security by Infrastructure as a Service providers and data center operators, are also listed and marked accordingly or referred to accordingly.

2. Technical and organizational measures according to Art. 32 GDPR

Dealcode has implemented the following technical and organizational measures within the meaning of Art. 32 GDPR to ensure encryption and pseudonymisation, confidentiality, integrity, availability and resilience, recoverability, as well as corresponding procedures for verification.

Measures to ensure data protection by technological design and by privacy-friendly default settings
Appropriate technical and organizational measures must be implemented which meet the requirements of the GDPR and ensure by means of suitable default settings that only personal data whose processing is necessary for the respective specific processing purpose is processed. Dealcode already takes the requirements of Art. 25 GDPR into account in the conception and development phase of product development. This is ensured by proactively involving the legal department, the data protection officer and the information security manager. Processes and functionalities are set up in such a way that data protection principles such as legality, transparency, purpose limitation, data minimization, etc. as well as the security of processing are taken into account at an early stage.

Measures to ensure confidentiality
Confidentiality is the protection against unauthorized disclosure of information. Confidential data and information may only be accessible to authorized persons in the permitted manner.

Dealcode GmbH - TOM - Version 2024-06-14

2.1 Organizational Control

Ensure that the internal organization meets the specific requirements of data protection.

a. Organizational instructions (according to 5 and 6 ISO/IEC 27002:2017)
The goals in data protection and information security are defined in a data protection and information security policy and are binding for all Dealcode employees. In addition, further organizational instructions are implemented to provide employees with concrete guidelines in the context of the processing of personal data (e.g., guidelines on working from home and teleworking or guidelines on the use of IT, Internet, and e-mail).

b. Appointment of a data protection officer pursuant to Art. 37 GDPR
A data protection officer has been appointed by the management. He works towards compliance with the regulations on data protection and fulfills the tasks within the meaning of Art. 39 GDPR. This includes, among other things:
- Support in the establishment and further development of a data protection management system,
- Drafting, further development, and monitoring of corresponding guidelines, and
- Implementation of regular awareness-raising measures.

c. Commitment to confidentiality and data protection
All employees are obligated in writing to confidentiality and data protection as well as other relevant laws when they receive their employment contract or, at the latest, at the beginning of their employment. The obligation applies beyond the term of employment. Freelance employees or external service providers are bound to confidentiality in writing by means of non-disclosure agreements (NDAs) and also sign an order processing agreement if they process personal data on behalf of Dealcode.

d. Data protection training
Every Dealcode employee receives information and leaflets on data protection with the employment contract and confirms that they have taken note of them. In addition, regular training (primarily by the data protection officer) is carried out as awareness-raising measures. Employees from particularly sensitive areas such as the human resources department, product development, or customer service also receive separate information and training on specific specialist topics as required.

e. Restriction of the private and business use of means of communication
Dealcode employees are not permitted to use the company e-mail system for private use. The Internet system and telephone services may only be used privately to a limited extent. Strict attention must be paid to the separation of private and company data. Furthermore, the employees of Dealcode are not allowed to process personal data or other data of the client, especially from the order, on private means of communication. The employees of Dealcode commit themselves to the observance of corresponding guidelines, the observance of which is controlled within the permissible and necessary scope.

f. Personnel security (according to 7 ISO/IEC 27002:2017)
Dealcode implements measures before, during, and after employment to ensure personnel security. This usually includes:
- Verification and confirmation of stated academic and professional qualifications,
- Contractual agreements defining responsibilities and rules of conduct,
- Implementation of training, awareness-raising, and control measures,
- Awareness-raising and a sanctioning process in the event of data protection violations, and
- Implementation of a documented offboarding process (incl. withdrawal of keys, revocation of access rights, ensuring sufficient documentation, surrender and transfer of data, information, and knowledge, etc.) upon termination of the employment relationship.

2.2 Encryption and Pseudonymisation of Personal Data

Ensuring that personal data is only stored in the system in a way that does not allow third parties to identify the data subject.

a. Key management (according to 10.1.2 ISO/IEC 27002:2017)
For the use, protection, and lifetime of keys as well as for the use of state-of-the-art encryption procedures, Dealcode implements a policy for the use of cryptographic procedures. Accordingly:
- The generation and management of the master key is performed outside the infrastructure of the Infrastructure as a Service provider and data center operator used by Dealcode.
- Transmission of keys outside the virtual private cloud and storage within the infrastructure used is exclusively encrypted.
- Access to the key management is logged and automated, as well as checked for irregularities by authorized personnel of Dealcode in case of concrete suspicion.
- Keys are rotated at regular intervals, and previously used keys are immediately invalidated and removed.
- Keys are strictly separated according to networks or databases (e.g., no transfer of a key to another network).
- Regular security checks ensure that key rotation measures are effective and that old keys have been properly removed.

b. Database and storage encryption
State-of-the-art encryption is applied to all databases used by Dealcode, ensuring data can only be read after proper authentication on the respective database system. The storage media ("storage") used to store documents are also encrypted at the file system level. Backups of the database systems are stored exclusively in encrypted form.

c. Transmission of data via encrypted data networks or tunnel connections ("data in transit")
All personal data transmitted from the Dealcode application to a client or to other platforms via an insecure or public network are transmitted exclusively in encrypted form. This applies in particular to:
- Access to the client and admin system.
- Administrative access to server systems and the transfer of backups, which are carried out exclusively via encrypted connections (e.g., Secure Shell [SSH] or Virtual Private Network [VPN]).
- Access to customer systems in the context of home and telework, which uses VPN connections under Dealcode's direct control. Public VPN providers are not permitted.
Dealcode guarantees the use of state-of-the-art encryption methods depending on the encryption algorithm compatible with the client side (e.g., HTTPS connections or Transport Layer Security [TLS]). The client is responsible for using end devices/browsers compatible with state-of-the-art encryption.

d. Encryption of mobile data carriers
Mobile data carriers used or processed by Dealcode (e.g., USB sticks, external hard drives) are exclusively encrypted. The use of mobile data carriers for the storage of customer data is not permitted.

e. Encryption of data carriers on laptops
State-of-the-art hard drive encryption is implemented on all employee laptops.

f. Encrypted exchange of information and files
The exchange of information and files between the principal and Dealcode is encrypted via the Dealcode application. If personal data or confidential information must be transferred to servers by a route other than a TLS-encrypted HTTPS upload, the transfer is performed using Secure File Transfer Protocol (SFTP) or another encrypted mechanism according to the state of the art. The client is responsible for requesting or providing secure data transport as needed.

g. Email encryption
All emails sent by Dealcode employees or within the Dealcode application are encrypted with TLS. Exceptions may occur if the receiving mail server does not support TLS. The client is responsible for ensuring that mail servers used within the scope of the order support TLS encryption.

2.3 Access Control (Physical Access to Premises and Systems)

Denying unauthorized persons access to IT systems and processing equipment used in the processing.

a. Electronic door security
The entrance doors to Dealcode premises are always locked and electronically secured. They are opened via a personal electronic key.

b. Controlled key allocation
There is a central, documented key allocation system for Dealcode employees. These electronic keys can be deactivated centrally by the management or personnel department.

c. Supervision and accompaniment of third parties
Access by external service providers and other third parties is only permitted after prior authorization and accompaniment by a Dealcode employee.

d. Securing premises with increased need for protection
Rooms or cabinets with an increased need for protection (e.g., router rooms, personnel department offices, or cabinets with contract documents) are always locked after use. Access is restricted to authorized personnel.

e. Closed doors and windows
Employees are instructed to keep windows and doors closed or locked outside of office hours.

f. Physical and environmental security of the server systems in data centers
Dealcode only uses server systems from data center operators certified according to ISO/IEC 27001. These operators implement appropriate technical and organizational measures for physical and environmental security, including:
- Housing server systems in inconspicuous buildings not recognizable as data centers from the outside.
- Protecting data centers with physical security measures (e.g., fences, walls) and electronic access controls.
- Using alarm systems to prevent unauthorized access.
- Approving and revoking access authorizations within 24 hours of personnel changes.
- Requiring all visitors to register and always be accompanied by authorized staff.
- Monitoring sensitive areas with video surveillance.

2.4 Access Control (Logical Access to Systems)

Prevention of the use and processing of data protected under data protection law by unauthorized persons.

a. Use of authentication methods:
Connections that provide access to personal data are always made via encrypted protocols: SSH, SSL/TLS, HTTPS, or comparable protocols.

i. Authentication procedure for IT system/laptop:
- Authentication with username and password.

ii. Authentication procedure for customer system:
- Customer system = access for administrators and users of the client.
- Authentication with e-mail address.
- Self-selected password (8 characters, numbers, letters, and special characters; stored via Bcrypt hash, compliance technically enforced).
- Password reset via e-mail reset link.
- Blocking of the account after five failed login attempts.
- 2-factor authentication is possible and recommended.
- The client can control authentication and password security by integrating OAuth2.

iii. Authentication procedure for Admin system:
- Admin system = access to customer systems via user interface for customer service staff as well as product development of Dealcode, if enabled by the customer for support purposes.
- Authentication with e-mail address.
- Enforced 2-factor authentication (self-selected password, 8 characters, numbers, letters, and special characters; stored via Bcrypt hash, compliance technically enforced).
- Password change ordered by team lead every three months.
- Token generator for authentication.
- Blocking of the admin account after five failed login attempts.

iv. Authentication method for server/database system:
- Server/database system = access to stored data by product development of the contractor.
- Administrative access via VPN and/or SSH.

b. Designation of support and instruction persons and corresponding authentication: The customer can determine support and instruction authorized persons via system settings. These persons can issue instructions to Dealcode in accordance with the order processing contract. Assignment to a support and instruction authorized person takes place via the contact data provided by Dealcode (e.g., name, e-mail address, telephone number, user ID). The customer service team of Dealcode is obliged to accept instructions or provide information exclusively from these named persons and verify their identity in advance. For telephone inquiries, the personal telephone PIN stored in Dealcode must be verified.

c. Use of secure passwords: When assigning and regularly updating secure passwords, the requirements of the BSI IT-Grundschutz or equivalent recognized security standards must be followed. This applies to the Dealcode account, laptops, computers, and other mobile devices (e.g., special characters, minimum length, regular password changes). Users are required to implement measures to block access in case of inactivity. The client is responsible for these measures.

d. Prohibition of password sharing and shared accounts: Users of Dealcode and employees are prohibited from sharing passwords or using shared accounts for access to customer, admin, and administrative systems. All logins must be personal and individual.

e. Automatic blocking in case of inactivity: Laptops of Dealcode employees are locked with password protection when not in use. Additionally, an automatic screen lock with password protection is activated after 10 minutes of inactivity. Users of Dealcode must implement similar measures, and the client is responsible for these actions.

f. Use of anti-virus software: All operational IT systems, including the laptops used by Dealcode employees, are equipped with state-of-the-art, up-to-date anti-virus software. Computers cannot be operated without virus protection unless other equivalent state-of-the-art security measures are implemented. Security settings cannot be deactivated or bypassed by users.

g. Clean Desk Policy: Dealcode employees must not print or locally store personal data of customers, nor leave work materials in the open. Documents with personal data must be stored securely in lockable cabinets or drawers or disposed of in accordance with data protection regulations.

h. Public wireless networks and connection to the corporate network: Public wireless networks may only be used via a VPN connection provided by Dealcode.

2.5 Access Control (Authorization to Data)

Ensure that persons authorized to use an automated processing system have access only to the personal data covered by their access authorization.

a. Role and Authorization Concept

i. Role and Authorization Concept for Customer System:
Administrators of the client can individually configure a multi-level role concept for assigning rights. This allows differentiation between viewing, suggestion, and editing rights per function or area within Dealcode for individual users.

ii. Role and Authorization Concept for Admin System: Access to the admin system is restricted to trained employees in the customer service and product development departments. Employees from the sales and finance teams only have access to customer systems via the admin system during the free trial phase or to billing data, preventing them from viewing customer data.

iii. Role and Authorization Concept for Server/Database System: Access to the server/database system is restricted to a limited number of trained employees in the product development and infrastructure departments.

b. Control of Access Authorization for Dealcode to Customer Systems by Client: The client can manage access authorization through the system settings in the customer system. By default, Dealcode's access is deactivated and can be activated or deactivated by authorized employees of the client at any time.

c. Assignment of Access Rights:
Dealcode assigns access rights based on the "need-to-know" principle. Key guidelines include:
- Access is granted only to individuals who need it and for as long as necessary.
- Requests for access must be justified conclusively, and access is role-based. Deviations from the assigned role must be justified.
- Access authorizations are documented centrally and withdrawn immediately when no longer needed.
- Approval for access to the admin or server/database systems is managed by the leadership team (management, head of infrastructure, or information security manager) under the dual control principle.
- Regular checks by administrators or the information security manager ensure access rights are still required. Supervisors are responsible for notifying IT administration of task changes to adjust access rights accordingly.
- HR must inform administrators when employees leave the company to revoke authorizations, ideally within 24 hours.

d. Host-Based Attack Detection System (HIDS):
Every server system is equipped with a host-based attack detection system. It monitors:
- System log entries, rootkit and Trojan signatures, anomalies in the file system, and brute-force attacks.
- Most parameters are evaluated in real-time; file systems are checked at least once daily.
- Anomalies trigger immediate email notifications to responsible employees (operations and product development).

e. Deployment of a Packet Filter Firewall:
Dealcode’s servers use packet filtering firewalls to ensure no services are directly accessible from the Internet. Publicly reachable services are routed through load balancers or bastion hosts, allowing only the necessary protocols for the service.

f. Logging of Logon and Logoff Processes:
Attempts to log in and log out of admin, customer systems, and server systems/software are logged. Logged information includes:
- Email address, user ID, IP address, result of the login attempt, and time stamp.
- These logs are stored for up to 30 days and can be evaluated upon request or in case of suspicion.
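The customer-system login rules of 2.4.a.ii (letters, digits and special characters; hashed storage with compliance enforced; blocking after five failed attempts) together with the login audit record of 2.5.f (e-mail address, user ID, IP address, result, time stamp, kept up to 30 days), as one runnable model. This is an added example, not Dealcode's code; it assumes "8 characters" means a minimum length and substitutes the standard library's scrypt for the Bcrypt the page specifies so it runs without third-party packages.

```python
"""Customer-system login policy (2.4.a.ii) with the login audit log of 2.5.f.
Added example; assumes "8 characters" is a minimum and uses scrypt in place of Bcrypt."""
import hashlib
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MIN_LENGTH = 8                       # assumption: the page's "8 characters" read as a minimum
MAX_FAILED_ATTEMPTS = 5              # page: account blocked after five failed login attempts
LOG_RETENTION = timedelta(days=30)   # page: login logs stored for up to 30 days


def password_meets_policy(pw: str) -> bool:
    """Letters, digits and special characters, at least MIN_LENGTH long (enforced, not advised)."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


# The page specifies Bcrypt. scrypt from the standard library stands in here so the
# example runs without extra packages (assumption); both are salted, deliberately slow KDFs.
def hash_password(pw: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1)
    return secrets.compare_digest(digest.hex(), digest_hex)


@dataclass
class User:
    user_id: int
    email: str
    password_hash: str
    failed_attempts: int = 0
    blocked: bool = False


@dataclass
class LoginEvent:
    """The fields 2.5.f says are logged for each login attempt."""
    email: str
    user_id: Optional[int]
    ip: str
    result: str            # "success", "bad_password", "blocked" or "unknown_user"
    timestamp: datetime


class CustomerSystem:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.login_log: List[LoginEvent] = []
        self._next_id = 1

    def register(self, email: str, password: str) -> User:
        if not password_meets_policy(password):
            raise ValueError("password does not meet the policy")   # compliance technically enforced
        user = User(self._next_id, email, hash_password(password))
        self._next_id += 1
        self.users[email] = user
        return user

    def login(self, email: str, password: str, ip: str, now: Optional[datetime] = None) -> str:
        """Authenticate by e-mail address and password; every attempt is logged."""
        now = now or datetime.now(timezone.utc)
        user = self.users.get(email)
        if user is None:
            result = "unknown_user"
        elif user.blocked:
            result = "blocked"
        elif verify_password(password, user.password_hash):
            user.failed_attempts = 0
            result = "success"
        else:
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.blocked = True             # the fifth failure blocks the account
            result = "bad_password"
        self.login_log.append(LoginEvent(email, user.user_id if user else None, ip, result, now))
        return result

    def purge_expired_logs(self, now: Optional[datetime] = None) -> int:
        """Drop login events older than the 30-day retention period; returns the number kept."""
        cutoff = (now or datetime.now(timezone.utc)) - LOG_RETENTION
        self.login_log = [e for e in self.login_log if e.timestamp >= cutoff]
        return len(self.login_log)
```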

2.6 Separability

Ensure that personal data collected for different purposes can be processed separately and segregated from other data and systems in such a way that unplanned use of these data for other purposes is excluded.

a. Separation of Development, Test, and Operational Environments (according to 12.1.4 ISO/IEC 27002:2017):
- Data from the operating environment may only be transferred to test or development environments if it has been completely anonymized before the transfer.
- The transfer of anonymized data must be encrypted or carried out via a trusted network.
- Software to be transferred to the operating environment must first be tested in an identical test environment ("staging").
- Programs for error analysis or software creation/compilation may only be used in the operating environment if unavoidable. This applies particularly when error situations depend on data that would be falsified due to anonymization requirements in test environments.

b. Separation in Networks (according to 13.1.3 ISO/IEC 27002:2017):
Dealcode separates its networks by tasks. The following networks are used permanently:
- Production environment
- Staging environment
- Office IT staff
- Office IT guests
- Additional separate networks are created as needed (e.g., for restore tests or penetration tests).
Depending on technical capabilities, networks are separated either physically or through virtual networks.

c. Software-Based Client Separation:
Dealcode ensures separate processing and storage of data from different clients through a logical client separation based on a multi-tenancy architecture. Data allocation and identification are managed by assigning a unique identifier to each client (e.g., customer number/company ID). Integration tests ensure that no database queries are performed without proper query and assignment to this ID, minimizing risks from programming errors. Regular security audits and binding code reviews (4- to 6-eyes principle) additionally secure the architecture.
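An added example (not Dealcode's code) of the tenant-scoping guard and the integration-style isolation check described in 2.6.c. The table names and sample rows are constructed, the tenant column is assumed to be `company_id`, and the check confirms that a statement which omits the tenant binding is rejected instead of returning another client's rows.

```python
"""Logical client separation (2.6.c): statements on tenant-owned tables must bind the
caller's tenant identifier, and an integration-style check proves that a query which
omits the binding is rejected. Added example; table names and rows are constructed."""
import re
import sqlite3
from typing import Any, Dict, Optional

TENANT_TABLES = {"contacts", "deals"}   # constructed sample schema of tenant-owned tables
TENANT_COLUMN = "company_id"            # assumption: the page's "customer number/company ID"


class TenantScopeError(Exception):
    """Raised when a statement would run without a proper tenant binding."""


class TenantScopedConnection:
    """Wraps a connection so every statement touching a tenant table carries
    `company_id = :company_id` (or inserts :company_id) bound to this tenant."""

    def __init__(self, conn: sqlite3.Connection, company_id: int) -> None:
        self.conn = conn
        self.company_id = company_id

    def execute(self, sql: str, params: Optional[Dict[str, Any]] = None) -> sqlite3.Cursor:
        params = dict(params or {})
        if self._touches_tenant_table(sql):
            if not self._is_tenant_bound(sql):
                raise TenantScopeError(f"statement lacks {TENANT_COLUMN} binding: {sql}")
            if TENANT_COLUMN in params and params[TENANT_COLUMN] != self.company_id:
                raise TenantScopeError("statement bound to a different tenant")
            params[TENANT_COLUMN] = self.company_id   # the scope, not the caller, supplies the ID
        return self.conn.execute(sql, params)

    @staticmethod
    def _touches_tenant_table(sql: str) -> bool:
        words = set(re.findall(r"[a-z_]+", sql.lower()))
        return bool(words & TENANT_TABLES)

    @staticmethod
    def _is_tenant_bound(sql: str) -> bool:
        s = sql.lower()
        if s.lstrip().startswith("insert"):
            # the column list names the tenant column and the VALUES clause uses its placeholder
            return (re.search(rf"\([^)]*\b{TENANT_COLUMN}\b[^)]*\)\s*values", s) is not None
                    and f":{TENANT_COLUMN}" in s)
        return re.search(rf"\b{TENANT_COLUMN}\s*=\s*:{TENANT_COLUMN}\b", s) is not None


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, company_id INTEGER NOT NULL, email TEXT)")
    conn.executemany("INSERT INTO contacts (company_id, email) VALUES (?, ?)",
                     [(100, "a@tenant100.example"), (100, "b@tenant100.example"),
                      (200, "c@tenant200.example")])
    return conn


def contacts_for(scoped: TenantScopedConnection) -> list:
    rows = scoped.execute(
        "SELECT email FROM contacts WHERE company_id = :company_id ORDER BY email").fetchall()
    return [r[0] for r in rows]


def run_isolation_checks() -> Dict[str, bool]:
    """Integration-style checks of the kind the page describes; all values should be True."""
    conn = build_sample_db()
    t100 = TenantScopedConnection(conn, 100)
    t200 = TenantScopedConnection(conn, 200)
    results = {
        "tenant100_sees_only_own": contacts_for(t100) == ["a@tenant100.example", "b@tenant100.example"],
        "tenant200_sees_only_own": contacts_for(t200) == ["c@tenant200.example"],
    }
    try:   # a query that forgets the tenant filter must not silently return all rows
        t100.execute("SELECT email FROM contacts")
        results["unscoped_query_rejected"] = False
    except TenantScopeError:
        results["unscoped_query_rejected"] = True
    try:   # a caller cannot rebind the scope to another client's ID
        t100.execute("SELECT email FROM contacts WHERE company_id = :company_id", {"company_id": 200})
        results["cross_tenant_binding_rejected"] = False
    except TenantScopeError:
        results["cross_tenant_binding_rejected"] = True
    t200.execute("INSERT INTO contacts (company_id, email) VALUES (:company_id, :email)",
                 {"email": "d@tenant200.example"})
    results["insert_stamped_with_tenant"] = contacts_for(t200) == ["c@tenant200.example", "d@tenant200.example"]
    return results
```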

Measures to Ensure Integrity:
Integrity refers to ensuring the correctness (integrity) of data and the correct functioning of systems.

2.7 Transport and transfer control

Ensure that the confidentiality and integrity of personal data is protected during the transmission of personal data and during the transport of data media.

a. Transport encryption ("Data in Transit")
See "Encryption and pseudonymisation of personal data" (section 2.2); the integrity of data in transit is additionally ensured by calculating checksums.

b. Prohibition of disclosure to unauthorized third parties
A transfer of personal data carried out on behalf of the client may in each case only take place to the extent of the instructions and insofar as this is necessary for the provision of the contractual services for the client. In particular, the disclosure of personal data from the order to unauthorized third parties, e.g. by storage in another cloud storage, is not permitted.

c. Logging of the transfer of data
See "Logging of system activities within the admin and customer system as well as evaluation" under "2.8 Input control".

2.8 Input control

Ensure that it is possible to verify and establish ex post which personal data have been entered or modified in automated processing systems, at what time and by whom.

a. Logging of system activities within the admin and customer system as well as evaluation
Significant system activities are logged (at minimum: user ID, rights according to the role concept, IP address, system components or resources, type of activity performed and time stamp) and currently stored for up to 30 days. This includes in particular the entry, modification and deletion of data, users and authorisations as well as the modification of system settings. Upon request and/or in case of concrete suspicion, a corresponding evaluation of the logs can be carried out.

Measures to ensure availability
Availability of services, IT system functions, IT applications, IT networks or information means that users can use them as intended at all times.

2.9 Availability control

Ensure that personal data is protected against accidental destruction or loss.

a. Data protection procedures/ backups
Dealcode implements a state-of-the-art backup concept covering both the database holding the client's data and the storage medium holding the corresponding documents, to ensure adequate availability.

b. Geo-redundancy with regard to server infrastructure of the productive data and backups
To ensure geo-redundancy in the event of an unforeseen event, such as a natural disaster, Dealcode ensures that appropriate specifications of spatial separation are guaranteed with regard to the server infrastructure of the productive data and backups. This can be ensured by using different data centers within sufficient distance or data centers of different availability zones.

c. Capacity management
Capacity management is in place, including monitoring and automatic notification of the responsible Dealcode employees in case of capacity bottlenecks.

d. Warning systems to monitor the accessibility and status of the server systems
An alert system is in place to monitor the accessibility and condition of the server systems. In the event of failures, the infrastructure department is automatically notified in order to take immediate action to rectify the problem.

e. IT Incident Response Management (according to 16 ISO/IEC 27002:2017)
There is a concept and documented procedures for dealing with disruptions and security-relevant events ("incidents"). This includes, in particular, the planning and preparation of the response to incidents, procedures for the monitoring, detection and analysis of security-relevant events, as well as the definition of corresponding responsibilities and reporting channels in the event of a breach of the protection of personal data within the framework of the legal requirements.

f. Further measures to ensure availability in the data centers
An automatic fire detection and suppression system is installed in the data center. The fire detection system uses smoke sensors throughout the data center environment, in mechanical and electrical areas of the infrastructure, cold rooms, and in the rooms where the generators are located. All power systems are redundant. An uninterruptible power supply (UPS) ensures that critical areas of the facility continue to receive power in the event of a power outage. The data center also has generators that can provide emergency power to the entire facility. The data center has air conditioning and temperature control. Preventive maintenance is performed to ensure the continued operation of the facilities.

2.10 Recoverability

Ensure that deployed systems can be recovered in the event of physical or technical failure.

a. Regular Tests of Data Recovery ("Restore Tests"): Regular full restore tests are conducted to ensure recoverability in case of an emergency or disaster.

b. Emergency Plan ("Disaster Recovery Concept"):
Dealcode has an emergency plan for handling disasters and ensures the recovery of all systems based on data backups, typically within 24 hours.

Monitoring and Evaluation Measures
Presentation of procedures for regular review, assessment, and evaluation of the effectiveness of technical and organizational measures.

Data Protection and Information Security Team (DST): A dedicated team is responsible for planning, implementing, evaluating, and adjusting data protection and security measures.

Risk Management:
A process is in place to analyze, assess, and allocate risks. Actions are derived based on risks and regularly evaluated for effectiveness as part of Dealcode's data protection and information security management system.

Independent Review of Information Security (according to 18.2.1 ISO/IEC 27002:2017):
i. Conducting Audits:
- Regular internal audits are conducted for data protection and information security, ensuring independence of auditors.
- Audits follow common criteria (e.g., GDPR, security standards) and verify completeness, correctness, and compliance with guidelines, concepts, and processes.

ii. Verification of Compliance with Security Policies and Standards (18.2.2 ISO/IEC 27002:2017):
- Regular reviews ensure compliance with applicable security guidelines and standards for processing personal data.
- These are carried out randomly and without prior notice where possible.

iii. Verification of Compliance with Technical Specifications (18.2.3 ISO/IEC 27002:2017):
- Automated and manual vulnerability scans are performed regularly by the Information Security Manager or qualified personnel.
- Detailed penetration tests are conducted by external providers as needed to assess vulnerabilities.

iv. Continuous Improvement Process:
- A regular review and evaluation of technical and organizational measures are conducted.
- Employees can participate in an improvement and suggestion system to enhance processes for handling personal data.

d. Order Control
Ensure that personal data processed on behalf of the client is only processed in accordance with the client's instructions.

i. Processing on Instruction:
- Employees process personal data solely based on documented instructions as per the Order Processing Agreement and User Agreement.
- Verbal instructions are permitted only in urgent cases and must be confirmed in writing or electronically.

ii. Careful Supplier Selection:
Suppliers and third-party providers are selected carefully based on defined criteria (e.g., data protection, IT security).
Measures include:
- Reviewing technical and organizational measures under Art. 32 GDPR.
- Preferring ISO/IEC 27001-certified companies for critical services, especially data centers.
- Conducting risk assessments for suppliers handling personal data.

iii. Commissioned Processing Pursuant to Art. 28 GDPR:
Subcontractors are engaged only after a proper agreement ensuring compliance with GDPR, including:
- Effective control rights, such as audits and spot checks.
- Provisions for further subcontractors.
- Contractual penalties for violations, if applicable.
- Exclusive processing on documented instructions.
- Prohibition of unauthorized processing or copying of data (except backups).
- Confidentiality obligations for subcontractor employees.
- Appointment of a data protection officer, if legally required.
- Notification obligations for breaches under Articles 33 and 34 GDPR.
- Secure deletion/destruction of data after completion of the order.

iv. Regular Checks and Evidence:
Dealcode ensures subcontractor compliance with technical and organizational measures before and during engagement through regular checks or evidence provided by subcontractors.