GDPR compliance
We make every effort to comply with the General Data Protection Regulation (GDPR) and continuously implement the measures necessary to ensure GDPR compliance within our company and the Desk-Net application.
As a matter of fact, we were subject to the extremely strict German data protection regulations for years before GDPR. Countless lawyers and data protection officers on our customers' side have reviewed and approved both our contractual documents and how we operate.
In case of ambiguity, or when a necessary improvement to these aspects has been identified, we have made sure to meet the client's requirements by implementing the necessary changes.
Desk-Net as your data processor
The GDPR distinguishes between the Controller and the Processor of personal data in a customer - client relationship like we at Desk-Net have with our customers.
You as our customer are the Controller and remain the owner of your data whereas we process your data and thus function as your Processor.
What we use your data for
The data you provide us with is entered and used primarily inside the Desk-Net application by the users in your organisation. We also use personal data to provide support and communications services which are related to your use of the Desk-Net application.
For development and related testing purposes we anonymize data so that it no longer counts as personal data.
We do not sell any of our customers' data and do not use it in any way unrelated to the task of providing our customers with the Desk-Net application.
Main subcontractors
The Desk-Net application is hosted within the European Union (EU).
Our maintenance and operations partner is also located within the EU.
Only the continuous development of our application has been outsourced to a partner company which is located outside the EU. Please note, however, that only anonymized database copies are sent to this partner.
Hosting
We host at Amazon Web Services (AWS) which is the worldwide leader in hosting for Software-as-a-service solutions like Desk-Net.
Our contractual partner is AWS Europe SARL (Luxembourg) and we host exclusively on servers which are located in the EU (Republic of Ireland).
AWS guarantees compliance with GDPR for these services. AWS' data security and protection measures have been certified numerous times.
Maintenance and operations
In day-to-day operations, the application is managed by a dedicated, EU-located team (Krakow, Poland) at our partner Intetics.
The production system and its data reside only on servers inside the EU, and only a small, strictly limited number of members of that team have access to that system.
Software development
The software code of the Desk-Net application is developed by a dedicated team in the Belorussian development center of our outsourcing partner Intetics.
For this development, only anonymized database copies are used when needed so that these tasks are not subject to GDPR.
Yet, in order to comply with GDPR, this setup is secured via EU Standard Contractual Clauses (SCC). They ensure that the team complies with European data protection standards, i.e. the GDPR. This setup has been checked numerous times by experts on the customers' side.
The entire development center is certified according to ISO27001.
Related documents
The GDPR requires us to create and update a range of documents both for our relationship with you, the customer, as well as with our subcontractors.
Desk-Net GmbH
Below is a list of documents for your review. Some of them are contracts that need to be signed (or that have been signed with our subcontractors) whereas others are internal documents which we are not legally obliged to make publicly available. We are doing so anyway, even if anonymized or restricted in parts.
(in German: Auftragsverarbeitungsvertrag / Datenverarbeitungsvereinbarung, AVV) This document is an annex to the main Desk-Net Agreement and needs to be signed by both parties.
(in German: Technische und Organisatorische Maßnahmen, TOM) An annex to the Data Processing Agreement referring to Art. 32 GDPR
(in German: Verzeichnis der Verarbeitungstätigkeiten / Verarbeitungsverzeichnis) A high-level description of the processes we as a processor are handling for our customers, the controllers (Art. 30 (2) GDPR)
GDPR requires us to have compliant contracts with our sub-contractors. As we know that certain data protection officers like to check these contracts, please find below a range of contractual and related documents and links.
Intetics (Maintenance and operations)
- GDPR Contract Addendum
Addendum to our main software development agreement with Intetics GmbH stipulating terms so that our agreement is compliant with Art. 28 (3) GDPR.
- Intetics - Technical and Organisational Measures (TOMs)
- Record of Processing Activities - Processor
A document outlining the processes related to personal data that Intetics handles for Desk-Net (Art. 30 (2) GDPR).
Intetics (Software development)
- GDPR Contract Addendum
Addendum to our main software development agreement with Intetics GmbH stipulating terms so that our agreement is compliant with Art. 28 (3) GDPR.
- Intetics - Technical and Organisational Measures (TOMs)
- ISO27001 certificate
Intetics' development centers have been certified according to this standard.
- Record of Processing Activities - Processor
A document outlining the processes related to personal data that Intetics handles for Desk-Net (Art. 30 (2) GDPR).
Amazon Web Services (AWS)
- AWS ISO27001 Certificate
- And more comprehensive information on AWS' ISO27001 and the related ISO27018 certification.
- Comprehensive information by AWS about the EU Data Protection Directive
Includes information on how AWS handles Data Protection Agreements and Standard Contractual Clauses.