Cloud Security Questions

Frequently asked questions about the cloud security

Written by Stefan Philipp
Updated over 8 months ago

Transparency and high security standards

In today's IT world, it is crucial to maintain high standards for security as well as privacy.

We want you to trust our solution and the security mechanisms built into our software and infrastructure.

Transparency is key to building trustworthy solutions; therefore, our infrastructure and security team has collected the questions most frequently asked by our clients.

Cloud security frequently asked questions

Question

Answer

Where are the datacenters that store the data entered into Operations1 located?

Microsoft Azure datacenters
Europe West region, with the Europe North region used for disaster recovery

Is there a mobile service app available and what about the device access it needs?

Operations1 uses a Progressive Web Application (PWA), so nothing needs to be installed on the device.
To use the full features of the Operations1 software, we recommend access to the device camera for videos and photos.

Does your solution support authentication against identity management systems for single sign on?

We support Single Sign-On via OpenID Connect.

Is a secure unique password, an access token or a certificate used for infrastructure administrators?

The Operations1 infrastructure team uses two-factor authentication for all administrative software, a separate VPN for server management and unique passwords managed by password management software.

How are passwords stored on the Operations1 platform?

Passwords are cryptographically protected both in storage and in transit (hashed using bcrypt).

Who owns access to the infrastructure and services?

Operations1 infrastructure engineers use separate personal accounts on all administrative portals and servers.

The authorization concept covers ALL relevant layers and ensures compliance with:
▪ the need-to-know principle, meaning access rights are restricted to those who require access to that information,
▪ the principle of least privilege, meaning users are granted only the access rights they need.

Which password policy is in place at Operations1 Platform?

How do we protect your data at Operations1?

For data at rest, all data written to the Operations1 platform is encrypted with 256-bit AES, and a virus scan is performed before the data is written.

In addition, a Web Application Firewall screens all requests to Operations1 for the most common threats.

What version of TLS with which encryption is used?

HTTPS with the TLS 1.2 and TLS 1.3 protocols, a 2048-bit RSA key, the SHA256withRSA signature algorithm and the following cipher suites:

TLS 1.3:
▪ TLS_AES_128_GCM_SHA256 (0x1301)
▪ TLS_AES_256_GCM_SHA384 (0x1302)
▪ TLS_CHACHA20_POLY1305_SHA256 (0x1303)

TLS 1.2:
▪ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
▪ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
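The six suites above share two properties worth checking whenever a TLS allowlist is reviewed: every suite uses an ephemeral (EC)DHE key exchange, so recorded traffic cannot be decrypted later with the server's RSA key, and every suite uses an AEAD cipher (AES-GCM or ChaCha20-Poly1305) rather than a CBC mode. The following Python script is an added example, not code from Operations1 or from this FAQ: it classifies IANA-style cipher suite names by those two properties, runs the check over the allowlist quoted above plus a few constructed weak suites for contrast, and builds a Python `ssl` client context restricted to the three TLS 1.2 suites so that the code points it would actually offer can be compared against the list. The OpenSSL cipher names in `build_context()` are the standard OpenSSL spellings of the FAQ's TLS 1.2 suites; the TLS 1.3 suites come from OpenSSL's default TLS 1.3 list, which is assumed here to be the same three the FAQ names.

```python
"""Audit a TLS cipher suite allowlist (added example, not Operations1 code).

The allowlist below is copied from the FAQ. The weak suites in WEAK_EXAMPLES
are constructed for illustration only; nothing here says the service offers them.
"""
import re
import ssl

# Cipher suites the FAQ lists, keyed by IANA code point.
ALLOWED_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Constructed negative cases: static-RSA key exchange and/or CBC mode.
WEAK_EXAMPLES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Substrings in the bulk-cipher part that identify an AEAD construction.
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")


def audit_suite(name: str) -> dict:
    """Classify an IANA-style suite name by forward secrecy and AEAD use.

    TLS 1.2 names have the form TLS_<kx>_WITH_<bulk>_<hash>. TLS 1.3 names
    (TLS_AES_..., TLS_CHACHA20_...) have no key-exchange field because TLS 1.3
    always negotiates an ephemeral (EC)DHE key.
    """
    if not name.startswith("TLS_"):
        raise ValueError(f"not a TLS cipher suite name: {name}")
    m = re.match(r"^TLS_(.+?)_WITH_(.+)$", name)
    if m:
        kx, bulk, tls13 = m.group(1), m.group(2), False
    else:
        kx, bulk, tls13 = "(EC)DHE", name[len("TLS_"):], True
    forward_secret = tls13 or kx.startswith(("ECDHE", "DHE"))
    aead = any(marker in f"_{bulk}" for marker in AEAD_MARKERS)
    return {
        "name": name,
        "tls13": tls13,
        "key_exchange": kx,
        "forward_secret": forward_secret,
        "aead": aead,
        "acceptable": forward_secret and aead,
    }


def build_context() -> ssl.SSLContext:
    """Client context offering only the FAQ's TLS 1.2 suites, TLS 1.2 or newer.

    set_ciphers() governs TLS 1.2 and below; the TLS 1.3 suites OpenSSL offers
    come from its default TLS 1.3 list (assumed to be the FAQ's three).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-CHACHA20-POLY1305"
    )
    return ctx


def enabled_code_points(ctx: ssl.SSLContext) -> set:
    """IANA code points of every suite the context would offer.

    OpenSSL reports suite ids as 0x0300XXXX; the low 16 bits are the code point.
    """
    return {c["id"] & 0xFFFF for c in ctx.get_ciphers()}


def unexpected_suites(ctx: ssl.SSLContext) -> set:
    """Code points the context would offer that are not on the FAQ allowlist."""
    return enabled_code_points(ctx) - set(ALLOWED_SUITES)


if __name__ == "__main__":
    for suite in list(ALLOWED_SUITES.values()) + WEAK_EXAMPLES:
        r = audit_suite(suite)
        verdict = "ok  " if r["acceptable"] else "WEAK"
        print(f"{verdict} fs={r['forward_secret']!s:5} aead={r['aead']!s:5} {suite}")
    extra = unexpected_suites(build_context())
    print("suites offered beyond the allowlist:", sorted(hex(cp) for cp in extra) or "none")
```

The same classifier can be pointed at a server's negotiated suite (`SSLSocket.cipher()`) or at a scanner's output; the allowlist comparison by code point rather than by name avoids the OpenSSL-versus-IANA naming mismatch that often confuses such reviews.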

Are appropriate secure coding practices established?

Secure coding fulfils ALL of the following requirements:

▪ Documented instructions for secure coding exist, based on best practices including error handling, input and output sanitization, and other secure coding principles (e.g. use of secure functions, session management)
▪ Procedures for checking in code and for compilation are documented
▪ All new code goes through code review
▪ The secure coding guidelines are available to all members of the development team (e.g. solution architects, developers, administrators, testers), who receive training on them
▪ Requirements for third-party code are defined and checked
▪ Common security problems are checked by automated static analysis tools

Does Operations1 use open source components and if yes how is licence compliance ensured and what measures for supply chain security are in place?

Like much modern software, the Operations1 software is built on many open source components. Licence compliance is ensured via a scanner tool that analyses the codebase and its dependencies daily and alerts if code with an incompatible licence is detected or if a dependency has a known security vulnerability.
If a vulnerability is found, its impact on the Operations1 app is assessed and, if necessary, a fix is rolled out as soon as possible.

Are external audits of the application for security risks performed?

Yes. Operations1 aims to undergo a penetration test by an external security research firm once a year. The results can be shared on request.

During development, how are production and non-production systems separated?

Operations1 uses separate environments for development, testing and production systems.

Does the data center have an ISO 27001, SOC 2 or equivalent certification?

As Operations1 hosts its cloud service on the Microsoft Germany cluster, details can be found in the Microsoft Trust Portal:

https://servicetrust.microsoft.com/
https://docs.microsoft.com/de-de/compliance/regulatory/offering-home

Is a data protection program in place to ensure GDPR compliance?

Operations1 implemented a comprehensive data protection management system, including guidelines and policies for data protection and information security.
Operations1 designated a data protection officer and defined a data protection and information security team.
The data protection and information security team plans, implements, evaluates and adapts measures in the area of data protection and information security.
All guidelines and policies are regularly evaluated and adapted with regard to their effectiveness.

What are the method and frequency of such trainings, and how is training participation monitored?

Operations1 conducts regular trainings and awareness presentations on data protection and policy for its employees. For all employees, standard legal regulations for GDPR are in place and must be signed on an annual basis.
The GDPR training is conducted at least annually.

What is the process, and how do you ensure completeness?

Every employee and supplier is legally bound by an NDA that covers all data and information exchanged, created or processed.
Every employee receives a confidentiality briefing and regular IT security trainings.

How often are audits conducted and what is the scope?

Operations1's data protection officer performs regular, at least annual, audits on data protection compliance, including Operations1's products’ and services’ compliance with all relevant data protection laws and regulations (primarily GDPR, but also CCPA/CPRA etc.).

What is your internal process to fulfil data subject rights, and which tools are used for automated or on-request deletion of personal data?

Operations1 as a data controller handles data subject rights (DSR) requests as defined in Art. 15 – 23 GDPR.
Operations1 as a data processor supports its customers in complying with their obligations under Art. 15 – 23 GDPR via Operations1's support ticketing system. The due performance and fulfilment of each and every DSR request submitted by a customer is confirmed and documented for accountability purposes.
If Operations1 receives a DSR request addressed to a customer, Operations1 will forward the DSR request to the respective customer and only act on instruction of the customer.

Where can we find a subcontractor list with name, address, service scope and contractual obligations (e.g. EU-SCCs, Privacy Shield)?

See the Operations1 data protection policy, Attachments 2 and 3.

How do you ensure timely notification of the authorities in case of a data breach?

It is clearly and continuously communicated to every employee, e.g. in the data protection trainings, that data protection incidents suspected or identified by an employee must be reported immediately to senior management and to the data protection officer and/or the data protection and information security team. The data protection and information security team investigates the incident immediately. As far as personal data processed as a data processor on behalf of a customer is concerned, it is ensured that the affected customer is informed immediately about the type and extent of the incident.

Are cookies used in your software, and what are the processing details?

Within the Operations1 app, we leverage an analytics tool and a heat mapping tool to analyse the usage of the app in order to improve the features and functionalities and the user experience of the app. Such tools collect IP addresses, which are to be considered personal data, but such IP addresses and any other personal identifiers collected within the usage optimization analysis are anonymized immediately.
No user profiles are generated and such usage data is not enriched with the respective user’s account information. In addition, the chat and ticketing function uses cookies and the app sets technically necessary cookies, especially authentication and language settings.

Please specify your Data Protection Officer including email and phone number.

Christian Schmoll
Phone: +49894622 7322
Email: [email protected]

Cloud security questionnaire

If these answers do not fully cover your security questions, or you need to document cloud security using your own cloud security questionnaire: no problem.

Our infrastructure and security team will help you fill in cloud questionnaires and answer your specialist questions.

Feel free to contact our Service & Support Team by using the Chat-Button for further questions.
