Data protection and information security made by Adacor

    Processor

    Adacor Hosting GmbH
    Emmastraße 70a
    45130 Essen
    Per Telefon: +49 69 900 2990
    Per E-Mail: datenschutz(at)adacor.com


    Structure of the data protection and information security organisation

    Adacor Hosting GmbH (Hereafter: Adacor) is a company audited in data security and risk management according to IDW PS 951 and ISAE 3402.

    Data protection and data security are integral parts of our business operation. Adacor has implemented a data protection and information security organisation, consisting of the data protection office, the information security officer and the IT-compliance officer, the information security team, extensive security concepts, internal as well as external audits and security audits. To ensure actuality and offer services compliant with the latest state of data protection and information security, Adacor is a member of Society for data protection and data security (Gesellschaft für Datenschutz und Datensicherheit e. V. (GDD)), Alliance for Cyber Security of the Federal Office for Information Security (Allianz für Cyber-Sicherheit des Bundesamtes für Sicherheit in der Informationstechnik) as well as Initiative Cloud Services Made In Germany.

    The data protection officer for Adacor is Dr. Thomas Jäschke. For enquiries regarding matters of data protection please send an e-mail todatenschutz(at)adacor.com or call the phone number +49 231 543 803 00.


    Your rights

    Regarding your personal data you have the following rights.

    As long as Adacor is solely or jointly responsiblefor the processing of your personal data, you can exercise your rights against Adacor at any time: datenschutz(at)adacor.com

    Right of access (Art. 15 GDPR): :You have the right to obtain confirmation as to whether personal data concerning you is being processed, and, where that is the case, access to the personal data and the purpose of processing, information about who receives the personal data, the envisaged period for which the personal data will be stored and the information which other rights regarding your personal data you have.

    Furthermore you have the right to rectification (Art. 16 GDPR), erasure (Art. 17 GDPR) as well as the right to restriction of processing (Art. 18 GDPR) of your personal data. You can request to receive all personal data, that you have provided us, in a structured, commonly used and machine-readable format.

    Furthermore you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

    If data processing is based on your consent, you have the right to revoke your consent for the future. Revocations are best send via e-mail todatenschutz(at)adacor.com. The legality of the processing of your personal data up until the revocation remains unaffected.

    You also have the right at any time to object to the processing (Article 21 GDPR)of personal data relating to you, which is based on Article 6 (1) (f) GDPR (data processing to safeguard a legitimate interest). In the event of your objection, we will no longer process your personal data unless we can prove compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.

    If you are of the opinion that our processing of your personal data violates data protection laws, you have the right to complain to a data protection supervisory authority of your choice according to Art. 77 (1) GDPR.
    The supervisory authority responsible for Adacor is:

    Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
    Postfach 200444
    40102 Düsseldorf
    0211/38424-0
    poststelle@ldi.nrw.de


    Data processing in the customer portal

    The following processing of your personal data takes place in our customer portal.


    Provision of the customer portal

    1. Description and scope of data processing

    Every time our customer portal is called up, our system automatically collects data and information from the requesting device.

    The following data is collected:

    1. Information about the browser type and browser version used
    2. The used operating system and it's version number
    3. Technical data for displaying the customer portal on the customer's system
    4. The IP address of the user

    2. Legal basis for data processing

    he legal basis for the temporary storage of the data and the log files is the legitimate interest according to Art. 6 (1) (f) GDPR, which results from the purposes of data processing (see next section).


    3. Purposes of data processing

    System data is stored in order to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our IT-systems. An evaluation of the data for marketing purposes does not take place in this context.

    The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user's computer. To do this, the user's IP address must be stored for the duration of the session.


    4. Data transfer

    The collection and analysis of data is only performed on systems managed and hosted by us.


    5. Duration of storage

    Data will be deleted as soon as it is no longer required to achieve the purpose for which it was collected.

    In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

    If the data is stored in log files, deletion will occur after 30 days at the latest. Any further storage is possible. In this case, the shortening of the users' IP addresses means that it is no longer possible to assign the accessing client to a specific user.

    In order to analyze the use of our customer portal and to identify potential opportunities for improvement, we process the data with the help of the Matomo analysis tool. We avoid personal profiles as far as possible. See also the corresponding section below on the use of Matomo.


    6. Opposition and removal option

    The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website. There is consequently no possibility of objection on the part of the user.


    Access management

    1. Description and scope of data processing

    The content of the customer portal is only accessible to registered users. In addition, there are further differentiated information accesses within the customer portal, which result from the assignment of users to Adacor's customer companies.

    At the beginning of the contractual relationship between Adacor and its customers, persons who shall be authorized to access the customer portal are named by the customer. These persons are to receive customer-specific information access and functions in the customer portal (registered users). Adacor sets up the initial access data and provides options for changing the login data for registered users.

    As soon as data is entered in the registration mask of the customer portal, it is checked against the access data of already registered users. If entered data is correct, the respective user can use the customer portal, otherwise the usage is denied.

    To further secure the access to the customer portal a 2-factor authentication is used. On the initial login users receive an e-mail to the e-mail address that was used to register, containing an authentication code. 24 hours after the initial successful login or when logging in from another device users are required to receive a new authentication code to access the customer portal. An authentication code is valid for 15 minutes. After the initial successful login user can choose wether to receive the authentication code via e-mail or via SMS, for which a phone number has to be set within the customer portal.

    The following data is thus processed:

    1. Any data entered in the login mask
    2. Email address of registered user
    3. Password of registered user
    4. Configured authorizations of registered user
    5. The company name of the customer to whom the registered user is assigned
    6. Authentification code sent
    7. Phone number of registered user, if given
    8. Time and date of the last login of any user

    SoIf necessary for an error analysis, we also analyze the data entered using log files.


    2. Legal basis for data processing

    The legal basis is the processing required to fulfill contractual obligations in accordance with Article 6 (1) (b) GDPR.


    3. Purpose of data processing

    The identification of registered users is used to provide content and services that are only offered to Adacor's customers. The 2-factor authentication is used to further improve security.


    4. Data transfer

    Only to send the authentication code via SMS to the given phone number we use the services of CM.com Germany GmbH, Dr.-Eugen-Schön-Straße 35, 97332 Volkach, Deutschland. For further information regarding their privacy policy see: https://www.cm.com/de-de/app/legal/cm-com/privacy-policy/ . Only the message that contains the authentication code and the phone number it is to be send to are transferred to the service provider.

    All other collection and analysis of data is only performed on systems managed and hosted by us.


    5. Duration of storage

    The information entered in the input mask is only saved for the duration of the active session.

    The 2-factor authentication code as well as the name of the user who had requested it are stored a) until the user has used the code within its 15 minute long validity period or b) for a maximum of one week in order to be able to detect any errors in the 2-factor authentication.

    Registered users are always free to change the personal data provided for identification at any time or to have it completely deleted from the database.


    6. Opposition and removal option

    The processing of the data is essential to guarantee the security and operation of the customer portal. There is consequently no possibility for the user to object to the processing of the data entered in the registration mask.

    Data of users stored in the customer portal can be changed by the users. Data ist checked for correctness of format, but not for correctness of content, to ensure continuation of functionality that the data requires.


    Web analysis by Matomo

    1. Scope of processing of personal data

    We use the self hosted open source software tool Matomo in our customer portal to analyze the use of our customer portal. The tool partly uses the information from the other processing operations mentioned above.

    If individual pages are called up in the customer portal, the following data is stored as part of what is known as "device fingerprinting":

    1. Two bytes of the IP address of the requesting system
    2. The accessed website
    3. The sub-pages that are accessed from the accessed website
    4. The length of stay on the website
    5. The frequency with which the website is accessed
    6. The company name of the customer to whom the registered user are assigned (see previous procedure)
    7. The country from which the access is made, determined by the ip-address
    8. Date and time of access
    9. A unique ID created for the respective session

    The software is set so that the IP addresses are not saved fully, but 2 bytes of the IP address are masked (e.g. 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the requesting device.

    By storing the company name, depending on the number of users assigned to the company, it may be possible to infer a natural person in individual cases. However, such a conclusion is neither made by automated nor by non-automated data processing procedure by Adacor and if nevertheless, it is only coincidental.

    The software runs exclusively on the servers of our customer portal. The personal data used of users is only stored there. The data will not be passed on to third parties.


    2. Legal basis for the processing of personal data

    The legal basis for processing the personal data of users is the legitimate interest on the part of Adacor, Art. 6 (1) (f) GDPR.


    3. Purpose of data processing

    The processing of the personal data of the users enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. For these purposes, our legitimate interest lies in the processing of the data according to Art. 6 (1) (f) GDPR. By anonymizing the IP address, the interests of users in protecting their personal data are adequately taken into account.


    4. Data transfer

    The collection and analysis of data is only performed on systems managed and hosted by us.


    5. Duration of storage

    The data will be deleted as soon as they are no longer required for our recording purposes.
    In our case after six months.


    6. Opposition and cancellation option

    An objection can be lodged against data processing by device fingerprinting within the meaning of the GDPR. The deletion of the above-mentioned data within the meaning of Art. 17 GDPR can also be requested.

    ou can find more information on the privacy settings of the Matomo software under the following link: https://matomo.org/docs/privacy/.


    Surveys and Questionnaires

    The surveys and questionnaires ("surveys") carried out by us are evaluated anonymously. Personal data is only processed insofar as this is necessary for the provision and technical execution of the survey (e.g. processing the IP address to display the survey in the user's browser or to enable a resumption of the survey with the aid of a temporary cookie (session cookie)) or participants have consented.

    Information on legal basis: If we ask the participants for their consent to the processing of their data, this is the legal basis for the processing, otherwise the processing of the participants data is based on our legitimate interests in conducting an objective survey.

    1. Processed data types: Contact data (e.g. e-mail, telephone numbers); Content data (e.g. text input, photographs, videos); Usage data (e.g. websites visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).
    2. Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
    3. Purposes of Processing: Contact requests and communication; Direct marketing (e.g. by e-mail or postal).
    4. Legal Basis: Consent (Article 6 (1) (a) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR).

    Further information on processing methods, procedures and services used:

    1. Nicereply: Service provider: Nice Reply s.r.o., Štefanovičova 2971/8, Bratislava 811 04, Slovakia; Website: https://www.nicereply.com/; Privacy Policy: https://www.nicereply.com/product/privacy-policy .


    Self services via the customer portal

    In our customer portal you will find some modules with which you can order services from Adacor or have them carried out directly.


    Support inquiries

    1. Description and scope of data processing

    Registered users can use the provided forms to send support requests and orders to Adacor. The customer portal then sends the emails with the respective content to the Adacor ticket system.

    The following data are processed by the users who use the form:

    1. Name and first name
    2. E-mail address
    3. The company name of the customer to whom the user is assigned (see previous procedure)
    4. The project assignment to which the user is assigned
    5. Any data entered in the form
    6. Time and date of sending
    7. The page within the customer portal from which the form was filled out

    2. Legal basis for data processing

    The legal basis is the processing required to fulfill contractual or at least pre-contractual obligations in accordance with Article 6 (1) (b) GDPR.


    3. Purpose of data processing

    The procedure is used to receive and process support requests from Adacor customers.


    4. Data transfer

    The collection and analysis of data is primarely performed on systems managed and hosted by us. Depending on the kind of order this can be deviated from if services from third parties are necessary to fulfill the request.


    5. Duration of storage

    The information entered in the input mask of the form is only saved in the customer portal for the duration of the active session.

    The data passed on in the Adacor ticket system will be stored up to 10 years after the request has been completed due to tax regulations.


    6. Opposition and removal option

    Processing in the customer portal ends with the active session.

    The deletion of forwarded inquiries in the ticket system can be requested by contacting Adacor at the corresponding support addresses or atdatenschutz(at)adacor.com, provided that tax regulations do not contradict this.


    Self Services

    1. Description and scope of data processing

    Registered users who have been activated for this purpose can use the forms provided to directly use, influence and order services, like CDN-services and DNS-services.

    Then triggered, the customer portal transmits the necessary information for placing the order to the respective systems. The transmitted data will not be cached. The order is stored and assigned to the respective cost center in our invoice management system.

    The following data of the users who use the form is processed:

    1. First name Last Name
    2. E-mail address
    3. URL for which the CDN is requested
    4. The project and cost center assignment to which the user is assigned
    5. The page within the customer portal from which the form was filled out

    2. Legal basis for data processing

    The legal basis is the processing required to fulfill contractual or at least pre-contractual obligations in accordance with Article 6 (1) (b) GDPR.


    3. Purpose of data processing

    The procedure is used to receive and process orders from Adacor's customers.


    4. Data transfer

    The collection and analysis of data is only performed on systems managed and hosted by us.

    To provide CDN-services we use the services of Lumen Technologies Germany GmbH. Lumen Technologies Germany GmbH doesn't receive any personal data from Adacor's customers, Adacor expands it's own contingent with Lumen Technologies Germany GmbH according with orders.


    5. Duration of storage

    The information entered in the input mask of the form is transmitted directly to the customer portal and is therefore only temporarily stored.

    The data stored for billing in Adacor's invoice management will be stored up to 10 years after completion of the order due to tax law requirements.


    6. Opposition and removal option

    Processing in the customer portal ends immediately after execution.

    The assignment can be terminated. However, due to tax law requirements, all billing-relevant information from the order must be stored in an audit-proof manner.


    Information service about commissioned domains

    1. Description and scope of data processing

    Recipients entered under "Domains → Notifications" for the project regularly receive information about the current domain inventory of a company and its soon-to-be-expired domains to the email address stored for the recipient.


    2. Legal basis for data processing

    The legal basis is the processing required to fulfill contractual or at least pre-contractual obligations in accordance with Article 6 (1) (b) GDPR.


    3. Purpose of data processing

    The procedure is used to provide services in the domain area for Adacor's customers.


    4. Data transfer

    The collection and analysis of data is only performed on systems managed and hosted by us.


    5. Duration of storage

    The recipient data stored under "Domains → Notifications" is stored there either until new data is entered or, alternatively, until the end of the service.


    6. pposition and removal option

    The data is maintained by authorized contact persons of the customers. Inquiries should therefore be directed to them. Inquiries to Adacor can be send to datenschutz(at)adacor.com.