Privacy information
The protection of personal data is the basis for the development of Governikus products and solutions. When collecting and processing personal data, §3a of the Federal Data Protection Act stipulates data avoidance and data economy. We implement this requirement in the design and implementation(Privacy by Design) and configuration(Privacy by Default) of our software products and solutions.
Legal basis
The development, implementation and configuration of our products and solutions are based on legal principles:
EU DS GVO
The EU GDPR, there Art. 25 and Recital 78, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
DSAnpUG-EU draft
The official explanatory memorandum to DSAnpUG-EU draft on this provision.
Product development
Pre-planned development and daily testing of development statuses help to identify and thus prevent gaps in personal data processing. In doing so, the protection of this data is anchored as the basic attitude of our products and secured from the collection of the data to its deletion. In concrete terms, this is implemented through recognized, proven and modern standards.
Data separation into personal data and process data applies to all products, which means, for example, that the log files written by the products do not contain any personal data and can only be used for monitoring and troubleshooting.
Access protection for server products takes place on two levels. Governikus KG recommends operating the server products in secure rooms, in a protected infrastructure with controlled access (firewalls) to the intranet and Internet (DMZ). Within this specially protected area, access to the server products also requires user authentication. Client products are installed on individual workstations, whereby the operating systems require user authentication.
Data protection in Governikus products
The Secure Communication Suite products are based on the OSCI network protocol, among others, in which messages are signed and transmitted end-to-end encrypted. With the OSCI-based XÖV standards (XML in public administration), message content and attachments (content containers) must also be encrypted.
The Secure Identity Suite products authenticate electronic identities. Here too, data is only transmitted in encrypted form. The certificates and signatures used are checked to ensure that valid statements about the integrity of data and the authenticity identities are always available.
The Secure Data Suite contains the long-term archive LZA, which is TR-ESOR-certified (BSI Technical Guideline 03125) and guarantees evidence-preserving, secure long-term storage of documents.
Protected production environment
Governikus products are developed in specially protected premises. Access is secured with transponders and an alarm system. The spatial protection and the protection of the specially secured production infrastructure are described in the Governikus security concept, on the basis of which the evaluation according to Common Criteria is carried out. The trustworthiness requirement "Development Security (ALC_DVS.1)" from the trustworthiness class "Life-Cycle Support (ALC)" is checked. In addition, this concept supplements the data protection concept.
Product configuration
The Governikus server products Governikus Service Components (SC), Governikus Long-Term Archive (LTA) and Governikus MultiMessenger (GMM) are complex systems whose configurations enable protected and data-saving data processing. Only authorized persons have access to configuration and administration. Configurations of server products are designed in such a way that only adaptation to the customer's infrastructure and the use of the customer's own key material is required to ensure that the productive system meets the high standards of data protection and data security.
Evaluation of hazards
As an ongoing process, a technical assessment of threats is performed by our Technology Coaches. This concerns both the technologies used in Governikus products and the third-party products used, as well as the security and availability of the infrastructure. All relevant sources reporting on these products are monitored and evaluated. If a security or availability-relevant threat applies to us, we react immediately via proven procedures such as software updates, mailings or patches. In this way, the security of the delivered Governikus products and thus the security of personal data processing are guaranteed and documented.