Data protection & security · Art. 32 GDPR
How we protect your data
Under Article 32 GDPR we take appropriate technical and organizational measures to ensure a level of security appropriate to the risk for personal data. This overview describes the measures with which BW-Tech GmbH secures the operation of ownCloud.online.
These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risks to the rights and freedoms of data subjects.
They are a binding part (annex) of the Data Processing Agreement (DPA) under Art. 28 GDPR and are continuously adapted as the technology evolves.
At a glance
- Legal basis: Art. 32 GDPR
- Place of processing: Germany only
- Certified data center (ISO 27001)
- Encryption in transit & optional end-to-end
- Single-tenancy – dedicated instance per customer
Legal framework
Requirements under Art. 32(1) GDPR
The GDPR names, in particular, the following protection goals, with which our measures are aligned:
Pseudonymization & encryption
Encryption of personal data and, where possible, pseudonymization.
Confidentiality, integrity, availability & resilience
Ongoing assurance of these properties of the systems and services.
Rapid restorability
Restoring availability and access after a physical or technical incident.
Regular review
A process for reviewing, assessing and evaluating the effectiveness of the measures.
Our measures in detail
Specific technical & organizational measures
Organized by the protection goals of Art. 32 GDPR and the established control categories:
Pseudonymization & encryption
- Transport encryption: TLS with AES-256 for all data transfers.
- End-to-end encryption: optionally activated client-side via smartcard or password.
- Encryption of stored data (at rest): to confirm / specify
- Pseudonymization: procedure to describe
Confidentiality
- Physical access control: physical protection of the certified German data center. [measures to add]
- System access control: authentication with available two-factor authentication; password policies.
- Data access control: role- and permission-based authorization concept. [to add]
- Separation control: single-tenancy – each customer instance is separate, no data pooling.
Integrity
- Disclosure / transfer control: encrypted transfer (TLS) and controlled interfaces.
- Input control: logging of access and changes for traceability. [scope to add]
Availability & resilience
- High availability: redundant data-center infrastructure in Germany.
- Backups: automated backups with restoration up to 30 days.
- Malware protection: real-time virus scanning on every upload.
- Disaster recovery: defined recovery objectives (RPO/RTO). [to add]
Process for regular review
- ISMS: information security management system per ISO 27001.
- Audits: regular internal and external reviews / certification audits.
- Incident management: process for handling security incidents and notifying data breaches (Art. 33/34 GDPR).
- Vulnerability management / penetration testing: frequency to add
Instruction & processing control
- Bound by instructions: processing solely on the controller's documented instructions.
- Sub-processors: careful selection and contractual commitment under Art. 28 GDPR.
- Staff commitment: to confidentiality and data secrecy.
Certifications & evidence
Audited security
Operations rely on a certified data center and established management standards:
The scope and issuer of the certificates are evidenced on request. [certificates / scope to link]
Relation
Annex to the DPA
These technical and organizational measures are a binding part of the Data Processing Agreement under Art. 28 GDPR.
Contact
Questions about data security?
We are happy to provide further information on our safeguards.
info@bw.tech · +49 6202 95323 00
Last updated: 2 July 2026 · Version 1.0. Controller: BW-Tech GmbH, Albert-Bassermann-Strasse 31, 68782 Bruehl, Germany. This page does not constitute legal advice.