ownCloud.online

Data protection & security · Art. 32 GDPR

How we protect your data

Under Article 32 GDPR we take appropriate technical and organizational measures to ensure a level of security appropriate to the risk for personal data. This overview describes the measures with which BW-Tech GmbH secures the operation of ownCloud.online.

These measures take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the likelihood and severity of the risks to the rights and freedoms of data subjects.

They are a binding part (annex) of the Data Processing Agreement (DPA) under Art. 28 GDPR and are continuously adapted as the technology evolves.

At a glance

  • Legal basis: Art. 32 GDPR
  • Place of processing: Germany only
  • Certified data center (ISO 27001)
  • Encryption in transit & optional end-to-end
  • Single-tenancy – dedicated instance per customer

Legal framework

Requirements under Art. 32(1) GDPR

The GDPR names in particular the following protection goals our measures are aligned with:

a) Pseudonymization & encryption

Encryption of personal data and, where possible, pseudonymization.

b) Confidentiality, integrity, availability & resilience

Ongoing assurance of these properties of the systems and services.

c) Rapid restorability

Restoring availability and access after a physical or technical incident.

d) Regular review

A process for reviewing, assessing and evaluating the effectiveness of the measures.

Our measures in detail

Specific technical & organizational measures

Organized by the protection goals of Art. 32 GDPR and the established control categories:

Pseudonymization & encryption

  • Transport encryption: TLS with AES 256 for all data transfers.
  • End-to-end encryption: optionally activated client-side via smartcard or password.
  • Encryption of stored data (at rest): to confirm / specify
  • Pseudonymization: procedure to describe

Confidentiality

  • Physical access control: physical protection of the certified German data center. [measures to add]
  • System access control: authentication with available two-factor authentication; password policies.
  • Data access control: role- and permission-based authorization concept. [to add]
  • Separation control: single-tenancy – each customer instance is separate, no data pooling.

Integrity

  • Disclosure / transfer control: encrypted transfer (TLS) and controlled interfaces.
  • Input control: logging of access and changes for traceability. [scope to add]

Availability & resilience

  • High availability: redundant data-center infrastructure in Germany.
  • Backups: automated backups with restoration up to 30 days.
  • Malware protection: real-time virus scanning on every upload.
  • Disaster recovery: defined recovery objectives (RPO/RTO). [to add]

Process for regular review

  • ISMS: information security management system per ISO 27001.
  • Audits: regular internal and external reviews / certification audits.
  • Incident management: process for handling security incidents and notifying data breaches (Art. 33/34 GDPR).
  • Vulnerability management / penetration testing: frequency to add

Instruction & processing control

  • Bound by instructions: processing solely on the controller's documented instructions.
  • Sub-processors: careful selection and contractual commitment under Art. 28 GDPR.
  • Staff commitment: to confidentiality and data secrecy.

Certifications & evidence

Audited security

Operations rely on a certified data center and established management standards:

  • ISO 27001 – Information security
  • ISO 9001 – Quality management
  • ISO 50001 – Energy management
  • ISAE 3402 (SOC 1 + 2)

The scope and issuer of the certificates are evidenced on request. [certificates / scope to link]

Relation

Annex to the DPA

These technical and organizational measures are a binding part of the Data Processing Agreement under Art. 28 GDPR.

→ To the Data Processing Agreement (DPA)

Contact

Questions about data security?

We are happy to provide further information on our safeguards.

info@bw.tech · +49 6202 95323 00

Last updated: 2 July 2026 · Version 1.0. Controller: BW-Tech GmbH, Albert-Bassermann-Strasse 31, 68782 Bruehl, Germany. This page does not constitute legal advice.
