Technical and organizational measures (TOM) pursuant to Art. 32 GDPR

Fitness Nation GmbH – Security Concept

Status: 08.09.2025

1. Purpose and scope

This document describes the technical and organizational measures (TOMs) implemented by Fitness Nation GmbH to ensure a level of protection appropriate to the risk, in accordance with Article 32 of the GDPR. The TOMs cover all processes and systems in which personal data is processed under the responsibility of Fitness Nation GmbH, including processing carried out on behalf of customers (commissioned processing) and the involvement of sub-processors.

The TOMs serve in particular to ensure:

  • confidentiality, integrity, availability and resilience of the systems and services,
  • the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident,
  • procedures for regularly reviewing, assessing and evaluating the effectiveness of the measures.

2. Data protection and security organization (general)

2.1 Data Protection Management and Documentation

Fitness Nation GmbH operates a company-wide data protection management system (DSMS), compliance with which is continuously monitored and evaluated on an ad hoc basis and at least semi-annually. The DSMS documentation is maintained and managed using the DPMS-Online software from LegalInnovate Technologies GmbH.

2.2 Up-to-dateness of systems and protection software

Operating systems and installed software are kept up to date with the latest available version. Security-related updates (especially operating system updates) are installed automatically, provided they are available and compatible. Antivirus and firewall solutions are in use and are regularly updated.

2.3 Withdrawal of authorization upon role change/departure

Issued keys, access cards, codes, and authorizations to process personal data are immediately revoked or withdrawn upon an employee's departure from the company or a change in responsibilities. The issuance of keys is documented in a traceable manner; authorizations are granted strictly on a task-specific basis and revoked once they are no longer needed.

2.4 Processes for safeguarding the rights of data subjects

A structured process exists to safeguard the rights of data subjects (access, rectification, erasure, restriction of processing, data portability, withdrawal of consent, objection) within the statutory time limits. This process includes defined procedures, responsibilities, and supporting forms/instructions, and is documented in the Data Protection Management System (DSMS). A deletion policy and retention periods are defined and stored in the DSMS.

2.5 Confidentiality, training and employee guidelines

Employees are bound by confidentiality agreements, receive instruction on data protection and information security, and participate in regular training. The confidentiality obligation is part of the employment contract; its compliance is documented in the Data Protection Management System (DSMS). Additional regulations exist for special work situations (e.g., work outside company premises or use of private devices, where permitted) to protect personal data and safeguard client rights.

2.6 Data protection by design and by default (Art. 25 GDPR)

The protection of personal data is already taken into account during the development, selection, and operation of hardware, software, and processes (Privacy by Design & Privacy by Default). Data protection requirements are considered in the conception, specification (requirements/functional specifications), implementation, and acceptance testing phases. This includes, in particular:

  • data minimization and data economy,
  • access controls and authorization concepts,
  • pseudonymization/anonymization where appropriate,
  • appropriate security measures such as encryption and logging,
  • control options for data subjects within the framework of product/process design.

2.7 Response to data breaches (Data Breach Process)

A concept exists for the immediate and legally compliant response to personal data breaches (investigation, containment, documentation, reporting, notification). Documentation and proof of implementation are maintained within the Data Protection Management System (DSMS). Standardized templates/forms are established for this purpose (including internal reporting, external reporting, and informing data subjects).

2.8 Selection and integration of supporting service providers

Service providers (e.g., cleaning staff, security personnel, other support staff) are carefully selected. Where necessary, organizational measures are in place to ensure they comply with data protection regulations. Activities in sensitive areas are carried out in a controlled manner and according to organizational guidelines.


3. Physical access control

3.1 Goal

Preventing unauthorized access to data processing facilities and premises where personal data is processed.

3.2 Measures

  • Office access is secured by security locks; the issuance of keys is documented.
  • Access to office premises is restricted to employees only; regular visitor traffic is not permitted.
  • The entrance area to the office premises is under video surveillance.
  • Monitoring equipment such as alarm systems, camera systems and burglar alarm systems are present.
  • Data processing systems on which customer data is stored are predominantly located with sub-processors in the cloud (in particular AWS). Employees use terminal/access applications to perform their tasks.
  • The cloud provider's documented technical and organizational measures (TOMs) apply to its data center and infrastructure measures. Information regarding AWS compliance and GDPR is available from the provider (AWS GDPR Center).
  • Cleaning services are carried out during operating hours under organizational control.

4. System access and authorization control

4.1 Goal

Ensuring that only authorized persons have access to IT systems and can only access personal data within the scope of their authorization. Preventing unauthorized reading, copying, modification, or deletion of data.

4.2 Authentication and password policies

  • Personal user accounts are used; generic/shared access is prohibited.
  • A password convention requiring complex passwords (minimum length 12 characters) applies.
  • Compliance with the password convention is monitored technically/organizationally.
  • Where necessary, a password manager is used or recommended.
  • Multi-factor authentication (MFA/2FA) is used; access is secured via MFA by default.

4.3 Technical protective measures at the workplace/terminal device

  • Automatic screen lock is active (e.g., after 5 minutes of inactivity).
  • End devices are encrypted (e.g., FileVault, BitLocker).
  • USB ports may be restricted/blocked according to policy; the use of USB sticks is regulated.
  • Secure network connections are used for external access (VPN, TLS or similar).
  • The firewall is active (software firewall) and configured with a rule set.
  • Notebooks/work devices are generally encrypted; mobile data carriers may only be used in encrypted form if such use is necessary.

4.4 Locking mechanisms and session timeout

  • Accounts are temporarily locked after a defined number of failed login attempts (e.g., after three failed attempts) to make brute-force attacks more difficult.
  • Sessions are automatically terminated after a defined period of inactivity; the timeout duration depends on the risk level of the respective application.
  • In MFA systems, additional token-based blocking can be implemented if invalid tokens are entered multiple times.
  • Blocking actions and relevant authentication events are logged.

4.5 Role and authorization concept (Need-to-know / RBAC)

  • Access to personal data is strictly regulated according to need-to-know and segregation of duties.
  • A role-based access control (RBAC) concept is used. Roles have predefined rights; individual additional rights are granted restrictively and documented.
  • The granting/modification/revocation of authorizations takes place according to a regulated process (including review/approval/documentation, generally according to the four-eyes principle, insofar as organizationally applicable).
  • Upon joining, accounts with minimum permissions are set up.
  • Permissions are reviewed for necessity at least annually and adjusted if required.
  • Upon leaving the company or changing roles, access rights are deactivated or adjusted immediately, and no later than the end of the working day.

4.6 Logging and Monitoring

  • Login events and relevant accesses to systems are logged.
  • Logins to production systems can generate notifications.
  • Changes to data and deletion processes are logged.
  • External access (e.g. VPN/remote access) is logged.
  • Logs are protected against unauthorized access, stored with restricted access, and analyzed to detect security-relevant events. Access to logs is also logged.

4.7 Access to customer systems / remote maintenance

  • Access to customer systems is only granted on the basis of a written agreement (e.g., data processing agreement/customer agreement and remote maintenance contract).
  • Remote maintenance access is provided via secure, dedicated systems/procedures and is logged separately.

4.8 Security software (antivirus)

  • Windows systems have basic protection provided by Microsoft Defender.
  • On macOS, integrated protection mechanisms are used (including Gatekeeper, MRT, and XProtect). An additional anti-malware solution is also employed.
  • The macOS firewall is enabled and configured by default.
  • Automatic software updates for operating systems are enabled.

4.9 Secure destruction of data carriers

  • Data carriers are destroyed in compliance with data protection regulations via a specialized service provider (e.g., Remondis). The destruction process is carried out according to internal guidelines and is organized in a traceable manner.

5. Transfer control (disclosure of data)

5.1 Goal

Ensuring that personal data is not read, copied, altered or removed without authorization during transmission/disclosure and that recipients and transfers are traceable.

5.2 Determination and documentation of the recipients

  • Recipients of personal data are documented in accordance with legal requirements.
  • Recipients are recorded in the register of processing activities in accordance with Article 30 GDPR.
  • Internal recipients are regulated by the authorization concept (need-to-know).
  • External recipients are recorded separately (e.g., data processors such as hosting/cloud providers, external service providers; authorities, if legally required; customers/partners for contract fulfillment).
  • Any transfer of data is based on a legal basis (e.g., consent, contract fulfillment, legal obligation, legitimate interest).
  • Recipient lists and records of processing activities are reviewed at least annually; compliance is supported by internal controls.

5.3 Encryption and secure transmission

  • Web applications/portals use HTTPS with current TLS versions (at least TLS 1.2).
  • Email traffic is secured using transport encryption (e.g. STARTTLS) where technically possible; for particularly sensitive content, end-to-end encryption (e.g. PGP/S/MIME) can be used.
  • Remote access is via VPN; VPN connections are logged.
  • Only encryption methods that are state-of-the-art are used; outdated protocols are deactivated.

6. Input control

6.1 Goal

Traceability of whether and by whom personal data was entered into systems, changed or deleted.

6.2 Measures

  • Rights to enter, modify and delete data are granted based on the authorization concept.
  • Database and system logs record relevant processes with timestamps and user IDs.
  • Administrative actions (e.g., changes to permissions or database structures) are logged.
  • Log data is protected and stored separately from operational data; protection against manipulation and access restrictions are implemented.
  • Logs are regularly reviewed for security-relevant events; in the event of an incident, they serve for forensic analysis.

6.3 Storage of forms/source documents

  • Forms from which data is transferred into automated processing are stored in accordance with legal and internal requirements.
  • Paper forms are kept in secure, lockable areas; access is restricted to authorized persons.
  • Digital forms (e.g. PDF) are stored in secure archives/databases; access is protected by access and authorization controls.
  • Retention periods are based on legal/contractual requirements (e.g. commercial/tax law obligations).
  • After the deadline has expired, data is destroyed in compliance with data protection regulations (shredding, irrevocable deletion); the destruction is carried out in an organizationally traceable manner.

7. Order control (processing on documented instructions)

7.1 Goal

Ensuring that personal data is processed on behalf of the client only in accordance with documented instructions and that the processors and sub-processors used implement appropriate TOMs.

7.2 Selection and contractual obligation

  • Contractors are selected based on due diligence criteria (e.g. suitability check, references, evidence/certifications such as ISO 27001, where available and required).
  • A data processing agreement (DPA) in accordance with Art. 28 GDPR is concluded with each processor.
  • Instructions, relevant stipulations and documentation are managed centrally.

7.3 Control and evidence

  • Compliance with data protection and security requirements is checked on a risk-based basis (e.g. questionnaires, document review, audits).
  • The right to information and control is contractually enshrined.
  • Data breaches/security-related incidents must be reported immediately by the contractor (contractually agreed).
  • Results and communication regarding audits are documented and serve the purpose of accountability.

7.4 Deletion/Destruction after completion of the order

  • Contractors are obliged to securely delete or return data after termination of the contractual relationship or upon instruction.
  • Secure deletion procedures for digital data are used; physical documents are destroyed according to recognized standards.
  • Destruction/proof is documented (e.g., destruction protocol/confirmation).
  • Fitness Nation GmbH reserves the right to conduct checks (e.g., reviewing protocols or auditing).

8. Availability control and integrity

8.1 Goal

Ensuring the availability of personal data and protection against accidental destruction or loss; maintaining data integrity.

8.2 Redundancy / Disk Mirroring (where required by the system)

  • For critical systems, redundancy mechanisms (e.g. mirroring/RAID) can be used to minimize downtime in the event of hardware defects.
  • Redundancy does not replace data backup; it serves to ensure short-term reliability.

8.3 Backup and Recovery Concept

  • A documented backup and recovery concept exists.
  • Backups are performed regularly and automatically for systems that process personal data; the scope and frequency depend on the criticality of the systems.
  • Backups are stored redundantly and protected against unauthorized access, including encryption of the backup data.
  • Data backup is based on recognized principles (e.g., the 3-2-1 principle: multiple copies, different media, at least one copy off-site).
  • Recoverability is verified through regular, documented restore tests.
  • Backup processes are monitored; errors trigger warning messages and are resolved promptly.

Additional backup copies can be stored geo-redundantly in a separate data center (e.g. at Hetzner), if required for systems.

8.4 Energy supply, climate, data center

For cloud infrastructures (e.g., AWS), measures such as uninterruptible power supply, surge protection, and air conditioning are ensured by the provider within the framework of its data center standards. Fitness Nation is responsible for the secure configuration, permissions, and operation of the applications within the environments used.

8.5 Emergency plan / Business Continuity

  • An emergency plan to ensure business continuity has been established and documented.
  • Risks (e.g., failures, cyberattacks, physical events) are systematically considered; resulting precautionary measures are implemented.
  • Alerting and communication channels are defined; roles/responsibilities are determined.
  • Recovery measures are described as part of the emergency plan (priorities, checklists, responsibilities).
  • Emergency drills and tests (including recovery tests) are conducted and documented at least annually and as needed.
  • Following an incident, a follow-up process is conducted, including root cause analysis and improvement measures.

8.6 Stress tests

  • To ensure the resilience of systems, resilience tests are carried out at appropriate intervals (e.g. before releases, after major changes or at least annually, where appropriate).
  • Tests are conducted in a suitable test environment that does not affect production operations.
  • Results are logged, evaluated, and incorporated into measures for optimization/safeguarding.

9. Ensuring compliance with the purpose-bound and separation requirements

9.1 Logical client separation

In multi-tenant systems, strict logical tenant separation is implemented. This prevents one tenant from accessing another tenant's data. Tenant separation is implemented in particular through:

  • tenant binding at the database level (e.g., the tenant ID as a mandatory criterion in every query, or separate databases per tenant),
  • tenant binding in the application logic (the tenant ID is applied automatically to every data access),
  • tenant-specific authentication/authorization in interfaces (APIs),
  • restrictively regulated administrative rights.
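The following example is added here to illustrate the tenant binding described above; it is not code from Fitness Nation GmbH or from any of its systems. It uses an in-memory SQLite table whose primary key includes the tenant ID, places an unscoped lookup (the anti-pattern) beside a repository that binds every statement to one tenant, and shows an API handler that takes the tenant ID only from the authenticated session, so a tenant ID smuggled into the request body has no effect. The tenant names, member records, `Session` class and `handle_get_member` handler are constructed for the example.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data (not from the page): two studios ("tenants") sharing one database.
SAMPLE_ROWS = [
    ("studio-a", 1, "Anna", "anna@example.com"),
    ("studio-a", 2, "Ben", "ben@example.com"),
    ("studio-b", 3, "Clara", "clara@example.com"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database; the tenant id is part of the primary key of every tenant-owned table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members ("
        "tenant_id TEXT NOT NULL, id INTEGER NOT NULL, "
        "name TEXT NOT NULL, email TEXT NOT NULL, "
        "PRIMARY KEY (tenant_id, id))"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def get_member_unscoped(conn: sqlite3.Connection, member_id: int):
    """Anti-pattern: keyed on the record id alone, so a caller from one tenant who
    guesses or enumerates ids reads another tenant's rows."""
    return conn.execute(
        "SELECT tenant_id, id, name, email FROM members WHERE id = ?", (member_id,)
    ).fetchone()


class TenantScopedRepo:
    """Data-access layer that binds every statement to one tenant id.
    The tenant id is fixed at construction from the authenticated session and is not a per-call parameter."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant_id is mandatory for every query")
        self._conn = conn
        self._tenant_id = tenant_id

    def get_member(self, member_id: int):
        return self._conn.execute(
            "SELECT tenant_id, id, name, email FROM members WHERE tenant_id = ? AND id = ?",
            (self._tenant_id, member_id),
        ).fetchone()

    def list_member_ids(self) -> list:
        rows = self._conn.execute(
            "SELECT id FROM members WHERE tenant_id = ? ORDER BY id", (self._tenant_id,)
        ).fetchall()
        return [r[0] for r in rows]

    def delete_member(self, member_id: int) -> int:
        """Returns the number of rows deleted: 0 when the id belongs to another tenant."""
        cur = self._conn.execute(
            "DELETE FROM members WHERE tenant_id = ? AND id = ?", (self._tenant_id, member_id)
        )
        self._conn.commit()
        return cur.rowcount


@dataclass(frozen=True)
class Session:
    """Hypothetical authenticated session: the tenant id is established during authentication."""
    user: str
    tenant_id: str


def handle_get_member(conn: sqlite3.Connection, session: Session, request: dict):
    """Hypothetical API handler. Any tenant_id in the request body is ignored;
    only the session's tenant scopes the query."""
    repo = TenantScopedRepo(conn, session.tenant_id)
    return repo.get_member(int(request["id"]))


if __name__ == "__main__":
    db = build_db()
    print("unscoped:", get_member_unscoped(db, 3))  # leaks studio-b's row to any caller
    sess = Session(user="front-desk@studio-a", tenant_id="studio-a")
    print("scoped:", handle_get_member(db, sess, {"id": 3, "tenant_id": "studio-b"}))  # None
```

The composite primary key means a missing tenant filter cannot be papered over by the database: a query that omits `tenant_id` is wrong by construction, and code review can grep for statements on tenant-owned tables that lack it. Where the database supports it, the same binding can additionally be enforced server-side (for example with row-level security policies), so that an application bug cannot widen the scope.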

9.2 Separation of production and test systems

  • Production and test environments are logically and organizationally separated.
  • In test environments, anonymized or pseudonymized data is generally used.
  • The transfer of real personal data from production systems into test/development environments is prohibited, unless absolutely necessary and after it has been appropriately anonymized/pseudonymized.
  • Access to production systems is restricted to a narrowly defined, authorized group of people and is logged; developers/test roles generally work in test environments.

9.3 Pseudonymization/Anonymization

  • Wherever possible, data is processed anonymously (e.g. statistics without personal reference, group metrics, feedback without traceability).
  • If anonymization is not possible, pseudonymization is used as a risk-minimizing measure (e.g. in analyses, reports, development/testing contexts).
  • Mapping information (key/mapping table) is stored separately from the pseudonymized data, specially protected, and made accessible only to a very narrowly authorized group of people.
  • Access to mapping files is fully logged; mapping information is additionally protected (e.g. encryption, RBAC, separate systems/network zones).
  • If the purpose ceases to exist, assignment data and, if applicable, mapping tables will be deleted.
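An added example of the pseudonymization scheme described in this section; it is not code from Fitness Nation GmbH. A constructed member list is turned into an analysis dataset that carries only a pseudonym and the metric of interest, while the key and the pseudonym-to-identity mapping live in a separate store that enforces a role check, logs every re-identification attempt, and can be purged once the purpose ceases. The pseudonym is a keyed HMAC rather than a bare hash, because member IDs form a small space that an unkeyed hash could be reversed over by enumeration. The role names, sample records and the `MappingStore` class are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records (not from the page).
MEMBERS = [
    {"member_id": 1001, "name": "Anna", "email": "anna@example.com", "visits": 12},
    {"member_id": 1002, "name": "Ben", "email": "ben@example.com", "visits": 3},
]

# Hypothetical roles standing in for the "very narrowly authorized group" that may re-identify.
REIDENTIFY_ROLES = {"dpo", "data-steward"}


class MappingStore:
    """Holds the pseudonymization key and the pseudonym -> member_id mapping.
    Stands in for the separately stored, specially protected system the page describes;
    in production it would run in its own system/network zone with encrypted storage."""

    def __init__(self):
        self._key: Optional[bytes] = secrets.token_bytes(32)
        self._mapping: dict = {}
        self.access_log: list = []  # every re-identification attempt, allowed or not

    def pseudonym_for(self, member_id: int) -> str:
        """Deterministic pseudonym: the same member always maps to the same value, so
        records can be joined without the mapping, but reversal needs the key."""
        if self._key is None:
            raise RuntimeError("mapping store has been purged")
        digest = hmac.new(self._key, str(member_id).encode(), hashlib.sha256).hexdigest()
        pseudonym = digest[:16]
        self._mapping[pseudonym] = member_id
        return pseudonym

    def reidentify(self, pseudonym: str, actor: str, role: str) -> Optional[int]:
        """Return the member id behind a pseudonym; refused for roles outside the authorized group."""
        self.access_log.append((actor, role, pseudonym))
        if role not in REIDENTIFY_ROLES:
            raise PermissionError(f"{actor} ({role}) may not re-identify data")
        return self._mapping.get(pseudonym)

    def purge(self) -> None:
        """Once the purpose ceases, deleting key and mapping leaves the dataset anonymous."""
        self._mapping.clear()
        self._key = None


def pseudonymize_dataset(members: list, store: MappingStore) -> list:
    """Build the analysis dataset: direct identifiers dropped, pseudonym added."""
    return [
        {"pseudonym": store.pseudonym_for(m["member_id"]), "visits": m["visits"]}
        for m in members
    ]


if __name__ == "__main__":
    store = MappingStore()
    dataset = pseudonymize_dataset(MEMBERS, store)
    print(dataset)
    print(store.reidentify(dataset[0]["pseudonym"], actor="dpo-1", role="dpo"))  # 1001
    store.purge()
    print(store.reidentify(dataset[0]["pseudonym"], actor="dpo-1", role="dpo"))  # None
```

Truncating the digest to 16 hex characters keeps pseudonyms short while leaving 64 bits, which is ample for a member base of any realistic size; the mapping table, not the truncation, is what determines re-identifiability. Note that `visits` and similar attributes can still single out individuals in small groups, which is why the page treats pseudonymized data as personal data until the mapping is deleted.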

10. Encryption of data carriers and connections

10.1 Data Encryption

  • Data storage devices of end devices (mobile and stationary) on which sensitive data is processed or stored are protected by full disk encryption (e.g. FileVault/BitLocker).
  • Mobile data storage devices (e.g. external hard drives/USB sticks) may only be used in encrypted form if their use is necessary.

10.2 Transport and communication encryption

  • Web communication takes place via HTTPS with current TLS versions (at least TLS 1.2).
  • Remote access is via VPN or similarly secure tunnel connections; VPN connections are logged.
  • Email transport encryption is used where technically possible; end-to-end encryption can be used for particularly sensitive data.
  • Only recognized, robust encryption algorithms are used; insecure/outdated protocols are deactivated.

11. Information classification

A guideline for information classification is established to determine the protection requirements of processed information based on risk and to derive appropriate protective measures. Classifications can include, among other things:

  • Public,
  • Internal,
  • Confidential,
  • Secret/Strictly confidential.

The classification is carried out by subject matter experts in consultation with data protection and security functions. Classifications and the effectiveness of the measures are reviewed at least annually or on an ad hoc basis.


12. Regular evaluation of effectiveness

Fitness Nation GmbH reviews, assesses, and evaluates the effectiveness of the described technical and organizational measures (TOMs) at regular intervals and on an ad hoc basis. Results and relevant evidence are documented in the data protection management system (DSMS) and incorporated into the continuous improvement of data protection and information security.


Example wording (directly usable as a text module)

Example: Access control (short, publishable building block)

"Access to personal data is exclusively role-based, following the need-to-know principle. All access is secured via personal user accounts with password protection and multi-factor authentication. Relevant login events, data accesses, and changes are logged and stored in a way that protects against manipulation. Permissions are granted on a task-specific basis, regularly reviewed, and immediately revoked upon role changes or employee departure."

© 2026 Fitness Nation. All rights reserved.