Gatekeeper Systems Privacy Notice

Last Date of Revision: June, 2024

Select Privacy Policy Version

California
European Union
United Kingdom

1. Who this privacy notice applies to

This privacy notice applies to the following data subject categories and covers the use of personal data when:

You visit our website www.gatekeepersystems.com, (website visitor);
Interact with us for product information (contact page, sales contact form or vendor and service company inquiry form, through phone and email enquiries), (sales enquiry);
Sign up to receive more information through the Learn More and MarketWatch pages (newsletter subscriber);
When you access our GDOCS platform, (implementers and GKS staff);
When you apply to a position directly for our vacancies. (job applicant);
When you are interact with us at trade shows or were contacted by us when cold calling (lead or a customer representative);
When you make use of our platform as an employee of our customers;
When you use our platform as a video classifying agent.

This section of the privacy notice applies to all individuals and customers. If you are accessing from California, Europe or the UK, a different section of the privacy notice will also list additional COPPA and GDPR-related information depending on jurisdiction (see links above).

2. Who this privacy policy does not apply to

If you are a store shopper and you believe your personal data was collected in a retail area where Gatekeeper Systems solutions are implemented, whether you are an employee or a patron or store visitor, please approach the store owner for more information on what data protection rights are available to you and how to exercise them. As a data controller (GDPR Art.4.7), making use of our solutions, the retail company owner of the shop you visited is the custodian of your data and your data protection rights.

3. What data we need and why we need it

In the tables below, you will find the following information:

a) Context and data subject category: provides background information and helps determine whether this processing actually applies to you.
b) Activity processing your data: describes a business need or a service that makes use of your data.
c) Purpose served: describes that business need or service.
d) Categories of personal data: outlines the exact data being processed.
e) Legal base for the process of your personal data (GDPR and UK GDPR-relevant only)
f) Retention period for this data: specifies how long that data is retained for the purpose (stated in c.).
g) Selling of information: indicates whether and what PII is sold. (CCPA-relevant only)

There are several scenarios in which we collect and process your personal data.

Please locate the scenario of interest to you in the relevant table below to identify what data is processed in which context.

Please note that the following scenarios apply to all data subjects listed in Section 1 regardless of jurisdiction (unless specified as US-only). The controller for the following processing activities is Gatekeeper Systems Inc., with details included below.

4. Data processing by GatekeeperSystems Inc.

GKS Inc. (USA)

Who We Are

For the data collected in the scenarios below, Gatekeeper System, Inc. is a data controller/business that controls the collection of a consumer’s personal information.

To exercise a subject rights request or to ask questions relative to how your data is processed, this is how you may contact us:

Gaterkeeper Systems, Inc.

90 Icon, Foothill Ranch
CA 92610, USA
+1.949.453.1940
info@GatekeeperSystems.com

4.1. Providing the website, the platform and marketing services

Context and data subject category	Activity processing your data	Purpose served	Data collected / processed	Legal Base (for processing of the data). Relevant for UK and EU users	Retention period for this data
Website Visitors	Capturing information through contact forms & interactive calculators	Allows GKS to provide a means for data subjects to get in touch.	Contact information (first name, last name, company name, email*, phone, post code, country) Msg payload / free text comment Areas of interest (GKS solutions) Agreement to the Privacy Policy (status) Humanity (Recaptcha)	Performance of a contract (GDPR Art.6.1.b)	We retain this information for the period necessary to achieve our purposes.
	Capturing information through the Sales Form	Allows GKS to provide a means for data subjects to get in touch.	Contact information (first name, last name, company name, email*, phone, post code, country, state/province) Msg payload / free text comment Areas of interest (GKS solutions) Agreement to the Privacy Policy (status) Humanity (Recaptcha)	Performance of a contract (GDPR Art.6.1.b)	We retain this information for the period necessary to achieve our purposes.
	Commenting articles on the blog. (mainly used for vertical communication)	Allows GKS visitors the possibility to engage with the company.	Free text (anonymous contributions are possible)	Legitimate Interest (GDPR Art. 6.1.f)	We retain this information for the period necessary to achieve our purposes.
	Pushout Theft News Center Website	Maintaining interest in Gatekeeper push out product offering	E-mail address	Legitimate Interest (GDPR Art. 6.1.f)	Until unsubscription
	Tracking and analytics on the corporate website (see more cookie information below)	Analysing Website traffic to understand who GKS' visitors are.	Google Analytics: Aggregated data (website number of users, duration, events on the website i.e submitted forms in analytics, users location, time when the website was visited, pages viewed) Hotjar: Keystrokes, Heatmaps, Unique User ID, Electronic network activity information (i.e information about the device, operating system; and software, date and time of access to website, browsing history).	Consent (GDPR Art.6.1.a)	We retain this information for the period necessary to achieve our purposes.
Newsletter Subscribers	Subscribing for weekly marketing communication Marketwatch Newsletter	Allowing subscribers to subscribe in order to receive weekly recap on retail & loss prevention news	Email (mandatory), first name, last name and company (optional)	Consent (GDPR Art.6.1.a)	Until unsubscription
Newsletter Subscribers	Sending weekly newsletters	Allowing subscribers to receive weekly recap on retail & loss prevention news	E-mail address	Legitimate Interest (Art.6.1.f)	We retain this information for the period necessary to achieve our purposes.
Registered Users	Logging users (GDocs)	Allows GKS to provide access to resources via its website to staff and implementers.	Registered users : IP address of latest visit associated with account login with email address and password	Legitimate Interest (Art.6.1.f)	We retain this information for the period necessary to achieve our purposes.

4.2. Provision of products and services

Context and data subject category	Activity processing your data	Purpose served	Data collected / processed	Legal Base (for processing of the data). Relevant for UK and EU users	Retention period for this data	The selling of Information (CCPA)
Customer employees	Video access and use of metadata by GKS	Allows GKS to conduct analytics on market trends (e.g evolution of retail during the pandemic)	Time and day, store location, amount of theft, confirmation of theft	Legitimate Interest (GDPR Art. 6.1.f)	We retain this information for the period necessary to achieve our purposes.
Video classifying agents	Performance evaluation of the classifying agent	Allowing GKS to evaluate the performance of the agent and allows for spot-checking of the classifier	Video and classification score	n/a (US-only)	n/a (US-only)

4.3. What third parties do we share/disclose your data with/to?

Processing Activity	Tools Used	Location of the Contracting Entity
Capturing information through this contact form Learn more (contact form) https://www.gatekeepersystems.com/us/learn-more	reCaptcha	US
Capturing information through the Sales Form https://www.gatekeepersystems.com/us/sales	reCaptcha	US
Commenting articles on the blog. (mainly used for vertical communication)	Wordpress	US
Pushout Theft News Center Website	WIX	US
Tracking and analytics on the corporate website	Google Analytics, Hotjar	US, Malta
Subscribing for weekly marketing communication Marketwatch Newsletter	Constant Contact	US
Sending weekly newsletters	Constant Contact	US
Logging users (GDocs)	Jub Jub	US
Video access and use of metadata by GKS	No third party tool	n/a
Performance evaluation of the classifying agent	No third party tool	n/a
Conducting cold calling	Microsoft Dynamics	US
Transforming the lead into customers	Microsoft Dynamics	US
Setting up new clients through tradeshows	Microsoft Dynamics	US
Drop shipping from GKS Inc entity to the retail shops	Microsoft Dynamics	US
Collecting candidate applications on the Career portal	Workforce Career portal now operated by ADP	UK ADP: US

4.4. Are other websites accessible through our website?

Yes. Our site does have links to the websites of affiliates, including the GNET, StorePort and StorePortG2 websites. Your use of such sites is strictly governed by those respective sites’ posted terms and conditions and privacy policies. We encourage you to read such terms and policies.

4.5 How do we protect your information?

To prevent unauthorised access or use of your information, we have put in place commercially reasonable and appropriate administrative, technical and physical procedures to safeguard the information we collect through the Site. These include:

Encryption
Encrypted video transfer, post processing and storage to localized encrypted-at-rest video storage in the EU*. This ensures that video data is encrypted while stored on the servers and in transit. Encryption standard used: HTTPS with TLS 1.2 protocol and AES-256.
Building security camera access control
A switch is maintained in a locked cabinet and by default the keys are not available to store personnel. During an installation the WiFi temporarily enabled.

4.5. Do we use Cookies?

Yes. Cookies enable us to personalise your web browsing experience.

Cookie	Purpose	Duration
Necessary for displaying content
PHPSESSID	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user sessions on the website. The cookie is a session cookie and is deleted when all the browser windows are closed.	Session
exp_csrf_token	This cookie is used for the purpose of website security that is Cross-Site-Request forgery prevention. It is used to identify the trusted web traffic.	2 hours
Performance purposes
_gat	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites	1 minute
Unclassified purposes
_gat_ga2	No description	1 minute
_hjSessionUser_846089	No description	1 year
hjSession_846089	No description	30 minutes
Analytics purposes
_ga	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.	2 years
exp_last_visit	This cookie is used by the website Content Management System. This cookie is used to store the last visit date of the registered users.	1 year
exp_tracker	This cookie is used by the website Content Management System. This is a temporary cookie which expires when the visitor closes the browser window. This cookie stores the last five pages viewed by the visitor for form or error message returns.	session
exp_last_activity	This cookie is used by the website Content Management System. This cookie is used to record the time of the last page load.	1 year
_gid	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.	1 day
_hjIncludedInSessionSample	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.	2 minutes
_hjFirstSeen	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.	30 minutes
_hjIncludedInPageviewSample	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.	2 minutes
_hjAbsoluteSessionInProgress	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.	30 minutes

4.6. Do we track information about your online activities?

Our Site does not currently respond to “Do Not Track” signals sent from your browser. However, we do not collect information about your online activities over time, across third party websites or through other online services. As mentioned above, we do use Google Analytics and Hotjar to support our Site, which involves the automatic collection of information such as the web address of our Site and your IP address. For more information about the use of Google Analytics, see Google’s privacy policy. For more information about the use of Hotjar, see Hotjar’s privacy policy.

5. US and California residents

Please note that the following scenarios apply to data subjects listed in Section 1 residing in the United states and California. The controller for the following processing activities is Gatekeeper Systems Inc., with details included in Section 2.

5.1. Sales (US-only)

Context and data subject category	Activity processing your data	Purpose served	Data collected / processed
Leads	Setting up new clients through trade shows	Receiving the business card from the lead and the sales team does follow-ups	Name, phone number, email address
Customers	Drop shipping from GKS Inc entity to the retail shops	Allowing GKS to ship products to retail shops in the US	Shipping address, phone number of the recipient
Leads	Conducting cold calling	Calling store managers that GKS considers them as potential leads	Name, phone number, email address
Customers	Transforming the lead into customers	The customer issues a purchase order and then account manager processes the purchase order and then the information is sent to the installation department and the installation is coordinated with the field services department	Purchase order number, Company address,store address, name of the company, credit card information (if the customer pays in advance), name of the contact person you coordinate with and phone number

5.2. Applicants (US-only)

Context and data subject category	Activity processing your data	Purpose served	Data collected / processed	The selling of Information (CCPA)
Applicants	Collecting candidate applications on the Career portal	Receiving the business card from the lead and the sales team does follow-ups	Name, phone number, email address

California Consumer Privacy Act

We will not distribute your personal information to third parties for the purposes of marketing or advertising third party products to you without obtaining your consent in advance.

You have the following additional data subject rights under the California Online Privacy Protection Act:

The right to not be discriminated against for exercising your rights,
The right to object to the selling of your information.

5.1 COPPA – Children’s Online Privacy Protection Act

We do not intentionally collect information from any individual under 13 years of age. Our Site, products and services are all directed to people who are at least 18 years of age or older.

6. UK Resides and UK GDPR provisions

On top of the processing activities listed in Section 2, the following information applies specifically to data subjects located in the United Kingdom.

Data processing by Gatekeeper Systems Ltd.

GKS Ltd. (UK)

Who We Are

For the data collected in the scenarios below, Gatekeeper System, Ltd. is a data controller in the meaning of UK GDPR Art.4.7.

To exercise a subject rights request or to ask questions relative to how your data is processed, you may contact us using:

Gatekeeper Systems, Ltd.

27/28 Eastcastle Street
London, W1W 8DH, United Kingdom
01455882900
privacyuk@gatekeepersystems.com

Our appointed data protection officer

TechGDPR DPC GmbH,
Heinrich Roller Str. 15,
10405 Berlin, Germany
+493054908661
gatekeeper.dpo@techgdpr.com

Supervisory authority of registration

Information Commissioner’s Office
Water Lane, Wycliffe House, Wilmslow- Cheshire SK9 5AF
Nr: + 44 1625 545 700
Elizabeth Denham
https://ico.org.uk

6.1. Sales (UK-only)

Context and data subject category	Activity processing your data	Purpose served	Data collected / processed	Legal Base (for processing of the data). Relevant for UK and EU users	Retention period for this data
Suppliers	Vendor lifecycle management	Allows Ltd to carry out due diligence with its suppliers	Full name of the account representative, associated phone number, company, associated role, associated corporate email address	Legitimate Interest (GDPR Art. 6.1.f)	We retain this information for the period necessary to achieve our purposes.
Visitors	Maintaining a visitor logbook	Allows GKS Ltd. to keep records of external visitors	Date / time arrival + departure / name / phone number (probably minimizable)	Legitimate interest GDPR art.6.1.f)	We retain this information for the period necessary to achieve our purposes.
Vendors	Invoicing accounts receivable & accounts payable	Allows the company to send out accurate records to vendors.	Full name of the account representative, associated phone number, company, associated role, associated corporate email address	Legitimate interest GDPR art.6.1.f)	Records such as invoices are retained for 6 years from the date of issue.

6.2. Applicants (UK-only)

Context and data subject category	Activity processing your data	Purpose served	Data collected / processed	Legal Base (for processing of the data). Relevant for UK and EU users	Retention period for this data
1. Successful Applicants	Reviewing applications	Allows GKS Ltd to determine which applicant best fits the position.	1. CVs are seen on Indeed and downloaded if they are of interest.	Legitimate Interest (GDPR Art. 6.1.f)	duration of the contract (for successful candidates)
2. Unsuccessful Applicants	Reviewing applications	Allows GKS Ltd to determine which applicant best fits the position.	2. CVs passed on by the recruiting agency have their names removed.	Legitimate Interest (GDPR Art. 6.1.f)	duration of the contract (for successful candidates)

6.3. UK Data Subject Rights

As a data subject located in the United Kingdom, you have the following rights with respect to us regarding the data relating to you:

Right to information about your stored personal data, its origin and possible recipients and the purpose of the data processing (Art. 15 GDPR),
Right to rectification of inaccurate data (Art. 16 GDPR),
Right to erasure of processed personal data, unless processed to fulfil a legal obligation or public interest (Art.17 GDPR), or there are statutory retention periods (see point 12.)
Right to restriction of processing (Art. 18 GDPR),
Right to withdraw your consent. We will then no longer continue the processing based on this consent for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by the revocation. (Art. 7 GDPR),
Right to data portability but only in instances where data is processed on the basis of consent or performance of a contract (Art. 20 GDPR),
Right to object within the framework of the legal requirements. Should the data processing by us be based on legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. You may object to the processing of your data for direct marketing purposes at any time, even without giving reasons (Art. 21 GDPR).

You have the right to revoke your consent at any time. This means that we will no longer process the data based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it is a matter of objecting to the processing of data for direct marketing purposes, you have a general right of objection, which will also be implemented by us without giving reasons.

How you can exercise your rights

If you wish to exercise your right of revocation or objection, it is sufficient to send a message to the relevant Gatekeeper Systems entity.

On top of the rights indicated in the table above you also have the rights to lodge a complaint with the supervisory authority should we fail to respond to your request within a month or if you judge the response unsatisfactory. We are registered with the UK ICO but you can contact the authority of your choice.

6.4. What third parties do we share your data with?

Processing Activity	Tools Used	Location of the Contracting Entity
Reviewing applications	1. Indeed UK 2. Industria Personnel	UK
Vendor lifecycle management	Gatekeeper, Inc.	US
Maintaining a visitor logbog	No third parties	n/a
Invoicing in / out	Gatekeeper, Inc.	US

7. EU Resides and GDPR provisions

On top of the processing activities listed in Section 2, the following information applies specifically to data subjects located in the European Union.

Data processing by GatekeeperSystems GmbH

GKS GmbH (DEU)

Who We Are

For the data collected in the scenarios below, Gatekeeper System GmbH is a data controller in the meaning of GDPR Art.4.7.

To exercise a subject rights request or to ask questions relative to how your data is processed, you may contact us here:

Gatekeeper Systems GmbH

Albertstr. 2‐6
73054 Eislingen, GERMANY
info@gks-eu.com

Our appointed data protection officer

TechGDPR DPC GmbH,
Heinrich Roller Str. 15,
10405 Berlin, Germany
+493054908661
gatekeeper.dpo@techgdpr.com

Supervisory authority of registration

We are registered with the
Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart, GERMANY

7.1. Sales (EU-only)

Context and data subject category	Activity processing your data	Purpose served	Data collected / processed	Legal Base (for processing of the data). Relevant for UK and EU users	Retention period for this data
Customers	Managing the customer database (business customers)	Allows GKS GmbH to manage and monitor the performance and management of customers or services.	email address, possibly date, name, telephone number, miss/mister, gender, tax number, bank account number	Performance of a contract (GDPR Art.6.1.b)	10 years
Suppliers	Managing the suppliers database	Allows GKS GmbH to manage and monitor the performance and management of contracted suppliers or services.	email address, possibly date, name, telephone number, miss/mister, gender, tax number, bank account number	Performance of a contract (GDPR Art.6.1.b)	10 years
1. Customers (preferred terminology) (buyers of goods and services) 2. Suppliers - external service provider (subcontractors of goods) 3. Clients (contracting party that has placed an order with the own company) 4. Applicants (persons who have submitted	Communicating via email	Allows GKS GmbH to communicate internally and externally using Gatekeeper's email service provider.	For customers, clients and suppliers: email address, possibly date, name, telephone number, miss/mister, gender, tax number, bank account number. From applicants: e-mail address, telephone number, anything else shared by the applicant	Legitimate Interest (GDPR Art. 6.1.f)	6 years
1. Customers (buyers of goods and services) 2. Suppliers (subcontractors of goods) 3. Clients (contracting party that has placed an order with the own company)	Managing appointments and using the calendar	Allows GKS GmbH to set client and internal appointments and organise meetings and rooms where these appointments take place.	email address, possibly date, name, telephone number, miss/mister, gender, tax number, bank account number	Legitimate Interest (GDPR Art. 6.1.f)	10 years
Client's representatives	Sharing client's representative data with GKS Inc (data processor)	Allows GmbH to transfer personal data of client's representatives to our parent company for finance and accounting purposes.	Name, company’s affiliation, job position, email address, phone number	Legitimate Interest (GDPR Art. 6.1.f)	We process your data for as long as it serves finance and accounting purposes
Client's representatives	Long term storage of invoices	Allows GmbH to satisfy local legal requirements (Germany) to maintain proof of sale for 10 years.	Full name of the representative, associated company information and invoice information	Legal obligation (GDPR Art. 6.1.c)	10 years

7.2. Applicants (EU-only)

Context and data subject category	Activity processing your data	Purpose served	Data collected / processed	Legal Base (for processing of the data). Relevant for UK and EU users	Retention period for this data
Applicants	Reviewing applicant data	Allows GKS GmbH to review applicants and determine whether someone is a good fit for the company.	Name, address, level of education, birthday, cover letter, CV, reference letter	Legitimate Interest (GDPR Art. 6.1.f)	8 weeks (unsuccessful candidates) We receive the information through email: The emails are deleted after 3 months.
Applicants	Managing appointments and using the calendar	Allows GKS GmbH to set client and internal appointments and organise meetings and rooms where these appointments take place.	Name, email address	Performance of a contract (GDPR Art.6.1.b)	8 weeks (unsuccessful candidates) 10 years for successful applicants turned into employees

7.3. EU Data Subject Rights

As a data subject located in the European Union, you have the following rights with respect to us regarding the data relating to you:

Right to information about your stored personal data, its origin and possible recipients and the purpose of the data processing (Art. 15 GDPR),
Right to rectification of inaccurate data (Art. 16 GDPR),
Right to erasure of processed personal data, unless processed to fulfil a legal obligation or public interest (Art.17 GDPR), or there are statutory retention periods (see point 12.)
Right to restriction of processing (Art. 18 GDPR),
Right to withdraw your consent. We will then no longer continue the processing based on this consent for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected by the revocation. (Art. 7 GDPR),
Right to data portability but only in instances where data is processed on the basis of consent or performance of a contract (Art. 20 GDPR),
Right to object within the framework of the legal requirements. Should the data processing by us be based on legitimate interests, you have the right to object to the processing of your data at any time for reasons arising from your particular situation. You may object to the processing of your data for direct marketing purposes at any time, even without giving reasons (Art. 21 GDPR).

How you can exercise your rights

If you wish to exercise your right of revocation or objection, it is sufficient to send a message to the relevant Gatekeeper Systems entity.

On top of the rights indicated in the table above you also have the rights to lodge a complaint with the supervisory authority should we fail to respond to your request within a month or if you judge the response unsatisfactory. We are registered with the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg, but you can contact the authority of your choice.

7.4. What third parties do we share your data with?

Processing Activity	3rd Parties Used	Location of the Contracting Entity
Reviewing applicant data	Stepstone, GKS, Inc.	Germany, US
Managing the customer database (business customers)	1. GKS, Inc. 2. NextCloud	1. US 2. Germany
Managing the suppliers database	GKS, Inc.	US
Communicating via email
Managing appointments and using the calendar
Sharing client's representative data with GKS Inc

7.5. How do we protect your information?

We implement the following technical measures:

Encryption of data sets
We encrypt the mail contents and data stored in the cloud, as well as the email header and body. For the external digital exchange of data media, care is taken to sufficiently strongly encrypt the data e.g. with BitLocker.
Building security, access control and visitor logging
We implement physical entry security. External visitors request access via an intercom. We also implement system access control and logging of visitors at the reception. The physical security perimeter is defined and visible. Outside of the office hours, access to the building requires a key whereas access to individual offices requires a key at all hours. Visitors are granted access only after registration and have limited access prior to being greeted by a staff member.
System and data, access control, VPN and IP filtering
Remote work is only possible if VPN is used and IP filtering is implemented.
Protection from viruses
Our Microsoft terminals are equipped with a centrally-managed antivirus which cannot be deactivated by the user. Firewalls on mobile phones are updated automatically. WLAN network segregation is implemented. Unused LAN sockets are deactivated
Laptop encryption
We implemented the following two encryptions on laptops:
1. Laptop encryption (type1) : hardware-based SSD encryption in the BIOS (OPAL SSC: AES-128/256bit encryption)
2. Laptop encryption (type2) : hard disk encryption, e.g. Bitlocker with AES-128/256bit, or TrueCrypt/VeraCrypt with AES, Twofish or Serpent, or dm-crypt/crypt-setup/LUKS with AES, Twofish.
Data media security
A governed internal use of mobile media is implemented.
Backup security
Backups are required when installing and configuring files. Backups are password protected.
Data deletion
Deletion is defined for encrypted data.
Management of removable media
The use of private data media is not permitted.
Event logging
External data sharing requires explicit data owner permissions.
Assets handling
Data export to mobile data carriers occurs only after a documented customer request. Data exports are logged and are traceable.
Protection from malware
All windows computers are equipped with a virus scanner. For windows users, signature update intervals take place daily & heuristic detection is enabled (ESET).The virus scanner is also activated in servers. All workstations are equipped with an operating system Software firewall. Outgoing traffic from workstation clients is filtered via an application-level firewall (web proxy), which also breaks open TLS connections and analyzes their content. User rights are achieved through group membership, so that connections are only possible to preconfigured content types of web pages. A software firewall is installed on all servers, the configuration of which maps the requirements of data exchange between the systems, and thus limits communication to the ports/services and, if necessary, IP ranges. Servers with increased protection requirements are in a separate ring of protection and can only be accessed via upstream proxies or load balancers with their own fire
User controls/ authorizations
The user rights are restricted to the areas of activity according to the minimum principle. Each user or their user profile is assigned to a department-dependent role that reflects the necessary authorisations for their tasks. The group / department head works out the authorisation matrix with the data protection officer and forwards it to the specialist department for the allocation of authorisations. When a person joins a department, the role and thus the authorisation is determined on the basis of this matrix; when the person leaves the department, the assignment of rights is reversed.
Access controls
Access authorisations are assigned on a role-based basis. For systems that cannot manage roles, authorisation levels are predefined, requested, assigned and rolled out for a user. Role authorisations are designed by the group/department head based on the task, tested, and documented in a matrix. Individual authorisations are documented for each system. As part of the onboarding process the rights are requested by the group/department and set by the Software Engineering / IT department. In the offboarding process, these assignments are reversed. Passwords secure system access and are therefore at the heart of security requirements. Password policy: at least 8 characters, at least 3 of 4 criteria (upper case letter, lower case letter, digit, special character). For core systems, the password must be at least 12 characters long for administrative access. The use of password management programs is encouraged. Logging of changes made to data sets.
Transfer controls
E-mail communication is encrypted. Automatic data transfers are traceable. When sending e-mails, the target address is read out from the DNS resolution for the determined target domain, starting from the customer configuration. The electronic data transmission is logged with date, time, message ID, sender, recipient, send and receive IP, reverse DNS name, if any, and SMTP error code. The logs are deleted according to the deletion matrix.
Transport controls
Ensures that the confidentiality and integrity of the data physically transported out of our company is protected. For the external digital exchange of digital data media sufficiently strong encryption of the data data is used, e.g. Bitlocker or 7zip. External exchange only takes place with the explicit, documented permission of the data owner.
Restorability
The IT department is responsible for the correct operation, the follow-up of system messages and the configuration of the data backup. This is carried out with open source software or proprietary software. In the event of a malfunction, the operating system, configuration and data can be transferred through partially or fully automated installation (data restore and/or automated deployment). The systems are backed up automatically every 24 hours and the data status of the last 30 days are available. The backup is carried out per Computer centre and office in Schwäbisch Gmünder with local agents via the internal gigabit network centrally on a backup system with hard disk RAID. This allows for a restore to be started within a few minutes. Deletion periods are observed in accordance with legal requirements. Documented test restores take place.A disaster recovery plan is in place. For disaster preparedness, at least one remote data center site in Germany is used for operations, which are maintained by certified operators. This data center has redundant power supply, network supply, air conditioning and extinguishing systems on its own. Data processing is already fully guaranteed with the operation of a single data center. The second and further data centers are used to increase redundancy. Central data systems are additionally doubled with automatic replication as well as hot-fail-over functionalities. Communication and exchange of data is always encrypted.
Data integrity
Specification of functional and non-functional new projects using a customised version. A 4-eyes principle is applied for all changes to live systems. Changes to authorization and configuration objects and personal data are possible via the control panel. Every action – incl. (failed) logon – is recorded in the audit log with date, time, logon name, action, object and original IP address. For the authorization management there are three standard authorization roles: user, customer administrator, partner. Individually definable authorizations, which are also made available as roles are possible. Users are assigned to these roles. Data transfer takes place exclusively over encrypted connections (VPN or TLS). Data transfers from tier 1 (front end) to tier 2 or from tier 2 to tier 3 (back end) are only possible for defined end points.
Data Processing Agreements
We only select processors that meet the requirements of the GDPR and conclude GDPR-compliant DPAs. When awarding contracts to contractors, the points required by the GDPR are contractually fixed. If the processor is not able to do this, a DPA will not be concluded. We ensure the deletion of data after the DPA termination. There is an ongoing review of processors. Gatekeeper Systems GmbH attaches great importance to documented and practised data protection and IT security processes and checks the documentation. Contracts with contractors are only concluded if they clearly commit themselves contractually to compliance with confidentiality and data protection.
Separation controls
We separate the control and test systems. Logically and physically separate systems with their own database and data structure are used for internal purposes (e.g. development, testing and backup).
We implement a logical separation of clients. Client separation is set up so that a client (cloud user) does not receive unauthorized information from other clients (cloud users). It ensures that no client can access the resources of another client, for example, to virtual machines, networks or cloud storage (OwnCloud). All data is stored by the client in dedicated tables for each client.
Organisational controls
We implement regular review and evaluation cycles. An internal reporting process encourages all employees to escalate detected irregularities. An employee receives the information and adjusts existing processes with the involvement of the relevant group leaders. Employees receive feedback on reported issues. Regular checks and, if necessary, adjustments are made to the measures to determine whether they are still state of the art. Regular network scans check for occurrence of unauthorised service provisioning.
Employees (incl. interns, student assistants) are regularly instructed in writing about data protection and must confirm this by signature (1x per semester). Regular information is provided on processes and topics relevant to data protection; participation is mandatory. The contents are available on an internal drive for all employees to read.
We have created a deletion concept. Gatekeeper Systems GmbH distinguishes different personal data per service. A detailed matrix of the regular deletion periods can be found in the deletion matrix, which can be requested separately. Deletion in special situations, which is not covered by the regular deletion periods, is carried out on a case-by-case basis with the specialist department responsible for the data storage. The data protection officer is in charge. Suspension of deletion – particularly in the case of archived e-mails – is possible at the request of the customer or an authorized body. If data is stored beyond the times specified in the matrix for regular deletion periods, this is done anonymously by cumulating the data files.
We have a procedure in place for addressing data subjects rights requests. The GDPR provides a right of access for data subjects (Art. 15 GDPR). RequestS are recorded in the system. A detailed process for requests is made available to staff:
1. verification whether the request is for information at all.
2. verification of the identity of the requestor.
3. checking whether personal data of the data subject have been processed.
4. if no data are available: Negative notification to the data subject. if data are available: Compilation and immediate response within one month of receipt. In cases of extension of the deadline, the applicant will be informed of this immediately.A data carrier disposal concept is implemented. In the event of a defect, data media on which customer data was once stored will not be claimed but sent directly to data media destruction. Reuse of a data carrier once provided with customer data is also excluded. Data media to be destroyed are collected under lock and key. Data media are professionally destroyed by a certified provider who is contracted by Remynd Systems GmbH as required. The destruction of data media is monitored and recorded. If the data carriers to be deleted are servers used abroad with built-in data carriers, the following regulation applies: – Deletion of all personal data, configurations and scripts for the services – Installing and running a wipe Program – Remynd Systems GmbH is responsible for disposal of the data.
Secure storage
Secure long term storage of invoices on NextCloud (Remynd).

8. Changes to our privacy notice and contact details

Changes to our Privacy Policy

If we decide to change our Policy we will post those changes on this Site. Each posted Privacy Policy will include the latest date of revision.

Contact

This site is owned and operated by Gatekeeper Systems, Inc. If you have any questions concerning this Policy and our site’s use of your information, please contact us at: info@gatekeepersystems.com or 888.808.9433.