Business assets and suppliers
Introduction
We manage suppliers, cloud services, business assets, and physical access to buildings and data centers. This includes: (1) selection and periodic evaluation of suppliers, (2) information security measures for cloud services including defined responsibilities and segregation, (3) registration, management, and disposal of business assets, and (4) physical access control to offices and data centers.
Detailed explanation
Supplier management (selection, contracting, and monitoring)
Scope
All contracted suppliers fall within the scope for assessment and monitoring. Critical suppliers (based on their importance for availability and continuity, for example as identified in the BIA register and Supplier Overview) are monitored on a regular, scheduled basis. Non-critical suppliers may also be reviewed in case of doubts about the quality of delivered services or products.
Selection and contracting
We apply fixed criteria when selecting suppliers, including security and privacy requirements. These criteria are based on the Preferred Requirements List within the ISMS.
For new tools or applications, we carry out a structured selection process, including the use of supporting questionnaires (“Supportive Questions for supplier selection”) where appropriate. A shortlist of suppliers is evaluated, after which the preferred supplier is submitted to management (MT) for decision-making. Decisions on selection, continuation, or termination are taken within this formal management process.
Monitoring and evaluation of suppliers
Critical suppliers: half-yearly review to ensure continued compliance with agreements and requirements.
All suppliers: annual general evaluation via the management review.
Supportive questions for supplier selection (due diligence)
Where appropriate, we use a structured questionnaire to assess suppliers consistently and on a risk-based basis. The questions cover, among other things:
security and privacy policy, certifications, and processor agreements
screening, confidentiality, and access management for personnel
logging and monitoring
data centers, data locations, and network segregation
cryptography and backups
incident and data breach procedures
audit capabilities and audit responsibilities
This supports a traceable and risk-based supplier selection process.
Information security for cloud services
Lifecycle and shared responsibility
We use SaaS and PaaS services to support business processes. Responsibilities between the cloud provider (CSP) and us as the cloud service user (CSU), and where applicable as cloud service provider, are contractually defined. This ensures that shared responsibilities (e.g. access control, incident handling, and backup management) are clearly assigned to avoid gaps or overlaps in responsibilities.
We ensure, among other things, appropriate configuration, access management, monitoring, and contractual arrangements (including data processing agreements where applicable).
Segregation and hardening
Virtual environments are logically separated to ensure segregation between customers and between customer and internal environments.
Virtual machines are hardened in accordance with business and security requirements.
Administrators follow internal guidelines and procedures for secure management of cloud environments.
Monitoring and incident coordination
Access to real-time monitoring dashboards is available.
Monthly SLA reports provide insight into performance and security aspects (e.g. backups).
Mutual notification obligations apply in case of incidents, planned maintenance, and security testing (e.g. penetration tests).
Return and removal upon termination
Information and other assets are removed or returned in a timely manner after termination of the agreement, as defined in contracts.
Management of business assets
CMDB registration
Relevant and critical assets (hardware, mobile phones, office keys) are registered in the CMDB. Assets are uniquely identifiable and include information required for management, ownership, and traceability.
Lifecycle changes such as purchase, onboarding, offboarding, replacement, and out-of-service are recorded in the CMDB.
Issuance and offboarding
Laptops and mobile phones are issued to employees and must be returned upon termination of employment.
Office keys are registered and must be returned upon offboarding.
CMDB records are updated accordingly.
End-of-life and disposal
Devices are fully erased, reformatted, or reset (factory reset) before reuse or disposal, in accordance with generally applicable guidelines.
Disposal takes place via secure channels, with reference to standards such as DIN 66399 where applicable.
Decommissioned assets are disposed of in a controlled manner.
Loss/theft
Loss or theft of keys or devices must be reported and is treated as a security incident.
Physical access to buildings and data centers
Objective
Access to buildings and rooms is granted to authorized persons only, and physical security measures are in place.
Office locations and access control
We use office locations in Amsterdam, Cologne, Munich, and Singapore. Access is managed via keys, keycards, or mobile applications (depending on location and building management).
Access measures
Separate access is applied for common areas and private office spaces.
Key registration and management are in place.
Alarm systems, motion detection, and camera security are implemented depending on the location and managed by building owners or co-working providers.
Visitor procedures
Visitors register at reception where available (e.g. via digital registration systems), are collected by an employee, and are not allowed unaccompanied access to private office areas.
Key management
Keys are issued after authorization and registered per location. Return of keys upon offboarding is mandatory. Cleaning services and other third parties have controlled and registered access, typically outside office hours.
Data centers
Primary and backup environments are hosted in professional data centers (e.g. in the Netherlands, in Ede (primary) and Rotterdam (disaster recovery), and in Singapore) via our hosting provider. Access is restricted and only possible by appointment. Security measures include:
camera surveillance and intrusion detection
two-factor authentication (RFID + biometrics)
redundant connections to control rooms
VEB-certified security (class 4)
certified security standards (e.g. ISO/IEC 27001)
Updated:
27 March 2026 at 15:20:44