Annex 3 - Technical and organizational measures

1. Confidentiality

Confidentiality Protection

AWS Inc. holds the following certifications (SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, FISMA, DoD SRG, PCI DSS Level 1, ISO 9001/ISO 27001, ITAR, FIPS 140-2, MTCS Tier 3) and implements the Cloud Computing requirements catalog (C5) of the Federal Office for Information Security.

Access

  • Unauthorized persons must be denied access to data processing systems.

Office level

– Alarm system
– Security locks
– Key regulation

Application level (including AWS)

– Video surveillance of the buildings
– Electronic intrusion detection system
– Chip card/transponder locking system
– Employee and visitor badges
– Wearing of badges in the data center
– Reception with logging of visitors
– Permanent accompaniment of visitors by employees

  • It must be prevented that data processing systems can be used by unauthorised persons.

Office level

– Password rules
– Key rules
– Encryption of data carriers
– Authentication with user name + password

Application level (AWS)

– AWS network: firewalls
– AWS network: authentication
– Password rules
– Authentication with user name + password

  • It must be ensured that systemic data access is only possible to the extent authorized and required, e.g. through encryption.

– Encryption of data carriers
– Authorization concept
– Password rules
– Reduction of the number of administrators to the essential minimum
– Administration of user rights only by system administrators
– Data transmission exclusively via HTTPS

Forwarding

  • It must be ensured that personal data is not accessed without authorization during transmission, transport or on data carriers and that it can be determined to which bodies the data has been disclosed, e.g. by means of encryption.

– Data transmission takes place exclusively via HTTPS

2. Integrity

Data separation

  • It must be ensured that data collected for different purposes can be processed separately.

– Storage of data from different systems on data carriers separated by virtualization
– Definition of database rights
– Logical customer separation (on the software side)
– Creation of an authorization concept

3. Availability

  • It must be ensured that personal data is protected against loss.

Application level

– Replication of data storage
– Daily creation of encrypted backups of the data

Last updated