Introduction of Cloudflare from August 1, 2024 and amendment of the terms of use

Reminder:

On Wednesday, 31.07.2024 at 18:00, the introduction of Cloudflare may cause the softgarden platform to be temporarily unavailable.
For current information, please visit status.softgarden.io

Dear customers,

We would like to inform you that, from 1 August 2024, we will be using the Cloudflare service for our products.

Why Cloudflare?

This measure will protect our softgarden systems from cyber attacks and further increase our already very high security standards. In particular, the aim is to ward off so-called DDoS attacks ("Distributed Denial of Service"), which aim to overload technical systems through bot traffic and thus limit their availability. By integrating Cloudflare, all access to our systems is protected by an additional web application firewall (WAF).

What is changing? Do we need to sign the DPA again?

Cloudflare will act as an additional subcontractor as part of the commissioned data processing that we carry out on behalf of and on the instructions of you, our customers. This means that Cloudflare will be included in the DPA (agreement on commissioned data processing).

The new, already signed versions of the GCU are available for download on the data protection page.

If you have already concluded an AVV with softgarden, it does not need to be signed again; it is sufficient to download the new annex with the technical and organisational measures here.

We will adapt the privacy policy in the applicant tracking system by 1 August 2024.

Customers who have stored their individual privacy policy must include the following text in their respective privacy policy:

softgarden uses the service of the ISO 27001 certified provider Cloudflare Inc, 101 Townsend St, San Francisco, USA or the subsidiary Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich Germany ("Cloudflare") to increase the security of the platform, in particular to protect against DDoS attacks, and to improve the speed of delivery. Cloudflare provides a network of servers capable of delivering optimised content to the end user and intercepting virus-laden traffic.

The services provided by Cloudflare include the product "Data Localisation Suite" with the components "Regional Services" and "Metadata Boundary for Customers". Both components ensure that the transfer of personal data when using our platform takes place exclusively within the EU.

The "Regional Services" ensure that the customer content traffic, in this case the end customer traffic, is securely transmitted to Cloudflare PoPs within the region selected by softgarden and is checked within a Point of Presence (PoP) in this defined region.

softgarden has chosen Germany as the selected region, so all traffic is checked exclusively on servers in Germany. Metadata Boundary ensures that Cloudflare does not transmit any customer logs originating from the services used outside the European Union.

The personal data processed by Cloudflare includes all content transmitted by customers and applicants, i.e. in addition to the IP address, all files (application documents), multimedia (images, graphics, audio or video) and any interaction of their browser with the softgarden system.

Cloudflare is the recipient of your personal data and acts as a processor for softgarden. This corresponds to the legitimate interest within the meaning of Art. 6 para. 1 sentence 1 lit. f GDPR in ensuring security and user-friendliness on the platform.

Your personal data will be stored by Cloudflare for as long as is necessary for the purposes described, usually 124 calendar days.

Further information about Cloudflare can be found in the Cloudflare DPA.

Important note:

If you are unable to access our system on 1 August 2024, this may be because the platform's IP addresses change as a result of the redirection through Cloudflare. If your firewall only permits connections to specific IP addresses, the IP addresses currently used by Cloudflare, which need to be allowed in this case, can be found here.
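As an added illustration that is not part of softgarden's notice: a small Python check a firewall administrator could use to find which of the addresses the platform hostname now resolves to are not yet covered by the allowlist of Cloudflare ranges. The ranges and addresses embedded below are constructed samples; the authoritative list is the one Cloudflare publishes and it changes over time, so the check is worth repeating on a schedule.

```python
import ipaddress
import socket

# Constructed sample allowlist in the one-CIDR-per-line form Cloudflare publishes.
# Replace with the current published list before relying on the result.
SAMPLE_CLOUDFLARE_RANGES = [
    "# sample ranges for illustration only",
    "104.16.0.0/13",
    "172.64.0.0/13",
    "198.41.128.0/17",
]


def parse_ranges(lines):
    """Parse CIDR lines into network objects, skipping blanks and '#' comments."""
    networks = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        networks.append(ipaddress.ip_network(line, strict=False))
    return networks


def unlisted_addresses(addresses, allowed_networks):
    """Return the addresses that fall outside every allowed network.

    Address families are compared separately, so an IPv6 address is reported
    as unlisted when only IPv4 ranges are allowed (and vice versa).
    """
    missing = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        same_family = (n for n in allowed_networks if n.version == ip.version)
        if not any(ip in net for net in same_family):
            missing.append(addr)
    return missing


def resolve_host(hostname):
    """Resolve a hostname to its current A/AAAA addresses (needs network access)."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    allowed = parse_ranges(SAMPLE_CLOUDFLARE_RANGES)
    # Constructed addresses standing in for resolve_host("<platform hostname>").
    observed = ["104.16.1.1", "203.0.113.10", "2001:db8::1"]
    for addr in unlisted_addresses(observed, allowed):
        print(f"{addr} is not covered by the firewall allowlist")
```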

If you have any further questions, please contact our support team at support@softgarden.de. Our customer service team will be happy to help you.

Following the information on Cloudflare, we would like to inform you about another important change:

Changing the address of a data centre:

We would also like to inform you that we have put another data centre into operation in Düsseldorf with our contractual partner Equinix GmbH. Consequently, an additional data centre address will be included in the agreement on commissioned data processing (AVV). As a result of the move, the data centre at Plusserver will no longer be included in the DPA.

Adaptation of the terms of use:

Due to the Digital Services Act, it is now necessary to include a reference to a complaints option for applicants and our customers in our terms and conditions. We will implement this amendment by 1 August 2024.

Your softgarden team

Data protection FAQs

Q1: What does softgarden use Cloudflare for?

A1: We will be using Cloudflare in future to protect our systems from cyber attacks and to raise our overall security standards. In particular, we want to ward off so-called DDoS attacks ("Distributed Denial of Service"). Such attacks aim to overload technical systems through bot traffic and thus limit their availability. To prevent this from happening, we protect our systems with Cloudflare.

Q2: What are the advantages of using Cloudflare?

A2: Using Cloudflare's service increases the security standard for customer data. Cloudflare is one of the global market leaders in the field of DDoS protection, is an ISO 27001, 27018 and 27701 as well as C5 certified company, and offers security technology against cybercrime at the highest level. Cloudflare has been identified as a qualified DDoS mitigation service provider by the German Federal Office for Information Security (BSI).

Q3: What personal data is processed by Cloudflare and does the privacy policy need to be adapted?

A3: Cloudflare acts like a protective shield in front of our systems. This means that the data traffic to our systems is scanned by Cloudflare and checked for attacks. As a result, the IP addresses of people who use our services (e.g. the applicant management system) or apply via a careers page are processed by Cloudflare.

We will amend the data protection notices that we provide in the system in good time for 1 August 2024. Customers who have stored their own data protection notices must include the passage prepared by us in their data protection notices.

Q4: How long is personal data stored at Cloudflare?

A4: Customer logs are defined as logs of interactions between end users and the service that are made available to the customer via the service dashboard or another online interface during the term of the agreement with Cloudflare. Cloudflare is a data processor for customer logs (e.g. logs for DNS, firewall events, HTTP requests).

Cloudflare retains customer logs containing personal data of end users (i.e. IP addresses) for the last quarter plus one month (approx. 124 days). Cloudflare may be required to retain stored content to fulfil legal obligations or to prevent malicious activity/further attacks (e.g. IP addresses of attackers).

Q5: Are cookies set by Cloudflare?

A5: Cloudflare uses various cookies to make the best use of network resources, manage traffic and protect customers' websites from malicious traffic. These are technically necessary cookies that are required for security purposes and for the secure provision of the service (Section 25 (2) No. 2 TDDDG).

Q6: Where is the data processed?

A6: The so-called "Data Localisation Suite" has been agreed with Cloudflare. This means that we, as a Cloudflare customer, can set in our account where our data and the resulting log data are processed. The admin of the softgarden account at Cloudflare is our managing director Stefan Schüffler and only the SysOps team has access to it. We also have a confirmation letter from Cloudflare Germany GmbH about this.

The "Metadata Boundary for Customers" module was activated, which ensures that all log data is processed exclusively within the EU.

In addition, the "Regional Services" were activated, which ensure that the customer content is transmitted securely to Cloudflare PoPs ("points of presence") within the region selected by us (in our case Germany) and checked within a point of presence (PoP) in this defined region (Germany); the content is decrypted for checking and then re-encrypted. As we have chosen Germany as the selected region, all data traffic with end customer content is checked exclusively on servers in Germany.

To summarise, the Metadata Boundary ensures that Cloudflare does not transfer customer logs originating from covered services outside the European Union, and the Regional Services ensure that no customer traffic is processed outside Germany.

Q7: What security measures does Cloudflare take to protect personal data?

A7: The technical and organisational measures taken by Cloudflare can be found in Annex 2 of the standard DPA.

Cloudflare has also undergone various security-related certifications, including ISO 27001, 27701 and 27018 as well as C5. Further information on the certifications can be found here. We have reviewed the certificates provided by Cloudflare and will regularly check their validity.

Cloudflare is also listed as a "qualified DDoS mitigation service provider" by the German Federal Office for Information Security.

Q8: What certifications or other documents regarding data protection/data security/information security does Cloudflare provide?

A8: Cloudflare is ISO 27001 and C5 certified. You can find more information here.

Q9: Is personal data transferred to third countries and, if so, which transfer mechanisms apply?

A9: In principle, the processing of personal data takes place within the EU/EEA or Germany, as we have selected this as the region (see above). A standard transfer of data to third countries, i.e. countries outside the EU/EEA, is not envisaged.

In the unlikely event that, contrary to these precautions, personal data must be transferred to third countries, this data transfer is legitimised in accordance with Art. 45 GDPR. Cloudflare has certified itself in accordance with the EU-U.S. Data Privacy Framework (verifiable via this list), meaning that the adequacy decision issued by the EU Commission for the USA is applicable to Cloudflare.

In addition, our contractual provisions with Cloudflare include the EU standard contractual clauses (Module 3) in the event that the EU Commission's adequacy decision is declared invalid in the future. These constitute a suitable guarantee pursuant to Art. 46 para. 2 lit. c GDPR. A TIA (Transfer Impact Assessment) for the USA will be provided on request.
