<iframe src="//www.googletagmanager.com/ns.html?id=GTM-W8X3P3" height="0" width="0" style="display:none;visibility:hidden">

Appendix 1: Categories of data to be processed and data subjects

A. Types of personal data that can be components of processing by a processor

☒ Name
☒ E-mail address
☒ Address*
☒ Agreement / Buyer data (e.g. PO number)
☒ Usage data (e.g. Website use logfiles)

B. Categories of data subjects

☒ The Principal’s customers
☒ The Principal's employees*
☒ Employees of service providers, used by th Principal*
☒ The Principal’s website visitors

* only applicable if Principal uses the Trusted Shops legal text generator tool or the GDPR-Manager tool.

Appendix 2: Technical and organisational measures of the Contractor

1. Service providers


Trusted Shops relies on the German hosting provider Anexia and Amazon Web Services (AWS) as its infrastructure providers. AWS is also used for fast delivery of web assets such as review stickers or the trustbadge.

Anexia meets stringent data protection and security requirements. It has been certified according to ISO/IEC 27001:2005 since September 2012 and ISO/IEC 27001:2013 since November 2015. All data are processed exclusively in Germany at the locations in Frankfurt and Munich. More information on

Anexia's security standards can be found at the following link:

The AWS data centres meet stringent security and data protection requirements. They have been tested, among others, to the following standards:

» The German Federal Office for Information Security (BSI – Bundesamt für Sicherheit in der Informationstechnik) C5 standard
» ISO/IEC 27001:2013 (where ISO stands for the International Organization for Standardization)
» SOC 1, SOC 2/SSAE, and 16/ISAE3402 (SAS 70 Type II)
» PCI compliance Level 1

The server is located in Frankfurt am Main. Current information on the security arrangements of AWS can be found at https://aws.amazon.com/de/region-frankfurt/.

Dispatch of e-mails

Trusted Shops relies on Mailjet SAS and AWS to send transactional e-mails.

Mailjet operates its servers exclusively in the EU and meets stringent data protection requirements. Mailjet is a member of the Certified Senders Alliance (CSA) and undertakes to comply with stringent legal and technical quality standards.

Current information on the protection of personal data at Mailjet can be found at https://www.mailjet.com/privacy-policy/?_ga=2.57373352.325749057.1530778682-1383273496.1530778682.

2. Pseudonymisation and encryption


Personal data are pseudonymised prior to transmission to enable the Trustbadge to compare them with those contained in the Trusted Shops system.


The transmission of personal data is encrypted using state-of-the-art transport encryption technology. Passwords are stored in encrypted form according to the current state of the art.

3. Confidentiality and integrity

Equipment access control

Measures designed to deny unauthorised persons (physical) access to processing equipment used for processing personal data.

Data processing and storage at AWS take place at the premises of AWS Frankfurt and at Anexia in data centres in Frankfurt and Munich. The location of all the data centres is secret. They all have clearly defined security arrangements.

Except for the access options provided to administrators and moderators as agreed with the client, access to the data centres in which the client's data are stored is impossible for employees of the contractor. No data processing takes place outside the data centre. Therefore, to document the equipment access control measures, the technical and organisational measures at the relevant AWS and Anexia data processing locations are described.

Access to the data centres is strictly controlled by all server and database service providers. The implemented measures include:

» Video surveillance of the data centres and the surrounding area
» Movement sensors, intrusion detection systems, and security service
» Division into safety zones / restricted areas
» Identity check by the gatekeeper or security service
» Electronic access control (two-factor authentication)
» Logging and regular verification of accesses

User control

Measures designed to prevent the use of processing systems by unauthorised persons. In contrast to the above equipment access control measures, these measures are designed to prevent the intrusion into the electronic data-processing system by unauthorised persons, in particular through the use of state-of-the-art encryption procedures. They also include measures designed to ensure that the attempt of unauthorised access does not go unnoticed.

Depending on the scope of services, data are processed either exclusively on the platform operated by AWS or by both AWS and Anexia. Data can only be accessed via the functions provided (administration interfaces, web applications) to authorised persons.

All employees of Trusted Shops, AWS, and Anexia are contractually bound to data secrecy and to observe the respective internal security regulations, according to which they must lock the screen when leaving their workstation. Among others, the following security mechanisms are also used by the client's service providers:

» Password policies and procedures (minimum length, quality, regular password changes)
» Backup of notebooks and data storage devices using hardware encryption
» Logging of all essential administration activities and transactions
» Technical and organisational procedures in case of incidents or attacks

Data access and data media control

Measures designed to ensure that persons authorized to use processing systems have access only to the personal data covered by their access authorisation (data access control), measures to prevent the unauthorised reading, copying or modification of data media, in particular through the use of state-of-the-art encryption procedures (data media control), as well as measures designed to ensure that the attempt of unauthorised access does not go unnoticed.

Data access and data media control measures involve various systems that enable security analysis, change-tracking, and regulatory compliance monitoring. In addition, Trusted Shops, AWS, and Anexia provide employees with differentiated authorisations. The server structure consists of an Active Directory dividing users into groups. Each group has a role on which access control depends. Access to files which are not included in the access authorisation is not possible.

Among others, the following mechanisms are used:

» Dedicated access levels (profiles, roles, transactions, and objects)
» Access evaluation
» Notification of role changes
» Immediate deactivation of accounts when employees leave the company

Transport control

Measures designed to ensure that personal data cannot be read, copied, altered, or deleted without authorisation during electronic transmission, transport or storage on data carriers, in particular through the use of state-of-the-art encryption methods, as well as measures to ensure that data carriers containing personal data are transported to a shredder only in closed containers and in closed vehicles, so that no material can be lost. These measures include:

» Storage, transfer, transport on mobile data carriers does not take place.
» The ways of data transfer via the Internet are agreed individually with the client.
» The client's data carriers are not used.
» Apart from the data access and media control options provided to administrators in agreement with the client, employees of the contractor are unable to access the client's data.
» The disposal of data media is carried out by a certified service provider.

Input control

Measures designed to ensure that it is subsequently possible to verify and establish whether and by whom personal data have been entered into, modified, or removed from data processing systems.
The client’s transmitted data are recorded by the platform in an audit-proof manner. Any subsequent modification or deletion of the client's data is also recorded by the platform. Employees of the contractor have access to the required data only within the framework of the agreement with the client and within the scope of their function (e.g. moderation of feedback).

» Continuous logging of all changes
» Data can only be deleted by the administrator

Processing control

Measures designed to ensure that personal data processed on behalf of the controller can only be processed in compliance with the controller's instructions. These measures include:

» Clear contract design
» Details of data processing on behalf of the controller can be found in the corresponding contract
» Contracts on data processing have been concluded with all subcontractors, whereby the requirements of the contracting authority are also transferred to the subcontractors.


Measures designed to ensure that personal data collected for different purposes can be processed separately (storage, modification, deletion, transmission). Among others, the following measures are implemented:

» Data are imported into the system and displayed according to their intended use
» Separation of data by client / customer
» Separation of functions / production environment / test environment

4. Availability control and recovery

Measures designed to ensure that personal data are available and protected against accidental loss and destruction and that systems may, in the case of interruption, be restored.
At AWS, the platform is operated over several availability zones. By distributing the platform across multiple availability zones, the system remains stable in most types of failures, including natural disasters or system failures.

Detailed measures can be found at this link:

At Anexia, too, primary and backup systems are spatially separated. This spatial separation allows the system to be restored productively in a short time for most failure types.

In general, the measures in this subsection include:

» Automatic backup systems with regular recovery test
» Daily snapshots of system configurations
» Raid data mirroring for hard disks
» Uninterruptible power supply (UPS)
» Antivirus measures / firewall technology
» Fire protection systems in accordance with regulations
» Redundant cooling systems

5. Data protection by default / design

With regard to data protection by default and data protection by design, the Trusted Shops products are developed in such a way that only personal data that are actually required to fulfil the respective purpose are collected.

With regard to the scope of application of the contract on data processing on behalf of the controller, this means that, when the Review Collector or the automatic review collection feature are used, only personal data that are actually necessary for the sending of review reminders and the validation of customer reviews are collected. Further personal data, such as names, are always optional and are processed by Trusted Shops only if specifically instructed to do so by the client.

6. Regular verification procedures

IT security officer

Trusted Shops GmbH has appointed an internal IT security officer whose main tasks include the development, implementation, and monitoring of an information security management system.

Risk analysis

A risk analysis is regularly carried out by the IT security officer in cooperation with the employees in charge of IT in order to assess the current threat level and determine measures to be taken.

Penetration tests

The results of the regular automated scans designed to reveal weak points are checked and processed by the IT security officer.

The Trusted Shops GmbH systems are periodically checked for weak points by an external service provider.


Appendix 3: Subcontractors and server locations


Amazon Web Services (AWS) , Inc., 410 Terry Avenue North, Seattle WA 98109-5210, USA
Server: Frankfurt, Germany

ANEXIA Internetdienstleistungs GmbH, Feldkirchener Straße 140, 9020 Klagenfurt am Wörtersee, Austria
Server: Frankfurt and München, Deutschland