Technical and organisational measures

Updated: 05.07.2021

The technical and organisational measures (TOM) show what Dualoo (hereinafter also referred to as the provider) is doing to protect the data and under what conditions smooth use is guaranteed. These
are updated from time to time by the provider and always reflect the current status.

The contents of this technical and organisational measures have been translated automatically. Only the original in German has legal validity. The online version in German can be found HERE.

Technical requirements

Dualoo is Software as a Service (SaaS) and is executed via the browser ( Documents generated by the application are stored on the server as Microsoft Office (docx) and Adobe (PDF) files. All data is stored in the UTF-8 character set, which allows all languages to be mapped. To use Dualoo, Internet access with a supported web browser and an e-mail address are required. Otherwise, no installation is necessary.

Supported desktop browsers

Chrome: latest version
Firefox: latest version
Edge: latest version
Safari: latest version

Data processing according to the GDPR

If personal data is edited or used automatically, the internal organisation must be laid out in accordance with the Data Protection Act (GDPR) in such a way that it meets the special requirements of data protection. Dualoo supports the user in this.

By definition, commissioned data processing is carried out by the provider. However, the provider can only have access for a limited period of time for support and assistance purposes and only with consent. As the Provider is covered by commissioned data processing, this document lists below these points which are required for commissioned data processing.

The standard contract for commissioned data processing is based on the transparently published terms of use, privacy policy and technical and organisational measures. This is concluded with the acceptance of the terms of use and the data protection declaration.

If deviating changes or a separate contract are required, the costs amount to 300 CHF / hour (based on time and effort) which is necessary for the provider to check or enter into a contract.

Access Control / Access Control

Access to the provider’s premises is ensured by means of an employee ID card and personal keys. Access to the application, respectively to the data, only works via a personal login by means of user name (e-mail address) and password. The password of each individual user is stored in the database in encrypted form (hash function).

User data is stored exclusively on the ISO-27001 protected server and not on employees’ local devices, which ensures data security. In principle, the provider has no access to the user data unless there is explicit authorisation.

Personal data carrier control: Users are responsible for adequate protection of their devices and passwords. The Provider cannot be held liable for any damage caused by neglecting to protect Users’ devices and passwords.

Access control

Individual rights can be assigned within the application (what can which user do). The user (e.g. administrator in the company) is fully responsible for the internal access authorisation. He controls which access rights the other users (e.g. employees) have.

The provider, on the other hand, is responsible for access to the data from outside by protecting and encrypting the data accurately.

Pseudonymisation and encryption

All data transmitted between the user and the server is end-to-end encrypted. The connection is transmitted using TLS 4096bit (SSL).

Input control / Logging

The provider logs all connections between user and server. If an offence is committed, the provider allows administrators to view the log file of the company.

Availability control and resilience

Data storage and hosting are stored in the data centre of Metanet in Zurich (Switzerland). The data centre meets the highest security standards. The operation is certified according to ISO 9001. In addition, the data centres in Zurich are certified according to ISO standard 27001 for information security as well as PCI DSS accredited.

Backups: The provider performs backups of client data several times a day. To prevent data loss even in extreme cases (e.g. destruction of the data centre by an earthquake), the encrypted backups are stored in parallel in several data centres in Switzerland and abroad. Rotation: 30 days with 12-month archive.

Virus protection: The user bears sole responsibility and is obliged to check the data received and transmitted for viruses. The Provider shall also scan all transmitted files for viruses. The provider cannot be held liable for this, but helps to reduce the risk.

Energy supply / sustainability: The provider’s servers, the website and the office premises are powered by sustainable energy.