Data privacy & information security

Our customers entrust us with numerous sensitive data in the course of software use and projects. Protecting this data is vital for us – a loss of data can result in damage that would be life-threatening for our company.

It is our task and goal to treat sensitive and personal data confidentially and to protect it to a high degree as well as to secure the availability of the d.vinci software products in such a way that downtimes and data loss are limited to a minimum.


Team IT Administration
Externer Datenschutzbeauftragter
d.vinci Security Board
Team IT Administration
Team IT Administration
Team IT Administration

The DSGVO – the basis for data privacy

At d.vinci, personal data is processed in accordance with the applicable data protection regulations. Relevant legal provisions are the General Data Protection Regulation, the Federal Data Protection Act, ISO 27001 and, if applicable, area-specific legal provisions.

This applies not only to us as a company, but also in our cooperation with service providers, suppliers and partners. Every other business process that involves the processing of personal data is checked by us for compliance with the legal requirements.

The protection of individuals with regard to the processing of personal data is a fundamental right. According to Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), everyone has the right to the protection of personal data concerning him or her.

Principles of data protection at d.vinci

Our most valuable asset is the trust of our customers. It is therefore essential for us to consider data protection requirements and potential risks in all projects, processes and decisions.

Even though data privacy incidents and information security incidents can occur, our goal is to respond to identified risks in such a way that we can recognize the incidents quickly, initiate appropriate countermeasures, and avoid any damage to our customers and employees.

High professionalism and quality

ensure the quality of our services.

Maintain integrity and confidentiality

of personal and sensitive data.

Limit downtime and data loss

and reduce them to a tolerable minimum.

Protect trade secrets

Compliance with our technical-organizational measures (TOM).

Comply with legal framework conditions

Observe and take into account data protection laws and information security standards.

Design software solutions securely

Be innovative, but at the same time develop robust and data-protection-proof.

Rights & data worth protecting

Personal data, protect the privacy of data subjects and the right to informational self-determination.

Come in: Transparency & Dialogue

Hardly any other topic concerns our customers as much as the protection of their data – understandable, after all, they entrust us with sensitive data. This makes it all the more important for us to give everyone the opportunity to see for themselves how data protection is practiced, taken into account and checked at our company. We are happy to open our doors to customers and interested parties – on site in our Hamburg office or virtually!

Perform pentests

We are happy to give our customers the opportunity to perform penetration tests (pentests) themselves to check the security of all system components for unauthorized intrusion. Afterwards we will discuss the results with you.

Doing audits at d.vinci

In order to check whether processes, requirements and guidelines meet the required standards, we invite our customers to conduct their own audits at d.vinci. We will make an appointment with you and take the time to answer your questions – virtually or on site in our Hamburg office.

Share with the data security team

Our data security team is always there for you personally. Especially Ralf (to the interview) & Matthias (to the interview) maintain a great contact to our customers and answer, in addition to all questions about security at d.vinci, one or the other general question about data protection and information security.

Data protection in the d.vinci daily work routine

The data protection management system (DSMS) and the information security management system (ISMS) do not lead a shadowy existence at d.vinci, but are anchored in the daily work of all employees without being perceived as “ballast”.

To achieve this, we attach great importance to both legally compliant and pragmatic application of data protection laws and the ISO 27001 standard. Only in this way can we ensure that our employees are happy to take data protection into account in their decisions and regularly question it.

For this it is important that

  • documents are easy to understand and enjoy reading.
  • there is a practicable method for risk assessment that is oriented to everyday needs.
  • feedback from employees on the perception and effectiveness of the DSMS and ISMS is incorporated into improvements at all times.
  • we learn quickly from our customers’ experiences and feedback, and we have our systems audited regularly to identify and implement potential improvements.
  • we use internal ambassadors to make the benefits of information security and data protection transparent for all team members.
  • we are adaptive and regularly review and improve ourselves and our regulations.

Quality from the north

Data center, software development & service/support in Hamburg

Direct contact with us

Our data security team is always there for you personally

ISO 27001 certification

We set a strong example for the security of information, data and systems.

Zertifikate & Berichte zum Download

ISO 27001 certificate

Here you can download the current ISO 27001 certificate.

Anwendungsbereich der ISO 27001

This document defines the areas of the company where our ISO 27001 certification applies.

Guideline Information Security

Scope, objectives & requirements so that information security can be ensured.

Guideline Data Protection

Scope, objectives & requirements to comply with personal data processing legislation.

Annual Report of the Data Protection Officer 2023

Audit result of the data protection officer as well as statement on the technical & organizational measures according to Art.
Art. 32 DS-GVO.

Order processing contracts (AVV)

All framework agreements & individual agreements for the d.vinci products for download.

Data protection certificate

Our data protection certificate for download (June 2023)

Questions & Answers

FAQ about data protection & information security at d.vinci

What principles apply to the handling of personal data at d.vinci?

The topic of data protection should not lead a shadowy existence at d.vinci, but should be anchored in the daily work of all employees without being perceived as “ballast”.

We believe that the knowledge of our employees is the best basis for continuous improvement. We take measures to make the feedback and knowledge of our employees transparent and to incorporate it into the improvement of data protection. We also undergo regular audits to identify and implement potential for improvement. Our employees receive regular training on data privacy and information security. Part of the training is, for example, how to deal with data privacy violations. If special data protection rules are required for a department, the employees concerned receive separate training on this. In the training sessions for employees, we particularly address the principles for handling personal data at d.vinci:

  • Lawfulness of processing: There must be a legal basis for the processing.
  • Fair processing: The processing of data must be fair and honest (fair).
  • Transparency: we must inform data subjects about data processing and data subjects have information rights about what personal data we process.
  • Purpose limitation: The purposes of data processing must be defined, unambiguous and legitimate at the time personal data is collected.
  • Data minimization: Personal data must be adequate and relevant to the purpose and limited to what is necessary for the purposes of the processing.
  • Accuracy of data processing: Personal data must be factually accurate. Incorrect data must be deleted immediately.
  • Storage limitation: With the standardized storage limitation, personal data may only be stored in a form that permits identification of the individual for as long as is necessary for the purposes of the processing.
  • Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data.
What happens if there is a data protection incident at d.vinci

First, data protection incidents must be reported immediately by our trained employees at d.vinci to the management, the external data protection officer, the internal data protection advisor and the information security officer. Subsequently, the affected parties and the data protection authority must be informed without delay. The processes and procedure are regularly trained and tested at d.vinci.

Where is the data stored?

Our servers are located in the pop-interactive data center in Hamburg. It is a SAAS solution and only we (d.vinci) have access to and administer the servers, no one else. From the data center we only use the surrounding infrastructure (fire protection, etc.).

Does a Disaster Recovery Plan exist?

Yes. The data is backed up daily according to an established procedure and stored encrypted outside the data center in a cloud. This means that the systems with the backed-up data can be restored in the event of a “disaster”. The individual steps for this are documented and regularly tested.