Data protection and cloud security
The Carl Stahl Service Portal, the Carl Stahl Webshop and the mobile apps (Inventory App, Inspection App and Inspection+ App) are in-house developments. They are based on the latest cloud-based technology and thus offer the highest standards of data security.
You can find details on data protection and the processing of personal data directly in the operating resources portal in the footer or in the profile. Listed here directly for the sake of simplicity:
Terms of use for Carl Stahl's Equipment management: https://www.carlstahl-serviceportal.com/terms-of-use
Privacy policy: https://www.carlstahl.com/de/de/privacy-policy
The Carl Stahl Data Processing Agreement (DPA) can be downloaded at any time in the profile (https://www.carlstahl-serviceportal.com/profile) and directly here: https://cs-equipments-ph1.s3.eu-central-1.amazonaws.com/agreements/2024_Data+processing+Agreement_Equipmentportal.pdf
Technical infrastructure
The cloud-based systems of Carl Stahl Technologies are housed in the server rooms of a renowned Frankfurt data center of AWS (Amazon Web Services). It is one of the most modern and secure of its kind. Thanks to numerous certifications, many different security systems and constant monitoring, the data center is excellently protected against physical and digital access by third parties. With careful site selection, the server rooms are well shielded against environmental disasters.
The AWS data center has:
Certifications | Support Systems | Security | Other features
System requirements
Data protection measures in equipment portal and co.
In order to be able to react quickly to potential hacker attacks and to generally protect the personal data of individual users, Carl Stahl has embedded various measures in its systems to ensure that your data is secure.
Individual assignment of rights
An individual rights and role system allows individual authorizations, including viewing and editing rights in the service portal, to be restricted. Carl Stahl inspectors are only granted access on an order-related basis. Viewing of user data is protected and only possible within the user's own organization. Further information: Manage users, user settings and Authorization groups
Frequent virus scan
All uploaded data such as images and documents, whether uploaded via the app or on the desktop, are scanned for viruses once a week in order to sort out malware directly. The virus scan covers the entire directory and thus ensures greater security.
Two-factor authentication
Only authenticated users can access the administration of the service portal (Juicebox and Identity Provider). With two-factor authentication, access is even more secure and customer data is even better protected. More information about two-factor authentication: Two Factor Authentication
Compliance with retention periods with the Deep-Delete function
Especially in the case of audits, legal requirements for the retention period must be met. The period for deleting equipment and test data can therefore be set individually at Carl Stahl. In this way, occupational safety and data protection can be easily reconciled. Corresponding presettings are integrated in the system as standard. Please contact Support if you wish to define individual deletion periods.
Deep Delete can be set for equipment as well as checks per organization (SAP customer). For example, deleted equipment can be completely removed from the database once a month, or all checks older than 10 years can be deleted without manual intervention. The periods can be set individually for each customer and can be defined according to the customer's wishes, taking into account the legal requirements. The deletion routine then takes effect at the beginning of the month if a defined interval has been exceeded. When deleting checks, however, a check whose period has elapsed is only actually deleted if there is a more recent check on the equipment. If it is the only check, nothing will be deleted despite the timeout.
As default intervals for the Deep Delete, 30 days have been defined for the equipment deletion after removal from the recycle bin and 10 years for the deletion of checks. This means that settings only need to be adjusted for customers who wish to deviate from these periods.
In this way, all personal data included in the certificates is securely and easily deleted in a GDPR-compliant manner. This function also provides additional security in the event of hacker attacks.
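The check-deletion rule described above can be written out as a short selection routine. This is an added illustration, not Carl Stahl's code: the record layout, function names and sample data are assumptions, and only the 10-year default and the "keep the most recent check" rule come from the text.

```python
from dataclasses import dataclass
from datetime import date

DEFAULT_CHECK_YEARS = 10  # default check retention stated on the page


@dataclass(frozen=True)
class Check:  # hypothetical record layout
    check_id: str
    equipment_id: str
    performed_on: date


def years_before(day: date, years: int) -> date:
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def checks_to_delete(checks, run_date, check_years=DEFAULT_CHECK_YEARS):
    """Return the ids of checks a monthly run on `run_date` may remove."""
    cutoff = years_before(run_date, check_years)
    newest = {}  # equipment_id -> date of its most recent check
    for c in checks:
        if c.equipment_id not in newest or c.performed_on > newest[c.equipment_id]:
            newest[c.equipment_id] = c.performed_on
    # Expired AND superseded: the most recent check of each item always stays,
    # so an item never loses its last inspection record.
    return sorted(
        c.check_id for c in checks
        if c.performed_on < cutoff and c.performed_on < newest[c.equipment_id]
    )


# Constructed sample data for one organization.
SAMPLE_CHECKS = [
    Check("C1", "crane-1", date(2012, 3, 10)),
    Check("C2", "crane-1", date(2014, 6, 1)),
    Check("C3", "crane-1", date(2023, 5, 20)),
    Check("C4", "sling-7", date(2009, 11, 2)),   # only check: kept
    Check("C5", "hoist-2", date(2011, 1, 15)),
    Check("C6", "hoist-2", date(2013, 8, 30)),   # expired but newest: kept
]

if __name__ == "__main__":
    print(checks_to_delete(SAMPLE_CHECKS, date(2025, 1, 1)))
```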
GDPR-compliant deletion of users including deletion protocol
If an employee leaves the company, in addition to blocking his or her access, the personal data in the service portal and apps is replaced by "-" and a confirmation of the deletion is sent. Step-by-step documentation on user deletion/inactivation can be found here: Delete and inactivate users