Legal Notice & Privacy Policy

Legal Notice

Information pursuant to § 5 TMG

schöpfwerk GmbH
Managing Director: Mr. Andreas Smidt

Gerhard-Tjarks-Straße 1
26409 Wittmund

Represented by: Mr. Andreas Smidt

Contact:

Tel.: +49 4464 – 868 92 52

Email: moin@caromobil.de

Register entry:

Register court: Aurich
Registration number: HRB206380

Privacy Policy

Our website can generally be used without providing personal data. Where personal data (for example name, address or email addresses) is collected on our pages, this is always done on a voluntary basis as far as possible. This data will not be passed on to third parties without your express consent.

We point out that data transmission over the Internet (e.g. when communicating by email) can have security gaps. Complete protection of data against access by third parties is not possible.

We hereby expressly object to the use by third parties of contact details published under the legal notice obligation for sending advertising and information material that has not been expressly requested. The operators of the pages expressly reserve the right to take legal action in the event of unsolicited advertising being sent, for example through spam emails.

1. Compliance

1.1. How do you guarantee your performance levels?

Our system scales dynamically based on network requests and workload.


1.2. Do we retain legal ownership of all our data, or does it belong to you?

All data in client systems belongs to our client.


1.3. What internal audit reports do you perform, and which compliance standards and other recommended practices from organizations such as the Cloud Security Alliance are used for the assessments?

Our system is checked using our security checklists. Logs are checked daily for suspicious IPs. In addition, we do penetration testing for the APIs as well as the backend and frontend. The Wunder Fleet team has a security expert on board who performs penetration tests on a regular basis, checking for SQL injection and cross-site scripting attacks, as well as load testing the system.


2. Service Operation

2.1. What redundancy and offsite backup mechanisms do you have in place to prevent corruption or loss of our data, and guarantee the integrity and availability of our data?

The data are synced between multiple database instances in all three data centers.


2.2. How do you manage changes to software and to the environment? How are changes coordinated with customers? What impact is there on a customer (outages, degradation, etc.) and can a customer opt out?

There is no outage while upgrading your environment. All updates are performed without downtime, using immutable deployment strategies.


2.3. What management tasks do you perform (installs, upgrades, etc.)? What tasks do you expect the customer to perform?

We handle installation, setup and upgrades on the technical side. The customer needs to configure their system.


3. Data Protection

3.1. Where will our data be stored, backed-up and processed? Will our data transit any foreign countries? Where are the failover or redundant data centers located? How will we be notified if any of these changes?

All data are stored, backed up and processed in Germany. Redundant data centers are located in Frankfurt. If we change the location of the data centers, there would be downtime, so we would notify you via email and schedule an appointment for this.

https://docs.aws.amazon.com/de_de/AWSEC2/latest/UserGuide/using-regions-availability-zones.html


3.2. If we delete portions of our data, what processes are used to sanitize the storage media before it is made available to another customer?

All data are encrypted and saved on our server hard drives. Our file data is encrypted and saved on SSDs with the AWS S3 service. The database data is also encrypted and saved on SSDs. So, if you delete portions of your data, the storage is cleaned up, but this storage is also not made available to other customers, because the drive is not shared with other customers.


3.3. How will data and information stored on your server be handled at the end of the contract? (All data and information will be forwarded to YourOrg; however, what will happen to the data on the server? Will it be destroyed? When? How?)

All data will be deleted from our servers after the end of the contract. This includes terminating the RDS instances with the encrypted data on them as well as deleting the data from the S3 service.


3.4. Which subcontracting relationships do you have?

● Amazon Web Services, Inc.; 410 Terry Ave North; Seattle, WA 98109-5210, USA, Server location: Frankfurt (EU)

● Google Maps; Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

● Apple Maps; Apple Inc., Infinite Loop, Cupertino, CA 95014, USA

● WunderCar Mobility Solutions GmbH, Hongkongstraße 7, 20457 Hamburg, Germany

● Flurry Oath inc., 22000 AOL Way, Dulles, VA 20166 USA

● Adjust; adjust GmbH, Saarbrücker Str. 37A, 10405 Berlin

● Jumio; 395 Page Mill Road, Suite 150 Palo Alto, CA 94306, USA

● Mitek; Motion Building, Radarweg 60, 1043 NT Amsterdam, The Netherlands

● PSP

o Stripe; 510 Townsend Street, San Francisco, CA 94103, USA

o PAYONE GmbH; Lyoner Straße 9, DE-60528 Frankfurt/Main, Germany

o CrefoPay; Schloßstraße 20, 12163 13

ensuring a proper approach for separation of customers according to threats of multi-tenancy?

Each customer has its own VPC.


5.2. How do you protect data that is in transit and for data at rest?

We protect this data using HTTPS (2048 bit).


5.3. How do you handle privilege access rights and prevent/detect their abuse? (in AWS and in the Wunder solution)?

AWS access rights are limited to our office IP. Also, two-factor authentication is used. In the Wunder solution, every action a backend user performs is logged. We’re able to track every click a backend user makes.


5.4. What is your approach to protect cryptographic keys?

All cryptographic keys for production systems are saved on an encrypted computer and are extra protected in an internal encrypted container.


5.5. What is your logging and monitoring strategy to reveal unusual actions?

Our firewall solution blocks unusual traffic from suspicious IPs. Unusual traffic is detected by our dashboard monitoring solution, where we save monitoring logs for a maximum of 3 days. For logging, we use internal logs (for any manual or automatic (user or system) action done within the system). These logs are stored for an unlimited time.


5.6. What is your Backup methodology?

Our backup strategy is prepared for the worst case; how long we keep backups depends on the part of the system.


5.7. How do you handle deletion of data?

Customer data are first flagged as deleted. Then they’re fully deleted after a specific timespan, configured in the Wunder Fleet backend.


5.8. How are the data encrypted on the Server?

Data-at-Rest with AES-256


5.9. Are Backups encrypted?

AES-256
