Data protection is a matter of trust. With seventhings, you manage your asset inventory in a fully legally compliant manner, as we exceed the statutory requirements of the GDPR. This allows you to focus fully on your work while we ensure the maximum security of your data.
Where is my data stored?
We store your data exclusively in Germany. For this purpose, we use the ISO 27001-certified twin-core data centers of the T-Cloud in Magdeburg and Biere. We completely rule out any data transmission or storage in third countries.
How is my data protected?
Technically:
Encryption at rest: AES-256 for all datasets, including backups.
Encryption in transit: TLS 1.2/1.3 for every data transmission.
Key management: Managed via the Key Management Service (KMS) of the T-Cloud.
Network security: Cloud firewall, security groups, DDoS protection, network-based IDS/IPS, as well as host-based IDS on critical servers.
Backups: GFS strategy (Grandfather-Father-Son: daily/weekly/monthly) adhering to the 3-2-1 rule and read-only replication in the second data center.
Security audits: Continuous external penetration tests by Rapid7 (automated weekly as well as before every live release) plus annual infrastructure penetration tests by T-Systems/OTC.
Organizationally:
Information Security Officer (ISO): Designated and appointed.
Mandatory training: At least annual mandatory training sessions for all employees on data protection, information security, and phishing.
Confidentiality obligations: Signed agreements with post-contractual effect for all employees and contractors.
Four-eyes principle: Applied during the review of security-relevant findings.
Who has access to my data?
You control access to your data in seventhings via our fine-grained authorization concept. You define specific roles or assign exact permissions to your team members for locations or specific data fields.
For secure login, you can simply link your existing SSO connection via Microsoft Azure AD, Google SSO, or OneLogin. In doing so, we additionally recommend multi-factor authentication (MFA).
Our logical tenant isolation protects your data from unauthorized views. Administrative access is granted exclusively to authorized seventhings employees via a secured MFA connection, which is logged and traceable.
How does seventhings handle data processing and sub-processors?
We enter into a transparent Data Processing Agreement (DPA) with you in accordance with Article 28 of the GDPR. We list your partners transparently in the annex of the contract. Hosting is handled by T-Systems on the T-Cloud in Germany. We use Microsoft Germany for internal processes. For our fast customer service, we integrate the tool Intercom. Sentry helps us with rapid error detection on the platform. Both US providers strictly commit themselves to the EU Standard Contractual Clauses.
Please note:
If you have any questions, please contact our external data protection officer, Ingo Krause of DataOrga GmbH, by email at office@DataOrga.de.
What happens in the event of a data breach?
In an emergency, our documented incident response plan takes effect immediately. As a customer, you will be informed promptly of any incident that affects you or your data.
0–2 h: Detection, initial assessment, and activation of the Incident Response Team.
2–6 h: Containment, damage analysis, and risk assessment for affected parties.
72 h at the latest: Notification to the competent supervisory authority in accordance with Article 33 GDPR.
In the event of high risk: Notification of the affected parties in accordance with Article 34 GDPR.
What rights do I have as a data subject?
As a seventhings user, you have all the rights granted by the GDPR—and we support you in exercising them:
Right of access (Art. 15)
Right to rectification (Art. 16)
Right to erasure (Art. 17)
Right to restriction of processing (Art. 18)
Right to data portability (Art. 20) — export in standard formats (CSV, Excel, PDF)
Right to object (Art. 21)
Right to lodge a complaint with a supervisory authority
You can send your inquiries to our Data Protection Officer (see blue box above) or to support@seventhings.com.
What happens to my data at the end of the contract?
You retain full control until the very end. Before the contract ends, you can fully export all your data via the user interface or our open API interface. We will then irretrievably delete all your personal data in compliance with data protection regulations. Our system automatically overwrites old backups once the retention period expires.
Where can I find more information?
You can find our full privacy policy at seventhings.com/datenschutz. You can find our cloud provider’s official ISO certificates at open-telekom-cloud.com/zertifikate. To request your own AVV template, simply send an email to support@seventhings.com.