# Security Documentation

Comprehensive security measures for remote access services.

- GDPR Compliant: Full compliance with German data protection laws
- End-to-End Encryption: AES-256 encryption for all remote sessions
- Audit Logging: Comprehensive logging of all access events
## Technical Security Measures

### 1. Encryption Standards
- Transport Encryption: TLS 1.3 for all network communications
- Session Encryption: AES-256-GCM for remote desktop data
- Key Exchange: ECDH with P-384 curve
- Authentication: RSA-4096 or Ed25519 signatures
### 2. Access Control
- User Authentication: Multi-factor authentication for all technicians
- Session Tokens: Unique, time-limited access codes for each session
- IP Restrictions: Connections only from approved IP ranges
- Role-Based Access: Minimal privileges based on service requirements
### 3. Monitoring and Logging
- Connection Logs: All remote access attempts logged with timestamps
- Activity Monitoring: Real-time monitoring of all remote actions
- Security Events: Automated alerts for suspicious activities
- Retention Policy: Logs retained for 30 days, then securely deleted
## Compliance Framework

### GDPR Compliance Measures
- Data Minimization: Only necessary data is processed during sessions
- Purpose Limitation: Data used only for agreed technical support
- Storage Limitation: Session data deleted after 30 days maximum
- Consent Management: Explicit consent required before each session
- Right to Deletion: Client data can be deleted upon request
### German Federal Data Protection Act (BDSG) Compliance
- Professional Secrecy: Enhanced measures for clients under §203 StGB
- Technical Measures: State-of-the-art security implementations
- Organizational Measures: Staff training and access controls
- Data Processing Agreements: Formal agreements for business clients
## Incident Response

### Security Incident Procedures

Detection & Response:
- 24/7 automated monitoring
- Immediate containment measures
- Forensic analysis and documentation
- Client notification within 24 hours
Legal Compliance:
- Authority notification within 72 hours
- Risk assessment for affected individuals
- Remediation and prevention measures
- Post-incident review and improvements
## Data Processing Details

### Types of Data Processed
| Data Category | Examples | Retention | Legal Basis |
|---|---|---|---|
| Connection Data | IP addresses, timestamps, session duration | 30 days | Art. 6(1)(f) GDPR |
| System Information | OS version, hardware specs, installed software | 30 days | Art. 6(1)(b) GDPR |
| Screen Content | Application windows, desktop, user interface | Session only | Art. 6(1)(a) GDPR |
| Input Data | Keyboard, mouse inputs during session | Session only | Art. 6(1)(a) GDPR |
## Third-Party Services

### RustDesk Infrastructure
- Open Source: RustDesk is open-source software, so its security implementation can be publicly reviewed
- Self-Hosted Option: Can be deployed on our own infrastructure
- Relay Servers: Used only for NAT traversal, not data storage
- Data Residency: EU servers preferred for GDPR compliance
## Client Security Responsibilities

### Best Practices for Clients
- Keep RustDesk software updated to latest version
- Use strong passwords for system accounts
- Enable Windows Defender or equivalent antivirus
- Monitor remote sessions and report suspicious activity
- Back up important data before remote sessions
- Close RustDesk immediately after sessions complete
## Security Certifications

### Current Certifications
- ✅ GDPR Compliance Audit (2025)
- ✅ ISO 27001 Security Training
- ✅ German IT Security Guidelines
- ✅ Professional Liability Insurance
### Planned Certifications
- 🔄 ISO 27001 Full Certification (Q4 2025)
- 🔄 C5 Cloud Security Certification
- 🔄 BSI IT-Grundschutz Certification
- 🔄 Annual Security Audit
## Contact Security Team
For security questions or to report incidents: info@backupexperts.de | Phone: +49 37298 909061