Security & Datenschutz (data protection)

Data stays in Germany.

Naturalisation is a highly sensitive administrative procedure. We handle the resulting data accordingly — with a clear GDPR architecture, hosting exclusively in Germany, and transparent sub-processors.

Hosting in GermanyTLS 1.3 · AES-256DSGVO (GDPR) Art. 28

01Hosting & architecture 02Encryption 03Subprozessoren (subprocessors)04Auftragsverarbeitung (data processing on behalf)05Data subject rights 06Incident response 07Compliance

Category 01

Hosting & architecture.

The entire civitas. platform runs on servers in Germany. No data traffic outside the EU, no sub-processors headquartered in third countries for core data — and an architecture designed to be multi-tenant (mandantenfähig) so that every authority and every institutional partner receives its own, isolated data space.

Server location

Exclusively Hetzner Online GmbH, Nuremberg. ISO/IEC 27001-certified data centre, redundant power supply, geo-redundant backup at a second German Hetzner location (Falkenstein).

Data location

Germany · European Union. All personal data is processed and stored exclusively in Germany. No transfer to third countries within the meaning of Art. 44 et seq. DSGVO (GDPR) takes place.

Tenant separation

Every institutional partner (Behörde [authority], Kanzlei [law firm], Beratungsstelle [advisory office]) receives a logically isolated data space with its own tenant key. Row-level database tenancy with mandatory tenant ID; multi-tenant capability at both application and database layers.

Backup strategy

Daily incremental backups, weekly full backup, 30 days retention. Backups are stored encrypted at a second German Hetzner location. Recovery procedures are tested regularly.

Production / demo separation

Strict separation between production and demo environments. Demo data contains no real Antragsteller (applicant) information — all demo Mandanten (clients) are explicitly marked as such.

Category 02

Encryption.

Encryption takes place both in transit and at rest. Sensitive application data is additionally encrypted at the application layer, so that even access to the database without the application key reveals no readable personal data.

In transit

TLS 1.3 exclusively, no fallback to TLS 1.2 or older. HSTS header with max-age=63072000, cipher suites per BSI (German Federal Office for Information Security) minimum standards.

Storage (at rest)

AES-256-GCM at the storage level via fully encrypted Hetzner volumes. Keys are provided through separately hosted key management.

Application layer

Critical fields (Geburtsname [birth name], Aufenthaltstitel [residence permit], Sozialleistungsdaten [social benefit data]) are additionally encrypted at the application layer. Even database administrators see only ciphertext without the application key.

Key management

Key rotation every 90 days for application keys, annual rotation for master keys. Rotation takes place without interruption via versioned keys.

Authentication

Passwordless login via Magic Link (HMAC-SHA256-signed tokens, valid 30 min.) or OAuth via Google/Apple. Optional: two-factor authentication via TOTP. For institutional partners: SAML 2.0 / OIDC.

Category 03

Subprozessoren (subprocessors).

civitas. uses selected service providers for clearly delimited tasks. All sub-processors are contractually bound by the DSGVO, with AVV under Art. 28 DSGVO. The location is transparently documented — where possible, providers with their headquarters and data processing in the EU are preferred.

Provider

Purpose

Location

Region

Hetzner Online GmbH

Hosting · Database · Backup

Purpose: Server infrastructure

Location: Nuremberg & Falkenstein

Germany

Stripe Payments Europe Ltd.

Payment processing

Purpose: Card · SEPA · Sofort

Location: Dublin (IE)

Postmark (ActiveCampaign LLC)

Transactional emails

Purpose: Magic-Link · Invoices

Location: EU data centre (Frankfurt)

Sentry (Functional Software Inc.)

Error telemetry

Purpose: Application error logs

Location: EU region (Frankfurt)

Plausible Insights OÜ

Analytics

Purpose: Anonymised web statistics

Location: Tallinn (EE)

Cloudflare (CDN)

DDoS protection · CDN

Purpose: Static assets · protection

Location: EU edge (Frankfurt)

EU edge / US HQ

The list is updated when changes occur. Authorities and institutional partners are informed of material changes to the sub-processor register. A complete sub-processor catalogue is part of the AVV (data processing agreement).

Category 04

Auftragsverarbeitung (data processing on behalf).

When civitas. processes data for institutional partners (Behörden, law firms, counselling centres), this happens exclusively on the basis of an Auftragsverarbeitungsvertrag (data processing agreement) under Art. 28 DSGVO. The AVV automatically becomes part of the licence agreement and is available in standardised form.

Standard AVV (data processing agreement)

We provide a standardised AVV under Art. 28 DSGVO covering the typical processing scenarios. It can be adapted to authority requirements in special discussions.

Control and audit rights

Clients may exercise control and audit rights at any time pursuant to Art. 28 Abs. 3 lit. h DSGVO (GDPR Art. 28(3)(h)) — either as a self-audit on the basis of this documentation or as an on-site visit after prior arrangement.

Weisungsbindung (binding to instructions)

Processing takes place exclusively according to the documented instructions of the controller. civitas.'s own processing only within the contractually agreed limits, e.g. for technical provision of the service.

Deletion & return

After contract end, personal data are fully deleted or returned — at the controller's choice. Standard deadline: 30 days after contract end, documented with a deletion log.

Subprocessor change

Planned changes of subprocessors are announced with four weeks' notice. Clients have a right to object; in case of a justified objection, an alternative solution is sought or the contractual relationship is terminated.

AVV (data processing agreement) for download

Standard Auftragsverarbeitungsvertrag (data processing agreement) (PDF).

Our standardized AVV (data processing agreement) per Art. 28 DSGVO is publicly available — for preliminary review by data protection officers and legal departments. It can be adapted to your specific requirements in dedicated discussions.

As of: April 2026Format: PDF · approx. 12 pagesScope: Standard Mandanten (clients)

Download AVV Individual customization

The AVV (data processing agreement) is designed for institutional clients (authorities, law firms, counselling centres). For private customers who use civitas. themselves, civitas. is the controller under Art. 4 No. 7 GDPR — here the Privacy Policy applies, not an AVV.

Category 05

Data subject rights.

Applicants and all other affected persons may exercise their rights under the DSGVO (German GDPR) towards civitas. at any time. We process requests within the statutory one-month deadline pursuant to Art. 12 Abs. 3 DSGVO (GDPR Article 12(3)).

Right of access

Art. 15 DSGVO (GDPR Art. 15)

Information about which personal data we process, for which purposes, and to which recipients they are passed on.

Right to rectification

Art. 16 DSGVO (GDPR Art. 16)

Correction of incorrect or incomplete data — can be done yourself in the account or, alternatively, by request to our Datenschutzbeauftragten (data protection officer).

Right to deletion

Art. 17 DSGVO (GDPR Art. 17)

Complete deletion of your data — provided no statutory retention periods stand against it (e.g. accounting). Can be triggered in the account under „Settings → Delete account".

Right to restriction

Art. 18 DSGVO (GDPR Art. 18)

Restrict processing of your data in certain cases — e.g. in case of dispute over data accuracy or during legal proceedings.

Data portability

Art. 20 DSGVO (GDPR Art. 20)

Export of your application and account data in a structured, common, machine-readable format. JSON or PDF by default.

Widerspruchsrecht (right to object)

Art. 21 DSGVO (GDPR Art. 21)

Widerspruch (objection) to the processing of your data — especially against profiling or direct marketing. Takes effect immediately.

Where to submit requests: By email to datenschutz@einbuergerungsservice.de. Processing usually takes five working days; the maximum statutory period under DSGVO (GDPR) is one month. For complaints, you may also approach the competent supervisory authority — for Civitas UG this is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia.

Category 06

Incident response.

Security incidents are handled according to a clearly documented process — with defined Eskalationsstufen (escalation levels), notification deadlines, and subsequent Ursachenanalyse (root cause analysis). In the event of a Verletzung des Schutzes personenbezogener Daten (personal data breach), notification to the Aufsichtsbehörde (supervisory authority) under Art. 33 DSGVO (GDPR) is made within 72 hours.

Procedure for security incidents.

From detection of an incident to restoration of regular operation, we follow a standardized process. Clients and affected parties are informed as early as possible, transparently and traceably.

≤ 1 hr

Detection & initial classification. Determine severity, assign responsibilities.

≤ 4 hrs

Containment. Isolate the incident, prevent further spread, secure affected systems.

≤ 24 hrs

Notification of clients. Affected authorities, firms and counselling centres are informed — even when complete information is not yet available.

≤ 72 hrs

Notification to the supervisory authority for reportable incidents under Art. 33 DSGVO (GDPR).

≤ 7 days

Post-mortem & lessons learned. Full root-cause analysis, action plan, transparent documentation for clients.

Category 07

Compliance.

An honest status: which standards we meet today, which certifications are currently in progress, and which are planned for 2026/2027. We communicate this transparently rather than performing compliance theatre.

Met

DSGVO (GDPR) / BDSG (Federal Data Protection Act)

Full implementation of DSGVO and BDSG — as controller for own processing, as processor for institutional partners.

Met

TLS / BSI minimum standards

TLS configuration in accordance with BSI TR-02102-2. All cipher suites correspond to the federal recommendations for „high" protection requirement levels.

Met

RDG (Legal Services Act) compliance

Strict compliance with the limits of § 2 RDG. civitas. provides purely technical Verfahrenshilfe (procedural assistance), not Rechtsberatung (legal advice) in individual cases.

Q3 2026 planned

ISO/IEC 27001

Information security management. Certification preparation for Q3 2026 — relevant for selected government tenders.

Q4 2026 planned

BSI C5 attestation

Cloud Computing Compliance Criteria Catalogue by the BSI. Standard for public administration — preparation underway.

planned for 2027

EVB-IT cloud compliance (German public-sector IT contract framework)

Contract terms for public-sector IT procurement. Becomes relevant in larger Behörden (authority) tenders.

Responsible

Direct contact for security and Data protection.

For security reports, data protection enquiries, audit requests or specific questions about our architecture. In the event of suspected security vulnerabilities, we ask for confidential reporting — we confirm receipt within 24 hours.

Data protection & security

civitas. · Privacy & Security Team

Data protection

datenschutz@einbuergerungsservice.de

Security notifications

security@einbuergerungsservice.de

Response time

On business days within 24 hours

Supervisory authority

LDI Nordrhein-Westfalen