| Field | Value |
|---|---|
| Document ID | ISMS-SCOPE-001 |
| Version | 0.1 |
| Status | Draft |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | pending — annually, or on material change |
| Supersedes | — (initial issue) |

This document defines the scope of the BackupExperts Information
Security Management System (ISMS) as required by ISO/IEC 27001:2022
clause 4.3. It states which services, locations, assets, personnel, and
information types are covered by the ISMS, and which are explicitly
excluded.

BackupExperts is a managed service provider that delivers backup,
restore, and adjacent infrastructure services to small and medium
business customers. BackupExperts operates as the data processor for
customer data under written Data Processing Agreements aligned to
GDPR Article 28.

| Field | Value |
|---|---|
| Trading name | BackupExperts |
| Legal form | Einzelunternehmen (sole proprietorship) |
| Owner / authorised representative | Ananda Bhatta |
| Registered address | Lugauer Str. 53, 09376 Oelsnitz/Erzgebirge, Germany |
| Telephone | +49 37298 909061 |
| Email | info@backupexperts.de |
| Web | https://backupexperts.de |
| USt-IdNr. (VAT ID) | to be recorded if applicable; not currently in the Impressum |
| Trade register entry (Handelsregister) | Not applicable (sole proprietorship) |
| Competent data-protection supervisory authority | Sächsischer Datenschutzbeauftragter (Saxony) |

The ISMS covers the following services delivered by BackupExperts:

| Service | Description |
|---|---|
| Managed backup | Configuration, operation, and monitoring of customer backup jobs against BackupExperts-operated or customer-owned backup targets |
| Restore on demand | Restore of customer data on customer request or in response to an incident, per the Restore Procedure |
| Tenant Wiki.js hosting | Per-customer hosted knowledge base, provisioned and updated via the wiki-cms toolchain |
| Network monitoring (UniFi) | Read-only monitoring and documentation of customer UniFi sites where the customer has granted access |

Adjacent activities — sales, billing, customer support — are in scope to
the extent that they handle information assets covered by the ISMS.

| Location | Role |
|---|---|
| Oelsnitz/Erzgebirge, Germany (Lugauer Str. 53, 09376) — BackupExperts registered office and basement server room | Principal place of business and the in-house server room. The basement houses the MinIO S3 endpoint (NAS-backed) that receives customer Veeam offload jobs and holds the off-site copy of customer backups from the customer's perspective. Physical controls and known gaps are documented in Assets and Risk Register (planned). |
| Hetzner Online GmbH data centres (Falkenstein and/or Nürnberg, Germany) | Hosts BackupExperts-controlled application infrastructure: tenant Wiki.js instances, the wiki-cms toolchain, and monitoring tooling. Hetzner is contracted under a written Data Processing Agreement and is registered in the sub-processor register (planned). |
| Mobile devices used by BackupExperts personnel | Personal laptop used for BackupExperts work (BYOD), with full-disk encryption (BitLocker) and Microsoft Defender. Covered by the Acceptable Use Policy (planned) and the Access Control Policy (planned). |

Customer premises are not in scope as physical environments. Where
BackupExperts personnel attend customer premises they operate under the
customer's physical security regime; BackupExperts' personnel security
controls (training, NDAs, access provisioning) continue to apply to
those personnel at all times.

wiki-cms repository, sub-processor records, personnel

The full register is maintained at Assets → Inventory
(planned).

All BackupExperts personnel — employees, contractors, and interns —
regardless of contract type or location, are within scope of the ISMS
for activities undertaken on behalf of BackupExperts.

At the time of issue BackupExperts is a sole-proprietor undertaking
operated by Ananda Bhatta, who holds both the Managing Director and
the acting Information Security Officer roles. The compensating
controls that apply to this dual capacity are recorded in §5.1 of the
Information Security Policy and
re-evaluated at every management review.

The ISMS scope includes the interfaces between BackupExperts and:

Dependencies on parties outside the scope (e.g. upstream connectivity
providers) are addressed via the supplier security policy and through
the controls inside the scope.

The following are explicitly outside the scope of the ISMS:

Exclusions are valid only insofar as they have no bearing on the
information security of the in-scope services. Any change in this
relationship requires re-evaluation of the scope.

The scope above reflects the totality of services BackupExperts offers,
all locations from which the services are delivered, and all personnel
involved. It is justified on the basis that no service or activity that
materially affects the confidentiality, integrity, or availability of
customer data is excluded.

This scope statement is reviewed at minimum annually, and additionally
whenever: