| Field | Value |
|---|---|
| Document ID | ISMS-REG-001 |
| Version | 0.1 |
| Status | Draft |
| Classification | Internal — disclosable to customers under DPA |
| Owner | Information Security Officer |
| Approved by | Managing Director |
| Approval date | pending |
| Effective from | pending |
| Next review | Annually, and whenever a supplier is added, removed, or materially changed |
| Annex A controls (ISO/IEC 27001:2022) | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23 |
This register lists every supplier in scope of the ISMS that processes
data on behalf of BackupExperts, or that processes data for which
BackupExperts is the data controller. It is the source of truth for the
sub-processor list disclosed to customers under their Data Processing
Agreements (GDPR Article 28(2)).

In scope is any supplier that:
- Processes personal data on behalf of BackupExperts or its customers; or
- Has access to systems where customer data resides; or
- Hosts BackupExperts-controlled infrastructure that is part of the
  service delivery path; or
- Receives BackupExperts business records (financial, contractual,
  HR-equivalent) in the course of providing its service.

Out of scope are commodity suppliers that neither touch customer data
nor host BackupExperts services (utilities, postal service, office
supplies).
| Supplier | Service | Data accessed | Location | DPA in place | Last review | Notes |
|---|---|---|---|---|---|---|
| Hetzner Online GmbH | Dedicated/cloud hosting for BackupExperts apps (tenant Wiki.js instances, wiki-cms, monitoring) | BackupExperts internal data; customer metadata visible in tenant Wiki.js content; no customer backup contents | Falkenstein / Nürnberg, Germany (EU) | Yes — signed (date pending — confirm and record) | pending | Hetzner provides infrastructure only and does not access content under the DPA. ISO 27001 certified. |
| Microsoft Ireland Operations Ltd. | Microsoft 365 (mail, OneDrive, Teams) for the BackupExperts work account | BackupExperts internal email, files and calendar; customer correspondence held in mailboxes | Ireland; sub-processors include Microsoft Corp. (US) under SCCs | Yes — DPA via Microsoft Online Services Terms (Standard Contractual Clauses included) | pending | Customer personal data is limited to what appears in email correspondence; no bulk customer data is stored in Microsoft 365. |
| Haufe-Lexware GmbH & Co. KG (Lexoffice) | Accounting and invoicing (Buchhaltung) | Customer billing data: legal name, address, contact, invoice line items | Germany (EU) | Not yet — DPA available from supplier, to be signed and filed | pending | German vendor; processes financial data only. |
| Supplier | Software | Role | Data accessed | Notes |
|---|---|---|---|---|
| Veeam Software | Veeam Backup & Replication | Backup engine running on customer infrastructure | None directly — software vendor; telemetry per Veeam's published data handling | License records held. Veeam is not a sub-processor for customer data unless Veeam cloud services are used (currently they are not). |
| MinIO, Inc. | MinIO S3-compatible object storage (open-source) | Self-hosted in the BackupExperts basement server room; receives Veeam offload | None — software runs on BackupExperts infrastructure; no telemetry to vendor | License: AGPL / commercial as applicable. |
| Bitwarden Inc. | Vaultwarden (community-maintained Bitwarden-compatible server, self-hosted) | Password manager for BackupExperts and for customer credential handover via "Send" | None — runs on BackupExperts infrastructure; no telemetry to vendor by default | Vault contents never traverse the vendor. Bitwarden Inc. is listed as the vendor of the client apps only; the Vaultwarden server is community software, not a Bitwarden Inc. product. |
| Supplier | Service | Notes |
|---|---|---|
| to be filled — internet connectivity provider for the basement office and server room | ISP | Connectivity dependency, not a data processor unless deep-packet visibility is granted (which it is not). |
| Supplier | Service | Status | Notes |
|---|---|---|---|
| to be procured | Cyber liability insurance | Not yet in place — known gap | Recorded in Risk Register as a high-priority item. |
4. Maintenance

- Adding a supplier: add a row to the relevant table above, sign or
  accept the supplier's DPA (where applicable), record the signing date,
  and update the customer-facing sub-processor list disclosed under
  customer DPAs.
- Removing a supplier: leave the row in the register with a "removed
  on" date. Do not delete history.
- Annual review: the Information Security Officer confirms that each row
  is current, that the supplier's most recent security attestation is
  on file, and that nothing has materially changed.
- Customer notification of new sub-processors: per the relevant
  customer DPA (typically written notice and a right to object within
  a stated period).
The customer-facing list — published or shared on request under each
customer's DPA — is generated from this register. Entries marked
Internal only in §6 are excluded from the customer-facing list.
This register itself is classified Internal. The customer-facing
sub-processor list, which is a derivative of this document, is
disclosable to customers under their contracts.