teamspace

Security and compliance: Made in Germany, hosted in Frankfurt.

teamspace runs in an ISO-27001-certified data centre in Frankfurt am Main, GDPR compliant, with activatable GoBD mode. Data processing exclusively in the EU. The contracting party is 5 POINT AG, a German stock corporation headquartered in Darmstadt.

The central compliance anchors

1. ISO 27001 data centre

Hosting in a data centre certified to ISO/IEC 27001 in Frankfurt am Main. Operator: Aixit. The data centre's certificate is available on request.

2. GDPR and DPA

GDPR-compliant operation with standard DPA per Art. 28 GDPR. Subject access workflow established.

3. Hosting in Frankfurt

Data processing exclusively in the EU, in geo-redundant data centres in Frankfurt am Main.

How we operate security in practice

  1. Awareness

    Awareness training for every staff member, documented.

  2. Encryption

    Data in transit via TLS in its current version. Storage volumes encrypted at the data centre (AES-256).

  3. Permissions and MFA

    Need-to-know permissions, role-based. Two-factor authentication (TOTP, FIDO2) optional and enforceable per client.

  4. Audit trail and GoBD

    Every entry and every correction is documented with editor, timestamp and reason. Retention 10 years, with activatable GoBD mode.

  5. Backups

    Daily backups, retention 7 days, 4 weeks, 3 months. Restore documented.

Technical and organisational measures (TOM)

Confidentiality

  • Pseudonymisation where possible
  • Storage volumes encrypted (AES-256) at the data centre
  • TLS in its current version in transit
  • Access control on need-to-know
  • Role-based permissions

Integrity

  • Audit trail for every data change
  • GoBD mode activatable, at least 10 years retention
  • Locking of released periods
  • Backups in two geo-redundant data centres in Frankfurt
  • Regular restore tests

Availability

  • Geo-redundant operation in two data centres in Frankfurt
  • DDoS protection at network and application layer
  • Daily backups, retention 7 days, 4 weeks, 3 months
  • Disaster recovery plan documented

Data processing

  • Standard DPA per Art. 28 GDPR
  • Subprocessor list on request
  • Subject access workflow within 30 days
  • Deletion duty on contract end
  • Data export in standard format

Why security matters

Service firms process personal data (staff, clients, contacts) and commercially sensitive data (hours, invoices, margins) in teamspace. Both together make cloud software a regulated application. We treat it not as a marketing topic but as an operational duty.

Three central anchors define our setup: the ISO-27001-certified data centre for information security, GDPR for the protection of personal data, GoBD for the retention of accounting-relevant data. Data processing exclusively in the EU.

Made in Germany, hosted in Frankfurt

teamspace is built and operated by 5 POINT AG, a German stock corporation headquartered in Darmstadt. The entire software stack is developed in Germany; hosting runs in an ISO-27001-certified data centre in Frankfurt am Main (operator: Aixit). Data processing takes place exclusively in the EU, with no subprocessors outside the EU in the mandatory data path.

ISO 27001: the data centre, not teamspace

The ISO/IEC 27001 certification applies to the data centre in Frankfurt am Main in which teamspace is operated. It refers to the information security management system (ISMS) of the hosting operator.

5 POINT AG itself and the teamspace operation are not certified to ISO 27001. The data centre’s current certificate is available on request.

GDPR, DPA and data processing

We process data as a data processor under Art. 28 GDPR. This means:

  • Standard DPA prepared, automatically attached at contract signing.
  • Subprocessor list transparent on request (hosting, backup, mail, monitoring).
  • Subject access workflow for data subject requests within 30 days.
  • Deletion duty at contract end, with documented confirmation.

Encryption

Data is encrypted in transit and at rest:

  • In transit: transmission via TLS in its current version between browser/app and servers. Older TLS versions are disabled.
  • At rest: storage volumes at the data centre are encrypted by the data centre operator Aixit (AES-256 / LUKS volume encryption). teamspace itself does not perform additional application or database encryption.

Audit trail and GoBD

Every entry and every correction in teamspace is documented with editor, timestamp and reason. Released periods can be locked against later edits. Retention period: 10 years, with activatable GoBD mode.

In a tax audit, a complete audit export can be delivered showing the historical state at the cutoff date. Regulators get read access on the client’s request, with clear permission logic.

Data export and contract end

At contract end we guarantee a complete data export in standard format (JSON, CSV, optionally SQL dump). A 90-day grace period for migration. Afterwards all data is irrevocably deleted, with documented deletion confirmation. This includes backups once the last backup generation has been overwritten (typically after another 30 to 90 days).

Does this fit your requirements?

Do you have specific compliance requirements (BaFin, KRITIS, B3S, ISO 9001 for your end client)? In a 15- to 30-minute call we walk through your requirements item by item and explain how teamspace covers them, including DPA prep and certificate request.

Frequently asked questions on security and compliance

Where is data stored?
Exclusively in certified data centres in Frankfurt am Main, in the EU. There is no data transfer to third countries (e.g. USA), no subprocessors outside the EU. The contracting party is 5 POINT AG, headquartered in Darmstadt.

How is the DPA structured?
We provide a standard DPA per Art. 28 GDPR, prepared for clients in the EU. On request we send the template; individual adjustments are possible after review.

Which certifications are in place?
The data centre in Frankfurt am Main is certified to ISO/IEC 27001. The data centre's current certificate is available on request. 5 POINT AG itself is not certified.

Who has access to our data?
Inside 5 POINT AG: need-to-know basis. Customer success managers for their clients, tech support only with explicit approval and audit trail. No free developer access to production data.

How does data export work at contract end?
At contract end we export all client data in standard format (JSON, CSV, optionally SQL dump). A 90-day grace period for migration. Afterwards all data is irrevocably deleted, with deletion confirmation.

How does teamspace handle security incidents?
Incident response plan documented. On suspicion of a data leak, client notification within the legal deadline of 72 hours. Forensics team internal, external specialist contracts on call. Post-mortem reports are shared with affected clients.

Which data is used for AI training or analytics?
Client data is explicitly not used for AI training, ML models or cross-product analytics. Anonymised aggregated telemetry for performance optimisation can be disabled on request.

How long is data retained?
Accounting-relevant data (hours, invoices, receipts) 10 years per GoBD. Personal data per GDPR retention obligations or contractual agreement. Detail logs 12 months, then anonymised.

Need to verify before the audit?

In a 15- to 30-minute call we walk through your compliance requirements item by item, including DPA prep and certificate request.