Privacy Policy and Cookie Policy for the Use of idgard accessible at https://my.idgard.de and the idgard App

The protection of personal data is an important concern for uniscon GmbH (provider of idgard,
following uniscon). Uniscon processes your personal data exclusively in accordance with the applicable
legal requirements, in particular the EU General Data Protection Regulation (“GDPR”).
Uniscon provides its business customers with virtual and secure data room and data transfer solutions
during the term of a corresponding usage agreement.

Within the framework of the contractual agreements, the Ur-administrator determined by the
respective customer may designate natural persons as users who are granted access authorization to
the idgard service. The respective service is provided to the authorized users for use as a SaaS offering
via a defined web portal (“web portal”) and/or the mobile application (“app”) provided for this purpose
in each case.

This Privacy Policy and Cookie Policy apply exclusively to the use of the idgard Service.
The platform for the idgard Service is provided by uniscon and is technically supported by uniscon
(with regard to administration, development and operation, customer support, platform/application
management and service management).

The Service is provided to customers within the framework of order processing; this ensures in
particular that all personal customer data entered or transferred by users into the idgard Service in
accordance with the customer’s usage agreement are processed exclusively on behalf of and in
accordance with the instructions of the customer. The details result from the respective contracts for
commissioned processing concluded with the customers.

Independent of this, uniscon processes certain data of the users of the idgard Service in the context of
the technical provision of the Service.
In the following, we explain what personal data uniscon collects from you and processes when you use
idgard, for what purposes and on what legal basis we process your data, with whom we may share
your data, and what rights you have with regard to the processing of your data.
In addition, we inform you about which cookies are used when you use idgard and how you can adjust
the settings for the use of cookies according to your personal preferences.

A. Data protection organization
The responsible party for the data processing that takes place when using the idgard service is:
uniscon universal identity control GmbH
Ridlerstrasse 57
80339 Munich
Internet: www.idgard.com
Email: contact@uniscon.com
External data protection officer of Uniscon:
c/o TÜV SÜD Academy GmbH
Westendstrasse 160
80339 Munich
E-mail: datenschutz@uniscon.com

B. What data is processed? For what purposes and on what legal basis is the data
processed?

Registration and user account
To use the idgard service, you must be invited by an Ur-administrator. The Ur-administrator is an
account defined by the customer for administration purposes.
For the purpose of the registration of the Ur-Administrator and the provision of the user account and
service profile, uniscon processes certain account and profile data of the Ur-Administrator (name, e-
mail, telephone number), which he discloses in the course of the registration and administration of his
user account. The Ur-Administrator is a person appointed internally by the Controller who is
responsible for the administration of the idgard account. The Administrator is not related to the
Processor.

After the registration of the Ur-administrator, the administration of the account lies with the customer.
To access the content, you must have received an invitation from an administrator or another
authorized user and create a user account.

For the purpose of registration and provision of the user account, you must define a username,
password, and specify your e-mail address. User name and password are only stored pseudonymized
by uniscon. Uniscon cannot access and therefore provide the aforementioned information. The user is
required to keep his access data for full license users, including the “Password Unblocking Key” (PUK)
generated during registration, secure, secret and protected from access by unauthorized third parties,
so that misuse of the data by third parties is excluded as far as possible. Uniscon has no means of
resetting the account username or password.

If you give consent and use idgard via the apps provided by uniscon, user account data (username and
password) required for authentication and linking of the account will be stored locally on your end
device. The account data of the user is stored in the secure storage of your device (Encrypted Shared
Preferences on Android and Key Chain on iOS)

In addition, app users are given the option to access the app using his or her device’s biometric
authentication option. Uniscon does not have access to the biometric characteristics. Recognition and
processing is handled by the operating system running locally on your mobile device (iOS or Android).
The biometric feature is therefore not transmitted to our servers and is not stored by uniscon.
Uniscon bases the processing of the Ur-Administrator’s data on the necessity of the processing (i) for
the performance of the contract with you on the basis of the Terms of Use, or for the performance of
pre-contractual measures in this respect, (Art. 6 para. 1 sentence 1 lit. b) GDPR), insofar as the
contractual relationship with Uniscon exists, as well as (ii) to protect uniscon’s legitimate interests in
the effective and secure provision of the idgard service and the fulfillment of contractual obligations
towards customers and users (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Use of idgard and idgard Support
In addition, uniscon processes user data collected in the context of the use of idgard services via the
respective web portal and/or the respective apps (“User Data”), including:
• Email address (notifications)
• Phone number (2 factor authentication)
• Diagnostic, maintenance and monitoring data (e.g. log files containing usage data and other
diagnostic data, such as IP address, technical faults).
• Anonymized usage data (e.g. user ID, security-related queries, user click events).
If you use idgard by means of the apps provided by uniscon, data is stored locally on your end device in
encrypted form to enable access to the idgard service via the respective app and, if necessary, the local
processing of documents and workflows.

Uniscon processes user account data only for purposes of technical and administrative account
management (esp. registration as well as creation, administration and provision of the user account
and service profile) as well as for purposes of operation and security of the idgard Service (esp.
ensuring authentication and login processes, provision of access).
To the extent users use the support provided by uniscon, uniscon also receives certain support data
provided by a user in the context of a support request (including any identification data of the ticket
requester, the requester’s ticket data (time/date and form of the request), problem description,
screenshots and service usage data, as well as diagnostic and maintenance data (to the extent relevant
for the processing of the support request) (“Support Data”). Support data may also include user data.
You can find further information in the Privacy policy idgard Support.
Uniscon bases the processing of your personal data on the necessity of the processing (i) to perform
the contract with you on the basis of the Terms of Use (Art. 6 para. 1 sentence 1 lit. b) GDPR), as well
as (ii) to protect the legitimate interests of Uniscon in fulfilling its contractual obligations to its
customers and users, ensuring the functionality and security of the idgard service, and optimizing and
improving idgard (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Use of 2-factor authentication

Uniscon provides you the possibility of 2-factor authentication by means of a security code at login.
For this purpose, you can choose different authentication options (e.g. SMS, login card, TOTP). These
options allow you to link your user account with your terminal device. With 2-factor authentication, a
security code in the form of a time-based one-time password is generated and transmitted to you.
All service providers act exclusively on our behalf and are obligated to take all the to take all necessary
technical and organizational measures to protect your personal data in accordance with the
requirements of data protection law.

Our service providers are not permitted to pass on your data to third parties or use it for other
purposes.

Disclosure of data
Uniscon does not pass on your data to third parties. In some cases, however, Uniscon uses external
service providers to help operate the idgard service and/or provide the services offered to you.
In particular, for storage and administration purposes, as well as to operate the offered functionalities
in technical terms, the idgard service is installed in dedicated racks in a co-location data center hosted
in an external data center.

In addition, we use external SMS providers to enable you to use 2-factor authentication and idgard account notifications. The SMS providers receive limited access to your data (mobile phone number, One Time PIN), as far as this is necessary in the respective individual case to technically enable and process the sending of the text messages requested by you (within the scope of the 2-factor authentication or idgard account notification). The phone number entered here will be used for sending idgard account notifications or 2FA codes only. Message and data rates may apply. Reply HELP for help or STOP to not receive any more notifications. (2-Factor-Authentication using SMS is not possible in this case!)

To use the email notification function, Uniscon uses an e-mail provider. The provider only has access to your email address.

All service providers act exclusively on behalf of uniscon and are obliged to take all necessary technical and organizational measures to protect your personal data in accordance with the requirements of data protection law. Our service providers are not permitted to pass on your data to third parties or to use it for other purposes.

The respective service providers, as well as Uniscon, do not have access to your data that you use in the course of your work in idgard, only to the required information (email , telephone number, information in tickets).

Location of data processing
As a matter of principle, your personal data will be stored and processed by uniscon exclusively within
the EU.

Storage period
Unless otherwise provided in this Privacy Policy, your data will be stored by uniscon only for as long as
is necessary for the particular purpose for which we collect and process your data.
The following categories of data are retained as follows:
• User account data Ur-administrator: Uniscon stores user account data of the Ur-administrator.
This is done for as long as necessary to provide the account and your use of the idgard service.
The data will be deleted as soon as the contractual relationship is terminated and any
retention periods have been fulfilled. After termination of the contractual relationship,
Uniscon makes its content available to the customer for download for a period of four weeks.
• User Account Data: Uniscon stores user account data. This is done for as long as it is necessary
for the provision of the account and your use of the idgard service.
• Support data: Any support data processed by Uniscon as the responsible party will be stored
for a maximum period of three years and then deleted.
• Monitoring Data: We store the IP addresses in the log files of the web server for up to 30 days
since their collection on the basis of Art. 6 (1) lit. f GDPR. We have a legitimate interest in
being able to counter abusive uses of the Idgard application – e.g. attacks on the Idgard
platform such as DDoS attacks – by storing the IP addresses, e.g. by blocking lists and thus
ensuring the availability and integrity of Idgard. We do not connect monitoring data with User
account data.
After expiry of the respective storage period, your data will be deleted in accordance with our general
deletion routines, unless legal storage obligations (in particular due to commercial and tax law
requirements, insofar as necessary for the processing of our contract with customers) conflict with this
or a longer storage is necessary in the specific individual case to protect the legitimate interests of
uniscon (interest in fulfilling our legal obligations as well as the necessity of processing for the
assertion, exercise or defense of legal claims).

Cookies

What are “cookies” and what are they used for?
In the course of using the idgard service via the idgard platform, Uniscon uses so-called “cookies”.
Cookies are small text files that are stored in the memory of your terminal device via your browser.
Cookies store certain information (e.g., your page settings) that is sent back to us by your browser
when you access the idgard Platform (depending on how long the cookie is stored).
The cookies we use are stored on your terminal device either temporarily for the duration of a session
(“session cookies”) or for a longer period beyond the duration of your session (“persistant cookies”).
Session cookies are automatically deleted at the end of your visit (i.e. when you end your session and
close your browser/app).
Persistant cookies remain stored on your end device until the storage time of the cookies expires or
you delete them yourself. The functional duration of the cookies we use is listed in the overview below.
Cookies have various functions. The cookies we use are all technically necessary for the operation of
the idgard Platform and its functionalities (“necessary cookies”) (e.g. page navigation, storage of page
and language settings, storage of your cookie settings) (pursuant to Section 25 (2) no. 2 TDDDG).

Cookie settings
You can set your browser so that you are informed about the setting of cookies and allow cookies only
in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the
automatic deletion of cookies when closing the browser. When disabling cookies, the functionality of
access to the Idgard Service may be limited.

C. Your rights as a data subject
Your right to information, rectification, restriction of processing, objection, data portability
In accordance with Articles 15 et seq. GDPR you have the right
• that we provide you with information about your data categories stored by us, processing
purposes and, if possible, storage period
• that we correct or delete your data, whereby data deletion is only possible if no legal retention
periods apply
• to object to the processing of your data and/or to restrict the processing of your data under
the conditions of Articles 18 or 21 of the GDPR
• that we provide you with your data in a structured, common, machine-readable format
(usually as a .doc or .xls file).
• that you can revoke your consent at any time and without incurring any costs.
To do so, please send an e-mail to datenschutz@uniscon.com or to our data protection officer.
Right to complain to a supervisory authority
You have the right to complain to the supervisory authority. The authority responsible for us is:
Bavarian State Office for Data Protection Supervision (BayLDA).
Promenade 27, 91522 Ansbach, Germany
Tel. (0981) 53 1300, e-mail poststelle@lda.bayern.de
For your complaint, you can use the complaint form provided by the BayLDA:
https://www.lda.bayern.de/de/beschwerde.html

Contact
uniscon GmbH
Ridlerstrasse 57
80339 Munich
Internet: www.idgard.com
Email: contact@uniscon.com