TEMA-Q_Company_Facts_&_Figures

Our History

TEMA-Q Technology and Management for Quality was founded in 1990 by a former quality manager in the automotive industry with only a handful of employees.

In the following years, TEMA-Q gained many new customers, grew steadily and moved into the spacious building of the historic Okermühle on the outskirts of Meinersen (NI). In the meantime, approx. 80 employees are working here. Besides the management and the project managers, these are primarily the interviewers of our own CATI studio, the data collectors, the coders, IT specialists and the accounting department.  Trainees, e.g. as specialist for market and social research or specialist for office communication, are also part of our regular staff for the duration of their training and are usually gladly taken on after graduation.

Since 2008, our data acquisition department has also been offering its services externally as TEMA-TEXT.

While originally the focus was still strongly on quality assurance in the automotive industry, we have been offering a wide range of innovative customer experience and market research solutions for numerous industries for a long time and have become specialists in customer experience management (CEM or CX for short).

In doing so, our aim remains to consistently align our processes to deliver descriptive and tangible actionable results.

At TEMA-Q, market research is not limited to the collection of mere facts and figures. With our experience reports in the original wording (Voice of Customer), we also uncover causes that are not apparent at first glance. Important KPIs can thus be worked out and your company can act in a customer- and success-oriented way.

TEMA-Q GmbH - Company -

Our Mission – our Vision

Knowing what customers want and what they think has never been more important. It is the basis for companies of all sizes and industries to make the right decisions for their business strategy.

Our Mission

We support companies worldwide in setting up, designing and operating innovative customer feedback systems. The basis is formed by experience reports that offer unique transparency, detail and authenticity. Coupled with our analysis methods, we provide our clients with a holistic picture. This enables each division of the company to react precisely and efficiently to the wishes and problems of its customers.

Our Vision

Our vision is to be the leading provider of intelligent customer feedback systems and to offer our clients worldwide the opportunity to become more successful and thus improve customer satisfaction, making their employees happier and thus the world a little bit better.

Our Quality Promise

The quality of our projects depends on the quality of our employees. The intensive telephone conversations with customers, in which we capture the Voice of Customer (VoC) in as much detail as possible, require sensitivity, excellent manners and a basic knowledge of the industries in which we work.

That’s why, from the very beginning, we at TEMA-Q have placed special emphasis on carefully training our new employees. They are intensively prepared for their tasks, and project support is always available to answer individual questions.  Long-standing employees are also continuously trained and have extensive industry knowledge in the field of our studies, from which our customers benefit, especially in the area of study design.

It is important to us that this is not only done in project management and control, but also for all employees. In this way, our services always remain at the cutting edge of technology and methodology.

Our project management consists of a team with technical, business management, social science, natural science and marketing backgrounds. Our clients benefit from this interdisciplinary know-how, which we put together to suit each project.

After all, good market research also requires high-quality data collection. This can only be achieved with well-trained and reliable interviewers. Therefore, TEMA-Q works exclusively with well-trained and long-term employed interviewers.

Certified according to DIN EN ISO/IEC 27001

DIN EN ISO/IEC 27001 is a security standard that specifies security management procedures and comprehensive security controls. This certification is based on the development and implementation of a rigorous security program. This includes the development and implementation of an Information Security Management System (ISMS) that specifies how TEMA-Q continuously manages security in a holistic and comprehensive manner. This international security standard specifies that TEMA-Q complies with the following:

  • We systematically assess our security risks, considering the impact of threats and vulnerabilities.
  • We design and implement a comprehensive set of IT security controls and other forms of risk management to address enterprise and architectural security risks.
  • We implement an all-encompassing management process to ensure that IT security controls consistently meet our IT security requirements.

Certification is performed by independent external auditors. Compliance with these internationally recognized standards and guidelines is a testament to our commitment to information security at all levels of TEMA-Q.

Link Certificate

Information security and compliance

We consider information security to be an indispensable prerequisite for the quality of our solutions. A lot depends on the information security of our solutions. We express this through the following voluntary commitment:

We commit to comply with the specified information security regulations of stakeholders and legislators and to use the information provided by authorities and other organizations to continuously improve information security.
We support all relevant managers in enforcing information security in their areas of responsibility.
We train all employees who carry out activities in the area of application of information security so that they can act safely and consciously in the sense of information security.
We create the necessary technical and organizational conditions that enable us to live information security.
We want to ensure that information security is not seen by all of us as “annoying extra work”, but as important and essential for our customers. And that at all times – despite all the rules in this area – we must turn on our heads and not rely on the fact that following the established rules will suffice in every situation. If we are faced with the choice of making something really secure or following a rule, we prefer to make it really secure – and then adjust the rule if necessary.
We want to get better and better in our information security.

Our Compliance Business Principles support us in acting responsibly, appropriately and in compliance with the law in our daily work and especially in critical situations.

You can find out more about information security and compliance at TEMA-Q via the following links:

1 Summary and purpose of the document

This document is the information security guideline of Technik und Management für Qualität GmbH, Hauptstraße 3, 38536 Meinersen – in short TEMA-Q GmbH.

It is binding for us, the employees of TEMA-Q GmbH,

  • the context in which we operate with our company and how information security plays a role in this context
  • which information security policy we pursue together
  • Which interested parties have which requirements for the information security we provide
  • which information security objectives we therefore set as binding for us
  • What scope our information security management system (ISMS) covers – i.e., where and in which activities we comply with all information security regulations in a binding manner
  • What roles and responsibilities we have for information security
  • Which regulations we have established to achieve our information security goals and meet the requirements of ISO 27001.

2 Context of the organization

The mission statement of TEMA-Q GmbH is:

We support companies worldwide in setting up, designing and operating innovative feedback systems. The basis is formed by experience reports that offer unique transparency, detail and authenticity. Coupled with our analysis processes, we provide our clients with a holistic picture.

The vision statement of TEMA-Q GmbH reads:

Our vision is to be the leading provider of intelligent feedback systems and to offer our customers worldwide the opportunity to become more successful and thus make their customers happier, their employees happier and thus the world a little bit better.

From our mission statement, we have the following external and internal context to consider:

  • External topics: We offer feedback systems that are used by our customers to manage processes internally. Therefore it is fundamental that the feedback is collected reliably and in a high quality standard, also for international projects. The feedback is provided by TEMA-Q through various IT systems (internal / external), which must have a high security standard and availability due to the confidentiality and importance of the data. Special importance is also attached to the processing of personal data.
  • Internal issues: The quality of our projects depends on the quality of our employees. We therefore attach particular importance to the careful induction and further training of our employees. They are intensively prepared for their tasks, and project support is always available to answer individual questions. Even long-term employees are continuously trained in all relevant topics in order to build up extensive technical and industry knowledge from which our customers benefit. The company language at TEMA-Q is German as a matter of principle; for non-German speaking employees, corresponding documents and training courses are offered in English on a role-based basis.

3 Information security policy

We regard information security as an indispensable prerequisite for the quality of our solutions. Much depends on the information security (confidentiality, integrity and availability) of our solutions. We express this through the following voluntary commitment:

  1. We are committed to complying with the specified information security regulations of stakeholders and legislators and to using the information provided by authorities and other organizations to continuously improve information security.
  2. We support all relevant executives in enforcing information security in their area of responsibility.
  3. We train all employees who perform activities in the area of information security in such a way that they can act safely and consciously in terms of information security.
  4. We create the necessary technical and organizational conditions that enable us to live information security.
  5. We want to achieve that information security is not understood by all of us as “annoying extra work”, but as important and essential for our customers. And that at all times – despite all the rules in this area – we must turn on our heads and not rely on the fact that following the established rules is sufficient in every situation. If we are faced with the choice of making something really safe or following a rule, we prefer to make it really safe – and then adjust the rule if necessary.
  6. We want to get better and better in our information security!

We provide resources and an information security management system for the above.

3.1 How we improve our information security

We improve our information security with the following approach:

  1. We plan for improvement by identifying and managing risks, corrective and preventive actions, and investigating incidents and events as planned.
  2. We improve by implementing what we planned in step 1.
  3. We verify that our improvements are doing what they are intended to do by reviewing the effectiveness of the measures we put in place, conducting internal audits, and measuring our information security targets.
  4. We respond to the results of the checks and proceed to step 1 on this basis.

4 Interested parties

Based on our context, we have the following parties interested in information security:

Interested
Party		 Expectations regarding…
Confidentiality Integrity Availability
Companies / organizations that are our customers (external) It is imperative that the results of our investigations and other data remain confidential. For all areas, it is absolutely essential that all data is processed according to a defined procedure and that the processing steps are always 100% traceable. The applications provided by us are used permanently. Downtime should be minimized.
Customers of the companies / organizations

(external)

 The data contains sensitive personal data that must remain confidential. The data may be processed only in accordance with the law. Availability is important, but not system critical, as long as availability can be restored in a timely manner.
Legislators / Associations

(external)

 Compliance with all laws and regulations, in particular the observance of the confidentiality of personal data. The relevant laws should be available in an up-to-date version. The relevant laws must be available.
Criminals / Cybercriminals Criminals or cybercriminals may attempt to access our information in order to harm TEMA-Q GmbH. To prevent this, internal information must be protected from unauthorized access. Criminals or cybercriminals may attempt to access our information in order to harm TEMA-Q GmbH by manipulating data. To prevent information from being falsified or deleted, the information must be protected from unauthorized access and changes must be traceable. Criminals or cybercriminals may attempt to disrupt the availability of our systems and thus harm TEMA-Q GmbH. To prevent this, the systems must be protected against unauthorized access and the availability of the systems must be ensured via appropriate solutions.
Employees

(internal)

 Job security depends on keeping sensitive information confidential. Job security depends on ensuring that sensitive information cannot be tampered with, as this can lead to reputational damage. Job security depends on having the relevant systems and information available to a high degree.
Management and shareholders The continued existence of the company depends on keeping sensitive information confidential. The continued existence of the company depends on ensuring that information worthy of protection is not falsified, as this can lead to significant reputational damage. The continued existence of the company depends on all relevant systems and information being available to a high degree.

5 Information security objectives

Derived from stakeholder interests, we derive the following information security objectives:

  1. Confidentiality: We strive to ensure that information processed in connection with our feedback systems is confidential and not disclosed to any unauthorized person.
    We will measure this by the number of incidents we receive reports of information in unauthorized non-confidentiality.
    We aim for: 0 per year.
  2. Integrity: We strive to ensure that information processed in connection with our feedback systems is secure against unauthorized and unintentional modification/falsification.
    We will measure this by the number of incidents we receive reports of, or detect in internal testing, where information has been or could be altered in an unauthorized manner.
    We will aim for: 0 per year.
  3. Availability: For availability, we distinguish between internal and external availability.Internal: We aim to ensure that information systems relevant to the feedback systems have very high availability and that downtime is kept to a minimum.
    We will measure this by whether we manage to ensure a very high availability of at least 99.7% per year of the data and systems relevant for the customer feedback systems. Each individual outage should be shorter than 120 min.
    We aim for: 99.7% or 24 hours per year.External: We strive to ensure that the evaluated and analyzed survey data in our web tool is accessible to our customers at all times, if possible.
    We will measure this by whether we manage to achieve an availability of our web feedback system for our customers that is 99.7% calculated over the year (365 days) and where every single outage is shorter than 120 min.
    We are aiming for: 99.7% or 24 hours per year.

6 Scope of application

The scope of our information security management system includes the planning, implementation, and provision of our feedback systems and market research projects with the associated data, tools, and services. These are described in more detail in our process landscape under “Core processes”.

To this end, we use both on-premises software and cloud solutions, in each case taking into account the best possible security and availability of the data.

The following types of information are considered “data”:

  • Personal data of respondents
  • Results / data from surveys and studies
  • Confidential data from clients
  • Concepts, methods of products and studies
  • Company secrets
  • Source code

6.1 Exclusions

Explicitly not within the scope of our information security management system:

  1. information processing at our customers: We cannot guarantee this, as we cannot influence or monitor the technical and organizational measures there, which in turn are crucial for information security.
  2. Network availability at the customer’s site: We ensure high availability of the network connection “to the outside world” and safeguard this via technical and organizational measures. However, we cannot ensure the availability of networks at the customer’s site.
  3. Products and services that are not directly related to our feedback systems or market research projects.

7 Roles and responsibilities

Essential roles in the scope of our information security management system are:

Roll Name(s) Responsibilities
Management

Top Leadership

 Martin Plötz

Jürgen Mohr

 Overall responsibility for information security

Responsible for and owner of all information security risks
Information Security Officer Olaf Steinkirchinger Responsible for the information security management system, for competence building in the field of information security, support and first point of contact for all questions regarding information security
External communication on all information security issuesReported to the management
Project/Team Leader Assigned on a project-by-project basis Responsible for information secure processing of all project relevant data

All other roles and responsibilities result from the individual processes.

Summary and purpose of the document

This document represents,

  • which technical and organizational measures from ISO 27001 Annex A TEMA-Q implements (and why);
  • which technical and organizational measures from ISO 27001 Annex A TEMA-Q does not implement (and why not).

The document is public and can be handed out to all interested parties (customers, auditors, interested parties) if required. The information security officer will be happy to answer any questions.

Technical and organizational measures applied and not applied

In principle, TEMA-Q implements all measures from Annex A of ISO 27001, as they reduce information security risks. In the event that certain measures are also implemented for other reasons (e.g., for contractual reasons vis-à-vis customers or for legal reasons that apply in our industry or for intrinsic reasons), this is noted in the explanatory text and can be found there.

Measure from ISO 27001 Annex A Application* Reason for application or exclusion*
A.5.1.1 Yes Role-specific guidelines enable effective interaction between all employees and external parties involved in ensuring information security.
A.5.1.2 Yes Regular updates to the guides ensure that the latest developments and tasks are included and that the guides remain effective and appropriate.
A.6.1.1 Yes Role assignments help us determine who has what responsibilities regarding information security measures in which situations.
A.6.1.2 Yes We implement segregation of duties as far as possible to ensure that a system of mutual assurance is created for safety-critical tasks. However, it ends where it leads to inflexibility and cannot be achieved with the existing staffing levels.
A.6.1.3 Yes Contacts with relevant authorities provide us with early information on vulnerabilities, threats and legislative developments that could be relevant to information security.
A.6.1.4 Yes Contacts with relevant interest groups provide us with early information on vulnerabilities, threats, and other developments that could be relevant to information security.
A.6.1.5 Yes By looking at planned information security requirements in our projects, we are able to control and implement them in a targeted manner and at an early stage.
A.6.2.1 Yes Mobile devices are an easy gateway for attacks and security vulnerabilities. That’s why we regulate how they can and cannot be used.
A.6.2.2 Yes Similar to mobile devices, teleworkplaces are not fully “controllable” and can be a gateway for attacks and security breaches. Therefore, we regulate how to work in telework in order to create security.
A.7.1.1 Yes We rely on only hiring people who are capable of meeting our safety requirements. Therefore, we carefully review who we hire (or have work for us as freelancers).
A.7.1.2 Yes Agreements on information security that employees must adhere to can only be reliably adhered to if all parties have insight into what has been agreed at all times. That’s why we rely on contractual arrangements here.
A.7.2.1 Yes Information security is only taken seriously if the management stands behind it and demands compliance on a sustained basis. That’s why we hold management accountable.
A.7.2.2 Yes To ensure that our employees are able to implement information security, we provide training in this area and develop each employee so that he or she can safely perform the tasks assigned to him or her with regard to information security.
A.7.2.3 Yes If employees do not fulfill their information security duties, we care. We talk about it and point it out. This ensures that the importance of the issue is recognized.
A.7.3.1 Yes Since we know that information security does not simply stop at the end of an employee’s employment, we ensure that we also regulate the obligations that exist beyond the end of working hours.
A.8.1.1 Yes Devices (and other assets) can only be operated safely if they are covered.
A.8.1.2 Yes Securing devices (and other assets) is only possible if someone feels responsible for each asset. Therefore, we ensure this.
A.8.1.3 Yes Securing devices (and other assets) is only possible if it is clear for each device which use is permissible – i.e. “safe”. Therefore, we ensure that assets are only used safely.
A.8.1.4 Yes To ensure that equipment is not left unattended when the employee responsible for it leaves the company, there is a duty to return it in a regulated manner.
A.8.2.1 Yes Different types of information are critical in different ways. Therefore, we have classified the types of information that require protection in our company.
A.8.2.2 Yes So that it is quickly clear to everyone which information is classified and how, these are marked.
A.8.2.3 Yes To ensure that devices (and other assets) are handled as intended (and improper use does not inadvertently compromise information security), there are rules for how all major devices may be used.
A.8.3.1 Yes Removable data carriers can be lost quickly. Therefore, we have regulated how and under what conditions they may be used.
A.8.3.2 Yes When data media are disposed of, critical information may still be stored on them. We have therefore regulated how to dispose of them safely.
A.8.3.3 Yes When critical information is stored on transportable data carriers, the risk of it being compromised is higher than on non-transportable data carriers. That is why we have strictly regulated transport.
A.9.1.1 Yes We have an access control policy that regulates who can access which devices and information and for what reason. This ensures that access to devices and information is not arbitrary.
A.9.1.2 Yes We secure access to our networks so that information flowing in them is not compromised or the networks themselves cannot meet our availability requirements due to excessive load.
A.9.2.1 Yes To ensure that users are created and deleted correctly and cleanly, we have a process by which we register or deregister users.
A.9.2.2 Yes To ensure that registered users are granted rights correctly and cleanly, we have a process by which we grant and revoke rights to users.
A.9.2.3 Yes To ensure that privileged access (admin accounts) does not intentionally or unintentionally compromise information security, we restrict such access to only those individuals who need it.
A.9.2.4 Yes We allocate secret authentication information (passwords, etc.) via a regulated process to ensure that it remains secret during allocation.
A.9.2.5 Yes All employees who are responsible for devices (and other assets) at our company regularly check whether the access rights granted are still necessary. This is how we ensure that unauthorized persons no longer have access.
A.9.2.6 Yes When employees (or freelancers who work for us) change their job responsibilities or leave us, we adjust or delete their access rights so that they do not have unauthorized access to sensitive information.
A.9.3.1 Yes We oblige all users to keep their access data secret so that unauthorized persons cannot use them and thus gain access to information worthy of protection.
A.9.4.1 Yes In accordance with the need-to-know principle, we restrict access to information to those employees who need to have access to this information in order to perform their duties – all others are not granted access. In this way, we ensure as far as possible that no one who does not actually need access to information worthy of protection inadvertently or deliberately handles it in an insecure manner.
A.9.4.2 Yes To ensure that secret authentication information is not compromised after it is entered into information systems, we use only secure login procedures in which authentication information is transported securely.
A.9.4.3 Yes To prevent passwords from being guessed or spied out via brute force, we ensure that they are secure (long enough, complex enough) via system-side and organizational guidelines.
A.9.4.4 Yes We restrict the use of privileged utilities (“Run as…”) as much as possible, because these programs can be a gateway for attacks if malware can suddenly work with admin privileges.
A.9.4.5 Yes Our source code repository is also a system to which we only grant access in accordance with our access control policy, so that no unauthorized persons can misuse or modify source code.
A.10.1.1 Yes We have a policy to encrypt information – both when it is stored and when it is sent. This ensures that we protect critical information appropriately against spying.
A.10.1.2 Yes We have a policy on the use of cryptographic keys, because encrypted and authenticated information is only as secure as the storage and use of its keys.
A.11.1.1 Yes We have defined physical security zones at our company in which certain information security regulations apply. In this way, we ensure that security-critical information cannot be compromised on our premises.
A.11.1.2 Yes We ensure that our security zones are protected in such a way that it is not possible to simply enter them without authorization. In this way, we improve the security of the information and devices in the zones.
A.11.1.3 Yes We protect our offices, rooms and facilities so that no information worth protecting can be compromised here.
A.11.1.4 Yes We take care of adequate protection against natural disasters, malicious attacks and robberies so that we do not lose any information worth protecting due to these incidents.
A.11.1.5 Yes We have established procedures that apply to work in secure areas so that we do not unintentionally compromise the security of sensitive information here.
A.11.1.6 Yes We have defined access points to our premises and monitor them to ensure that no unauthorized persons can enter at these points and compromise information security.
A.11.2.1 Yes To ensure that important equipment and other operating resources do not fail, we make sure that they are set up safely.
A.11.2.2 Yes We design and protect utility lines (power, water, etc.) so that failures and leaks do not happen if at all possible, or if they do, that they do not then compromise the security of the information requiring protection.
A.11.2.3 Yes We protect data transmission lines to ensure that they are not interrupted or tapped, and thus that sensitive information is not compromised.
A.11.2.4 Yes To ensure that equipment that is important for information security does not fail, we ensure that it is professionally maintained in accordance with the scheduled intervals.
A.11.2.5 Yes Anyone who wants to remove devices or other assets from their intended locations must arrange this in advance. This ensures that we always know where important devices are and detect their loss early so that we can react.
A.11.2.6 Yes When devices are removed (and operated away from their actual location), we have rules that specify how they must be secured so that sensitive information processed with them is not compromised.
A.11.2.7 Yes We erase devices that contain storage media before we dispose of or recycle them. In this way, we ensure that no information requiring protection (including copyright protection) is stored on them.
A.11.2.8 Yes To prevent unauthorized persons from gaining access to unattended devices that are important for information security, we protect such devices in an appropriate manner when they are not being observed by employees: By locking them away, by locking them up, and by other appropriate measures.
A.11.2.9 Yes To ensure that sensitive information cannot be compromised among employees, we have a “clean desk policy”.
A.12.1.1 Yes If information security depends on operating procedures on devices or systems being followed precisely, then we document these operating procedures.
A.12.1.2 Yes We ensure that important processes, information systems or the like are not changed “just like that” because this can jeopardize information security.
A.12.1.3 Yes If the utilization of certain resources (systems, employees) are important for information security, we monitor them in order to identify trends towards overload at an early stage and to be able to counteract them.
A.12.1.4 Yes We deliberately separate development, staging and production systems so that changes to one cannot have unexpected consequences on the information security of the other.
A.12.2.1 Yes We implement anti-malware measures on all systems where reasonably possible to ensure that systems are hardened against malicious attacks and maintain information security.
A.12.3.1 Yes To ensure that important information is not lost, we have a backup policy for all information whose availability requires protection.
A.12.4.1 Yes In order to be able to evaluate, either in advance or forensically, which events affect our systems, we log all important events.
A.12.4.2 Yes The log information is in turn secured so that it cannot be falsified, deleted or disclosed, either consciously or unconsciously.
A.12.4.3 Yes The same applies to log information resulting from admin activities.
A.12.4.4 Yes In order to correctly use log information for analysis, we synchronize the clocks of all systems that generate log information.
A.12.5.1 Yes To ensure that critical information systems do not abruptly fail or fail to work as required, we make sure that new or modified software is not installed on them just like that.
A.12.6.1 Yes We obtain information about technical vulnerabilities in the systems we use so that we can remedy them quickly and prevent sensitive information from being compromised.
A.12.6.2 Yes An installation policy implemented on the software side and in the organization ensures that the risk of unknowingly installing malware is reduced.
A.12.7.1 Yes If our production systems are to be audited, we will ensure that this does not happen during peak business hours so that we can also ensure the availability of our systems for our customers during the audit.
A.13.1.1 Yes We design and manage the networks used by our systems so that they do not fail abruptly or cannot handle the expected traffic.
A.13.1.2 Yes We consider what network performance we need (both internally and externally) and ensure that it is available so as not to be surprised.
A.13.1.3 Yes We separate, where necessary, those networks in which our employees work and those networks in which our productive systems operate so that they cannot interfere with each other.
A.13.2.1 Yes To ensure that employees know how to protect which information when they transfer it, we have established transfer guidelines that can be referred to at any time.
A.13.2.2 Yes We enter into agreements with our partners on how critical business information is transferred so that it is adequately protected during transfer.
A.13.2.3 Yes We also secure sensitive information when we send it in electronic messages. We do this because the rapid exchange of information via messages/chats is important to us and is widely used – which is precisely why it needs to be secure.
A.13.2.4 Yes Our non-disclosure agreements are always up to date to ensure that we always keep what is important to us secret and up to date.
A.14.1.1 Yes We analyze what information security requirements we have for the systems we develop (or buy in) so that we can implement them.
A.14.1.2 Yes We protect our online systems so that they are safe from fraudulent attacks that cause us to be unable to honor our contracts with our customers.
A.14.1.3 Yes We protect all transactions that our customers make with our applications so that they remain complete, unaltered, authentic, and confidential.
A.14.2.1 Yes We have a software development policy and require everyone who develops software for us to apply it so that software is developed safely.
A.14.2.2 Yes We don’t change the systems we use to develop software or the software products we develop “just like that”, but only after thoroughly testing what we change – because we know that changes can also mean information security leaks. And we want to avoid that.
A.14.2.3 Yes When we update the operating systems used in development, we check that our development systems still function error-free afterwards – because we know that not being error-free can lead to information security leaks.
A.14.2.4 Yes We update software packages not “because we can”, but because we see the need. We test the new packages in advance.
A.14.2.5 Yes We have principles for the development of safe systems. We apply these to ensure that the systems we develop are also safe.
A.14.2.6 Yes Since security risks can also be introduced into developed systems via development environments, we ensure that we secure the development environments we use as well as possible.
A.14.2.7 Yes We outsource development activities to partners. We monitor these because we want to ensure that the systems developed there are as secure as we need them to be.
A.14.2.8 Yes We test all the safety functions of the systems we develop so that we are sure they work as intended.
A.14.2.9 Yes We also conduct acceptance tests for all systems we purchase or develop so that we can ensure that their security functions work not only in individual cases, but also in the overall context.
A.14.3.1 Yes Since we know that test data sometimes comes from production databases, we make sure that our test data is carefully protected.
A.15.1.1 Yes If our service providers need to access our organization’s assets, we regulate this in advance to ensure that no security gaps occur.
A.15.1.2 Yes We conclude contracts with all service providers relevant for information security that contain the obligations of the service providers with regard to information security.
A.15.1.3 Yes In the contracts, we include provisions relating to information security risks that occur or may occur at service providers because we want to avoid information security risks even if they occur at our service providers.
A.15.2.1 Yes We continuously check whether our service providers adhere to the information security regulations agreed with them so that we can be sure about this.
A.15.2.2 Yes Services provided by our suppliers may change: we keep this in mind so that we can adjust the information security arrangements in the case with our service providers.
A.16.1.1 Yes We have established a procedure that enables us to respond quickly and reliably to information security incidents. This is important to us in order to be able to clarify information security incidents quickly.
A.16.1.2 Yes We ensure that information security events and incidents are reported and handled as quickly as possible through the above procedures, as this ensures that we restore security as quickly as possible if it does become compromised.
A.16.1.3 Yes We encourage our employees and service providers to report information security incidents and events promptly so that we can address them quickly and effectively.
A.16.1.4 Yes We evaluate each information security event (i.e., any suspicion that the targeted information security has been compromised) to determine whether it is an incident (i.e., security has been demonstrably compromised) in order to respond adequately.
A.16.1.5 Yes We ensure that we respond adequately to identified information security incidents so that they are remediated as quickly as possible.
A.16.1.6 Yes We ensure that we specifically learn from previous information security incidents so that they do not occur again in the future, if possible.
A.16.1.7 Yes In the event of acute information security incidents, all employees and also service providers are required to collect evidence to facilitate the assessment of the incident or to be able to reconstruct it later.
A.17.1.1 Yes We have determined in which exceptional situations we want to maintain which level of information security so that we can communicate this to our interested parties and especially contractors and focus on maintaining the defined information security.
A.17.1.2 Yes We establish procedures to ensure information security in the defined exceptional situations so that we can respond when necessary.
A.17.1.3 Yes We test the above procedures to make sure they work when we need them to.
A.17.2.1 Yes We plan the infrastructure we need in such a redundant way that the risks arising from failure can be reduced to an acceptable level.
A.18.1.1 Yes We collect all legal, contractual and regulatory regulations applicable to us that relate to information security so that we know which requirements we need to meet from this perspective.
A.18.1.2 Yes We have procedures in place to ensure that we use copyrighted works as intended or in accordance with the contract.
A.18.1.3 Yes We store documents as required by applicable laws, contracts and other regulatory requirements, so that information security in this area is taken into account.
A.18.1.4 Yes We comply with the DSGVO with regard to personal data.
A.18.1.5 Yes We adhere to all legal cryptography regulations that apply to us – both minimum and maximum allowed cryptography, in order to be able to consistently ensure the legally compliant operation of our software products.
A.18.2.1 Yes We have our information security arrangements reviewed by independent external bodies (e.g., certification organizations) to ensure that we do not overlook anything important.
A.18.2.2 Yes We check internally whether all our employees also adhere to the specified regulations on information security so that they do not just pay lip service to them.
A.18.2.3 Yes We also review the information systems we use to ensure that they comply with all security policies so that information security leaks do not inadvertently occur here.

* Application: Yes, if the Annex A measure is applied. No, if not.
Reason for application or exclusion: The reason for which the measure is applied or not excluded.

Competition and antitrust law

We act in the market as an honest and conscientious competitor and affirm that we are committed to compliance with applicable competition and antitrust laws without restriction. We reject any collusion or agreement with other companies that is contrary to competition or antitrust law and has the purpose or effect of restricting or preventing competition.

Corruption and bribery

We do not accept corruption or bribery. Our business relationships are based exclusively on objective criteria. In addition to quality, reliability and fair prices, these include consideration of ecological and social standards as well as the principles of good corporate governance. We are also committed to complying with all major country-specific anti-bribery and anti-corruption laws and regulations.

Conflicts of interest

Within the scope of their employment, we expect all employees to be blameless and reliable. They act exclusively in the interest of our company. To avoid conflicts of interest, private or own economic interests are always separated from the economic interests of TEMA-Q GmbH. Even in personnel decisions or business relations with third parties, only objective criteria apply.

Handling company property and the property of business partners

All TEMA-Q employees must protect our company’s business assets, including all tangible and intangible assets. In addition to intellectual property, this includes all processes, products and designs developed by our employees and used at TEMA-Q. The business assets are to be used entirely for company purposes. Furthermore, we recognize the granted intellectual property rights of third parties.

Money laundering and trade controls

We do not tolerate in any way activities related to money laundering. We carefully verify the identity of customers, service providers, consultants and other third parties with whom we maintain or prepare business relationships.

Protection of information

We protect all company information as well as the information of our business partners and treat it confidentially. Confidential information is one of our most valuable assets. Company and business secrets must not be disclosed to third parties and certainly not made public. We regard information security as an indispensable prerequisite for the quality of our solutions. Information security and ensuring the protection goals of confidentiality, integrity and availability are very important for our solutions. We express this through our information security guideline.

Data protection

The preservation of informational self-determination and the protection of privacy as well as the security of data processing are indispensable concerns for us. We therefore take all necessary measures to ensure that the collection, processing and use of the personal data entrusted to our company is transparent, purposeful, traceable, careful and in compliance with the applicable statutory provisions of data protection law. We are committed to ensuring an appropriate standard of information processing security so that the confidentiality, integrity and verifiability of information worthy of protection are guaranteed and unauthorized use is prevented.

Financial reporting

TEMA-Q’s accounting and financial reporting is carried out in a proper, correct, timely, complete and transparent manner in accordance with the respective legal regulations and standards.

Communication

We apply the greatest possible care in our external presentation. We attach importance to clear and open communication. Inquiries about our company or products are answered by the employees responsible for them. In our external presentation, we maintain a business-oriented and polite tone.

Dealing with authorities and partners

We strive for and want to maintain an open and cooperative relationship with all responsible authorities. Information is provided in a complete, truthful, timely and understandable manner.

Health and occupational safety

The highest priority in the workplace for us is safety. We take care to ensure safe and hygienic working conditions that comply with the applicable legal requirements in the area of occupational health and safety. All employees should be aware of the applicable laws, regulations and internal company guidelines on occupational safety and health.

Working conditions and social standards

We comply with applicable labor laws. Compensation paid to employees must comply with all applicable laws on wages and salaries, including provisions on minimum wages, overtime, benefits established by law, working hours and paid vacation.

TEMA-Q’s employees contribute to the company’s success through their professional competence, experience, social skills and commitment. Therefore, the further development of our employees is very important to us. TEMA-Q implements various measures to ensure that employees support our company’s strategy and are enabled to work successfully for our company under changing conditions.

Diversity and the principle of equal treatment

TEMA-Q is committed to diversity and tolerance. Our goal is to achieve the highest level of productivity, innovation and efficiency. Discriminatory and harassing actions are not permitted in our company under any circumstances, for example on the basis of social or national origin, gender, ethnic origin, religion, age, illness or disability, sexual orientation, political conviction or other personal characteristics. Every individual is entitled to fair and respectful treatment.

Reconciliation of work and family

We strive to find an appropriate balance between the economic interests of our company and the private interests of our employees; after all, the resulting satisfaction and motivation of our employees contributes greatly to the success of the company. In this context, a basis of trust is indispensable for constructive and successful cooperation between employees and the company.

Human rights

Recognition of the applicable regulations for the protection of human rights is an indispensable component of our corporate responsibility. Every employee respects the dignity and personal rights of every other employee and colleague, as well as third parties with whom the company has a business relationship.

Commitment and contact person

The Code of Conduct we have drawn up is binding. All employees of TEMA-Q must comply with its requirements and principles. The obligation to comply with the Code of Conduct arises directly from the applicable laws, company regulations, company guidelines and obligations arising from the employment relationship.

Violations of the Code of Conduct may result in consequences under labor law. We also expect our suppliers and contractual partners to conduct themselves in accordance with the requirements set out in this Code.

Acknowledging our Code of Conduct as well as legal requirements and internal company guidelines is a fundamental part of TEMA-Q’s appearance as a credible and reliable partner.

You may become aware of matters that are inconsistent with our Code of Conduct. Raise your questions or concerns openly with your supervisor or management. You will receive the necessary support and you will not suffer any disadvantages! Any employee who in good faith asks for advice or points out misconduct complies with the rules of this Code of Conduct.