

Our History
TEMA-Q Technology and Management for Quality was founded in 1990 by a former quality manager in the automotive industry with only a handful of employees.
In the following years, TEMA-Q gained many new customers, grew steadily and moved into the spacious building of the historic Okermühle on the outskirts of Meinersen (NI). Today, approx. 80 employees work here. Besides the management and the project managers, these are primarily the interviewers of our own CATI studio, the data collectors, the coders, IT specialists and the accounting department. Trainees (e.g. training as a specialist for market and social research or as a specialist for office communication) are also part of our regular staff for the duration of their training and are usually taken on gladly after they qualify.
Since 2008, our data acquisition department has also been offering its services externally as TEMA-TEXT.
While the original focus was strongly on quality assurance in the automotive industry, we have long offered a wide range of innovative customer experience and market research solutions for numerous industries and have become specialists in customer experience management (CEM or CX for short).
In doing so, our aim remains to consistently align our processes to deliver descriptive and tangible actionable results.
At TEMA-Q, market research is not limited to the collection of mere facts and figures. With our experience reports in the original wording (Voice of Customer), we also uncover causes that are not apparent at first glance. Important KPIs can thus be worked out and your company can act in a customer- and success-oriented way.

Our Mission – our Vision
Knowing what customers want and what they think has never been more important. It is the basis for companies of all sizes and industries to make the right decisions for their business strategy.
Our Mission
We support companies worldwide in setting up, designing and operating innovative customer feedback systems. The basis is formed by experience reports that offer unique transparency, detail and authenticity. Coupled with our analysis methods, we provide our clients with a holistic picture. This enables each division of the company to react precisely and efficiently to the wishes and problems of its customers.
Our Vision
Our vision is to be the leading provider of intelligent customer feedback systems and to offer our clients worldwide the opportunity to become more successful and thus improve customer satisfaction, making their employees happier and thus the world a little bit better.

Our Quality Promise
The quality of our projects depends on the quality of our employees. The intensive telephone conversations with customers, in which we capture the Voice of Customer (VoC) in as much detail as possible, require sensitivity, excellent manners and a basic knowledge of the industries in which we work.
That’s why, from the very beginning, we at TEMA-Q have placed special emphasis on carefully training our new employees. They are intensively prepared for their tasks, and project support is always available to answer individual questions. Long-standing employees are also continuously trained and have extensive industry knowledge in the field of our studies, from which our customers benefit, especially in the area of study design.
It is important to us that continuous training is not limited to project management and control but covers all employees. In this way, our services always remain at the cutting edge of technology and methodology.
Our project management consists of a team with technical, business management, social science, natural science and marketing backgrounds. Our clients benefit from this interdisciplinary know-how, which we put together to suit each project.
After all, good market research also requires high-quality data collection. This can only be achieved with well-trained and reliable interviewers. Therefore, TEMA-Q works exclusively with well-trained and long-term employed interviewers.

Information Security and Compliance
We consider information security to be an indispensable prerequisite for the quality of our solutions. Much depends on the information security of our solutions. We express this through the following voluntary commitment:
- We are committed to complying with the specified information security regulations of stakeholders and legislators and to using the information provided by authorities and other organizations to continuously improve information security.
- We support all relevant executives in enforcing information security in their area of responsibility.
- We train all employees who perform activities in the area of information security in such a way that they can act safely and consciously in terms of information security.
- We create the necessary technical and organizational conditions that enable us to live information security.
- We want information security to be understood by all of us not as “annoying extra work”, but as important and essential for our customers. And we must, at all times – despite all the rules in this area – keep using our heads and not rely on the assumption that following the established rules is sufficient in every situation. If we are faced with the choice of making something really secure or following a rule, we prefer to make it really secure – and then adjust the rule if necessary.
- We want to get better and better in our information security.
Our Compliance Business Principles support us in acting responsibly, appropriately and in compliance with the law in our daily work and especially in critical situations.
For more information on information security and compliance at TEMA-Q, please see the links below:
1 Summary and purpose of the document
This document is the information security guideline of Technik und Management für Qualität GmbH, Hauptstraße 3, 38536 Meinersen – in short TEMA-Q GmbH.
It is binding for us, the employees of TEMA-Q GmbH, and describes:
- the context in which we operate as a company and how information security plays a role in this context
- which information security policy we pursue together
- which interested parties have which requirements for the information security we provide
- which information security objectives we therefore set as binding for ourselves
- what scope our information security management system (ISMS) covers – i.e., where and in which activities we comply with all information security regulations in a binding manner
- what roles and responsibilities we have for information security
- which regulations we have established to achieve our information security goals and meet the requirements of ISO 27001.
2 Context of the organization
The mission statement of TEMA-Q GmbH is:
We support companies worldwide in setting up, designing and operating innovative feedback systems. The basis is formed by experience reports that offer unique transparency, detail and authenticity. Coupled with our analysis processes, we provide our clients with a holistic picture.
The vision statement of TEMA-Q GmbH reads:
Our vision is to be the leading provider of intelligent feedback systems and to offer our customers worldwide the opportunity to become more successful and thus make their customers happier, their employees happier and thus the world a little bit better.
From our mission statement, we have the following external and internal context to consider:
- External topics: We offer feedback systems that our customers use to manage their internal processes. It is therefore fundamental that the feedback is collected reliably and to a high quality standard, also for international projects. The feedback is provided by TEMA-Q through various IT systems (internal / external), which must have a high security standard and availability due to the confidentiality and importance of the data. Special importance is also attached to the processing of personal data.
- Internal issues: The quality of our projects depends on the quality of our employees. We therefore attach particular importance to the careful induction and further training of our employees. They are intensively prepared for their tasks, and project support is always available to answer individual questions. Even long-term employees are continuously trained in all relevant topics in order to build up extensive technical and industry knowledge from which our customers benefit. The company language at TEMA-Q is German as a matter of principle; for non-German speaking employees, corresponding documents and training courses are offered in English on a role-based basis.
3 Information security policy
We regard information security as an indispensable prerequisite for the quality of our solutions. Much depends on the information security (confidentiality, integrity and availability) of our solutions. We express this through the following voluntary commitment:
- We are committed to complying with the specified information security regulations of stakeholders and legislators and to using the information provided by authorities and other organizations to continuously improve information security.
- We support all relevant executives in enforcing information security in their area of responsibility.
- We train all employees who perform activities in the area of information security in such a way that they can act safely and consciously in terms of information security.
- We create the necessary technical and organizational conditions that enable us to live information security.
- We want information security to be understood by all of us not as “annoying extra work”, but as important and essential for our customers. And we must, at all times – despite all the rules in this area – keep using our heads and not rely on the assumption that following the established rules is sufficient in every situation. If we are faced with the choice of making something really secure or following a rule, we prefer to make it really secure – and then adjust the rule if necessary.
- We want to get better and better in our information security!
We provide resources and an information security management system for the above.
3.1 How we improve our information security
We improve our information security with the following approach:
1. We plan for improvement by identifying and managing risks, corrective and preventive actions, and investigating incidents and events as planned.
2. We improve by implementing what we planned in step 1.
3. We verify that our improvements are doing what they are intended to do by reviewing the effectiveness of the measures we put in place, conducting internal audits, and measuring our information security targets.
4. We respond to the results of the checks and return to step 1 on this basis.
4 Interested parties
Based on our context, we have the following parties interested in information security:
Interested party | Expectations regarding confidentiality | Expectations regarding integrity | Expectations regarding availability |
--- | --- | --- | --- |
Companies / organizations that are our customers (external) | It is imperative that the results of our investigations and other data remain confidential. | For all areas, it is absolutely essential that all data is processed according to a defined procedure and that the processing steps are always 100% traceable. | The applications provided by us are used permanently. Downtime should be minimized. |
Customers of the companies / organizations (external) | The data contains sensitive personal data that must remain confidential. | The data may be processed only in accordance with the law. | Availability is important, but not system critical, as long as availability can be restored in a timely manner. |
Legislators / associations (external) | Compliance with all laws and regulations, in particular the observance of the confidentiality of personal data. | The relevant laws should be available in an up-to-date version. | The relevant laws must be available. |
Criminals / cybercriminals | Criminals or cybercriminals may attempt to access our information in order to harm TEMA-Q GmbH. To prevent this, internal information must be protected from unauthorized access. | Criminals or cybercriminals may attempt to access our information in order to harm TEMA-Q GmbH by manipulating data. To prevent information from being falsified or deleted, the information must be protected from unauthorized access and changes must be traceable. | Criminals or cybercriminals may attempt to disrupt the availability of our systems and thus harm TEMA-Q GmbH. To prevent this, the systems must be protected against unauthorized access and the availability of the systems must be ensured via appropriate solutions. |
Employees (internal) | Job security depends on keeping sensitive information confidential. | Job security depends on ensuring that sensitive information cannot be tampered with, as this can lead to reputational damage. | Job security depends on having the relevant systems and information available to a high degree. |
Management and shareholders | The continued existence of the company depends on keeping sensitive information confidential. | The continued existence of the company depends on ensuring that information worthy of protection is not falsified, as this can lead to significant reputational damage. | The continued existence of the company depends on all relevant systems and information being available to a high degree. |
5 Information security objectives
From the interests of our stakeholders, we derive the following information security objectives:
- Confidentiality: We strive to ensure that information processed in connection with our feedback systems is kept confidential and not disclosed to any unauthorized person.
  We measure this by the number of reported incidents in which information was disclosed to unauthorized persons.
  We aim for: 0 per year.
- Integrity: We strive to ensure that information processed in connection with our feedback systems is secure against unauthorized and unintentional modification or falsification.
  We measure this by the number of incidents, reported to us or detected in internal testing, in which information has been or could have been altered in an unauthorized manner.
  We aim for: 0 per year.
- Availability: For availability, we distinguish between internal and external availability.
  Internal: We aim to ensure that information systems relevant to the feedback systems have very high availability and that downtime is kept to a minimum.
  We measure this by whether we achieve an availability of at least 99.7% per year for the data and systems relevant to the customer feedback systems. Each individual outage should be shorter than 120 min.
  We aim for: 99.7% or 24 hours per year.
  External: We strive to ensure that the evaluated and analyzed survey data in our web tool is accessible to our customers at all times, as far as possible.
  We measure this by whether we achieve an availability of our web feedback system for our customers of 99.7% calculated over the year (365 days), with every single outage shorter than 120 min.
  We aim for: 99.7% or 24 hours per year.
6 Scope of application
The scope of our information security management system includes the planning, implementation, and provision of our feedback systems and market research projects with the associated data, tools, and services. These are described in more detail in our process landscape under “Core processes”.
To this end, we use both on-premises software and cloud solutions, in each case taking into account the best possible security and availability of the data.
The following types of information are considered “data”:
- Personal data of respondents
- Results / data from surveys and studies
- Confidential data from clients
- Concepts, methods of products and studies
- Company secrets
- Source code
6.1 Exclusions
Explicitly not within the scope of our information security management system:
- Information processing at our customers’ sites: We cannot guarantee this, as we cannot influence or monitor the technical and organizational measures there, which in turn are crucial for information security.
- Network availability at the customer’s site: We ensure high availability of the network connection “to the outside world” and safeguard this via technical and organizational measures. However, we cannot ensure the availability of networks at the customer’s site.
- Products and services that are not directly related to our feedback systems or market research projects.
7 Roles and responsibilities
Essential roles in the scope of our information security management system are:
Role | Name(s) | Responsibilities |
--- | --- | --- |
Management (top leadership) | Martin Plötz, Jürgen Mohr | Overall responsibility for information security; responsible for and owner of all information security risks |
Information Security Officer | Olaf Steinkirchinger | Responsible for the information security management system and for competence building in the field of information security; support and first point of contact for all questions regarding information security; external communication on all information security issues; reports to the management |
Project/Team Leader | Assigned on a project-by-project basis | Responsible for the information-secure processing of all project-relevant data |
All other roles and responsibilities result from the individual processes.
Summary and purpose of the document
This document sets out:
- which technical and organizational measures from ISO 27001 Annex A TEMA-Q implements (and why);
- which technical and organizational measures from ISO 27001 Annex A TEMA-Q does not implement (and why not).
The document is public and can be handed out to all interested parties (customers, auditors and other interested parties) if required. The information security officer will be happy to answer any questions.
Technical and organizational measures applied and not applied
In principle, TEMA-Q implements all measures from Annex A of ISO 27001, as they reduce information security risks. In the event that certain measures are also implemented for other reasons (e.g., for contractual reasons vis-à-vis customers or for legal reasons that apply in our industry or for intrinsic reasons), this is noted in the explanatory text and can be found there.
Measure from ISO 27001 Annex A | Application* | Reason for application or exclusion* |
A.5.1.1 | Yes | Role-specific guidelines enable effective interaction between all employees and external parties involved in ensuring information security. |
A.5.1.2 | Yes | Regular updates to the guides ensure that the latest developments and tasks are included and that the guides remain effective and appropriate. |
A.6.1.1 | Yes | Role assignments help us determine who has what responsibilities regarding information security measures in which situations. |
A.6.1.2 | Yes | We implement segregation of duties as far as possible to ensure that a system of mutual assurance is created for security-critical tasks. However, it ends where it leads to inflexibility and cannot be achieved with the existing staffing levels. |
A.6.1.3 | Yes | Contacts with relevant authorities provide us with early information on vulnerabilities, threats and legislative developments that could be relevant to information security. |
A.6.1.4 | Yes | Contacts with relevant interest groups provide us with early information on vulnerabilities, threats, and other developments that could be relevant to information security. |
A.6.1.5 | Yes | By looking at planned information security requirements in our projects, we are able to control and implement them in a targeted manner and at an early stage. |
A.6.2.1 | Yes | Mobile devices are an easy gateway for attacks and security vulnerabilities. That’s why we regulate how they can and cannot be used. |
A.6.2.2 | Yes | Similar to mobile devices, telework locations are not fully “controllable” and can be a gateway for attacks and security breaches. Therefore, we regulate how telework is carried out in order to create security. |
A.7.1.1 | Yes | We rely on only hiring people who are capable of meeting our security requirements. Therefore, we carefully review who we hire (or have work for us as freelancers). |
A.7.1.2 | Yes | Agreements on information security that employees must adhere to can only be reliably adhered to if all parties have insight into what has been agreed at all times. That’s why we rely on contractual arrangements here. |
A.7.2.1 | Yes | Information security is only taken seriously if the management stands behind it and demands compliance on a sustained basis. That’s why we hold management accountable. |
A.7.2.2 | Yes | To ensure that our employees are able to implement information security, we provide training in this area and develop each employee so that he or she can safely perform the tasks assigned to him or her with regard to information security. |
A.7.2.3 | Yes | If employees do not fulfill their information security duties, we care. We talk about it and point it out. This ensures that the importance of the issue is recognized. |
A.7.3.1 | Yes | Since we know that information security does not simply stop at the end of an employee’s employment, we ensure that we also regulate the obligations that continue beyond the end of the employment relationship. |
A.8.1.1 | Yes | Devices (and other assets) can only be operated securely if they are recorded in an inventory. |
A.8.1.2 | Yes | Securing devices (and other assets) is only possible if someone feels responsible for each asset. Therefore, we ensure this. |
A.8.1.3 | Yes | Securing devices (and other assets) is only possible if it is clear for each device which use is permissible – i.e. “safe”. Therefore, we ensure that assets are only used safely. |
A.8.1.4 | Yes | To ensure that equipment is not left unattended when the employee responsible for it leaves the company, there is a duty to return it in a regulated manner. |
A.8.2.1 | Yes | Different types of information are critical in different ways. Therefore, we have classified the types of information that require protection in our company. |
A.8.2.2 | Yes | So that it is quickly clear to everyone which information is classified and how, these are marked. |
A.8.2.3 | Yes | To ensure that devices (and other assets) are handled as intended (and improper use does not inadvertently compromise information security), there are rules for how all major devices may be used. |
A.8.3.1 | Yes | Removable data carriers can be lost quickly. Therefore, we have regulated how and under what conditions they may be used. |
A.8.3.2 | Yes | When data media are disposed of, critical information may still be stored on them. We have therefore regulated how to dispose of them safely. |
A.8.3.3 | Yes | When critical information is stored on transportable data carriers, the risk of it being compromised is higher than on non-transportable data carriers. That is why we have strictly regulated transport. |
A.9.1.1 | Yes | We have an access control policy that regulates who can access which devices and information and for what reason. This ensures that access to devices and information is not arbitrary. |
A.9.1.2 | Yes | We secure access to our networks so that information flowing in them is not compromised or the networks themselves cannot meet our availability requirements due to excessive load. |
A.9.2.1 | Yes | To ensure that users are created and deleted correctly and cleanly, we have a process by which we register or deregister users. |
A.9.2.2 | Yes | To ensure that registered users are granted rights correctly and cleanly, we have a process by which we grant and revoke rights to users. |
A.9.2.3 | Yes | To ensure that privileged access (admin accounts) does not intentionally or unintentionally compromise information security, we restrict such access to only those individuals who need it. |
A.9.2.4 | Yes | We allocate secret authentication information (passwords, etc.) via a regulated process to ensure that it remains secret during allocation. |
A.9.2.5 | Yes | All employees who are responsible for devices (and other assets) at our company regularly check whether the access rights granted are still necessary. This is how we ensure that unauthorized persons no longer have access. |
A.9.2.6 | Yes | When employees (or freelancers who work for us) change their job responsibilities or leave us, we adjust or delete their access rights so that they do not have unauthorized access to sensitive information. |
A.9.3.1 | Yes | We oblige all users to keep their access data secret so that unauthorized persons cannot use them and thus gain access to information worthy of protection. |
A.9.4.1 | Yes | In accordance with the need-to-know principle, we restrict access to information to those employees who need to have access to this information in order to perform their duties – all others are not granted access. In this way, we ensure as far as possible that no one who does not actually need access to information worthy of protection inadvertently or deliberately handles it in an insecure manner. |
A.9.4.2 | Yes | To ensure that secret authentication information is not compromised after it is entered into information systems, we use only secure login procedures in which authentication information is transported securely. |
A.9.4.3 | Yes | To prevent passwords from being guessed or spied out via brute force, we ensure that they are secure (long enough, complex enough) via system-side and organizational guidelines. |
A.9.4.4 | Yes | We restrict the use of privileged utilities (“Run as…”) as much as possible, because these programs can be a gateway for attacks if malware can suddenly work with admin privileges. |
A.9.4.5 | Yes | Our source code repository is also a system to which we only grant access in accordance with our access control policy, so that no unauthorized persons can misuse or modify source code. |
A.10.1.1 | Yes | We have a policy to encrypt information – both when it is stored and when it is sent. This ensures that we protect critical information appropriately against spying. |
A.10.1.2 | Yes | We have a policy on the use of cryptographic keys, because encrypted and authenticated information is only as secure as the storage and use of its keys. |
A.11.1.1 | Yes | We have defined physical security zones at our company in which certain information security regulations apply. In this way, we ensure that security-critical information cannot be compromised on our premises. |
A.11.1.2 | Yes | We ensure that our security zones are protected in such a way that it is not possible to simply enter them without authorization. In this way, we improve the security of the information and devices in the zones. |
A.11.1.3 | Yes | We protect our offices, rooms and facilities so that no information worth protecting can be compromised here. |
A.11.1.4 | Yes | We take care of adequate protection against natural disasters, malicious attacks and robberies so that we do not lose any information worth protecting due to these incidents. |
A.11.1.5 | Yes | We have established procedures that apply to work in secure areas so that we do not unintentionally compromise the security of sensitive information here. |
A.11.1.6 | Yes | We have defined access points to our premises and monitor them to ensure that no unauthorized persons can enter at these points and compromise information security. |
A.11.2.1 | Yes | To ensure that important equipment and other operating resources do not fail, we make sure that they are set up safely. |
A.11.2.2 | Yes | We design and protect utility lines (power, water, etc.) so that failures and leaks do not happen if at all possible, or if they do, that they do not then compromise the security of the information requiring protection. |
A.11.2.3 | Yes | We protect data transmission lines to ensure that they are not interrupted or tapped, and thus that sensitive information is not compromised. |
A.11.2.4 | Yes | To ensure that equipment that is important for information security does not fail, we ensure that it is professionally maintained in accordance with the scheduled intervals. |
A.11.2.5 | Yes | Anyone who wants to remove devices or other assets from their intended locations must arrange this in advance. This ensures that we always know where important devices are and detect their loss early so that we can react. |
A.11.2.6 | Yes | When devices are removed (and operated away from their actual location), we have rules that specify how they must be secured so that sensitive information processed with them is not compromised. |
A.11.2.7 | Yes | We erase devices that contain storage media before we dispose of or recycle them. In this way, we ensure that no information requiring protection (including copyright protection) is stored on them. |
A.11.2.8 | Yes | To prevent unauthorized persons from gaining access to unattended devices that are important for information security, we protect such devices in an appropriate manner when they are not being observed by employees: by locking them, by locking them away, and by other appropriate measures. |
A.11.2.9 | Yes | To ensure that sensitive information cannot be compromised among employees, we have a “clean desk policy”. |
A.12.1.1 | Yes | If information security depends on operating procedures on devices or systems being followed precisely, then we document these operating procedures. |
A.12.1.2 | Yes | We ensure that important processes, information systems or the like are not changed “just like that” because this can jeopardize information security. |
A.12.1.3 | Yes | If the utilization of certain resources (systems, employees) is important for information security, we monitor them in order to identify trends towards overload at an early stage and to be able to counteract them. |
A.12.1.4 | Yes | We deliberately separate development, staging and production systems so that changes to one cannot have unexpected consequences on the information security of the other. |
A.12.2.1 | Yes | We implement anti-malware measures on all systems where reasonably possible to ensure that systems are hardened against malicious attacks and maintain information security. |
A.12.3.1 | Yes | To ensure that important information is not lost, we have a backup policy for all information whose availability requires protection. |
A.12.4.1 | Yes | In order to be able to evaluate, either in advance or forensically, which events affect our systems, we log all important events. |
A.12.4.2 | Yes | The log information is in turn secured so that it cannot be falsified, deleted or disclosed, either consciously or unconsciously. |
A.12.4.3 | Yes | The same applies to log information resulting from admin activities. |
A.12.4.4 | Yes | In order to correctly use log information for analysis, we synchronize the clocks of all systems that generate log information. |
A.12.5.1 | Yes | To ensure that critical information systems do not abruptly fail or fail to work as required, we make sure that new or modified software is not installed on them just like that. |
A.12.6.1 | Yes | We obtain information about technical vulnerabilities in the systems we use so that we can remedy them quickly and prevent sensitive information from being compromised. |
A.12.6.2 | Yes | An installation policy implemented on the software side and in the organization ensures that the risk of unknowingly installing malware is reduced. |
A.12.7.1 | Yes | If our production systems are to be audited, we will ensure that this does not happen during peak business hours so that we can also ensure the availability of our systems for our customers during the audit. |
A.13.1.1 | Yes | We design and manage the networks used by our systems so that they do not fail abruptly or cannot handle the expected traffic. |
A.13.1.2 | Yes | We consider what network performance we need (both internally and externally) and ensure that it is available so as not to be surprised. |
A.13.1.3 | Yes | We separate, where necessary, those networks in which our employees work and those networks in which our productive systems operate so that they cannot interfere with each other. |
A.13.2.1 | Yes | To ensure that employees know how to protect which information when they transfer it, we have established transfer guidelines that can be referred to at any time. |
A.13.2.2 | Yes | We enter into agreements with our partners on how critical business information is transferred so that it is adequately protected during transfer. |
A.13.2.3 | Yes | We also secure sensitive information when we send it in electronic messages. We do this because the rapid exchange of information via messages/chats is important to us and is widely used – which is precisely why it needs to be secure. |
A.13.2.4 | Yes | Our non-disclosure agreements are always kept up to date to ensure that what is important to us stays confidential.
A.14.1.1 | Yes | We analyze what information security requirements we have for the systems we develop (or buy in) so that we can implement them. |
A.14.1.2 | Yes | We protect our online systems so that they are safe from fraudulent attacks that would prevent us from honoring our contracts with our customers.
A.14.1.3 | Yes | We protect all transactions that our customers make with our applications so that they remain complete, unaltered, authentic, and confidential. |
A.14.2.1 | Yes | We have a software development policy and require everyone who develops software for us to apply it so that software is developed safely. |
A.14.2.2 | Yes | We don’t change the systems we use to develop software or the software products we develop “just like that”, but only after thoroughly testing what we change – because we know that changes can also mean information security leaks. And we want to avoid that. |
A.14.2.3 | Yes | When we update the operating systems used in development, we check that our development systems still function error-free afterwards – because we know that not being error-free can lead to information security leaks. |
A.14.2.4 | Yes | We update software packages not “because we can”, but because we see the need. We test the new packages in advance. |
A.14.2.5 | Yes | We have principles for the development of secure systems. We apply these to ensure that the systems we develop are also secure.
A.14.2.6 | Yes | Since security risks can also be introduced into developed systems via development environments, we ensure that we secure the development environments we use as well as possible. |
A.14.2.7 | Yes | We outsource development activities to partners. We monitor these because we want to ensure that the systems developed there are as secure as we need them to be. |
A.14.2.8 | Yes | We test all the security functions of the systems we develop so that we are sure they work as intended.
A.14.2.9 | Yes | We also conduct acceptance tests for all systems we purchase or develop so that we can ensure that their security functions work not only in individual cases, but also in the overall context. |
A.14.3.1 | Yes | Since we know that test data sometimes comes from production databases, we make sure that our test data is carefully protected. |
A.15.1.1 | Yes | If our service providers need to access our organization’s assets, we regulate this in advance to ensure that no security gaps occur. |
A.15.1.2 | Yes | We conclude contracts with all service providers relevant for information security that contain the obligations of the service providers with regard to information security. |
A.15.1.3 | Yes | In the contracts, we include provisions relating to information security risks that occur or may occur at service providers because we want to avoid information security risks even if they occur at our service providers. |
A.15.2.1 | Yes | We continuously check whether our service providers adhere to the information security regulations agreed with them so that we can be sure about this. |
A.15.2.2 | Yes | Services provided by our suppliers may change: we keep this in mind so that we can adjust the information security arrangements with our service providers accordingly.
A.16.1.1 | Yes | We have established a procedure that enables us to respond quickly and reliably to information security incidents. This is important to us in order to be able to clarify information security incidents quickly. |
A.16.1.2 | Yes | We ensure that information security events and incidents are reported and handled as quickly as possible through the above procedures, as this ensures that we restore security as quickly as possible if it does become compromised. |
A.16.1.3 | Yes | We encourage our employees and service providers to report information security incidents and events promptly so that we can address them quickly and effectively. |
A.16.1.4 | Yes | We evaluate each information security event (i.e., any suspicion that the targeted information security has been compromised) to determine whether it is an incident (i.e., security has been demonstrably compromised) in order to respond adequately. |
A.16.1.5 | Yes | We ensure that we respond adequately to identified information security incidents so that they are remediated as quickly as possible. |
A.16.1.6 | Yes | We ensure that we specifically learn from previous information security incidents so that they do not occur again in the future, if possible. |
A.16.1.7 | Yes | In the event of acute information security incidents, employees and service providers alike are required to collect evidence to facilitate the assessment of the incident or to allow it to be reconstructed later.
A.17.1.1 | Yes | We have determined in which exceptional situations we want to maintain which level of information security so that we can communicate this to our interested parties and especially contractors and focus on maintaining the defined information security. |
A.17.1.2 | Yes | We establish procedures to ensure information security in the defined exceptional situations so that we can respond when necessary. |
A.17.1.3 | Yes | We test the above procedures to make sure they work when we need them to. |
A.17.2.1 | Yes | We plan the infrastructure we need in such a redundant way that the risks arising from failure can be reduced to an acceptable level. |
A.18.1.1 | Yes | We collect all legal, contractual and regulatory regulations applicable to us that relate to information security so that we know which requirements we need to meet from this perspective. |
A.18.1.2 | Yes | We have procedures in place to ensure that we use copyrighted works as intended or in accordance with the contract. |
A.18.1.3 | Yes | We store documents as required by applicable laws, contracts and other regulatory requirements, so that information security in this area is taken into account. |
A.18.1.4 | Yes | We comply with the DSGVO (GDPR) with regard to personal data.
A.18.1.5 | Yes | We adhere to all legal cryptography regulations that apply to us – both the minimum required and the maximum permitted strength of cryptography – in order to consistently ensure the legally compliant operation of our software products.
A.18.2.1 | Yes | We have our information security arrangements reviewed by independent external bodies (e.g., certification organizations) to ensure that we do not overlook anything important. |
A.18.2.2 | Yes | We check internally whether all our employees also adhere to the specified regulations on information security so that they do not just pay lip service to them. |
A.18.2.3 | Yes | We also review the information systems we use to ensure that they comply with all security policies so that information security leaks do not inadvertently occur here. |
* Application: Yes, if the Annex A measure is applied. No, if not.
Reason for application or exclusion: The reason for which the measure is applied or excluded.
Competition and antitrust law
We act in the market as an honest and conscientious competitor and affirm that we are committed to compliance with applicable competition and antitrust laws without restriction. We reject any collusion or agreement with other companies that is contrary to competition or antitrust law and has the purpose or effect of restricting or preventing competition.
Corruption and bribery
We do not accept corruption or bribery. Our business relationships are based exclusively on objective criteria. In addition to quality, reliability and fair prices, these include consideration of ecological and social standards as well as the principles of good corporate governance. We are also committed to complying with all major country-specific anti-bribery and anti-corruption laws and regulations.
Conflicts of interest
Within the scope of their employment, we expect all employees to be of good repute and reliable. They act exclusively in the interest of our company. To avoid conflicts of interest, private or personal economic interests are always kept separate from the economic interests of TEMA-Q GmbH. In personnel decisions and in business relations with third parties, too, only objective criteria apply.
Handling company property and the property of business partners
All TEMA-Q employees must protect our company’s business assets, including all tangible and intangible assets. In addition to intellectual property, this includes all processes, products and designs developed by our employees and used at TEMA-Q. The business assets are to be used entirely for company purposes. Furthermore, we recognize the granted intellectual property rights of third parties.
Money laundering and trade controls
We do not tolerate activities related to money laundering in any way. We carefully verify the identity of customers, service providers, consultants and other third parties with whom we maintain or are preparing business relationships.
Protection of information
We protect all company information as well as the information of our business partners and treat it confidentially. Confidential information is one of our most valuable assets. Company and business secrets must not be disclosed to third parties and certainly not made public. We regard information security as an indispensable prerequisite for the quality of our solutions. Information security and ensuring the protection goals of confidentiality, integrity and availability are very important for our solutions. We express this through our information security guideline.
Data protection
The preservation of informational self-determination and the protection of privacy as well as the security of data processing are indispensable concerns for us. We therefore take all necessary measures to ensure that the collection, processing and use of the personal data entrusted to our company is transparent, purposeful, traceable, careful and in compliance with the applicable statutory provisions of data protection law. We are committed to ensuring an appropriate standard of information processing security so that the confidentiality, integrity and verifiability of information worthy of protection are guaranteed and unauthorized use is prevented.
Financial reporting
TEMA-Q’s accounting and financial reporting is carried out in a proper, correct, timely, complete and transparent manner in accordance with the respective legal regulations and standards.
Communication
We apply the greatest possible care in our external presentation. We attach importance to clear and open communication. Inquiries about our company or products are answered by the employees responsible for them. In our external presentation, we maintain a business-oriented and polite tone.
Dealing with authorities and partners
We strive for and want to maintain an open and cooperative relationship with all responsible authorities. Information is provided in a complete, truthful, timely and understandable manner.
Health and occupational safety
Safety in the workplace is our highest priority. We take care to ensure safe and hygienic working conditions that comply with the applicable legal requirements in the area of occupational health and safety. All employees should be aware of the applicable laws, regulations and internal company guidelines on occupational safety and health.
Working conditions and social standards
We comply with applicable labor laws. Compensation paid to employees must comply with all applicable laws on wages and salaries, including provisions on minimum wages, overtime, benefits established by law, working hours and paid vacation.
TEMA-Q’s employees contribute to the company’s success through their professional competence, experience, social skills and commitment. Therefore, the further development of our employees is very important to us. TEMA-Q implements various measures to ensure that employees support our company’s strategy and are enabled to work successfully for our company under changing conditions.
Diversity and the principle of equal treatment
TEMA-Q is committed to diversity and tolerance. Our goal is to achieve the highest level of productivity, innovation and efficiency. Discriminatory and harassing actions are not permitted in our company under any circumstances, for example on the basis of social or national origin, gender, ethnic origin, religion, age, illness or disability, sexual orientation, political conviction or other personal characteristics. Every individual is entitled to fair and respectful treatment.
Reconciliation of work and family
We strive to find an appropriate balance between the economic interests of our company and the private interests of our employees; after all, the resulting satisfaction and motivation of our employees contributes greatly to the success of the company. In this context, a basis of trust is indispensable for constructive and successful cooperation between employees and the company.
Human rights
Recognition of the applicable regulations for the protection of human rights is an indispensable component of our corporate responsibility. Every employee respects the dignity and personal rights of every other employee and colleague, as well as third parties with whom the company has a business relationship.
Commitment and contact person
The Code of Conduct we have drawn up is binding. All employees of TEMA-Q must comply with its requirements and principles. The obligation to comply with the Code of Conduct arises directly from the applicable laws, company regulations, company guidelines and obligations arising from the employment relationship.
Violations of the Code of Conduct may result in consequences under labor law. We also expect our suppliers and contractual partners to conduct themselves in accordance with the requirements set out in this Code.
Acknowledging our Code of Conduct as well as legal requirements and internal company guidelines is a fundamental part of TEMA-Q’s appearance as a credible and reliable partner.
You may become aware of matters that are inconsistent with our Code of Conduct. Raise your questions or concerns openly with your supervisor or management. You will receive the necessary support and you will not suffer any disadvantages! Any employee who in good faith asks for advice or points out misconduct complies with the rules of this Code of Conduct.