Yes. 5F is designed and operated to be GDPR-compliant. We process personal data exclusively for specific purposes and, by default, apply a level of protection based on the requirements for persons subject to professional secrecy.

Yes. 5F was designed for professionals bound by confidentiality. Our employees and subprocessors are committed to confidentiality—particularly in accordance with § 203 StGB and professional regulations (including §§ 50a WPO, 62a StBerG, 43e BRAO).

For data protection matters, you can reach us at datenschutz@5fsoftware.de.

In addition, we have appointed an external data protection officer in accordance with Art. 37 GDPR:

Niklas Hanitsch
secjur GmbH
Falkensteiner Ufer 40
22587 Hamburg
Tel.: +49 40/80 90 81 146
E-mail: dsb@secjur.de

You can also contact the data protection officer directly if required.

Your data is processed and stored in ISO-certified data centers in Germany. Our operations are consistently geared towards data sovereignty, ensuring that your data does not leave Germany.

Yes. 5F is developed and maintained in-house in Germany. Development and support are based in Regensburg. Hosting and operations are provided by operators and data centers in Germany.

Data transmission between your web browser and 5F is encrypted via TLS. For compatibility reasons, TLS 1.2 is set as the minimum level, with AES-128 and SHA-256. If your browser supports it, TLS 1.3 with stronger methods such as AES-256 and SHA-384 is used. Stored data is encrypted (AES-256). If the security assessment of methods changes, we adjust the configuration immediately.

We rely on a multi-level approach consisting of technical and organizational measures to reduce the attack surface and minimize risks. These include:

• Frequent security updates and regular cloud releases
• Protection in the hosting environment, for example through firewalls and DoS detection
• Physical separation of application and data servers
• Backups to secure data
• Measures to protect user accounts and passwords
• Maintenance and care by internal employees, without external service providers

We would be happy to provide you with more information about our technical and organizational measures (TOMs) upon request.

No. 5F does not perform automatic virus scanning of files during upload. When downloading, the antivirus programs deployed in your environment can scan the files as usual. Additionally, certain file formats that could potentially contain malicious code are blocked during upload in 5F (e.g., .exe).

Yes. Administrators can enable mandatory 2FA for the entire organization. Once this setting is enabled, all users with access to the organization must set up 2FA and then use it each time they log in.

Depending on the configuration, SMS tokens and/or an authenticator app are available for selection.

Only people you add as users or participants in 5F and authorize accordingly can access content. Access control is managed through roles and permissions that you assign in the organization and project settings and can adjust at any time as needed.

5F features an integrated audit trail. It automatically logs activities within the platform in chronological order. The audit trail is accessible to authorized users, can be exported for archiving purposes, and cannot be modified retroactively. Full-text search and filter functions are available for evaluation.

Yes. In combination with the integrated DMS of our partner d.velop AG, audit-proof archiving of documents according to GoBD is possible (according to IDW PS 880).

For exporting your data, 5F provides standardized export functions. This allows authorized business users to download and save documents and content locally, either individually or collectively per workflow, as needed.

We would be happy to provide you with the usual documents for your review. These include in particular the DPA (including an overview of sub-processors) and information on the technical and organizational measures (TOMs). We provide a white paper on IT security in two versions: A general version is available to all users on the platform and can be shared or requested from us if required. A detailed, confidential version is available to licensees on request after signing a non-disclosure agreement.

On request, we can also provide you with evidence of certifications of our hosting and partner services, such as ISO certifications for Telekom/Open Telekom Cloud and d.velop.

If you discover a potential security vulnerability in 5F, please report it confidentially via email to sicherheit@5fsoftware.de. As IT enthusiasts, we appreciate constructive feedback from the security and developer community. We are aware that security research (white-hat hacking) can also lead to legal uncertainties. If you act fairly, do not access or alter third-party data, and do not impair our systems, you will not have to fear legal action from us. Please allow us a reasonable amount of time to fix the issue before publishing any details.

More information can be found at 5fsoftware.de/responsible-disclosure.