Security
5F was specifically developed for professionals subject to professional secrecy and meets the highest data protection and data security standards.
Contact
Security
sicherheit@5fsoftware.de
Data protection
datenschutz@5fsoftware.de
Yes. 5F is designed and operated to be GDPR-compliant. We process personal data exclusively for specific purposes and, by default, base the level of protection on the requirements of those subject to professional secrecy.
Yes. 5F was designed for persons obligated to professional secrecy. Our employees and subcontractors commit themselves to secrecy—in particular according to § 203 StGB as well as the professional regulations (including §§ 50a WPO, 62a StBerG, 43e BRAO).
For data protection matters, you can reach us at datenschutz@5fsoftware.de.
In addition, we have appointed an external data protection officer in accordance with Art. 37 GDPR:
Niklas Hanitsch
secjur GmbH
Falkensteiner Ufer 40
22587 Hamburg
Tel.: +49 40/80 90 81 146
E-mail: dsb@secjur.de
You can also contact the data protection officer directly if required.
Your data is processed and stored in ISO-certified data centers in Germany. Our operations are consistently geared towards data sovereignty, ensuring that your data does not leave Germany.
Yes. 5F is developed and maintained in-house in Germany. Development and support are located in Regensburg. Hosting and operation are carried out via operators and data centers in Germany.
Data transmission between your web browser and 5F is encrypted via TLS. For compatibility reasons, TLS 1.2 is the minimum supported version, with AES-128 and SHA-256. If your browser supports it, TLS 1.3 with stronger methods such as AES-256 and SHA-384 is used. Stored data is encrypted at rest (AES-256). If the security assessment of these methods changes, we will adjust the configuration immediately.
We rely on a multi-level approach consisting of technical and organizational measures to reduce the attack surface and minimize risks. These include:
- Frequent security updates and regular cloud releases
- Protection in the hosting environment, for example through firewalls and DoS detection
- Physical separation of application and data servers
- Backups to secure data
- Measures to protect user accounts and passwords
- Maintenance and care by internal employees, without external service providers
We would be happy to provide you with more information about our technical and organizational measures (TOMs) upon request.
No. 5F does not perform automatic virus scans of files upon upload. When downloading, the virus protection programs used in your environment can check the files as usual. In addition, certain file formats that may potentially contain malicious code are blocked in 5F during upload (e.g. .exe).
Yes. Administrators can enable mandatory 2FA for the entire organization. Once this setting is enabled, all users with access to the organization must set up 2FA and then use it each time they log in.
Depending on the configuration, SMS tokens and/or an authenticator app are available for selection.
Only individuals you add as users or participants in 5F and authorize accordingly can access content. Access control is managed through roles and permissions, which you assign in the organization and project settings and can adjust at any time as needed.
5F has an integrated audit trail. It automatically logs activities within the platform in chronological order. The audit trail is visible to authorized users, can be exported for archiving, and cannot be subsequently altered. A full-text search and filter functions are available for evaluation.
Yes. In combination with the integrated DMS of our partner d.velop AG, audit-proof archiving of documents according to GoBD is possible (according to IDW PS 880).
5F provides standardized export functions for exporting your data. This allows authorized business users to download and locally save documents and content individually or collectively per workflow, as required.
We would be happy to provide you with the usual documents for your review. These include in particular the DPA (including an overview of sub-processors) and information on the technical and organizational measures (TOMs). We provide a white paper on IT security in two versions: A general version is available to all users on the platform and can be shared or requested from us if required. A detailed, confidential version is available to licensees on request after signing a non-disclosure agreement.
On request, we can also provide you with evidence of certifications of our hosting and partner services, such as ISO certifications for Telekom/Open Telekom Cloud and d.velop.
If you discover a potential security vulnerability in 5F, please report it confidentially by email to sicherheit@5fsoftware.de. As IT enthusiasts, we appreciate constructive feedback from the security and developer community. We are aware that security research (white-hat hacking) can also trigger legal uncertainties. If you act fairly, do not view or modify third-party data, and do not impair our systems, you do not have to fear legal action by us. Please give us reasonable time to fix the vulnerability before publishing any details.
More information can be found at 5fsoftware.de/responsible-disclosure.







