ISO 27001 data centre
Hosting in a data centre certified to ISO/IEC 27001 in Frankfurt am Main, operated by Aixit. You can request the written confirmation on demand.
teamspace holds personal data and commercially sensitive figures: hours, fees, margins. We treat their protection as part of how we operate, not as a sales argument.
The key anchors
Hosting in a data centre certified to ISO/IEC 27001 in Frankfurt am Main, operated by Aixit. You can request the written confirmation on demand.
Processing under the GDPR, with a standard DPA per Art. 28. A set subject access workflow handles data subject requests.
Your data stays in two geo-redundant data centres in Frankfurt am Main. No subprocessors outside the EU are involved.
Origin
teamspace is built by 5 POINT AG, a stock corporation based in Darmstadt. We have developed the software ourselves since 1999 and we also operate it ourselves, with no outsourced teams and no corporate group behind us.
Hosting runs in an ISO-27001-certified data centre in Frankfurt am Main, operated by Aixit, across two geo-redundant sites. Your data is processed exclusively in the EU. Subprocessors outside the EU have no access.
Scope
The ISO/IEC 27001 certification applies to the data centre in Frankfurt am Main in which teamspace runs. It covers the information security management of the hosting operator.
5 POINT AG itself and the operation of teamspace are not certified to ISO 27001. That way you know exactly what you can rely on in an audit and what you cannot. We will send you a written confirmation of the ISO-27001 hosting on request.
In operation
All staff complete documented awareness training on information security.
In transit, teamspace encrypts via TLS in its current version. At the data centre, the storage volumes are encrypted with AES-256.
Access follows the need-to-know principle, role-based. Two-factor sign-in via TOTP or FIDO2 can be enforced per client.
Every entry and correction is recorded with editor, timestamp and reason. In GoBD mode it stays audit-proof for ten years.
teamspace backs up daily, with retention over 7 days, 4 weeks and 3 months. Restores are documented and rehearsed.
Data processing
Towards you, 5 POINT AG is the data processor within the meaning of Art. 28 GDPR. We attach the standard DPA to the contract, prepared for clients in the EU.
You can request the list of subprocessors for hosting, backup, mail and monitoring. When a data subject requests their data, a set subject access workflow runs within 30 days. When the contract ends, the deletion duty applies, with documented confirmation.
In a first call we go through your requirements point by point, from DPA preparation to the right evidence.
Encryption
On the way between browser and server, teamspace encrypts the transmission via TLS in its current version. Older methods are switched off.
At the data centre, the storage volumes are encrypted by the operator Aixit (AES-256). teamspace itself adds no further encryption at the application or database layer. This is expressly not end-to-end encryption where no one but you can read the data.
Traceability
Behind every entry and every correction in teamspace stand the editor, timestamp and reason. Who changed what and when stays traceable, without anyone having to keep a second log.
In GoBD mode, released invoices, cancellations and receipts can no longer be deleted. This mode is activated solely by 5 POINT AG, and the client cannot bypass it. So the ten-year audit-proof retention is enforced technically and is not a question of discipline. For a tax audit, you supply an audit export that shows the state at the cutoff date.
TOM per GDPR
The measures per Art. 32 GDPR, arranged by the four protection goals.
Data sovereignty
When the partnership ends, you get all client data back in a standard format, as JSON, CSV or, if needed, as an SQL dump. A grace period of 90 days remains for the migration.
After that we delete all data irrevocably and confirm it in writing. The backups are included once the last generation has been overwritten, usually after a further 30 to 90 days. There is no lock-in over your own data.
At a glance
Four numbers that come up again and again in the first call and in the audit.
Data centres
geo-redundant in Frankfurt am Main
Processing
exclusively, with no third-country transfer
GoBD retention
audit-proof in GoBD mode
Backups
days, weeks, months
AI and data protection
What you record in teamspace serves your business, not the training of AI. Client data does not flow into AI models, into ML methods or into cross-product analyses.
The same goes for the AI features we are working on: they support you within your own environment, without feeding your data into any model training. An anonymised, aggregated telemetry for performance measurement can be switched off on request.
For regulated requirements
Many of our customers have to meet requirements that their own clients set. An IT consultancy working for a bank, an engineering firm with public-sector contracts, an agency with an ISO-9001 obligation towards its end client: in all of these cases the questions are where the data sits, who has access and how long it is retained.
teamspace gives provable answers to these questions: hosting in Frankfurt, processing in the EU, a standard DPA, a complete audit trail and GoBD mode for audit-proof retention. If you have particular requirements from a BaFin, KRITIS or B3S context, we look together in the call at what teamspace covers and where you need additional measures. You will find the right evidence, from the DPA template to the ISO confirmation, in the download area or get it on request.
In a 15- to 30-minute call we clarify your compliance questions point by point, from DPA preparation to the right evidence.