Skip to main content
teamspace

Security and compliance: Made in Germany, hosted in Frankfurt.

teamspace holds personal data and commercially sensitive figures: hours, fees, margins. We treat their protection as part of how we operate, not as a sales argument.

The key anchors

Three anchors for security and compliance.

ISO 27001 data centre

Hosting in a data centre certified to ISO/IEC 27001 in Frankfurt am Main, operated by Aixit. You can request the written confirmation on demand.

GDPR and standard DPA

Processing under the GDPR, with a standard DPA per Art. 28. A set subject access workflow handles data subject requests.

Processing in the EU

Your data stays in two geo-redundant data centres in Frankfurt am Main. No subprocessors outside the EU are involved.

Origin

Developed in Darmstadt, operated in Frankfurt.

teamspace is built by 5 POINT AG, a stock corporation based in Darmstadt. We have developed the software ourselves since 1999 and we also operate it ourselves, with no outsourced teams and no corporate group behind us.

Hosting runs in an ISO-27001-certified data centre in Frankfurt am Main, operated by Aixit, across two geo-redundant sites. Your data is processed exclusively in the EU. Subprocessors outside the EU have no access.

Scope

ISO 27001 covers the data centre, not teamspace.

The ISO/IEC 27001 certification applies to the data centre in Frankfurt am Main in which teamspace runs. It covers the information security management of the hosting operator.

5 POINT AG itself and the operation of teamspace are not certified to ISO 27001. That way you know exactly what you can rely on in an audit and what you cannot. We will send you a written confirmation of the ISO-27001 hosting on request.

Request evidence

In operation

Security comes from day-to-day operation.

  1. 1

    Trained staff

    All staff complete documented awareness training on information security.

  2. 2

    Encryption

    In transit, teamspace encrypts via TLS in its current version. At the data centre, the storage volumes are encrypted with AES-256.

  3. 3

    Permissions and two-factor

    Access follows the need-to-know principle, role-based. Two-factor sign-in via TOTP or FIDO2 can be enforced per client.

  4. 4

    Audit trail and GoBD

    Every entry and correction is recorded with editor, timestamp and reason. In GoBD mode it stays audit-proof for ten years.

  5. 5

    Backups

    teamspace backs up daily, with retention over 7 days, 4 weeks and 3 months. Restores are documented and rehearsed.

Data processing

We attach the DPA to the contract.

Towards you, 5 POINT AG is the data processor within the meaning of Art. 28 GDPR. We attach the standard DPA to the contract, prepared for clients in the EU.

You can request the list of subprocessors for hosting, backup, mail and monitoring. When a data subject requests their data, a set subject access workflow runs within 30 days. When the contract ends, the deletion duty applies, with documented confirmation.

Bring your compliance requirements along.

In a first call we go through your requirements point by point, from DPA preparation to the right evidence.

Encryption

Encrypted in transit, encrypted at rest.

On the way between browser and server, teamspace encrypts the transmission via TLS in its current version. Older methods are switched off.

At the data centre, the storage volumes are encrypted by the operator Aixit (AES-256). teamspace itself adds no further encryption at the application or database layer. This is expressly not end-to-end encryption where no one but you can read the data.

Traceability

Every entry carries its history.

Behind every entry and every correction in teamspace stand the editor, timestamp and reason. Who changed what and when stays traceable, without anyone having to keep a second log.

In GoBD mode, released invoices, cancellations and receipts can no longer be deleted. This mode is activated solely by 5 POINT AG, and the client cannot bypass it. So the ten-year audit-proof retention is enforced technically and is not a question of discipline. For a tax audit, you supply an audit export that shows the state at the cutoff date.

TOM per GDPR

Technical and organisational measures

The measures per Art. 32 GDPR, arranged by the four protection goals.

Confidentiality

  • Pseudonymisation where possible
  • Storage volumes encrypted (AES-256) at the data centre
  • TLS in its current version in transit
  • Access control on need-to-know
  • Role-based permissions

Integrity

  • Audit trail for every data change
  • GoBD mode activatable, at least 10 years retention
  • Locking of released periods
  • Backups in two geo-redundant data centres in Frankfurt
  • Regular restore tests

Availability

  • Geo-redundant operation in two data centres in Frankfurt
  • DDoS protection at network and application layer
  • Daily backups, retention 7 days, 4 weeks, 3 months
  • Disaster recovery plan documented

Data processing

  • Standard DPA per Art. 28 GDPR
  • Subprocessor list on request
  • Subject access workflow within 30 days
  • Deletion duty on contract end
  • Data export in standard format

Data sovereignty

Your data belongs to you, even at the end.

When the partnership ends, you get all client data back in a standard format, as JSON, CSV or, if needed, as an SQL dump. A grace period of 90 days remains for the migration.

After that we delete all data irrevocably and confirm it in writing. The backups are included once the last generation has been overwritten, usually after a further 30 to 90 days. There is no lock-in over your own data.

At a glance

The key figures that make security measurable.

Four numbers that come up again and again in the first call and in the audit.

2

Data centres

geo-redundant in Frankfurt am Main

EU

Processing

exclusively, with no third-country transfer

10 yrs

GoBD retention

audit-proof in GoBD mode

7/4/3

Backups

days, weeks, months

AI and data protection

Your data does not train anyone else's models.

What you record in teamspace serves your business, not the training of AI. Client data does not flow into AI models, into ML methods or into cross-product analyses.

The same goes for the AI features we are working on: they support you within your own environment, without feeding your data into any model training. An anonymised, aggregated telemetry for performance measurement can be switched off on request.

More on integrations and AI

For regulated requirements

Security that holds up to the tax audit and the client audit.

Many of our customers have to meet requirements that their own clients set. An IT consultancy working for a bank, an engineering firm with public-sector contracts, an agency with an ISO-9001 obligation towards its end client: in all of these cases the questions are where the data sits, who has access and how long it is retained.

teamspace gives provable answers to these questions: hosting in Frankfurt, processing in the EU, a standard DPA, a complete audit trail and GoBD mode for audit-proof retention. If you have particular requirements from a BaFin, KRITIS or B3S context, we look together in the call at what teamspace covers and where you need additional measures. You will find the right evidence, from the DPA template to the ISO confirmation, in the download area or get it on request.

Frequently asked questions on security and compliance

Where is data stored?
Exclusively in certified data centres in Frankfurt am Main, in the EU. There is no data transfer to third countries (e.g. the USA) and no subprocessors outside the EU. The contracting party is 5 POINT AG, headquartered in Darmstadt.
How is the DPA structured?
We provide a standard DPA per Art. 28 GDPR, prepared for clients in the EU. On request we send the template; individual adjustments are possible after review.
Which certifications are in place?
The data centre in Frankfurt am Main is certified to ISO/IEC 27001. You can request a written confirmation from 5 POINT AG about this ISO-27001 hosting. 5 POINT AG itself is not certified.
What availability do you commit to?
teamspace runs geo-redundantly in two data centres in Frankfurt, and we strive for constant availability. We deliberately do not give a fixed percentage commitment, because we only commit to what also holds contractually. Premium customers have defined SLA response times.
Who has access to our data?
Inside 5 POINT AG the need-to-know principle applies. Customer success managers look after their clients, and tech support accesses data only with explicit approval and with an audit trail. Developers have no free access to production data.
How does data export work at contract end?
At contract end we export all client data in a standard format (JSON, CSV, optionally SQL dump). There is a 90-day grace period for migration. Afterwards all data is irrevocably deleted, with a deletion confirmation.
How does teamspace handle security incidents?
The incident response plan is documented. On suspicion of a data leak, we notify clients within the legal deadline of 72 hours. An internal forensics team and external specialist contracts are on call. Post-mortem reports are shared with the affected clients.
Which data is used for AI training or analytics?
Client data is expressly not used for AI training, ML models or cross-product analytics. The same goes for the AI features we are working on: they support you within your own environment, without your data feeding into the training of models. An anonymised, aggregated telemetry for performance measurement can be disabled on request.
How long is data retained?
Accounting-relevant data (hours, invoices, receipts) is kept for 10 years per GoBD. Personal data follows the GDPR retention obligations or the contractual agreement. Detail logs are held for 12 months and then anonymised.

Let us go through your requirements together.

In a 15- to 30-minute call we clarify your compliance questions point by point, from DPA preparation to the right evidence.