Contact for questions regarding data protection

Please use this contact for all data protection issues. Individual instructions have to be sent in written form to this contact.

movisens GmbH
Augartenstraße 1
76137 Karlsruhe
Germany
+49 721 381344-0
privacy@movisens.com

Data protection officer

Michael Salbeck - IT Management
Jollystraße 29
76137 Karlsruhe
Germany

Technical and organizational measures (TOMs)

These technical and organizational measures are taken to adequately protect the client's data:

Pseudonymization and Encryption of Personal Data (Art. 32(1)(a) GDPR; Art. 25(1) GDPR)

Pseudonymization

Objective: Pseudonymization shall ensure that the identification of the data subject is excluded or significantly impeded.

Implementation by Client:

  • Separate storage of allocation data: movisens works exclusively with pseudonymized or anonymized data. Clients must take the necessary measures to ensure that study participants cannot be identified by movisens or third parties. In particular, personal data must be pseudonymized or anonymized before being transferred to the web portal. The allocation data that establishes a connection between the pseudonymized data and the actual identities remains exclusively with the client. (see Terms of Service TherapyDesigner § 5.6)

Ensuring the Confidentiality, Integrity, Availability and Resilience of Systems and Services in Connection with Processing (Art. 32(1)(b) GDPR)

Physical Access Control

Objective: The purpose of physical access control is to prevent unauthorized persons from gaining physical access to data processing systems that are used to process, use or store personal data.

Implementation by IONOS (see IONOS Cloud TOMs):

  • Alarm system: Use of an alarm system to monitor data centers and report unauthorized entry.

  • Control systems: Control systems monitor access to each data center and ensure that it is granted only to authorized persons.

Logical Access Control

Objective: Preventing unauthorized access to processing facilities used to carry out processing.

Implementation by movisens:

  • User authentication: Access to the system is exclusively via individual user accounts with username and password.

  • Automatic locking of inactive sessions: Inactive sessions are automatically logged out of the web interface after a defined period of time.

  • Management of subcontractor access credentials: All access credentials to subcontractors are stored exclusively in encrypted form.

Implementation by Client:

  • Client-side access management: The implementation of measures to control access permissions is the responsibility of the client.

Data Media Control

Objective: Prevention of unauthorized reading, copying, modification or deletion of data media.

Implementation by IONOS (see IONOS Cloud TOMs):

  • Secure destruction of data media: Physical data media (end of life or defective) are handled by a certified data destruction company and the complete lifecycle of a data medium is audited.

Data Access Control

Objective: Ensuring that persons authorized to use an automated processing system have access exclusively to the personal data covered by their access authorization.

Implementation by movisens:

  • Access restrictions at application level: At the application level, database queries are restricted to data with the corresponding access authorization.

  • Protection of personal data on mobile devices: Data on smartphones is stored in encrypted form, so that collected data remains inaccessible to unauthorized persons even if the device is lost. Furthermore, the transmission path from the smartphone to the server is additionally secured.

Implementation by Client:

  • Client-side disclosure management: The implementation of measures to control disclosure permissions is the responsibility of the client.

Input Control

Objective: Ensuring that it can be retrospectively verified and established which personal data have been entered into or modified in automated processing systems, at what time and by whom.

Implementation by movisens:

  • Traceable data collection: Data can be entered by dashboard users with appropriate access rights and app users. All changes to therapy variables are stored in a traceable manner together with the user ID of the respective editor.

Implementation by Client:

  • Client-side input control: The implementation of additional input control measures is the responsibility of the client.

Transport Control

Objective: Ensuring that the confidentiality and integrity of data are protected when personal data are transmitted and when data media are transported.

Implementation by movisens:

  • Encrypted data connection: Both the communication between the smartphone and the server and the communication between the server and the researcher's browser are encrypted using TLS.

  • Security control of certificates and encryption: The certificates and technologies used for encryption are regularly renewed.

Reliability

Objective: Ensuring that all functions of the system are available and that any malfunctions are reported.

Implementation by IONOS (see IONOS Cloud TOMs) and movisens:

  • Monitoring of relevant IT infrastructure: The relevant IT infrastructure (servers, networks) is continuously monitored to ensure that the systems are functioning properly.

  • Monitoring and management of system availability: Continuous monitoring of system availability, identification and handling of malfunctions.

Data Integrity

Objective: Ensuring that stored personal data cannot be damaged by system malfunctions.

Implementation by IONOS (see IONOS Cloud TOMs):

  • Resilient data storage: Storage of data on a resilient storage architecture.

Order Control

Objective: Ensuring that personal data processed on behalf of a controller can only be processed in accordance with the controller's instructions.

Implementation by movisens:

  • Review of security measures of processors: Before commissioning processors, it is evaluated whether the security measures implemented by the processor are sufficient for the client's requirements.

  • Conclusion of data processing agreements: Required data processing agreements (DPA) or EU standard contractual clauses are concluded with all processors.

  • Purpose-bound and instruction-based processing: Data processed on behalf of a controller is processed exclusively in accordance with the data processing agreement and the controller's instructions. Any further processing is solely the responsibility of the controller.

Availability Control

Objective: Ensuring that personal data are protected against destruction or loss.

Implementation by IONOS (see IONOS Cloud TOMs):

  • Physical protection of IT infrastructure: The protection of IT infrastructure is ensured through appropriate technical measures by the sub-service provider.

Separation

Objective: Ensuring that personal data collected for different purposes can be processed separately.

Implementation by movisens:

  • Separation of production and test systems: Production and test systems are separated to prevent test data or systems from accessing production data or systems.

  • Multi-tenancy capability: Data and configurations from different tenants can be separated to ensure that each tenant can only access their own data.

Rapid Restoration of Availability and Access to Personal Data in the Event of Physical or Technical Incidents (Art. 32(1)(c) GDPR)

Recoverability

Objective: The purpose of recoverability is to ensure that systems in use can be restored promptly in the event of a malfunction.

Implementation by movisens and Client:

  • Backup and recovery concept: Daily data backups are created. These are archived for 30 days. Additional data backups are the responsibility of the client.

Incident Management

Objective: The purpose of incident management is to systematically detect, evaluate, document and resolve security incidents.

Implementation by movisens and Client:

  • Notification of data subjects in case of data protection incidents: Notifying affected data subjects is the responsibility of the client. movisens ensures that the client is supported to the best of its ability in order to ensure compliance with data protection obligations.

Sub-processors

To provide the services based on TherapyDesigner, movisens engages sub-processors.

All sub-processors are certified in accordance with ISO 27001.

List of sub-processors engaged by movisens for the processing of personal data

Sub-processor: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur
  • Service: Cloud services
  • Website: cloud.ionos.de/compute
  • Component: TherapyDesigner Backend/Dashboard
  • Data subjects: Clinicians, researchers
  • Purpose: Operation of the TherapyDesigner platform
  • Categories of data: Email address, last name, first name, organization, configured studies, permissions

Sub-processor: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur
  • Service: Cloud services
  • Website: cloud.ionos.de/compute
  • Component: TherapyDesigner Backend/Dashboard
  • Data subjects: Patients/participants
  • Purpose: Operation of the TherapyDesigner platform
  • Categories of data: Data collected on the smartphone and information entered via the TherapyDesigner Dashboard: data relating to (physical and/or mental) health, diagnoses and symptoms, health data, further data entered by patients.

Sub-processor: IONOS SE, Elgendorfer Str. 57, 56410 Montabaur
  • Service: S3 storage
  • Website: cloud.ionos.de/compute
  • Component: TherapyDesigner Backend/Dashboard
  • Data subjects: Clinicians, researchers, patients/participants
  • Purpose: Backup
  • Categories of data: Encrypted backups

List of additional sub-processors (not used for personal data)

Sub-processor: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
  • Service: Sentry
  • Website: https://sentry.io
  • Component: TherapyDesigner Backend/Dashboard
  • Data subjects: Clinicians, researchers, patients/participants
  • Purpose: Storage and analysis of crash logs of the TherapyDesigner Backend/Dashboard
  • Categories of data: Stack traces and console logs; these may contain a participant ID (an internally generated UUID is used for this purpose)

Sub-processor: Functional Software, Inc. dba Sentry, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA
  • Service: Sentry
  • Website: https://sentry.io
  • Component: TherapyDesigner App
  • Data subjects: Patients/participants
  • Purpose: Storage and analysis of crash logs of the TherapyDesigner App
  • Categories of data: Stack traces and context logs, instance URL, study ID, participant ID (an internally generated UUID is used for this purpose), debug version yes/no; generally no further patient or study data

Handling of Push Notifications

Push notifications do not contain any personal data that directly identifies an individual. As part of the technical delivery process, a pseudonymized identifier is processed that does not allow the identity of a person to be determined. Push notifications serve solely to activate the smartphone and the TherapyDesigner app. Communication regarding content takes place only afterwards, directly between the TherapyDesigner app and the TherapyDesigner backend.

Sub-processor: Google LLC, 1600 Amphitheatre Parkway, Mountain View, California 94043, USA
  • Service: Firebase Cloud Messaging
  • Website: firebase.google.com
  • Component: TherapyDesigner Platform
  • Data subjects: Patients/participants
  • Purpose: Push notifications to patients/participants
  • Categories of data: Command, participantId (internal UUID), deviceToken

Sub-processor: Apple Inc, One Apple Park Way, Cupertino, CA 95014, USA
  • Service: Apple Push Notification Service
  • Website: developer.apple.com/notifications/
  • Component: TherapyDesigner Platform
  • Data subjects: Patients/participants
  • Purpose: Push notifications to patients/participants
  • Categories of data: Command, participantId (internal UUID), deviceToken

Change Log:

  • May 6, 2026:
    • Revision of technical and organizational measures
    • Update of technical and organizational measures of sub-processor IONOS SE
    • Information on backup archive retention updated to 30 days
  • September 29, 2022: Initial version