Documentation (Records, Policies, Procedures, etc.)
Record of Processing Activities
We maintain a record of processing activities containing all the information required under GDPR Article 30. The record is reviewed and updated as necessary at least once per year.
IT Security Policy
We have established and implemented an IT security policy that defines guidelines on physical security, risk assessments, access control, passwords, backups, etc. The policy is approved by management.
Data Protection Policy
We have established and implemented a data protection policy that defines principles for processing personal data, data subjects' rights, security measures, the use of data processors, handling of data breaches, etc. The policy is approved by management.
Risk Assessment
We have prepared a GDPR risk assessment that lists risk scenarios related to the processing of personal data. The risk score for each scenario is based on a likelihood and impact assessment, and mitigating measures have been implemented where the original score was too high.
Data Subject Rights
We have established and implemented a procedure that clearly outlines what to do in the event of a request for access, deletion, etc., including the deadlines that must be observed.
If we receive a request as a data processor, our procedure is to forward it to the appropriate data controller, who must then handle the request according to the law and their internal procedure.
Personal Data Breaches
We have established and implemented a procedure that clearly outlines what to do in the event of a personal data breach. It includes how the breach is handled depending on the risk level, including potential notification to the Data Protection Authority and affected individuals.
The procedure also covers incidents where we are acting as a data processor. In such cases, we ensure the relevant data controllers are notified in accordance with the data processing agreement.
Privacy Policy
We have developed and published a privacy policy that complies with GDPR Article 13. It includes information on processing activities, legal basis, purposes, types of data, retention periods, and data subject rights. The privacy policy is available on our website.
Data Processors
Data Processing Agreements
Whenever we engage a new data processor, we ensure a data processing agreement is in place that meets all GDPR requirements listed in Article 28 of the Regulation.
Register of Data Processors
We maintain a register in our GDPR system listing the data processors we use. This includes the relevant data processing agreements, information about the types of personal data processed, and the schedule for the next audit.
Monitoring
We continuously monitor the security and compliance levels of our data processors. We follow the Danish Data Protection Authority’s guidelines, using methods such as obtaining audit reports or verifying continued compliance with the processing agreement. The audit frequency is determined based on risk levels.
Third Country Transfers
We are committed to ensuring that personal data is only processed within the EU, especially customer data.
For our use of Microsoft, we have configured data storage to remain within the Western Europe region. This region is part of Microsoft’s EU Data Boundary, which means Microsoft commits to storing and processing all customer data, diagnostic data, and support data from European customers strictly within the EU. This also applies to internal Microsoft support teams unless we explicitly approve access from other countries—which we never do without prior customer consent. We have implemented Microsoft’s Customer Lockbox functionality, which blocks any unsolicited access by Microsoft support personnel (e.g., from the US). Your data therefore remains within the EU/EEA. For good order’s sake, we want to mention that if you are a US-based customer, your data will be processed within the Microsoft datacenters that we are using in the United States. This only applies if your company is from the United States. If you are an EU-based customer, your data will be stored and processed within the EU/EEA.
Security Measures
Security Organization
Information security is anchored in management and supported by policies and procedures that assign responsibilities and describe behavioral requirements. Our overall security policy is approved by management and supported by sub-policies. Employees are informed of security requirements through educational materials.
Physical Security
Our office is part of a serviced office facility with strong security mechanisms. Access to the building requires interaction with a receptionist, and security gates with access cards control entry to our office. Employees are trained to lock their PCs and remain alert to suspicious behavior.
PCs and Macs are never left at the office unattended, and physical documents containing personal data are securely locked away in the extremely rare cases where they exist in paper form.
Access Control
We have implemented access control ensuring that only individuals with a work-related need have access to personal data. Access permissions are regularly reviewed to ensure they are correct and necessary.
We have procedures in place to comply with Section C.2.1 "Access Management and Authorization" in our data processing agreement.
Logging
We have implemented logging mechanisms to ensure that all access attempts to systems containing personal data are recorded. This includes administrator access, successful logins, and configuration changes. Log files are stored separately and protected against tampering. Logs are continuously reviewed to identify unauthorized access or abnormal behavior.
Remote Access
Remote access to the production environment, i.e., machines where the software is hosted in the Azure Data Center, is only available to a very limited number of employees and only from our internal network (via IP restriction). Access requires a system administrator to understand the need and explicitly grant such access.
Dedicated Databases
Our customers' data is stored in separate databases, and each customer's software instance runs in isolation from others. No software processes or databases process or store data from multiple customers simultaneously.
This architectural setup provides increased resilience against system failures and attacks, allows for more targeted access control, and eliminates the risk of data intermixing.
Network Segmentation
We maintain complete logical separation between development, test, and production environments. Only necessary users have access, and there is no direct traffic between environments. Access logs are regularly reviewed to ensure segmentation compliance.
Vulnerability Management
We regularly conduct vulnerability scans on both our applications and infrastructure. Vulnerabilities are handled according to a defined procedure, where remediation timelines depend on the criticality of the identified issue.
Internal Network Monitoring
Our monitoring tools detect abnormal activity such as brute-force attacks, scans, and unusual login patterns. Alerts are triggered in case of anomalies, and incidents are handled according to our incident response procedure. Monitoring data is logged and stored securely.
Antivirus and antimalware
We use up-to-date antivirus and antimalware solutions on all relevant devices to protect against threats such as viruses and ransomware. These systems update automatically and are continuously monitored.
Firewall
We use modern firewalls configured with a default-deny rule, meaning only explicitly allowed traffic is permitted. Rules are regularly reviewed to ensure they remain relevant and effective. Both network and application-level firewalls are in use.
Encryption
All outgoing communication involving personal data is encrypted. When transmitting confidential or sensitive personal data, we use at least TLS 1.2. In addition, all PCs and Macs are encrypted at the disk level to protect against theft, etc.
Passwords
We have a password policy requiring strong and unique passwords for all systems. The policy includes guidelines on minimum length (12+ characters), complexity, etc. These guidelines are regularly distributed to employees via awareness materials.
Multi-factor authentication (MFA)
We use MFA on all systems that are either business-critical or contain confidential information (e.g., related to our customers), as well as all systems containing confidential or sensitive personal data.
Training and awareness
Through our GDPR system, we regularly distribute materials to all employees to remind them of our guidelines on system updates, passwords, physical security, phishing awareness, etc.
Confidentiality and criminal records
All employees are bound by confidentiality during and after their employment with us.
We also collect criminal records for all individuals being hired for positions that may involve access to the production environment or joining senior management.
Backup
All our data is backed up once per day. Backups are stored with a secure provider and managed by an external IT expert hired for this purpose.
We test our ability to restore backups within appropriate timeframes. Data and configurations are continuously (in real-time) replicated to multiple servers, ensuring that at least three copies always exist.
Business Continuity
We have implemented a contingency plan to ensure continued operations during major incidents such as power outages or cyberattacks. The plan identifies critical systems and outlines procedures for recovery. Redundant infrastructure components are in place to support high availability, and the plan is regularly tested.
- In which case is Fischer & Kerrn considered a data processor?
- We provide both software that runs in your own environment (on-premise) and software hosted as a cloud-based solution in our environment.
When you use our software as a cloud-based solution, we set up a dedicated operational environment and a separate database for you. From that point, we act as a data processor on your behalf, as defined in Article 4(8) of the General Data Protection Regulation (GDPR).
For your reference, our solutions named ACTIVESIGNATURE and BUSINESSMAIL are only available as on-premise installations, while CONCIERGE BOOKING SOFTWARE can be delivered either as a cloud or on-premise solution.
- Where can we find Fischer & Kerrn’s Data Processing Agreement (DPA)?
- Our Data Processing Agreement is available in both Danish and English through our Legal Hub: https://fischerkerrn.com/resources/legal-hub/
- Can we make changes to the Data Processing Agreement?
- We fully understand the desire to adapt the contractual framework. However, we serve approximately 500 customers, and it is absolutely essential that we maintain a clear and manageable set of obligations.
If Customer A wants data breach notifications within 24 hours, Customer B wants specific security measures, and Customer C wants 60 days to assess sub-processors, it quickly becomes impossible for us to manage our responsibilities effectively. Clarity is central to maintaining a responsible security and compliance program.
Therefore, we have created a DPA that strikes the best possible balance between your and our interests. Our DPA is based on the Danish Data Protection Authority’s (Datatilsynet’s) standard template and does not include hidden fees for assistance, unreasonable deadlines, or other unfair terms.
Naturally, we allow changes to company and contact details in the agreement, but beyond that, we do not alter the substantive provisions, as both legal requirements and mutual interests are sufficiently addressed in the contract already.
- Why is Fischer & Kerrn not a data processor when delivering on-premise solutions?
- When our solution is installed and operated within your own IT environment (on-premise), we have no access to personal data, no control over processing, and no authority over how the data is handled. You, as the data controller, are fully responsible for managing and controlling the processing through our software.
Our role is limited to delivering and, where applicable, supporting the software — without access to the data processed in the system. We are, however, aware that our support role may require confidentiality, and therefore we have made our Confidentiality Agreement available here: LINK.
You are very welcome to sign the agreement and send it to us for countersignature if you are using our on-premise solutions.
- Where is your cloud-based solution — and therefore our data — physically hosted?
- Our cloud-based solution is hosted in Microsoft Azure’s data centers in the Western Europe region, specifically meaning that all customer data is physically stored in data centers located in the Netherlands and Ireland.
- What have you done to ensure that data hosted with Microsoft does not leave the EU/EEA?
- As mentioned above, we have configured our data storage to remain within the Western Europe region. This region is part of Microsoft’s EU Data Boundary, which means Microsoft commits to storing and processing all customer data, diagnostic data, and support data from European customers strictly within the EU.
This also applies to internal Microsoft support teams, unless we explicitly approve access from other countries — which we never do without your prior consent. We have implemented Microsoft’s Customer Lockbox functionality, which blocks any unsolicited access by Microsoft support personnel (e.g., from the US). Your data therefore remains within the EU/EEA.
- How do you address potential data disclosure under the US Cloud Act?
- We are fully aware that the US Cloud Act could, in rare cases, be used to require data disclosures from companies like Microsoft to US authorities.
However, there are two key aspects that reassure us:
  - Microsoft has historically demonstrated the strongest track record among major cloud providers in legally challenging data disclosure requests.
  - The European Commission, as part of the ratification of the EU-U.S. Data Privacy Framework, has deemed the level of data protection in the US adequate.
While we consider such disclosures extremely unlikely, any such event would, in principle, involve authorities in a country assessed by the EU as providing adequate data protection.
- What steps have you considered if the EU-U.S. Data Privacy Framework is invalidated due to changing US policies?
- We are closely monitoring the geopolitical landscape and have already outlined potential initiatives that could be deployed if the EU were to invalidate the Data Privacy Framework.
Currently, all data stored in Microsoft’s environment is encrypted using robust encryption mechanisms. One of the potential steps we are considering is to store the encryption keys outside the Azure environment, such as in a Hardware Security Module (HSM) or with another provider. This would effectively block Microsoft’s access to data in clear text.
Another potential measure could be migrating to an alternative cloud provider based within the EU and not owned by a US parent company. We have identified a strong alternative provider, but Microsoft’s security capabilities remain among the very best. They are certified under a wide range of standards, including ISO/IEC 27001, 27018, SOC 1–3, and the EU Cloud Code of Conduct, and offer a comprehensive and mature security infrastructure. Our goal is to maintain the highest possible operational security for our customers, which is why we are cautious about switching to smaller providers without strong justification.
- Does Fischer & Kerrn provide ISAE 3000 or 3402 audit reports annually?
- No, we do not obtain ISAE 3000 or 3402 audit reports.
The reason is that our solution — meeting and room booking software — involves relatively limited volumes of personal data, and the sensitivity of that data is typically quite low (basic contact details, etc.). Based on the risk level, it is therefore not necessary for you, as a data controller, to monitor our compliance level through audit reports; you can conduct monitoring through other means.
As such, we provide transparency regarding our security and compliance measures via our Compliance Board. Under the “Our Compliance” section, you will find descriptions of the technical, organizational, and legal measures we have implemented — including how we fulfill the requirements in our Data Processing Agreement.
- How should we, as data controllers, conduct monitoring of Fischer & Kerrn as a data processor?
- This process is outlined in Section C.7 of our Data Processing Agreement. We commit to providing an annual written status report on matters covered by the agreement.
Specifically, we publish all our relevant compliance efforts under the “Our Compliance” section of our Compliance Board.
By reviewing this information, you can verify that we are meeting our obligations under the Data Processing Agreement. As also stated in the agreement, you are welcome to submit follow-up questions based on the Compliance Board content.
You are also welcome to email us and request written confirmation that the listed measures are implemented as of today. We will confirm this in writing, thereby providing you with formal documentation of compliance. In other words, you will have carried out appropriate oversight of us as a data processor in accordance with “Concept 3” in the Danish Data Protection Authority’s guidance on data processor oversight.
- Can we send a data processor oversight questionnaire to Fischer & Kerrn?
- We have a clear policy of not responding to oversight questionnaires, for two main reasons:
Firstly, we have approximately 500 customers, and responding to individual questionnaires would consume significant resources that would otherwise be used for product development, operations, and critical security and compliance work.
Secondly, you, as data controllers, can conduct sufficient oversight without sending questionnaires. As mentioned above, our Compliance Board provides full transparency into our security practices, and we offer written confirmations of our compliance with the DPA. Given the low-risk nature of our processing, this approach fully aligns with the Danish Data Protection Authority’s guidance and avoids unnecessary complexity for both parties.
- Who are Fischer & Kerrn’s sub-processors?
- Our sub-processors consist of only a small number of Microsoft-affiliated vendors who deliver highly technical solutions and tools, which handle data that is close to not being personally identifiable. These include CDN providers and similar services.
You can find Microsoft’s list of sub-processors here: https://www.microsoft.com/en-us/trust-center/privacy/data-access
- Does Fischer & Kerrn monitor its own data processors?
- Yes, we continuously monitor all of our data processors — including Microsoft.
The frequency and method of monitoring are based on the risk level each sub-processor represents. In Microsoft’s case, we collect their audit reports (typically SOC 2), which we review to determine whether any follow-up or adjustments are necessary.
- How do you handle requests from individuals to access or delete their data?
- We have a clear procedure for handling data subject rights.
If we receive a request while acting as a data processor, the request is promptly forwarded to the relevant data controller without undue delay.
If the request relates to data for which we are the data controller, we handle it in accordance with GDPR and our internal procedures.
- What does Fischer & Kerrn do in the event of a personal data breach?
- We have an established incident response procedure.
If a breach is identified, it is documented and assessed for scope and potential impact on affected individuals.
If the breach concerns processing where we act as a data processor on your behalf, we will notify you directly, regardless of the risk level. If we are the data controller, we will follow the GDPR rules regarding notifications to the supervisory authority and affected individuals, if required.
- Does Fischer & Kerrn process our personal data for their own purposes?
- No, Fischer & Kerrn does not process your personal data for its own purposes. We do not use any customer data – neither yours nor anyone else’s – for development, testing, marketing or any other internal objective. We strictly limit all data processing to what is necessary for providing our services in accordance with our agreement and applicable data protection laws.
In our data processing agreement, you may find a clause stating that “Personal data used for development, testing or the like is always in anonymized form.” This clause exists purely to make it clear that if – in exceptional and hypothetical scenarios – data is ever used in testing contexts, it would only be anonymized data, not personal data.
Anonymized data, by definition, cannot be used to identify individuals and is therefore not considered personal data under the GDPR. As such, we could in principle conduct testing based on such data, but as a matter of practice, we do not use it for development, testing or similar purposes.
Contact information
Company name: Fischer & Kerrn A/S
Company VAT number: DK24237087
GDPR inquiries contact person: info@fischerkerrn.com