Help

Security and threat protection

How is my data protected against loss?

Our databases are backed up digitally every day, in encrypted form, on both internal servers and external analogue tapes. The data can be restored retroactively for up to six months.

How does the Gira S1 access my network?

The Gira S1 uses the Internet access of the network in which it is a participant and the DNS server to connect to the portal server.

When using the "Search links automatically" function in the Gira device portal, a search for devices in the Gira S1 network is triggered through SSDP.

Are operating systems and applications regularly updated?

Regular updates are carried out, including updates to individual packages in the event of security vulnerabilities. A standard package manager (APT) is used for operating system and software updates.

How are threats identified and eliminated?

Our monitoring system immediately triggers an alarm if our services fail. Special services notify us if security vulnerabilities are detected in third-party components we use. We also carry out regular checks for weaknesses using suitable tools.

How are the security and stability of portal services ensured?

In addition to our own tests, we subject the server system and the Gira S1 to a penetration test once a year by external, specialised testers. The results are evaluated and, if necessary, corresponding measures are derived and implemented.

Certification is also carried out regularly. This is currently done by the VDE.

This test is documented by the “Smart Home Safety Tested” special certificate.

How is login secured?

You need your user name and password to log in to both the Gira device portal and the S1 Windows client for the connection between the Gira S1 and the portal server.

The password must meet special complexity requirements, which are regularly updated. You can find the current requirements when assigning your password in the Gira device portal.

Two-factor authentication is not yet available at this time.

Data privacy

How is my data protected against misuse?

All data collection and storage is subject to the GDPR, the implementation of which is ensured by internal processes and responsible roles in the company.

Communication via our server is encrypted using the current versions of various protocols:

  1. TLS is used to call the Gira device portal in the browser. HTTPS is enforced here; no unsecured connections are possible.
  2. OpenSSL is used for the connection between the Gira S1 and the portal server.

Sensitive data such as access data is never saved as plain text and is also masked in log files. This means it cannot be traced by anyone, not even our employees.

Only selected employees can access our servers, databases and logs. Physical access to our server rooms and offices is secured and restricted to certain employees (depending on sensitivity).

What happens in the event of information security incidents?

In the event of an incident such as customer data theft as a result of security vulnerabilities in the components we use, we immediately notify our customers, the responsible authorities and other affected groups.

The security vulnerability will be closed or its impact minimised within 72 hours of the release of a patch or other action by the manufacturer.

Is there a programme for raising awareness of information security?

Yes, Gira raises awareness of data protection among its employees.

Are external analysis tools like Google Analytics used?

No external analysis tools are used in the Gira S1 or Gira TKS IP gateway areas.

Where are the portal servers located and are the data centre operators certified?

All of our servers are located in Germany. Our service providers are certified at least in accordance with ISO/IEC 27001 and ISO 9001.

Availability and failure safeguarding

How high is the availability of the portal services?

On average, our service availability is 99.9%. This does not include announced outages due to maintenance work. If there are unexpected, server-related outages, the server can be changed at any time within 15 minutes.

What happens in the event of a portal service outage?

If our servers unexpectedly fail (average availability is 99.9%), our standby service is automatically notified. This service will carry out a root cause analysis, troubleshooting, restoration of regular operation and customer support.

For prolonged outages, we will always notify our customers and, if necessary, other affected groups.

General information

How does the portal work? Which systems are involved and what do the data flows look like?

Information on this can be found in the Gira S1 manual and the data privacy statement.

Can the connection be made via a proxy server or is a direct Internet connection required?

To use our services, the Gira S1 must have a direct Internet connection.

Connection via a proxy server is not supported.
