Privacy Policy

We appreciate your visit to this website and thank you for your interest in our services. NTH considers that the protection of personal data is of the utmost importance and treats them in the same way. This Policy is intended at providing it’s users with an outline of what personal data are collected via this website, how is such data processed and measures of their protection.

Data Controller

Data Controller: NTH AG.

Address: Hardturmstrasse 161, 8005 Zürich, Switzerland


As the Data Controller, we are obliged to inform you about the purposes of collection of your Personal data.

When using our website you are voluntarily sending us some of your Personal data for the purposes described below in this policy.

Data Protection related questions

For questions related to matters related to our processing of your data, you can reach us by e-mail at:

Why and on what basis we process your data

Visiting our website

We use third-party services such as Google Analytics when you visit in order to collect standard internet log information and details on visitor behavior patterns. We do this to find out information such as the number of visitors to various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of visitors to our website. We also use LinkedIn Analytics. For more information, please consult the relevant privacy notice.

When you browse our website, we automatically place necessary cookies on your browser. You can opt in to accept advertising or analytical cookies. The information we collect helps us maintain and improve our website and business. It usually includes your IP address, browser type, the pages you’ve visited and the order you visited them, as well as whether you’re a new or returning visitor. For more information please read our Cookie Policy.

Visiting our social networks

NTH uses certain social networks. Should you contact us through our social network accounts we shall keep and use your data in line with this Personal Data Protection Policy.

We are active on the following social networks:



Inquiries regarding business cooperation or the services we offer

When you are contacting us regarding our services we can use the following contact data:

  • Name (first name and surname)
  • E-mail address
  • Phone number

These could be used on basis of carrying out pre-contractual actions and concluding a contract as well as of our legitimate interest in order to develop further business relationship and possibly conclude an agreement. Your data shall be kept for three years since the day we receive your data. In case the Agreement is concluded between you and NTH, we are obliged by law to keep your data for eleven years since the day of last transaction between you and NTH.

Employment and internship applications

In case you want to work with us and decide to fill in the form on this website we will collect the following data:

  • Name (first name and surname)
  • E-mail address
  • Phone number
  • Your CV

These shall be collected based on the legitimate interest in order to conclude employment agreement. Your data shall be kept for two years since the day we receive them. Should the employment agreement be concluded your data will be kept as long as required by employment laws.

Who has access to your data

Only our authorized employees, solely for the purpose of performing their tasks, will have access to your data. We won’t deliver your data or allow access to your data to anyone unless stated otherwise in this Policy. Exception will be made in case if we receive a lawful request for data from the competent state body.

Where and how we keep your data

All data that we collect is kept in our internal infrastructure which is adequately protected from any risks for the data according to highest industry standards.

Your rights

Under the GDPR you have the following rights:

  • The right to be informed about the processing of your data;
  • The right of access to your data;
  • The right to rectification if the data is inaccurate;
  • The right to erasure of your data at any time, subject to regulations;
  • The right to restrict processing of your personal data;
  • The right to data portability;
  • The right to object to us regarding the data processing at any time;
  • The right to submit a complaint to us (by e-mail:
  1. Technical and organizational security measures
Control TargetMeasure
(1)    Access control

The following measures are used to prevent unauthorized people from having physical access to the server infrastructure for data processing, and in particular to legitimize authorized people.
• Data center locked off from generally accessible areas
• Access only for authorized employees (visits are generally not permitted)
• Access control system (biometric) with logging
• Alarm system/locking system with code lock
• 24-hour security services with linked alarm system
• Video surveillance (exterior, doors and aisles)
• Separately locked racks with the ability to use custom locks and keys
• Cleaning only by authorized employees
(2) Access Control (User Control)

It must be prevented that data processing systems can be used by unauthorized persons.
• Use of firewalls and intrusion detection systems.
• For administrative purposes (e.g. maintenance of the infrastructure and systems), only a small group of internal administrators can access the data processing sys-tems via SSH and web interfaces. Only encrypted communication channels are used for this purpose. The connection is established via VPN, TLS and LDAP.
• Authentication is always done with username and password (internal pass-word policy)
• The user identification must be carried out with personal login data. Sharing login credentials with another person is prohibited.
• Secure password management (use of central device administration software with encryption).
• For emergencies, system administrators can access the servers with root logins if the usual user authentication does not work properly. The use of the root login is logged.
(3) Access and Storage Control

It must be ensured that those authorized to use a data processing system can only access the data that is necessary to perform their tasks (need-to-know) and that is subject to their access authorization, and that customer data (including personal data) are processed, used and after the cannot be read, copied, changed or removed without authorization.
• Protection against unauthorized internal and external access through firewalls, use of authentication and encryption processes.
• Secure password assignment according to internal password policy. Depending on the system or application, compulsory regular password changes and automatic blocking.
• Privileged administrative access for administrative purposes is never given to clients/customers or external parties.
• External access rights to systems and applications are assigned as needed and exclusively to the data subject to their access authorization (creation of user profiles and assignment of user rights). These must be contractually agreed or at least be recorded in the service design (authorization concept).
• Authorizations are only assigned by the person responsible for the service/application, unless otherwise agreed in the authorization concept for the respective service/application. The number of administrators is always reduced to the “necessary”. The granting of additional access rights at the request of the client/customer must be made in writing.
• At the system level, all accesses are always logged by default. In the case of particularly sensitive data, if required by law or at the request of the client/customer, access is also logged at the application level (entry, modification and deletion, as well as calling up the data).
• Safe storage of data carriers
• Secure destruction of data carriers by destroying them
(4) Separation control

It must be ensured that data collected for different purposes can be processed separately.
• Physical separation of functional and expedient different systems, databases and data carriers.
• Defined processes where and how systems, services or applications are in-stalled, delivered and operated (authorization concept at company level)
• Separation of productive and test environment
• Functional and logical client separation
• Defining database rights
(5) Distribution control (disk control, transport control and disclosure control)

It must be ensured that customer data (including personal data) cannot be read, copied, changed or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it can be checked and determined at which points a transmission of Customer data (including personal data) is provided by data transmission facilities.
• The transmission of data always takes place with secure encryption. This applies in particular to personal data.
• Privileged actions for administrative purposes, e.g. to carry out migrations, can only be carried out via VPN. Only a small group of employees has VPN access with such authorizations.
• All privileged actions at system level are logged (activity log), logging can also be done at application level.
• Documents worthy of protection may only be sent in encrypted form (e.g. compressed by e-mail with password protection, whereby the password must be communicated separately via another channel).
(6) Input control and logging

It must be ensured that it can be subsequently checked and established whether and by whom customer data (including personal data) has been entered, changed or removed in data processing systems.
• Assignment of access rights for entering, changing and deleting data based on the authorization concept
• Logging of the entry, modification and deletion of data is always given at the system level (activity log), at the service/application level if prescribed/required or desired (application purpose and sensitivity of the data).
• Traceability of entering, changing and deleting data through individual user names
(7) Availability control and recovery

It must be ensured that customer data (including personal data) is protected against accidental or willful destruction or loss.
• Uninterruptible power supply (diesel generator and redundant UPS)
• Air conditioning in server rooms
• Devices for monitoring temperature and humidity in server rooms
• Protective power strips in server rooms (PDUs)
• Comprehensive fire protection with gas-assisted fire extinguishing (Inergen)
• Creation of a backup and recovery concept
• Mirroring of hard disks, e.g. RAID method
• Contingency plans that describe in detail error scenarios, precautionary measures and availability measurements
• Server rooms not under sanitary facilities
• Complete data center infrastructure and services are monitored
• Redundant infrastructure
(8) Order control

Measures are taken to ensure that personal data processed on behalf of the customer can only be processed in accordance with the instructions of the client.
• If, during maintenance work on the data processing systems, a possible change in personal data cannot be ruled out, NTH will inform the client about this maintenance window.
• Change and migration requests that contain personal data must be made in writing by the client.
• The data processing takes place in the data center of the NTH, unless the customer explicitly requests other locations (e.g. certain hosting providers).
• Ensuring the destruction of data after completion of the order
(9) Organizational and implementation control

Processes and workflows are defined for the processing of data, which effectively implement the data protection principles and security guarantees in order to meet the data protection requirements and to protect the rights of those affected.
• Regular training and sensitization of employees to the principles of data protection and IT security
• Duty of secrecy regarding trade and business secrets
• Proper and careful handling of data, files, data carriers and other documents
• Checking the implementation and effectiveness of the technical and organizational protective measures through controls and random samples
• Process for incident response management and documentation of security incidents in the ticket system
• Formalized process for processing re-quests for information from data subjects
• NTH guarantees that the provision of services takes place in compliance with data protection law

The technical and organizational measures are subject to technical progress and further development. In this respect, NTH can implement alternative, adequate measures, as long as the security level and the technical requirements in this data protection declaration are not undercut.