We are committed to keeping our customers' and users' data safe and secure. Our servers are hosted in a secure data center and use the latest security practices to protect data. We follow standard industry best practices and never store passwords in plain format.
The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted however that, in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available. It’s acknowledged and agreed that this Security Policy and the technical and organisational measures described herein will be updated and amended from time to time, at our sole discretion. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described in this Security Policy in any material, detrimental way.
Data Center Security
We utilise third party data centres that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II or SOC 2 Attestation Reports. We will not utilise third party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations. Further details about the security used by our data centres can be found at Cloud Security at AWS and Security at Google Cloud.
Application Security and Access Control
Technical and organisational measures regarding the on-demand structure of the authorisation concept, data access rights and monitoring and recording of the same:
Measures regarding data access control are designed to ensure that data can be accessed only where an access authorisation exists, and that data cannot be read, copied, changed or deleted in an unauthorised manner during processing or after it has been saved.
Technical and organisational measures regarding the user ID and authentication: The aim of the system access control is to prevent unauthorised use of data processing systems that are used for the processing of Personal Data.
Access to the data necessary for the performance of a particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the "least privilege" and "need-to-know" principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person. To maintain data access control, state-of-the-art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data, based on risk.