It is our goal to always offer our customers the best standards for data security and data protection. Therefore, we ensure at all times that the environment in which the Evermood services are hosted has at least the following audits and certifications:
We ensure that our organisation meets the criteria of SOC 2 at all times and have this regularly confirmed by an external audit. The current audit result is available for download here.
You can view our complete IT security concept here.
Security Officer at Evermood is:
So that you do not have to search for all the relevant legal resources individually, we have brought them together in a folder. In this folder you will find the following documents:
Our service data is hosted exclusively in Open Telekom Cloud data centers, which are certified under ISO 27001, PCI DSS (Service Provider Level 1), SOC 2 and further standards. You can find out more about compliance at Open Telekom Cloud here.
The servers and infrastructure of Open Telekom Cloud are equipped with backup power, HVAC systems and fire suppression systems, among other things, to protect the availability of your data. You can find out more about the security measures in the Open Telekom Cloud data centers here.
The on-site security of the Open Telekom Cloud data centers is guaranteed by security personnel, fencing, video surveillance, intrusion detection and further measures.
Location of data hosting
Evermood only uses Open Telekom Cloud data centers located in Magdeburg, Germany.
Our network is protected by Open Telekom Cloud’s security services, by integration with our Cloudflare-based edge protection, by regular audits and by network intelligence technologies that continuously monitor and block known malicious traffic patterns and network attacks.
Our network security architecture consists of several security zones. More sensitive systems, such as database servers, are located in the most trusted zone. Other systems are located in zones appropriate to their sensitivity depending on their function, information classification and risk. Depending on the zone, additional security monitoring and access controls are used.
Network vulnerability tests
Regular network security audits allow us to quickly identify non-compliant or potentially vulnerable systems.
Penetration testing by external experts
In addition to our comprehensive internal inspection and testing program, Evermood has external security experts conduct a comprehensive penetration test of our entire production and corporate networks every year.
Security Information and Event Management (SIEM)
We use a Security Information and Event Management (SIEM) system to collect comprehensive logs from key network devices and host systems. The SIEM raises alerts when configured triggers match specific events, so that we can initiate investigations and appropriate measures at an early stage.
To effectively provide our services, and to assess and solve any problems which might arise, some employees need access to the systems in which customer data is stored and processed. However, access to these systems is limited to the minimum number of employees necessary (need-to-know principle), each of whom holds only the minimum required access rights (principle of least privilege). Evermood employees are only permitted to access such data if it is strictly necessary for their immediate work. We have technical controls and audit guidelines in place to ensure that all access to customer data is logged. To access the production environment, employees must complete multi-factor authentication.
We log every sign-in of our employees and record the type of device used as well as the IP address of the connection.
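The sign-in logging and SIEM triggers described above can be illustrated with a small detection routine. The following is an added example, not Evermood's own SIEM rule or log format: the log line layout, the field names and the thresholds (five failures from one IP within 60 seconds, a successful sign-in from a device/IP pair the user has not used before) are assumptions chosen for illustration, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log (not real Evermood data). Each line records the
# result, the user, the source IP and the device type, as the text above describes.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z signin result=OK user=alice ip=203.0.113.5 device=macOS/Chrome
2024-05-01T10:00:05Z signin result=FAIL user=bob ip=198.51.100.7 device=Windows/Firefox
2024-05-01T10:00:09Z signin result=FAIL user=bob ip=198.51.100.7 device=Windows/Firefox
2024-05-01T10:00:13Z signin result=FAIL user=carol ip=198.51.100.7 device=Windows/Firefox
2024-05-01T10:00:17Z signin result=FAIL user=dave ip=198.51.100.7 device=Windows/Firefox
2024-05-01T10:00:21Z signin result=FAIL user=erin ip=198.51.100.7 device=Windows/Firefox
2024-05-01T10:00:25Z signin result=OK user=erin ip=198.51.100.7 device=Windows/Firefox
2024-05-01T10:05:00Z signin result=OK user=alice ip=203.0.113.5 device=macOS/Chrome
2024-05-01T10:06:00Z signin result=OK user=alice ip=192.0.2.44 device=Android/Chrome
"""

# Assumed line format; a real SIEM would parse its own source format instead.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) signin result=(?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) device=(?P<device>\S+)$"
)

FAIL_THRESHOLD = 5                 # assumed trigger: failures per source IP ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within this sliding window


def parse_line(line):
    """Return a dict for one sign-in event, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines):
    """Run three SIEM-style triggers over the lines and return the alerts raised, in order."""
    alerts = []
    fails_by_ip = defaultdict(deque)   # source IP -> timestamps of recent failures
    seen = defaultdict(set)            # user -> (ip, device) pairs used for successful sign-ins
    flagged_ips = set()                # IPs already alerted on, to avoid repeating the alert
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts, user = ev["ip"], ev["ts"], ev["user"]
        if ev["result"] == "FAIL":
            window = fails_by_ip[ip]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in flagged_ips:
                flagged_ips.add(ip)
                alerts.append(("BRUTE_FORCE", ip, f"{len(window)} failures within {FAIL_WINDOW.seconds}s"))
        else:
            # A success from an IP that was just brute-forcing is the event worth escalating.
            if ip in flagged_ips:
                alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, user))
            fingerprint = (ip, ev["device"])
            if seen[user] and fingerprint not in seen[user]:
                alerts.append(("NEW_DEVICE_OR_IP", user, f"{ip} {ev['device']}"))
            seen[user].add(fingerprint)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log this raises three alerts: a brute-force alert for 198.51.100.7 after the fifth failure, a follow-up alert when the same IP then signs in successfully as erin, and a new-device alert when alice signs in from an Android device and an IP she has not used before. The first alice sign-in raises nothing because there is no history to compare against yet; in practice that baseline would come from the SIEM's stored history rather than from the current batch.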
Password policy & two-factor authentication
Whenever possible, our employees are required to authenticate themselves using two-factor authentication. In addition, they are obliged to secure all passwords related to their activities for Evermood in the password manager provided by Evermood (1Password). To create or change passwords, employees will always use the above-mentioned password manager and comply with the recommendations of the BSI (German Federal Office for Information Security).
In addition to our sophisticated monitoring and logging system, we have introduced two-factor authentication for each server access throughout our production environment. Firewalls are configured in line with industry best practices.
Response to security incidents
In the event of a security alert, incidents are escalated to our Security Officer. The Security Officer is trained in reacting to security incidents and is familiar with the respective communication channels and escalation paths.
All Evermood services use current recommended protocols to encrypt data in transit. All communication with Evermood’s user interfaces and APIs over public networks is encrypted with HTTPS (TLS 1.2 or higher), so that traffic between you and Evermood cannot be read or altered on the way. We also use TLS for email by default: messages are delivered over TLS-encrypted connections between mail servers, which prevents eavesdropping in transit as long as the receiving mail server also supports TLS. Exceptions to encryption include, but are not limited to, the use of product-integrated SMS features and third-party applications, integrations or services that subscribers use at their own discretion.
Encryption of Data-at-Rest
All customer data is encrypted when at rest. In Open Telekom Cloud, data is secured using data-at-rest encryption (AES-256).
Evermood uses service clustering and network redundancy to eliminate single points of failure (SPOF). Customer data is stored redundantly at multiple locations in the data centers of our hosting provider. Customer data and our source code are backed up automatically every night. Our backup and disaster recovery programs replicate data across multiple availability zones to maintain high availability.
We have established a disaster recovery program to ensure that our services remain available or are easily recoverable in the event of a disaster. This is accomplished with a robust technical environment, disaster recovery plans and regular testing activities. We have proven data backup and recovery procedures in place to protect against data loss, even in the event of a major disaster. In the event of a system malfunction, the operational team is notified immediately.
At least once a year, our development team participates in a Secure Coding training course that covers topics such as common attack vectors and Evermood security procedures.
Framework security controls
Evermood uses modern, actively maintained open source frameworks whose built-in security controls reduce the risk of SQL injection (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF) as far as possible.
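To make concrete what the framework controls mentioned above actually do, here is an added example showing the vulnerable pattern next to the hardened one for each of the three classes. This is illustrative code, not Evermood's code base or the frameworks it uses; the table, the user names, the CSRF secret and the session identifier are all constructed for the example, and the CSRF scheme shown (an HMAC over the session identifier) is one common design, not necessarily the one Evermood's framework implements.

```python
import hashlib
import hmac
import html
import sqlite3


def make_db():
    """Constructed in-memory table with two users, used only for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- SQL injection: string building vs. parameterised query -------------------

def find_user_vulnerable(conn, name):
    # The user-supplied value becomes part of the SQL text, so quotes in it
    # change the query's structure.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Placeholders send the value separately from the statement; the database
    # never parses it as SQL. ORMs and query builders in modern frameworks do this by default.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- Cross-site scripting: raw interpolation vs. output encoding ---------------

def render_comment_vulnerable(text):
    return f"<p class=\"comment\">{text}</p>"


def render_comment_safe(text):
    # Template engines escape by default; this is the same transformation done by hand.
    return f"<p class=\"comment\">{html.escape(text, quote=True)}</p>"


# --- Cross-site request forgery: per-session token bound to the session -------

def issue_csrf_token(server_secret: bytes, session_id: str) -> str:
    # Token is an HMAC of the session id under a server-side secret (assumed design),
    # so a token from one session is worthless in another and cannot be forged.
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(server_secret: bytes, session_id: str, presented: str) -> bool:
    expected = issue_csrf_token(server_secret, session_id)
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))   # every row comes back
    print("safe:      ", find_user_safe(conn, payload))         # no user has that literal name
    print(render_comment_safe("<script>alert(1)</script>"))
    secret, sid = b"constructed-server-secret", "session-123"
    token = issue_csrf_token(secret, sid)
    print(verify_csrf_token(secret, sid, token), verify_csrf_token(secret, "session-999", token))
```

The injection payload returns both rows from the vulnerable query and none from the parameterised one; the script tag is rendered as inert text by the escaping renderer; and a CSRF token issued for one session fails verification against another. The point of "framework security controls" is that a well-chosen framework performs the safe variant of each of these by default, so a developer has to go out of their way to write the vulnerable form.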
Our Security Officer regularly reviews our code base to identify, test and prioritize security vulnerabilities. New features, functions and design changes are subjected to a security check as well. The Security Officer works closely with the development teams to address other security issues that arise during development.
Evermood’s testing and staging environments are physically and logically separated from the production environment. Customer data is used exclusively in the production environment.
We maintain extensive and centralized logging systems in our staging and production environments that contain information related to security, monitoring, availability, access and other metrics of our service offerings. These logs are analyzed for security events using automatic monitoring software under the supervision of the Security Officer.
We continuously perform automatic vulnerability scans of our staging and production hosts and correct any discovered problems that pose a risk to our environment. To this end, we use various third-party security tools.
Static code analysis
Before being released for production, our source code is always checked and tested with automated software for static analysis.
Penetration tests by external experts
Evermood has external security experts conduct detailed penetration tests on a regular basis.
To support the provision of our services, Evermood may involve and use external data processors with access to certain customer data. Before engaging an external subcontractor, we extensively review and assess their privacy, security and confidentiality practices. The following table lists all current sub-processors of Evermood:
Storage of credentials
Evermood follows current best practices for the secure storage of credentials. At no time do we store passwords in plaintext or in any reversible form. Instead, passwords are stored only as the output of a secure, salted, one-way hash function.
Evermood has developed broad and comprehensive security guidelines. All employees and sub-contractors who have access to our databases are aware of these guidelines and are obliged to comply with them.
All Evermood employees take part in security awareness training when they are hired and once a year thereafter. Our development team undergoes annual training on secure coding.
To the extent permitted by law, Evermood conducts a background check on all new employees. The background check includes a review of relevant criminal, educational and employment history. A similar assessment is also required for external contractors.
All newly hired employees of Evermood sign a confidentiality and non-disclosure agreement.