Data security is our top priority

We take data security very seriously and adhere to recognised security standards so that your data is protected at all times and without exception. Our security practices have been independently certified several times, and we aim to create trust through maximum transparency.
 
 

Compliance with security regulations

Compliance

It is our goal to always offer our customers the best standards for data security and data protection. Therefore, we ensure at all times that the environment in which the Evermood services are hosted has at least the following audits and certifications:

  • C5 (Federal Republic of Germany)
  • ASIP HDS (France)
  • G-Cloud (United Kingdom)
  • PCI DSS
  • ISO 9001
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • SOC 1
  • SOC 2
  • SOC 3

SOC 2 Type 2

We ensure that our organisation meets the criteria of SOC 2 at all times and have this regularly confirmed by an external audit. The current audit result is available for download here.

IT Security Concept

You can view our complete IT security concept here.

Security Officer

Security Officer at Evermood is:

Luiz Fonseca

security@evermood.com

So that you do not have to search for all the relevant legal resources individually, we have brought them together in a folder. In this folder you will find the following documents:

  • General Terms and Conditions
  • Data Processing Agreement
  • Technical and organisational measures in accordance with Art. 32 GDPR (Annex A of the DPA)
  • Data deletion concept (Annex B of the DPA)
  • Terms of use for users (Annex C of the DPA)
  • Diagram of the network architecture
  • Diagram of the anonymization process of requests
 
 
 

Download Folder

Cloud Security

Facilities

Our service data is hosted exclusively in Open Telekom Cloud data centers, which are certified under ISO 27001, PCI DSS Service Provider Level 1, SOC 2 and further standards. You can find out more about compliance at Open Telekom Cloud here.

The servers and infrastructure of Open Telekom Cloud are equipped with backup power, HVAC systems and fire suppression equipment, among other things, which protects the physical availability of the infrastructure on which your data is stored. You can find out more about the security measures in the Open Telekom Cloud data centers here.

On-site security

The on-site security of the Open Telekom Cloud data centers is guaranteed by security personnel, fencing, video surveillance, intrusion detection and further measures.

Location of data hosting

Evermood only uses Open Telekom Cloud data centers, which are located exclusively in Magdeburg, Germany.

Protection

Our network is protected by Open Telekom Cloud's comprehensive security services, by integration with our Cloudflare-based edge protection network, by regular audits and by network intelligence technologies that continuously monitor for and block known malicious traffic patterns and network attacks.

Architecture

Our network security architecture consists of several security zones. More sensitive systems, such as database servers, are located in the most trusted zone. Other systems are located in zones appropriate to their sensitivity depending on their function, information classification and risk. Depending on the zone, additional security monitoring and access controls are used.

Network vulnerability tests

Regular network security audits allow us to quickly identify non-compliant or potentially vulnerable systems.

Penetration testing by external experts

In addition to our comprehensive internal inspection and testing program, Evermood has external security experts conduct a comprehensive penetration test of our entire production and corporate networks every year.

Security Information and Event Management (SIEM)

We use a Security Information and Event Management (SIEM) system to collect comprehensive logs from key network devices and host systems. The SIEM raises alerts on configured triggers when specific events occur, which enables us to start investigations and take appropriate measures at an early stage.

Logical access

To effectively provide our services, and to assess and solve any problems which might arise, some employees need access to the systems in which customer data is stored and processed. However, access to these systems is limited to the minimum number of employees necessary (need-to-know principle), and each of these employees holds only the minimum access rights required for their tasks (principle of least privilege). Employees of Evermood are only permitted to access such data if it is absolutely necessary for their immediate work. We have technical controls and audit guidelines in place to ensure that all access to customer data is logged. To access the production environment, employees must authenticate with multiple factors.

Access logging

We log every sign-in of our employees and record the type of device used as well as the IP address of the connection.
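The SIEM section above says alerts are raised on configured triggers, and this section says every sign-in is logged with device type and source IP. The following is an added example, not Evermood's own code, configuration or log format, of the kind of rule a SIEM would run over such records: a sliding-window count of failed sign-ins per source IP that fires once a hypothetical threshold is crossed. The JSON line format, the field names, the threshold and window values and the sample records are all constructed for the example.

```python
"""SIEM-style alerting over sign-in records (added example, not Evermood's code).

Assumes one JSON object per line with the fields the page names (user, device
type, source IP) plus an outcome, and one hypothetical rule: alert when a
single source IP produces FAILURE_THRESHOLD failed sign-ins within
WINDOW_SECONDS.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone
import json

FAILURE_THRESHOLD = 5      # hypothetical tuning values, not from the page
WINDOW_SECONDS = 300

# Constructed sample log lines; not real Evermood logs.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:01Z", "user": "alice", "device": "macOS", "ip": "203.0.113.10", "result": "success"}
{"ts": "2024-05-01T08:01:00Z", "user": "bob", "device": "Windows", "ip": "198.51.100.7", "result": "failure"}
{"ts": "2024-05-01T08:01:05Z", "user": "bob", "device": "Windows", "ip": "198.51.100.7", "result": "failure"}
{"ts": "2024-05-01T08:01:09Z", "user": "carol", "device": "Windows", "ip": "198.51.100.7", "result": "failure"}
{"ts": "2024-05-01T08:01:14Z", "user": "dave", "device": "Windows", "ip": "198.51.100.7", "result": "failure"}
{"ts": "2024-05-01T08:01:20Z", "user": "erin", "device": "Windows", "ip": "198.51.100.7", "result": "failure"}
{"ts": "2024-05-01T08:09:00Z", "user": "frank", "device": "iOS", "ip": "192.0.2.44", "result": "failure"}
{"ts": "2024-05-01T09:30:00Z", "user": "frank", "device": "iOS", "ip": "192.0.2.44", "result": "failure"}
"""


def parse_line(line):
    """Parse one JSON log line; the timestamp becomes a timezone-aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failed sign-ins per source IP.

    Returns one alert per IP the first time it crosses the threshold. The alert
    lists the targeted user names so an analyst can tell credential stuffing
    (many users from one IP) apart from one user who forgot their password.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) for failures
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["result"] != "failure":
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["user"]))
        # Drop failures that fell out of the window before counting.
        while q and (rec["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({
                "ip": rec["ip"],
                "first_failure": q[0][0].isoformat(),
                "last_failure": rec["ts"].isoformat(),
                "users": sorted({u for _, u in q}),
                "count": len(q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the sample data, 198.51.100.7 produces five failures against four accounts in twenty seconds and triggers one alert; 192.0.2.44 produces two failures more than an hour apart and stays below the threshold, which is the difference a window makes compared with a plain counter.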

Password policy & two-factor authentication

Whenever possible, our employees are required to authenticate themselves using two-factor authentication. In addition, they are obliged to secure all passwords related to their activities for Evermood in the password manager provided by Evermood (1Password). To create or change passwords, employees will always use the above-mentioned password manager and comply with the recommendations of the BSI (German Federal Office for Information Security).

Network protection

In addition to our sophisticated monitoring and logging system, we have introduced two-factor authentication for each server access throughout our production environment. Firewalls are configured in line with industry best practices.

Response to security incidents

In the event of a security alert, incidents are escalated to our Security Officer. The Security Officer is trained in reacting to security incidents and is familiar with the respective communication channels and escalation paths.

Encryption of Data-in-Transit

All Evermood services support the currently recommended secure methods and protocols to encrypt all data in transit. All communication with Evermood's user interfaces and APIs over public networks is encrypted with industry-standard HTTPS/TLS (TLS 1.2 or higher), so traffic between you and Evermood cannot be read or altered on the way. Email is sent over TLS by default: Transport Layer Security (TLS) protects the connection between mail servers against eavesdropping, but only as long as the peer mail server also supports it (opportunistic encryption); it does not encrypt the message itself once it has been delivered. Exceptions to encryption include, but are not limited to, product-integrated SMS features and third-party applications, integrations or services that Subscribers use at their discretion.

Encryption of Data-at-Rest

All customer data is encrypted when at rest. In Open Telekom Cloud, data is secured using data-at-rest encryption (AES-256).

Redundancy

Evermood uses service clustering and network redundancy to eliminate single points of failure (SPOF). Customer data is stored redundantly at multiple locations within our hosting provider's data centers. Customer data and our source code are backed up automatically every night. Our backup and disaster recovery programs replicate data across multiple availability zones to keep the service available.

Disaster Recovery

We have established a disaster recovery program to ensure that our services remain available or are easily recoverable in the event of a disaster. This is accomplished with a robust technical environment, disaster recovery plans and regular testing activities. We have proven data backup and recovery procedures in place to protect against data loss, even in the event of a major disaster. In the event of a system malfunction, the operational team is notified immediately.

Security

Secure Code Training

At least once a year, our development team participates in a Secure Coding training course that covers topics such as common attack vectors and Evermood security procedures.

Framework security controls

Evermood uses modern, maintained open source frameworks whose built-in security controls (typically parameterised database queries, output encoding in templates and anti-CSRF tokens) reduce the risk of SQL Injection (SQLi), Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) as far as possible.
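Two of the controls such frameworks provide, shown side by side with the defect they prevent, as an added example that is not Evermood's code and says nothing about which framework Evermood uses: a bound query parameter instead of string concatenation (SQL injection), and output encoding of untrusted text before it is placed in HTML (cross-site scripting). The table, rows and attacker inputs are constructed for the example.

```python
"""Framework-level controls against SQLi and XSS (added example, not Evermood's code).

Each vulnerable function is paired with its hardened form; the hardened form is
what ORMs, query builders and auto-escaping template engines do underneath.
"""
import html
import sqlite3


def make_db():
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
    ])
    return conn


def find_user_vulnerable(conn, name):
    # Vulnerable: the input is spliced into the SQL text, so a crafted value
    # changes the meaning of the WHERE clause.
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Hardened: the value is bound as a parameter and is never parsed as SQL.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(display_name):
    # Vulnerable: untrusted text is concatenated into HTML unchanged, so a
    # <script> element in a display name executes in every viewer's browser.
    return f"<p>Hello, {display_name}!</p>"


def render_greeting_safe(display_name):
    # Hardened: HTML-significant characters are encoded, so the browser shows
    # the payload as text. Auto-escaping templates do this by default; the
    # risk returns wherever auto-escaping is switched off for a value.
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"          # classic tautology injection
    print(find_user_vulnerable(conn, payload))   # both rows leak
    print(find_user_safe(conn, payload))         # [] - no user by that name
    xss = "<script>alert(1)</script>"
    print(render_greeting_vulnerable(xss))
    print(render_greeting_safe(xss))
```

Running it shows the vulnerable query returning every row for the tautology input while the parameterised query returns nothing, and the escaped greeting turning the script tag into inert `&lt;script&gt;` text.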

Quality Assurance

Our Security Officer regularly reviews our code base to identify, test and prioritize security vulnerabilities. New features, functions and design changes are subjected to a security check as well. The Security Officer works closely with the development teams to address other security issues that arise during development.

Separate Environments

Evermood’s testing and staging environments are physically and logically separated from the production environment. Customer data is used exclusively in the production environment.

Logging

We maintain extensive and centralized logging systems in our staging and production environments that contain information related to security, monitoring, availability, access and other metrics of our service offerings. These logs are analyzed for security events using automatic monitoring software under the supervision of the Security Officer.

Dynamic vulnerability checks

We continuously perform automatic vulnerability scans of our staging and production hosts and correct any discovered problems that pose a risk to our environment. To this end, we use various third-party security tools.

Static code analysis

Before being released for production, our source code is always checked and tested with automated software for static analysis.

Penetration tests by external experts

Evermood has external security experts conduct detailed penetration tests on a regular basis.

Sub contractors

To support the provision of our services, Evermood may involve and use external data processors with access to certain customer data. Before engaging an external subcontractor, we extensively review and assess their privacy, security and confidentiality practices. The following table lists all current sub-processors of Evermood:

  • Open Telekom Cloud (Magdeburg, Germany)
  • Mailjet (Paris, France)

Storage of credentials

Evermood follows current best practice for the secure storage of credentials. At no time do we store passwords in a form that can be read by humans or reversed; instead, passwords are stored only as the output of a secure, salted, one-way hash function.
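The page does not name the hash function it uses. The following is an added example, not Evermood's code, of what "salted, one-way" should mean in practice: a deliberately slow, memory-hard key derivation function (scrypt from the Python standard library, chosen here as an assumption) with a fresh random salt per password, a self-describing stored record, and constant-time comparison on verification. A plain salted SHA-256 is salted and one-way too, but fast enough that a leaked table can be brute-forced at billions of guesses per second, which is the caveat a reviewer would raise against the sentence above. The cost parameters are illustrative.

```python
"""Salted one-way password storage with a slow KDF (added example, not Evermood's code)."""
import hashlib
import hmac
import os

# Illustrative cost parameters, not values from the page. Tune so that one
# derivation costs on the order of 100 ms on the authentication server.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password, salt=None):
    """Return a record of the form scrypt$N$r$p$salt_hex$digest_hex.

    Storing the parameters next to the digest lets the cost be raised later
    for new records without invalidating existing ones. A salt is generated
    per call; passing one explicitly is only for reproducible tests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh per-password salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                        # malformed record
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)                                                      # no plaintext inside
    print(verify_password("correct horse battery staple", rec))    # True
    print(verify_password("Tr0ub4dor&3", rec))                     # False
```

Two properties worth checking in any implementation: hashing the same password twice yields two different records (the salt is random, so identical passwords in the database are not linkable), and the stored record never contains the password in any recoverable form.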

Guidelines

Evermood has developed broad and comprehensive security guidelines. All employees and sub-contractors who have access to our databases are aware of these guidelines and are obliged to comply with them.

Trainings

All Evermood employees take part in security awareness training when they are hired and once a year thereafter. Our development team undergoes annual training on secure coding.

Background checks

To the extent permitted by law, Evermood conducts a background check on all new employees. The background check includes a review of relevant criminal, educational and employment history. A similar assessment is also required for external contractors.

Confidentiality agreements

All newly hired employees of Evermood sign a confidentiality and non-disclosure agreement.