evenito security center

This Security Center provides you with resources documenting evenito’s continuous commitment to information security. We regularly monitor and assess our program and internal measures and strive to exceed compliance and regulatory requirements.


Technical Security
ISO 27001:2013 Certification

evenito is ISO 27001:2013 certified. Download the certificate.


At evenito we build on industry-leading infrastructure and host our software on the Google Cloud Platform. As our cloud provider, Google has the following certifications.

Cloud Compliance

Independent verification of security, privacy, and compliance. ISO/IEC 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, VPAT (WCAG, U.S. Section 508, EN 301 549) and FedRAMP certifications are available. Alignment with HIPAA, GDPR, and CCPA, FINMA is ensured. (Source)

Data Center Security

Layered security with custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics, and laser beam intrusion detection. Data centers  are monitored 24/7.

All data centers are located in Switzerland. evenito has a contractual agreement with Google Ireland Ltd and supports 100% data residency in Switzerland. (Source)

Server Security

Google cloud regulatory compliance with FINMA Circular 2018/3 Outsourcing, KWG §25b & MaRisk BAIT 9, Art. 274 EC Del Reg 2015/35, §38 VAG & BaFin orientation. (Source)

Network Security

All production network systems & devices are constantly monitored and administered by evenito. Access is restricted and two factor authentication is required.

Application Security

The software is developed according to the principles of safe software development.

Moreover, evenito supports 

  • Authentication through Google identity platform 
  • Adaptive web application firewall to block DDoS and Web attacks at scale
  • Role based access controls with clearly defined permission levels
Vulnerability Scanning

Constant network scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Moreover, at evenito we conduct:

  • Static code analysis through scanning the source code repositories for both our platform and mobile applications
  • Daily SSL certificate checks 
  • Weekly configuration scanning, activity monitoring, and reviewing against best practices
Penetration Tests

In addition to our extensive internal scanning and testing, each year evenito undergoes a third-party penetration test across the production application.

Software Development

Tenants are logically separated. Testing, staging and production are physically separated. Moreover, evenito assigns different roles in the development stage and reduces exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi) through inherent controls.

Organizational Security

evenito has agreed on technical and organisational measures to ensure data security (so-called "TOMs").

They can be downloaded here.

Security Awareness

Security policies covering security topics are made available to all employees and contractors. Employees attend security awareness trainings upon hire and regularly thereafter. Additional security awareness updates are provided during internal events & meetings. Moreover, there is a dedicated security team & internal audit and compliance specialists.

Incident Management

Incident management processes for security events that may affect the confidentiality, integrity, or availability of systems or data are in place & documented.

Supplier Risk Management

Security compliance as part of the engagement with evenito is required. A review process is implemented by our ISMS team for any proposed third-party supplier engagements.

Monitoring Management

Information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities are the focus of the monitoring program. Logs of users, administrators and system operators are reviewed regularly. Implemented methods to prevent, detect and eradicate malware are in place.


Data Privacy

All requirements of the GDPR are implemented. We also work together with a Data Protection Officer (DPO) in this matter. All uploaded client data is processed exclusively for the agreed purpose and is not used by the service provider for any other purpose.


evenito AG has been GDPR compliant since December 2020 and officially ISO 27001 certified since March 2022. We work with a Data Protection Officer (DPO) and Chief Information Security Officer (CISO). 

Our external DPO / CISO partner is Keyed. 

Nils Möllers
Keyed GmbH
Siemensstraße 12
48341 Altenberge, Westfalen
+49 (0) 2505 - 639797

Data retention

Data is retained in accordance with our Information Retention Policy. Data is backed up for up to 90 days. Users can delete all data, however it takes 90 days until it's fully deleted on all back-ups.

Data Security

Data is synchronised in real time. Backups are stored in two physical locations. In addition, physical backups of all data on the production system are made. The physical backups are encrypted (data at rest). The backups are tested every six months (twice a year) by attempting a full restore on a system separate from the test network (to avoid compromising the production data).

Encrypted Data

Data “in transit” between the facilities and “at rest” are encrypted by default. It is ensured that it can only be accessed by authorized roles. For example services with audited access to the encryption keys. evenito supports strong encryption protocols such as TLS/HTTPS to secure the connections.

Encryption standard: 256-bit Advanced Encryption Standard (AES-256) keys in Galois Counter Mode (GCM), padded with Cloud KMS-internal metadata.

Frequently asked questions (FAQ)

Client separation

Q: Are the different clients/customers securely separated from each other and is it ensured that there is no data exchange between data files of different clients?

A: Yes, role based access controls with clearly defined permission levels are implemented.

Security checks

Q: Are regular (at least annual), independent security audits carried out at the provider's premises with regard to information security (security audit, penetration test or similar) 

A: In addition to our extensive internal scanning and testing, each year evenito performs a third-party penetration test across the production application. Here you can find the executive summary of the last conducted penetration test.

Business Continuity

Q: Does a defined process for dealing with emergencies (business continuity, service continuity) exist at the provider and is the process tested regularly (at least annually) by the provider or independent third parties?

A: Yes. We have an Incident Management ("Incident Policy") and an Emergency Handbook. Further information can also be found in our ISMS Policy.

Employee awareness training

Q: Is the staff regularly trained and/or sensitised with regard to information security?

A: Regular training sessions on information security are held by our CISO and an internal awareness software.


Q: Are third-party companies, subcontractors etc. used for the provision of services, for development, operation or support?

A: Yes, all subprocessors are listed in the Data Processing Agreement. A supplier, IT or service provider is only considered after an internal security assessment has been carried out.

Data Location

Q: Where are the data and IT systems of the cloud application located? 

A: All data is securely located in Switzerland. This also complies with the requirements of the GDPR

Release Management

Q: How often is a release made available?

A: Approx. every 1-2 weeks. Customers are notified via email & knowledge base.


Q: Does an Information security management system (ISMS) exist and is it thoroughly practiced?

A: Yes, the ISMS has been implemented in January 2021. evenito is ISO 27001:2013 certified since March 2022.


Q: Is Single Sign On (SSO) supported?

A: We support SSO through SAML v2

Do you have more questions?

We can provide additional resources on request.

Contact us