evenito security center
evenito is ISO 27001:2013 certified. Download the certificate.
At evenito we build on industry-leading infrastructure and host our software on the Google Cloud Platform. As our cloud provider, Google has the following certifications.
Independent verification of security, privacy, and compliance. ISO/IEC 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, VPAT (WCAG, U.S. Section 508, EN 301 549) and FedRAMP certifications are available. Alignment with HIPAA, GDPR, and CCPA, FINMA is ensured. (Source)
Layered security with custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics, and laser beam intrusion detection. Data centers are monitored 24/7.
All data centers are located in Switzerland. evenito has a contractual agreement with Google Ireland Ltd and supports 100% data residency in Switzerland. (Source)
Google cloud regulatory compliance with FINMA Circular 2018/3 Outsourcing, KWG §25b & MaRisk BAIT 9, Art. 274 EC Del Reg 2015/35, §38 VAG & BaFin orientation. (Source)
All production network systems & devices are constantly monitored and administered by evenito. Access is restricted and two factor authentication is required.
The software is developed according to the principles of safe software development.
Moreover, evenito supports
- Authentication through Google identity platform
- Adaptive web application firewall to block DDoS and Web attacks at scale
- Role based access controls with clearly defined permission levels
Constant network scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Moreover, at evenito we conduct:
- Static code analysis through scanning the source code repositories for both our platform and mobile applications
- Daily SSL certificate checks
- Weekly configuration scanning, activity monitoring, and reviewing against best practices
In addition to our extensive internal scanning and testing, each year evenito undergoes a third-party penetration test across the production application.
Tenants are logically separated. Testing, staging and production are physically separated. Moreover, evenito assigns different roles in the development stage and reduces exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi) through inherent controls.
evenito has agreed on technical and organisational measures to ensure data security (so-called "TOMs").
They can be downloaded here.
Security policies covering security topics are made available to all employees and contractors. Employees attend security awareness trainings upon hire and regularly thereafter. Additional security awareness updates are provided during internal events & meetings. Moreover, there is a dedicated security team & internal audit and compliance specialists.
Incident management processes for security events that may affect the confidentiality, integrity, or availability of systems or data are in place & documented.
Security compliance as part of the engagement with evenito is required. A review process is implemented by our ISMS team for any proposed third-party supplier engagements.
Information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities are the focus of the monitoring program. Logs of users, administrators and system operators are reviewed regularly. Implemented methods to prevent, detect and eradicate malware are in place.
All requirements of the GDPR are implemented. We also work together with a Data Protection Officer (DPO) in this matter. All uploaded client data is processed exclusively for the agreed purpose and is not used by the service provider for any other purpose.
evenito AG has been GDPR compliant since December 2020 and officially ISO 27001 certified since March 2022. We work with a Data Protection Officer (DPO) and Chief Information Security Officer (CISO).
Our external DPO / CISO partner is Keyed.
48341 Altenberge, Westfalen
+49 (0) 2505 - 639797
Data is retained in accordance with our Information Retention Policy. Data is backed up for up to 90 days. Users can delete all data, however it takes 90 days until it's fully deleted on all back-ups.
Data is synchronised in real time. Backups are stored in two physical locations. In addition, physical backups of all data on the production system are made. The physical backups are encrypted (data at rest). The backups are tested every six months (twice a year) by attempting a full restore on a system separate from the test network (to avoid compromising the production data).
Data “in transit” between the facilities and “at rest” are encrypted by default. It is ensured that it can only be accessed by authorized roles. For example services with audited access to the encryption keys. evenito supports strong encryption protocols such as TLS/HTTPS to secure the connections.
Encryption standard: 256-bit Advanced Encryption Standard (AES-256) keys in Galois Counter Mode (GCM), padded with Cloud KMS-internal metadata.
Frequently asked questions (FAQ)
Q: Are the different clients/customers securely separated from each other and is it ensured that there is no data exchange between data files of different clients?
A: Yes, role based access controls with clearly defined permission levels are implemented.
Q: Are regular (at least annual), independent security audits carried out at the provider's premises with regard to information security (security audit, penetration test or similar)
A: In addition to our extensive internal scanning and testing, each year evenito performs a third-party penetration test across the production application. Here you can find the executive summary of the last conducted penetration test.
Q: Does a defined process for dealing with emergencies (business continuity, service continuity) exist at the provider and is the process tested regularly (at least annually) by the provider or independent third parties?
A: Yes. We have an Incident Management ("Incident Policy") and an Emergency Handbook. Further information can also be found in our ISMS Policy.
Q: Is the staff regularly trained and/or sensitised with regard to information security?
A: Regular training sessions on information security are held by our CISO and an internal awareness software.
Q: Are third-party companies, subcontractors etc. used for the provision of services, for development, operation or support?
A: Yes, all subprocessors are listed in the Data Processing Agreement. A supplier, IT or service provider is only considered after an internal security assessment has been carried out.
Q: Where are the data and IT systems of the cloud application located?
A: All data is securely located in Switzerland. This also complies with the requirements of the GDPR
Q: How often is a release made available?
A: Approx. every 1-2 weeks. Customers are notified via email & knowledge base.
Q: Does an Information security management system (ISMS) exist and is it thoroughly practiced?
A: Yes, the ISMS has been implemented in January 2021. evenito is ISO 27001:2013 certified since March 2022.
Q: Is Single Sign On (SSO) supported?
A: We support SSO through SAML v2