Security & Data Protection
What about the protection and security of your data in Evalanche?
For us, one thing is for certain: Whoever says "marketing automation" also has to say "data protection"! Personal data – whether names, job positions, interests, contact histories or click behavior – are among the most valuable assets in your company. However, this information has economic value only if it is collected lawfully and processed and stored securely. Data subjects' data must always be handled respectfully and in compliance with applicable laws. In this respect, security and data privacy begin long before the use of our software.
We understand data privacy as a modern human right in a digital world. We help ensure that every company respects people's right to informational self-determination by reliably implementing data protection, data security and digital sovereignty. For us, digital sovereignty encompasses the self-determination as well as the competence of people and companies to use digitization purposefully for their own benefit.
To achieve this, we not only create the appropriate technological basis, but also foster an adequate understanding of the topics of data protection and data security by providing purposeful information. We also uphold the right of every individual to make decisions upon their own data, its disclosure and use. We firmly reject surveillance, exploitation, manipulation, lack of transparency and forced dependence on providers.
Our security concept for your data
Thanks to an end-to-end security architecture, Evalanche reliably protects your data against loss, theft, and misuse – at all levels and according to the highest security standards.
ISO 27001 Certificate for highest security standards
SC-Networks is TÜV-certified according to ISO/IEC 27001. The certification according to the internationally leading standard for information security management systems proves compliance with the highest IT security standards throughout the entire company. This enables us to demonstrate the security and quality of our IT systems and business processes to our customers and partners. Further certifications and memberships:
- The "IT Security made in Germany" certification confirms that our IT security solutions are trustworthy, developed exclusively in Germany, and that our company complies with German data protection law.
- Due to our DDV membership, we and Evalanche are bound by the code of honor for legally compliant permission marketing. We thus expressly distance ourselves from sending unsolicited advertising by email.
- Evalanche is certified by the Certified Senders Alliance (CSA) and thus a member of the CSA whitelist. This ensures high delivery rates of emailings.
- Through cooperation with Internet Service Providers (ISPs) and continuous blacklist monitoring, we protect ourselves against delivery blockages.
- Through continuous Robinson list matching, we prevent the receipt of unsolicited advertising via Evalanche.
Learn more about our certifications and memberships – from ISO 27001 to CSA to cloud services "made in Germany".
Security – the Centerpiece of Evalanche | SC-Networks
Compliance with certain technical and organizational measures serves to ensure data protection and data security as well as confidentiality, integrity and availability of the information processed in the company.
Partner and staff security
At the core of Evalanche's security architecture are reliable and trustworthy employees who are contractually obligated to comply with data protection and data security policies and receive regular training. An independent data protection and information security officer arranges for the documentation of the rules of use, monitors their application and compliance and all technical and organizational measures for data protection and information security.
We also carefully select our suppliers and check their suitability with regard to data protection and information security. Documented agreements guarantee the protection and confidentiality of our assets and data. Suppliers are therefore obliged to take appropriate technical and organizational measures. After termination of the supplier relationship, they are obliged to destroy the data and assets received from us. In addition, the obligation to maintain confidentiality applies indefinitely.
Crisis-Proof (Business Continuity Management)
As part of information security, the availability of systems is assessed and documented. An overarching emergency plan provides the framework for corresponding behavioral guidelines to be adhered to in selected, documented emergency scenarios. The emergency management system is complemented by continuously updated plans for exercising the implemented measures, together with documentation of the tests carried out. Multi-year service contracts including short (mission critical) response times have been agreed upon for all critical servers and storage systems.
All SC-Networks IT systems are also secured against external attacks. Thanks to regular checks, these security measures are always up to date. Internal company servers are installed in separate and secured server rooms. Only IT administrators have access to these rooms. Data on backup media is encrypted and the media is stored securely in a safe. Only management and IT administrators have access to the safe.
Data and information security is an integral part throughout the lifecycle of our systems. This includes the requirements for and security of information systems providing services over public networks. In addition, we have established a system change management process to ensure the integrity of the system, applications, and products from the early design phases through any subsequent maintenance.
When changes are made to operating platforms, we review and test business-critical applications to ensure there is no negative impact on business operations or organizational security. We have a managed process for analyzing, developing, and maintaining secure IT systems. Updates are regularly applied and released centrally. Approval processes and associated criteria are defined for new information systems, updates, and new versions.
We have defined comprehensive guidelines and instructions to ensure the proper and secure operation of information and data processing facilities. Data backups, which are automatically generated once a day, are stored in AES-256 encrypted form on servers in the data center as well as in a safe in a separate building. In our company, it is essential to separate development, test, and operational environments: data of customers and own data of SC-Networks GmbH are separated from each other by access control and additionally by different server hardware. Measures for detection, prevention, and recovery to protect against malware are regularly updated. If an audit review of our information systems needs to be carried out, we have defined steps that minimize disruptions to business processes as much as possible.
For us as a technology company, the security of our personal data and information stored in networks and network services is imperative. We have therefore documented procedures that manage, control, and secure our networks. As a matter of principle, data is transported via networks using encrypted connections. The establishment of data connections from unauthorized networks is prevented. Information services, users and information systems are kept separate as needed. We have developed and strictly apply policies and procedures for information and data transfer, as well as agreements for information transfer to external entities.
Equipment and Asset Security
We inventory and maintain all assets (such as equipment, removable media, laptops) and information related to personal data. Rules exist for the permissible use of our assets, which must be observed by all employees. We also have a documented and regulated process for transporting data media to protect them from unauthorized access, misuse, or corruption. Our data carriers and data backup media used are encrypted and stored securely. This also applies to data media in productive systems. We dispose of data media that are no longer required securely and using formal procedures.
Optimally protected in the data center
Evalanche runs as a fail-safe Software-as-a-Service (SaaS) on servers in two physically separated and TÜV-certified high-performance data centers in Germany.
- Administration access is limited to IT administrators of SC-Networks GmbH and authorized employees in the data centers.
- The highest security standards apply in the data centers – multi-level access controls via security gates with video surveillance prevent unauthorized persons from entering.
- Seamless video surveillance in the data center and logging of access to the systems – to prevent authorized persons from gaining unauthorized access to third-party systems.
- State-of-the-art fire prevention technologies with fire alarm and fire protection system – including protective gas extinguishing process to prevent damage from firefighting water in case of fire.
- Evalanche runs on multi-redundant systems – and remains accessible online even if individual systems fail.
- Data is stored on multi-redundant disks – with data integrity even if individual disks fail.
- Communication takes place via multi-redundant high-speed internet connections – Evalanche remains accessible even if individual Internet connections fail.
- Secure communication with encryption via Transport Layer Security (TLS) and HyperText Transfer Protocol Secure (https) – preventing eavesdropping on your session.
- Redundant, uninterruptible power supply (UPS) – even in case of longer power failures at the server location, Evalanche remains accessible via emergency power supply by diesel generator.
Well-thought-out Data Privacy and Security
Evalanche follows the principles of Data Protection by Design and Data Protection by Default – and thus complies with the requirements of the GDPR.
- Personal data that is transmitted to us in the course of a registration or inquiry is used exclusively for the purpose intended, i.e., for answering the inquiry or providing users with access to protected areas of the Evalanche account.
- Security-relevant updates of the software products are applied and activated at a central location. Thus, all system users are always up to date at the same time.
- The data processed by Evalanche is protected against unauthorized access by extensive security measures at various levels. The basis is a differentiated role and rights concept with precise assignment of which information each user is allowed to see and what they are allowed to do with it.
- Access to data on the Evalanche servers takes place in the browser via a secure access protocol (https) using a security architecture integrated into the software to prevent unauthorized access.
- Passwords are never stored in plain text: the system keeps only a one-way hash of each password. Whenever a password is set or changed, it is checked for compliance with security-relevant password characteristics: minimum length, use of upper and lower case, digits, and special characters.
- The system logs all security-relevant actions, e.g., login attempts. Optionally, we provide our customers with two-factor authentication to additionally protect system access via USB security key.
- We provide centrally monitored and protected event logging and ensure data protection in case sensitive personal data is stored. All logging facilities and logging information, including administrator and operator logs, are protected from tampering and unauthorized access.
- Scheduled automatic termination of Evalanche sessions upon inactivity. Session data remains backed up in the system, allowing for restart without data loss.
- We create continuous data backups through automatic, time-controlled database backups – and store them protected from unauthorized access at different, secure locations. Upon request, we can also create complete backups and send them free of charge – for additional security with storage directly at the owner's premises.
- Security policies that can be configured as needed allow for differentiated settings of the security level with regard to password complexity, IP restrictions, security keys and much more. Individually customizable security settings also cover cookie configurations, IP address capture with web forms, and tracking settings (pseudonymized tracking).
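The two password controls listed above (a policy check at set/change time, and storage as a one-way hash rather than plain text) are easy to get subtly wrong, so here is an added example of how they fit together. This is illustrative code written for this page, not Evalanche's own implementation; the concrete rule thresholds, the choice of PBKDF2-HMAC-SHA256 as the one-way hash, and the iteration count are assumptions, since the page states only that a one-way hash and a complexity check are used.

```python
import hashlib
import hmac
import os
import re
from typing import Callable, Dict, List, Optional

# Policy thresholds are constructed for this example; the page does not state
# Evalanche's actual (configurable) values.
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16

# Each rule mirrors one of the characteristics named on the page:
# minimum length, upper case, lower case, digits, special characters.
POLICY_RULES: Dict[str, Callable[[str], bool]] = {
    "min_length": lambda pw: len(pw) >= MIN_LENGTH,
    "uppercase": lambda pw: re.search(r"[A-Z]", pw) is not None,
    "lowercase": lambda pw: re.search(r"[a-z]", pw) is not None,
    "digit": lambda pw: re.search(r"[0-9]", pw) is not None,
    "special": lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None,
}


def check_password_policy(password: str) -> List[str]:
    """Return the names of all policy rules the candidate password violates.

    An empty list means the password is acceptable. Reporting every failed
    rule at once lets the UI tell the user exactly what to fix.
    """
    return [name for name, rule in POLICY_RULES.items() if not rule(password)]


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way hash and encode it with its parameters.

    The stored string carries scheme, iteration count and salt, so the
    work factor can be raised later without breaking existing records.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False          # malformed record: never accept
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def set_password(password: str) -> str:
    """Enforce the policy at set/change time, then return the record to store."""
    violations = check_password_policy(password)
    if violations:
        raise ValueError("password policy violated: " + ", ".join(violations))
    return hash_password(password)


if __name__ == "__main__":
    record = set_password("Correct-Horse-9-Battery")   # constructed sample
    print("stored record:", record)
    print("login ok:", verify_password("Correct-Horse-9-Battery", record))
    print("wrong password rejected:", not verify_password("guess", record))
    print("weak password violations:", check_password_policy("short"))
```

Two design points worth noting: the salt is generated per password, so two users with the same password get different records; and the stored record is self-describing, which is what makes a later increase of the iteration count (or a migration to another one-way hash) possible without forcing a reset for everyone.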
Get to know all the features of Evalanche now that will enable you to be absolutely GDPR-compliant!
Reliability is not a coincidence – it is a promise
To ensure the protection of our information and data, we regularly commission an independent review of the level of our information security and protection standards, our security and privacy policies, and our compliance with technical requirements.
In order to get an overview of potential vulnerabilities in our externally accessible IT infrastructure, we commissioned activemind AG to perform an initial pentest, followed by regular follow-up scans. The penetration test was based on the Open Source Security Testing Methodology Manual (OSSTMM). This is a widely used standard for conducting security audits and penetration tests.
Security Tests Web Services
To ensure the integrity of the EVALANCHE API, SC-Networks has established a predefined automated test procedure using a proven test suite. Complete security scans of the API are performed automatically. The control process defined ensures that the report is reviewed, messages are analyzed immediately, and errors are corrected.
Your questions about security and data protection – our answers
In marketing today, personal data is indispensable. In order to understand how (potential) customers think, decide and act on the one hand, and on the other hand to provide them with personalized content tailored to their needs, you need corresponding information. However, the demands of Internet users as well as legal regulations in this country – including the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and the Act against Unfair Competition (UWG) – require that certain requirements be met when collecting, storing, processing, and using personal data for advertising purposes. Otherwise, there is a risk of severe penalties, fines, and damage to the image – both of the companies processing the data, such as software providers, and of the companies commissioning the work.
Who is responsible for data processing?
The client, i.e., the company that uses software, has the same responsibilities as the data-processing company or software provider (processor). According to Article 28 of the GDPR, companies are obliged to commission only processors that provide sufficient guarantees for legally compliant processing and the protection of data subjects' rights. A data processing agreement is therefore mandatory, although not a guarantee. Ultimately, the company as the one accountable must also ensure that the processor effectively meets the requirements.
How can data protection be put into practice?
Personal data must always be handled with the utmost respect for the privacy of individuals. Only with their consent (such as via a double opt-in process) is it permitted to collect, process, and use this data. Without technological support, this can neither be done efficiently nor can compliance with privacy requirements be ensured and monitored. When it comes to processing personal data, the GDPR requires the implementation of appropriate technical and organizational measures to ensure data protection.
Thus, companies need a tool that makes it easier for them to implement data protection rather than making it more difficult.
What do Data Protection by Design and Data Protection by Default mean in plain language?
Data Protection by Design describes that a software like Evalanche is designed to implement data-protection principles, such as data minimization, into the data processing. Right from the beginning the software should work, be developed and used in a GDPR-compliant way. This is where measures like pseudonymization are employed. Data Protection by Default, on the other hand, complements this general technology design in that all default settings are both GDPR-compliant and as restrictive as possible: here, for example, it is important that data forms have only a few mandatory fields and that checkboxes are not pre-ticked. As data controllers, companies must check whether their contractual partner and their software solution operate according to these principles.
What does digital sovereignty mean for Internet users and companies?
Digital sovereignty describes the independence and self-determination of companies. They decide what happens to data collected in compliance with the law and who has access to it. This is the only way to prevent customer data from being used in a way that violates privacy laws, for example by unauthorized third parties or for analysis and advertising purposes. In addition to this data sovereignty, it is also crucial that a company is independent of any constraints such as inflexible license agreements and the rights and actions of the software provider or cloud provider. From a company's perspective, digital sovereignty is just as valuable as privacy is for data subjects.
Why are U.S. providers problematic in terms of privacy?
Providers from the USA, in particular, are being heavily criticized with regard to compliance with European privacy requirements and the granting of digital sovereignty. The fact is that since the Privacy Shield was declared invalid in 2020, cooperation with US software providers is not permitted without further measures. The level of data protection in the U.S. is insufficient by GDPR standards, and there is no other agreement either that eliminates this circumstance. The reason for this is U.S. laws that allow U.S. authorities to gain access to any data owned, held or controlled by a U.S. company. Server location is not the only criterion here, as U.S. subsidiaries are also subject to these U.S. laws. Measures that are alternative to the agreements and are intended to legitimize the use of U.S. solutions – such as standard contractual clauses of the European Commission – should also be judged with caution. Legally reviewing them in advance is imperative.
How can I recognize a suitable provider?
These are some key criteria that can be used to check whether a cloud provider or software provider can be considered from a data protection perspective at all:
- The provider attaches great importance to privacy and data protection.
- Data is hosted exclusively in a European, or even better, certified data center.
- There is no exchange of data or metadata with the USA or other third countries without a sufficient level of data protection.
- The data center is independent of U.S. systems. Maintenance, backups, and administration take place exclusively in the EU.
- The effectiveness of non-GDPR-compliant laws such as the U.S. CLOUD Act is excluded.
- Standard contractual clauses for data protection according to GDPR are legally verified and sufficiently supplemented by further measures.
- The principles of Data Protection by Design and Data Protection by Default are taken into account.