Trust Center

Welcome to Trust Center

At A1 Digital we are committed to maintaining the confidentiality, integrity, and availability of all our partners' and customers' data. This site is your gateway to understanding A1 Digital's commitment to cyber security, data privacy, and compliance. Here you can find all our certifications, external reports, and compliance documentation, as well as answers to frequently asked questions related to security and privacy. It is particularly important to us to be as transparent as possible with our customers and partners in order to continually strengthen confidence in our capabilities. This portal is designed to provide you with all the information you need to build trust in our ability to protect your data.

Certifications and Reports

ESG Ratings

The A1 Group has its sustainable activities assessed annually by rating agencies and is listed in the most important sustainability indices. The results confirm that the Group is on the right track to take on a pioneering sustainability role in the information and communications technologies sector.

Corporate Security Principles

  • Employee Security/Privacy Training: We follow a yearly training plan for all our personnel, covering secure use of data, password security, social engineering awareness, GDPR and compliance topics. The training plan also includes social engineering exercises, such as phishing tests.
  • Encryption in transit: Our products use state-of-the-art encryption to secure transmission of your data over the internet.
  • Access Control: We use user management processes and systems to ensure least privilege and need-to-know principles. Our user rights and roles are regularly reviewed.
  • Internal SSO: We use a single-sign-on service to streamline authentication to our infrastructure and internal applications.
  • Password Security: Our password policy follows state-of-the-art practices and requires MFA on all systems. Passwords are stored encrypted in a company-managed password manager.
  • Logging: We have enabled logging of relevant security events in our environment.
  • Security Information and Event Management: Relevant security logs of our infrastructure are centrally stored and protected from unauthorized access. Alarms are created automatically for several potential security threats.
  • Network Time Protocol: Our systems use the same, standard time servers throughout our infrastructure.
  • Monitoring: Our systems and services are subject to availability monitoring. Alarms are configured for timely notification in case of an unplanned outage.
  • Infrastructure Security: We utilize infrastructure-as-code techniques to securely deploy resources in our environment.
  • Backup and Restore: We conduct backups on a regular basis. To ensure the quality of backups, we perform restore tests to be able to quickly restore our products in the event of a data loss.
  • Data Deletion: We have procedures and technical measures in place to ensure that your data is deleted after our contract with you has ended or upon your request.
  • Endpoint Security: Our endpoints are equipped with full-disk encryption, DNS filtering to protect web traffic as well as an Endpoint Detection & Response (EDR) system to protect against malware and other attacks.
  • Email Protection: We use a mail protection system that also scans links and attachments in our mail flow for security threats.
  • Data Loss Prevention: Removable media on endpoints is restricted. Endpoints are equipped with a data loss prevention system to detect/prevent data exfiltration.
  • Security Operations Center
  • Multi-client capabilities: The architecture of our products ensures that each customer's data is adequately separated from that of other customers.
  • Separation of Environments: Customer data is never transferred to non-production environments.
  • Firewall: We use firewalling to monitor and control traffic in our infrastructure.
  • Physical Security: As we do not operate our own data centers, for physical security of our infrastructure we rely on our cloud provider Exoscale: www.exoscale.com/compliance

Security/Privacy Measures in our Software Development Lifecycle

  • Secure Development Policy: Our guideline for developers specifies security and privacy controls over the development lifecycle – from design to deployment.
  • Code Analysis: We use tools to identify issues in our code and third-party dependencies.
  • Security Testing: Whenever we launch a new product or release a major update, we ensure that a comprehensive penetration test is performed to identify possible risks from vulnerabilities, insecure configurations, or outdated encryption.
  • Developer Trainings: We ensure that our internal developers receive regular training in secure software development techniques and technologies.

Security/Privacy Governance

Below you will find an excerpt of our current policy framework:

  • Acceptable Use Policy: Not only taught to but also lived by our employees.
  • Access Control Policy: How does someone get access to which data - there must be guidance, right?
  • Code of Conduct: Behave!
  • Cryptography Policy: How key management is done, and which encryption standards and procedures are valid for our purposes.
  • Data Management Policy: How to classify data.
  • Incident Response Policy: Be prepared in case of a security related incident, and train regularly.
  • Information Security Policy: Roles and responsibilities for our employees.
  • Operations Security Policy: In case an incident occurs you'll need data - how to log and monitor our network.
  • Risk Management Policy: We conduct risk assessments on a regular basis.
  • Secure Development Policy: Rules to consider to create rock-solid software.
  • Third Party Management Policy: We don't just set our own security standards, but we also make sure our suppliers meet them.
  • Vulnerability Management Policy: How to get rid of those vulnerabilities.
  • BCM policy: We have a formal Business Continuity and Disaster Recovery plan, which is exercised, reviewed and approved annually.

Report a Vulnerability

Thank you for working with us! We appreciate the contributions of ethical hackers who help us uphold our security and privacy.

Please contact us via responsible.disclosure@a1.group

Please be compliant with the following conditions:

  • You may exploit the vulnerability for demonstration purposes, but this must not lead to service outages (DoS) or to the manipulation or loss of data. The purpose of the demonstration should be to show the attack vector, not to cause any damage.
  • Do not share information gathered with third parties.
  • These areas/fields are not part of the responsible disclosure process:
    • Physical security
    • Social engineering
    • Distributed Denial of Service (DDoS) attacks
    • Spam & Phishing
    • Exploiting vulnerabilities on systems which are dedicated to our customers.
  • Please make sure to provide enough information so that we can reproduce the issue.

A brief report including a description of the problem and the URL/IP of the affected system should be sufficient.

What we will do:

  • We will not press any legal charges caused by demonstrating the vulnerability. The prerequisite is that you comply with the conditions above.
  • We will not share your data with third parties without your consent. Our correspondence will be treated as confidential.
  • We will keep you updated on the resolution of the vulnerability.

Contact details:

Our email address is responsible.disclosure@a1.group

PGP Key: C451 95B3 EB90 8ADB CDD2 982C 8F52 2AE8 1AE8 85B2

FAQ

Is A1 Digital ISO certified?
A1 Digital has held ISO 27001 and ISO 27018 certification since 2017. In 2024, we obtained further ISO certifications and now also hold ISO 27701 and ISO 27017.

Which compliance frameworks does A1 Digital adhere to?
Currently, our compliance management system is pursuant to IDW AssS 980 (09/2022). It is regularly audited by an external auditor.

Does A1 Digital have a formal information security policy that is reviewed at least once a year and approved by a senior executive?
All our information security policies are reviewed annually and approved by management.

Do A1 Digital employees receive data protection training?
We have a training program in place which ensures that each employee completes mandatory training regularly. Additionally, security and privacy personnel receive training on specific topics.

Does A1 Digital have a Cyber Security Incident Response plan and corresponding processes to report and handle an incident?
All our employees receive regular training on how to behave in the event of an incident. The Security Response team follows a clearly defined plan which includes detailed methods and procedures to identify, contain, investigate, report, and respond to every incident.

What security measures exist to protect data in a product of A1 Digital?
All products of A1 Digital are protected by the security measures documented on this page. Our products further offer individual, application-specific security measures, such as multi-factor authentication, that you can enable at your convenience.

I have more questions on Security, Compliance or Privacy, who do I contact?
security@a1.digital

Download Certifications & Reports

  • ISO27017 2015 (129 KB)
  • ISO27018 2019 (159 KB)
  • ISO27701 2019 (154 KB)
  • ISO27001 2022 (128 KB)
  • IDW PS 980 A1 Digital (518 KB)