Security & Trust

How we protect your data

Security, privacy, and availability are built into every layer of our service. Our information security management system is aligned with international standards and backed by formal, auditable policies.

ISO 27001:2022
SOC 2
GDPR

🔐 Data Protection
  • All data encrypted in transit (TLS 1.2 or higher)
  • Database encrypted at rest using industry-standard encryption
  • Backups encrypted before storage and transfer
  • Weak or deprecated cryptographic algorithms explicitly prohibited
  • TLS certificates automatically renewed
  • Customer data is not stored on employee devices

🖥️ Infrastructure Security
  • Production infrastructure hosted in certified EU data centres (Germany)
  • Customer data hosted in the EU. Some real-time processing may involve certified providers outside the EU
  • Firewalls and brute-force protection active on all servers
  • Remote server access restricted to key-based authentication only
  • Container networking isolated — databases not exposed to the public internet
  • Server snapshots created regularly and before every maintenance window
  • Full disaster recovery procedure documented and tested

🔄 Change Management
  • All production changes require formal approval and documented risk assessment
  • Independent code review required before deployment
  • Changes tested in a non-production environment before release
  • Rollback plan required for every change
  • Emergency change procedure with post-incident review
  • Complete audit trail maintained in version control

🗝️ Credential Management
  • All credentials stored in an end-to-end encrypted password manager
  • Secrets never stored in source code, repositories, or log files
  • Separate credentials maintained per environment
  • Credentials rotated on a defined schedule
  • Immediate rotation triggered by personnel changes or suspected compromise
  • Compromised credential response target: replaced within 1 hour

🔑 Access Control
  • Every individual has a unique account — shared accounts prohibited
  • Multi-factor authentication required on all systems
  • Access granted on a least-privilege basis with documented approval
  • Privileged access requires senior management approval
  • Access rights reviewed quarterly; privileged access reviewed monthly
  • Access revoked on the day of departure with immediate credential rotation
  • Automated lockout after repeated failed login attempts

🛡️ Vulnerability Management
  • Vulnerabilities prioritised by severity — critical issues addressed within 48 hours
  • Automated daily dependency scanning
  • Regular operating system and container patching schedule
  • Security advisories from all key vendors actively monitored
  • Pre-update snapshots and rollback procedures for every change

🏢 Vendor Security
  • Security certification required before vendor approval
  • Data Processing Agreements in place for all vendors handling personal data
  • All active vendors independently certified (SOC 2 Type 2 or ISO 27001)
  • Vendor assessments cover encryption, incident response, data residency, and sub-processors
  • Quarterly vendor reviews with documented risk ratings
  • Vendor offboarding includes verified data deletion and credential rotation

🚨 Incident Response
  • Documented incident response plan with severity classification and defined response times
  • Designated incident commander with senior management escalation path
  • All personnel required to report security events promptly
  • Evidence preservation and root cause investigation for every incident
  • Post-incident review with documented corrective actions
  • GDPR-compliant breach notification procedure with prepared templates

📜 Governance
  • Formal ISMS scope covering all systems, personnel, and data
  • Statement of Applicability addressing 93 ISO 27001:2022 Annex A controls
  • Risk and asset register maintained with assigned owners
  • Information classification scheme with access controls per level
  • All policies version-controlled and reviewed annually
  • Exceptions require senior management approval with compensating controls

👤 People Security
  • Identity verification required before system access is granted
  • Confidentiality agreements signed before access to any system
  • Security briefing on first day covering policies, data protection, and incident reporting
  • Device security verified during onboarding
  • Annual security awareness training required
  • Comprehensive offboarding procedure with management sign-off

📋 Business Continuity
  • Business impact analysis conducted for all critical functions
  • Defined recovery time and recovery point objectives
  • Disaster recovery procedures documented for all failure scenarios
  • Regular encrypted backups with defined retention periods
  • Recovery procedures tested regularly with documented results
  • Customer communication procedure defined for service disruptions

🌍 Privacy & GDPR
  • All customer data hosted and processed in the EU
  • Record of Processing Activities maintained
  • Data Processing Agreements in place with all relevant vendors
  • Data minimisation: only data necessary for service delivery is processed
  • Supervisory authority identified with breach notification procedure prepared
  • Staff trained on data protection during onboarding and annually
