Security and Privacy Policy » History » Version 7
Nico Schottelius, 02/05/2020 10:11 AM
h1. Security and Privacy Policy

{{toc}}

h2. Status

This document is **version 2020-02-05--1**.

h2. Introduction

The following chapters describe our policy with regard to security and privacy concerns.
This document is kept simple and short with the intention of being easy to understand.

h2. Privacy

h3. Logging only the necessary

Logs are taken only where necessary and kept only as long as they are relevant to operational procedures.
Specifically, network traffic **content** is not logged.

h3. Non-disclosure

No information is given to the public about our customers or customer use cases.
Exceptions to this are information that was already public and explicit consent from the customer.

h3. Acting by Swiss law

According to Swiss law, the **only** authority that is allowed to request network access is the "PTSS":https://www.li.admin.ch/en . It may only request access after a Swiss court ruling and only for cases that violate Swiss law.

h3. Access to data or network traffic from foreign entities

No access is granted.

h3. Access to data or network traffic from domestic entities

Access to our infrastructure is granted based on Swiss laws and requires a Swiss court order.

h3. Access to data or network traffic from our staff

For operational activities, staff members can and will investigate network traffic to ensure the stability of our platform.
Access to customer-specific data is strictly forbidden.

An exception to the above rule applies if the customer has specifically granted permission for it.

h2. Operational Security

h3. Automatic security updates

All production systems are configured to automatically apply security updates where possible.

h3. Regular audits

The infrastructure is audited with respect to security issues on a regular basis, at least once per year.

h3. Disk encryption

The disks of staff client devices are to be encrypted.