Our security controls

Data security and platform availability are top priorities at Scompler Technologies GmbH. For this reason, we have decided to build our services to the highest standards. Our cloud services are hosted in AWS data centers located in Europe, chosen for their robust and secure infrastructure. These data centers are designed with advanced security features to provide exceptional protection and reliability.

Incident management

Scompler defines and maintains procedures for managing security events and incidents. These cover detection, evidence collection, assessment, prioritization, escalation, immediate actions, corrective actions and lessons learned. Incidents handled by the procedure include service unavailability, loss of confidential data and unauthorized access.

Status updates during an incident are delivered to affected customers via customer support and/or the Scompler status page (https://status.scompler.com/). Records of each incident and of the follow-up actions are kept and feed into the lessons-learned review.

Cryptographic controls

Scompler deploys cryptographic measures to protect customer data. Data in transit: transferred customer data is encrypted with TLS 1.3, with server authentication based on an RSA 2048-bit certificate; the configuration lists AES-128-GCM as the cipher and SHA-384 as the hash function. Note that TLS 1.3 defines AES-128-GCM only together with SHA-256 (TLS_AES_128_GCM_SHA256) and pairs SHA-384 with AES-256-GCM (TLS_AES_256_GCM_SHA384), so the listed combination does not name a single TLS 1.3 cipher suite; the suite actually negotiated by an endpoint can be confirmed with openssl s_client -tls1_3 -connect host:443. Key exchange in TLS 1.3 is always ephemeral (EC)DHE, so captured traffic cannot be decrypted later with the certificate's RSA key. Data at rest: all customer data stored on our storage infrastructure, including backups, is encrypted with AES-256.

Backup capabilities

Customer data is backed up on two schedules to ensure comprehensive data protection and reliability. The primary backup runs every 24 hours (daily) and is retained for 30 days. A second type of backup runs every 15 days and is retained for 365 days. Both types of backups are encrypted and stored on isolated storage infrastructure.

Backup restoration tests are conducted at regular intervals to validate the data's integrity and confirm the restoration procedure's effectiveness and speed. The results of the tests are evaluated.

Management of technical vulnerabilities

Procedures implemented by Scompler cover the identification and assessment of technical vulnerabilities and the implementation of appropriate remedial actions. Identification relies on monitoring of systems and services, regular external penetration testing, threat intelligence, and contact with special interest groups. Identified vulnerabilities are assessed according to the risk involved, which determines the priority of remediation. Remediation is then implemented and deployed through our controlled change and patch management.

Secure development procedures

Development follows common best practices and secure coding principles specific to the technologies in use. Changes are assessed against information security objectives and tested in isolated, dedicated test environments. Code reviews are part of the testing and deployment process. Production and development environments are segregated from each other.

Secure data isolation

We employ a row-level security (RLS) approach within our SaaS application to ensure the strict isolation of customer data. This method enforces access control at the level of individual data rows, restricting each user to only the rows they are authorized to view or modify. Row-level security policies are carefully implemented and managed to prevent unauthorized access across customer data boundaries, providing a high standard of data protection and integrity.
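As an added illustration, not Scompler's own schema or policy definitions (which this page does not publish), the following PostgreSQL SQL shows how row-level security can enforce the tenant boundary described above. The database product, the table and column names, the role name and the session setting name are all assumptions.

```sql
-- Added example (assumed PostgreSQL; names are hypothetical, not Scompler's).
-- Goal: a request pinned to one tenant can neither read nor write rows of
-- another tenant, even if the application code forgets its WHERE tenant_id = ?.

CREATE TABLE content_items (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    title      text NOT NULL,
    body       text
);

-- The application must connect as a role that is NOT the table owner and NOT a
-- superuser: superusers always bypass RLS, and owners bypass it unless FORCE is set.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON content_items TO app_user;

ALTER TABLE content_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE content_items FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-request session variable. NULLIF handles the
-- case where the variable is unset (NULL) or was reset to '' earlier in the
-- session; in both cases the comparison yields NULL, i.e. no rows, so a
-- request that failed to set its tenant fails closed instead of seeing everything.
-- USING filters reads/updates/deletes; WITH CHECK rejects writes that would
-- place a row under a different tenant.
CREATE POLICY tenant_isolation ON content_items
    FOR ALL
    TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: one transaction, the tenant set with SET LOCAL so it cannot leak
-- into the next request on a pooled connection. (SET LOCAL ROLE requires the
-- connecting user to be a member of app_user, or the app simply logs in as app_user.)
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

INSERT INTO content_items (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Q3 campaign plan');

-- Rejected by WITH CHECK: the row would belong to another tenant.
-- INSERT INTO content_items (tenant_id, title)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'spoofed row');

-- Returns only tenant 1111...'s rows, regardless of any filter in the query.
SELECT id, title FROM content_items;
COMMIT;

-- Outside a transaction with the variable unset, the same SELECT returns no rows.
```

Two checks worth running against any RLS-based isolation: first, confirm the application role is neither a superuser nor the table owner, or verify that FORCE ROW LEVEL SECURITY is set on every tenant table, since otherwise the policies silently do not apply; second, confirm that a session with the tenant variable unset returns zero rows rather than all rows, which is the difference between a fail-closed and a fail-open design.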

Third-party security attestation

Scompler Technologies GmbH has completed a Trusted Information Security Assessment Exchange (TISAX) assessment. This standard provides the European automotive industry with a consistent, standardized approach to information security systems. The scope ID and assessment ID for the ENX portal are SYPM0Z and ALKKL7-1, respectively.

Scompler conducts an annual penetration test by a certified service provider. The test covers attempts to gain unauthorized access to the platform as well as the security of the platform in normal use. A report is created for each penetration test.

Data protection

Scompler Technologies GmbH verifies its GDPR compliance through third-party audits at least once a year. These audits are performed by certified independent service providers who evaluate our data protection practices and processes in depth. A detailed report is generated after each audit, outlining findings and recommendations to maintain and enhance data security and privacy standards.

Scompler holds a Digital Privacy Protection Certificate issued by Herold Unternehmensberatung GmbH, confirming that effective processes to protect personal data are in place and that current EU data protection legislation, nationally applicable data protection law and IT security best practices are fulfilled. The certificate is valid until 31.10.2025.

Data center location

We only use AWS data centers in the EU as server locations. The Scompler variants ONE, ONE+ and TEAM may be operated in any of these EU data centers. The Scompler PRO variant is guaranteed to be operated exclusively in Germany (currently Frankfurt a.M.).