Information security as a foundational principle
We take information security very seriously—not as a box-ticking exercise, but as a core element of our business model. Our products and services are designed for small and medium-sized organizations that must be able to rely on the continuous protection of data, systems, and business processes. For this reason, our security approach is aligned with guidance from the Federal Office for Information Security (BSI) and established international standards such as the ISO/IEC 27000 series (in particular ISO/IEC 27001), and is continuously reviewed and improved.
Arvelindo security approach
We follow a holistic approach to information security that covers technology, processes, and people. Confidentiality, integrity, and availability of information are the guiding principles across all our solutions.
Security considerations are embedded from the earliest stages of development (“security by design”). At the same time, we apply data minimization and privacy-friendly defaults (“privacy by default”), ensuring that only data strictly necessary for the intended purpose is collected and processed. Protection of personal data in accordance with the GDPR is an integral part of our security concept.

Data location and hosting within the European Union
Unless explicitly agreed otherwise, data is processed exclusively in data centers located within the European Union. We work only with hosting and cloud partners that can demonstrate a high level of protection and hold recognized certifications.
Processing locations, subprocessors, and data transfers are carefully assessed, contractually regulated, and documented as part of our data protection and information security management. Wherever possible, data transfers to third countries outside the EU or EEA are avoided. If such transfers are required in exceptional cases, appropriate safeguards are implemented to ensure an adequate level of protection.
Encryption and protection of sensitive data
On a technical level, encryption plays a central role:
- Data in transit is protected using TLS with current protocol versions and cipher suites.
- Where appropriate, data is additionally encrypted at rest.
- Credentials, cryptographic keys, and other sensitive secrets are stored separately, protected, and handled according to the principle of least privilege.
- Passwords are never stored in plain text; they are stored exclusively as salted hashes produced by proven, purpose-built password-hashing methods.
Secure processes and access control
Our internal processes follow practices recommended by BSI and ISO standards. This includes clearly defined role and permission models to ensure that only authorized individuals can access sensitive systems and data.
Access management follows structured processes for granting, modifying, and revoking permissions—for example in the case of role changes or employee departures. Technical and organizational measures such as network segmentation, system hardening, secure configurations, patch and update management, logging, and regular security reviews are integral parts of our operations.
Incident response and emergency management
A structured incident and emergency management process is standard practice for us. Security incidents are handled according to a defined workflow—from initial reporting and prioritization through analysis, remediation, and post-incident documentation.
Suspicious activities are taken seriously and investigated promptly. In the event of a confirmed security incident, immediate measures are taken to limit impact and address root causes. If personal data is affected, we assess without delay whether notification obligations toward supervisory authorities and, where required, affected individuals apply, and we meet these obligations within the required timeframes.
Emergency management also covers scenarios such as system outages, data loss, service provider failures, or other critical disruptions. For key systems and services, we maintain contingency plans that define responsibilities, communication paths, and recovery strategies. The objective is to ensure business and service continuity and to minimize downtime.
Backups, recovery, and monitoring
Backup, recoverability, and monitoring are essential pillars of our security concept:
- Data is backed up regularly according to documented procedures.
- Backup strategies are designed to allow restoration of business-critical information within reasonable timeframes.
- Where possible, backups are stored in geographically separated locations and protected against unauthorized access.
- Recovery tests are carried out at appropriate intervals to verify the effectiveness of backup strategies.
In addition, monitoring and logging solutions are used to oversee system availability, detect anomalies, and enable timely responses to irregularities.
Continuous improvement and external review
Our security concept is based on continuous improvement. Changes in the threat landscape, technological developments, and regulatory updates are continuously incorporated into our security considerations.
Processes, policies, and technical measures are reviewed regularly and adjusted where necessary. Where appropriate, we involve external expertise—for example through audits, penetration tests, or specialized security reviews—to strengthen our overall security posture.
Security awareness and responsibility
Information security is not a one-time effort, but an ongoing process. This includes regular awareness and training measures for our employees, covering topics such as phishing, secure password handling, data protection, and incident reporting.
Confidentiality obligations and clear rules of conduct ensure that security requirements are applied consistently in daily work. For our customers—especially small and medium-sized organizations—we aim to be a reliable partner that does not merely promise security, but demonstrably implements it.
Upon request, we provide additional information on our security and data protection measures and support customers in assessing how our solutions fit into their existing security and compliance environments. If you have specific requirements arising from industry regulations, BSI guidance, or internal compliance policies, we are happy to review with you how these can best be addressed.
Frequently asked questions (FAQ)
How do you ensure that data is processed only within the EU?
We carefully select infrastructure providers based on location and certifications. By default, data processing takes place exclusively in data centers within the European Union. Processing outside the EU occurs only if explicitly agreed and safeguarded by appropriate protection mechanisms.
Which encryption methods are used?
Data is transmitted using modern transport encryption (TLS). Depending on the system and use case, additional encryption at rest is applied. Passwords and comparable secrets are stored exclusively in hashed and salted form.
What does “security by design” mean in practice?
Security requirements are considered from the earliest design stages. This includes minimal data collection, clear access control concepts, secure default configurations, and regular risk-oriented reviews before release.
How does access and permission management work?
Access rights are granted strictly according to the principle of least privilege. Changes such as role transitions or employee departures follow defined processes. Permissions are reviewed regularly and adjusted when necessary.
How are security incidents handled?
We operate a defined incident management process. Suspected incidents are analyzed, prioritized, and technically assessed. Confirmed incidents trigger immediate countermeasures and full documentation, including GDPR-related notification steps where applicable.
Do you have emergency and recovery plans?
Yes. For critical systems, we maintain emergency and recovery plans defining responsibilities, communication paths, and restart procedures. These plans are reviewed and updated regularly.
How often are backups performed?
Backups are created regularly according to documented schedules and retention periods. They are protected, geographically separated where possible, and tested through recovery exercises.
How do you keep systems up to date?
We apply structured patch and update management. Security-relevant updates are prioritized and deployed promptly. Continuous monitoring helps identify vulnerabilities early.
Are external security reviews conducted?
Depending on the product and risk profile, we conduct external audits, penetration tests, or technical security assessments. Findings are incorporated into continuous improvement.
How is monitoring implemented?
Relevant systems are monitored continuously or at defined intervals to detect anomalies, overloads, or potential risks. Logging follows clear rules to ensure traceability and secure evaluation.
How are service providers and subprocessors handled?
Before engagement, we assess technical and organizational measures and certifications. Contracts define clear requirements for data protection, security, availability, deletion periods, and incident reporting.
How are employees trained on security?
Employees receive regular training on topics such as password security, phishing, data protection, and incident reporting. New hires complete mandatory security onboarding.
Can industry-specific security requirements be addressed?
Yes. Clearly defined requirements from internal policies, industry standards, or specific regulatory frameworks can be considered. We support evaluation and implementation where feasible.
How are customers informed about changes to the security concept?
Material changes are documented and made available upon request. Customers are proactively informed of security-relevant changes that may affect integrations or data processing.
Further information and references
- Federal Office for Information Security (BSI) – Germany’s central authority for IT security
- BSI IT-Grundschutz – Standard for systematic information security management
- ENISA – European Union Agency for Cybersecurity
- European Commission Cybersecurity – EU cybersecurity strategies and regulation
- CERT-Bund – Security advisories and incident response guidance
- ISO/IEC 27001 – International standard for information security management systems