IT & Data Security Measures

Introduction

This document describes the IT security measures implemented at TariffPilot to meet information security, privacy and compliance requirements.

Risk Management

Certification according to an ISMS standard such as ISO 27001 or PCI DSS is in place with our infrastructure provider, Google Cloud EMEA. TariffPilot is guided by the information security standards according to BSI IT-Grundschutz. In the long term, we are striving for ISO 27001 certification based on BSI IT-Grundschutz.

Requirements Management

Requirements management at TariffPilot is implemented based on SCRUM, which enables the cloud service provider to capture, prioritize, and implement customer requirements quickly and effectively. Scrum offers an iterative and incremental approach that allows the team to respond quickly to changes and continuously create value for the customer. Requirements are documented as SCRUM items in a product backlog or sprint backlog within a SCRUM tool.

Personnel Security

Regular mandatory training and information events on IT security are conducted for employees.

Encryption

In the TariffPilot Cloud Platform, both data at rest and data in transit are encrypted with state-of-the-art encryption. We follow industry best practices and standards such as AES and TLS.

Data at rest

Data at rest is encrypted with Google Cloud's integrated encryption and additionally with our own AES encryption, using an AES key that we control ourselves.

For any data at rest, there are automated expiration dates ranging from 7 days to 720 days maximum. The tenant owner decides which data is to be stored and for how long.

Data in transit

Data in transit is encrypted with point-to-point encryption to ensure confidentiality and integrity during data transfer. This also applies to data transfer with Azure OpenAI services, OpenAI, and other third-party services. Point-to-point encryption is implemented at the protocol level with TLS for HTTPS and SMTPS. All keys are automatically managed by Google Cloud Run.

Development

Development Process

The development of TariffPilot Cloud Platform is based on the SCRUM methodology. New features and code adaptations are developed in sprints of approximately 2 weeks. Following test-driven development (TDD) and continuous integration (CI), the development process is based on an automated test suite that is executed after each push to version control. Version control is based on Git. Access to the Git repository relies on two-factor authentication (2FA).

Development of features and code adaptations is done by developers on branches. Branches are merged into the main branch via pull requests. Each pull request is peer reviewed before being merged into the main branch.

Release Process

A new release may be deployed once or twice a month. Releases are packaged by the development lead, usually the CTO. Only the CTO and one additional developer have access to the production environment and thus can deploy releases. Access to the production environment relies on two-factor authentication (2FA).

TariffPilot Infrastructure

TariffPilot has basic security measures such as change management, protection against malware, data backup and restore, hardening, patch management, vulnerability management, and encryption in place. Policies and procedures are defined for these processes.

IT Emergency Management

To guarantee the continuation of service delivery, the vast majority of TariffPilot’s operations are implemented through managed services (PaaS) in the Google Cloud Platform. In the event of software and hardware failures outside of change requests, the Google Cloud Platform usually reacts automatically. Failures in the context of change requests are monitored by management.

TariffPilot utilizes the infrastructure of the Google Cloud Platform, which provides physical protection and environment-related security for IT equipment. This includes securing supply facilities such as power and climate.

Access Management

TariffPilot uses a role-based security system and two-factor authentication (2FA) for logical access and access to the platform. The office spaces are lockable and visitors are only allowed in the company of employees.

IT Operating Process

IT operating processes at TariffPilot are based on ITIL. These include capacity management, availability management, change management, release and deployment management, incident management, and problem management.

Procurement, Development, and Maintenance of Systems

Systems are used in the following areas:

  • Servers (hardware and software): The hardware used for the production of TariffPilot is fully managed by the Google Cloud Platform. The software used, including operating systems, is also fully managed by the Google Cloud Platform. Only TariffPilot’s own code for the TariffPilot cloud platform is managed by TariffPilot itself, primarily by the DevOps team in the form of Docker containers.

Vulnerability and Threat Management

TariffPilot has a vulnerability and threat management system on multiple levels. On the development side, dependencies are continually monitored for vulnerabilities and reported to the development team via email. On the operational side, data access in tenants is logged, and if there is an unusual concentration of data access, an email is sent.

Zero Trust

TariffPilot Cloud Platform does not rely on VPN or IP address access control, but instead applies a Zero Trust Strategy (cf. M-22-09 Federal Zero Trust Strategy). Thus, all endpoints of TariffPilot Cloud Platform have to be hardened so that only authorized users can access data and services.

Logical Separation

The development environment is strictly separated from the production environment. Thus, developers, with the exception of the CTO and one further developer, cannot access the production environment. Instead, all developers can access a staging environment, which does not, however, contain production data.

Password Policy

For applications used at TariffPilot, we enforce strong passwords. Initial passwords must be changed in order to use the application.

Bring Your Own Device

Employees who potentially or actually deal with customer data must only use company hardware.

Secure Wi-Fi

Only encrypted Wi-Fi networks (at least WPA2) are used.

Firewall

Cloud production servers are protected by a cloud firewall system.

SPAM Filter

An integrated spam filter is mandatory for all company inboxes.

Admin Audit Logs

Admin activity in the infrastructure systems is stored and archived.

Deletion concept for data deletion and disposal of data carriers and devices

For any data at rest, there are automated expiration dates ranging from 7 days to 720 days maximum. The tenant owner decides which data is to be stored and for how long. Customer data is encrypted with AES encryption. Offsite backups are stored on selected encrypted devices, which are under management supervision.

Process to ensure compliance with storage and deletion periods

The deletion is performed by an automated process. The deletion date (expires_at) is mandatorily set at creation.
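The retention rules stated above (a mandatory expires_at fixed at creation, bounded to 7 to 720 days, enforced by an automated purge) as an added illustration; this is example code written for this document, not TariffPilot's implementation, and the record fields, SAMPLE_NOW and the function names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention bounds as stated in this document: 7 days minimum, 720 days maximum.
MIN_RETENTION_DAYS = 7
MAX_RETENTION_DAYS = 720

# Constructed reference time used for the examples below.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class StoredRecord:
    """Hypothetical tenant record; expires_at is mandatory and fixed at creation."""
    record_id: str
    tenant_id: str
    created_at: datetime
    expires_at: datetime


def days_later(base: datetime, days: int) -> datetime:
    return base + timedelta(days=days)


def create_record(record_id: str, tenant_id: str, retention_days, now=None) -> StoredRecord:
    """Create a record; the tenant-chosen retention must lie within the allowed range.

    Refusing anything without a valid expires_at is what makes the later
    automated purge complete: nothing can exist without a deletion date.
    """
    if not isinstance(retention_days, int) or isinstance(retention_days, bool):
        raise TypeError("retention_days must be an integer number of days")
    if not MIN_RETENTION_DAYS <= retention_days <= MAX_RETENTION_DAYS:
        raise ValueError(f"retention must be {MIN_RETENTION_DAYS}..{MAX_RETENTION_DAYS} days")
    now = now or datetime.now(timezone.utc)
    return StoredRecord(record_id, tenant_id, now, days_later(now, retention_days))


def retention_is_valid(retention_days) -> bool:
    """Non-raising check, e.g. for validating a tenant owner's retention setting."""
    try:
        create_record("probe", "probe", retention_days, now=SAMPLE_NOW)
    except (TypeError, ValueError):
        return False
    return True


def purge_expired(records, now: datetime):
    """One automated deletion run: returns (kept_records, deleted_record_ids)."""
    kept, deleted = [], []
    for rec in records:
        (deleted if rec.expires_at <= now else kept).append(rec)
    return kept, [r.record_id for r in deleted]
```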

Access Authorization

Access Authorization for employees is handled by the principle of least privilege. This is enabled by roles and a limited group of personnel with access rights to TariffPilot infrastructure. Access rights for the TariffPilot platform are managed by the tenant owners. Employee access authorizations are checked for necessity at regular intervals.

Emergency and Recovery Plans

For security reasons, TariffPilot solely relies on managed cloud environments (PaaS). Remaining risks are mitigated by always having at least one employee with the qualification and authorization for recovery on standby.

TariffPilot Platform

Role-based security

With TariffPilot Cloud Platform each tenant can have one or multiple users, and each user can be assigned as a member to one or multiple tenants. Each membership of a user in a tenant is specified with one user role in that specific tenant. Possible user roles as provided by TariffPilot Cloud Platform are Editor, Knowledge, Owner, Revision, Support, Translator, and Viewer.

  • Editor: Can create and edit memos.
  • Owner: Can do everything an Editor can, and additionally administrate the tenant, including user management.
  • Revision: Can view everything, but not apply changes.
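The membership model above (one role per user-tenant membership, deny by default across tenants) as an added, deliberately small authorization check; this is example code written for this document, not TariffPilot's code. Only the three roles described above are modelled, and the action names are assumptions grouped as the role descriptions state.

```python
from enum import Enum


class Role(Enum):
    """The three roles this document describes; the other roles are not detailed here."""
    EDITOR = "Editor"
    OWNER = "Owner"
    REVISION = "Revision"


# Hypothetical action names (not from the document), grouped per the role descriptions.
VIEW_ACTIONS = {"memo:view", "users:view", "settings:view"}
EDITOR_ACTIONS = {"memo:view", "memo:create", "memo:edit"}
OWNER_ACTIONS = EDITOR_ACTIONS | VIEW_ACTIONS | {"users:manage", "settings:edit"}

ROLE_PERMISSIONS = {
    Role.EDITOR: EDITOR_ACTIONS,     # create and edit memos
    Role.OWNER: OWNER_ACTIONS,       # everything an Editor can, plus tenant administration
    Role.REVISION: VIEW_ACTIONS,     # view everything, apply no changes
}


class TenantAuthz:
    """Memberships keyed by (user, tenant); exactly one role per membership."""

    def __init__(self):
        self._memberships = {}

    def add_membership(self, user: str, tenant: str, role: Role) -> None:
        key = (user, tenant)
        if key in self._memberships:
            raise ValueError(f"{user} already has a role in {tenant}; change it instead of adding")
        self._memberships[key] = role

    def role_of(self, user: str, tenant: str):
        return self._memberships.get((user, tenant))

    def is_allowed(self, user: str, tenant: str, action: str) -> bool:
        """Deny by default: no membership in this tenant means no access to it,
        whatever roles the same user holds in other tenants."""
        role = self.role_of(user, tenant)
        if role is None:
            return False
        return action in ROLE_PERMISSIONS[role]
```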

User Access

TariffPilot Cloud Platform provides users with two modes of authentication. (1) Users can sign into the TariffPilot Cloud Manager with a magic link sent via email to the user's email address. (2) Users can sign into the TariffPilot Cloud Manager with a FIDO2 hardware token (e.g. YubiKey). The latter approach is strongly recommended and, at the current state of technology, represents the most secure industry approach for securing user accounts.
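An added illustration of what makes an emailed magic link (mode 1 above) safe to rely on: the server keeps only an HMAC of the token, and a token is consumed on first use and expires after a short window. This is example code written for this document, not TariffPilot's implementation; the 15-minute validity, the server secret and the class name are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for this example only; a deployment loads it from a secret store.
SERVER_SECRET = b"example-secret-not-for-production"
LINK_TTL_SECONDS = 15 * 60   # assumed validity window of a magic link


class MagicLinkService:
    """Issues single-use, time-limited sign-in tokens and redeems them.

    Only an HMAC of each token is stored, so a leaked table of pending links
    cannot be replayed; the emailed link carries the only copy of the raw token.
    """

    def __init__(self, secret=SERVER_SECRET, ttl=LINK_TTL_SECONDS, clock=time.time):
        self._secret, self._ttl, self._clock = secret, ttl, clock
        self._pending = {}   # token digest -> (email, expires_at)

    def _digest(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh token for the given address; the caller embeds it in the emailed link."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email.strip().lower(), self._clock() + self._ttl)
        return token

    def redeem(self, token: str):
        """Return the signed-in email address, or None.

        The pending entry is removed on any lookup hit, so a token can be used
        once only, and an expired token is discarded rather than accepted.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._clock() > expires_at:
            return None
        return email

    def pending_count(self) -> int:
        return len(self._pending)
```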

Logging, Monitoring, Alerting

With TariffPilot Cloud Platform there is a system-wide logging system, which is monitored by TariffPilot staff with access to the production environment.

In case of technical incidents, the system-wide logging system alerts TariffPilot staff automatically via email.

Incident Management

TariffPilot uses an incident management process based on Git tooling for capturing, reporting, and resolving issues.

Password Policy

For the TariffPilot Platform, we do not use passwords.