Security
Infrastructure
Our entire service infrastructure is based on state-of-the-art cloud technology. We have deliberately chosen not to operate our own hardware and completely refrain from using our own routers, load balancers, DNS servers, or physical servers. Instead, we rely on the services of leading cloud providers such as Google Cloud, Amazon Web Services, and Microsoft Azure. To meet the strict requirements of data protection, we take special care to ensure that our services are hosted on servers within the European Union. We consciously avoid hosting on US servers to ensure maximum data security and compliance. Our flexibility allows us to cater to the individual needs of our customers. If required, we can offer specific providers or alternative geographical locations, always taking into account applicable data protection regulations and security requirements.
Network
The security of our network is our highest priority. Our architecture encompasses multiple security zones that ensure comprehensive protection against unauthorized access. We rely on a virtual private cloud (VPC) with strict network access control lists (ACLs) and refrain from using public IP addresses. A key element of our strategy is the use of a modern, WireGuard-based VPN tool that strictly controls access to our infrastructure: Only verified administrators can access our systems through this secure network. An advanced firewall continuously monitors and controls network traffic, while strict IP address filtering further restricts access. We use state-of-the-art defense mechanisms to protect against DDoS attacks. These comprehensive measures ensure that our network is protected around the clock and potential threats are detected and mitigated early.
Encryption
The protection of sensitive data is a core aspect of our security strategy. We employ a two-tier encryption strategy to ensure maximum security. All data sent to or received from our infrastructure is encrypted during transmission using Transport Layer Security (TLS) according to the latest industry standards. This ensures that information is protected from unauthorized access during transport. In addition to encryption during transmission, we also rely on robust encryption at rest. All user data, including sensitive information such as passwords, is secured in our database using proven and reliable encryption algorithms. This double layer of protection ensures that your data is optimally protected at all times - whether during transmission or storage.
Data Storage
Our approach to data storage and deletion is designed to meet both legal requirements and the individual needs of our customers. By default, we store data for a period of up to 12 months. However, we understand that different companies and industries may have varying data storage requirements. Therefore, we offer our customers customized data storage policies. These range from 1-month storage to shorter periods such as a week or a day, down to hourly storage. For customers with particularly high security requirements, we even offer the option of immediate data deletion. After the specified retention period expires, all data is completely and irrevocably removed from our dashboard and server. We place great importance on transparency and control: Every user has the right to request the deletion of their usage data at any time through a simple contact with our support team.
Data Processing
Biem uses advanced artificial intelligence to develop state-of-the-art models. Our approach to data processing and model training is based on transparency and respect for our users' privacy. Regardless of whether our customers use the Elemental, Professional, or Enterprise package, the same regulation applies to all regarding the use of data for AI training and model development. We place great emphasis on ensuring that the use of data for training our AI models is based on a conscious and informed decision by our customers. Therefore, the use of user data for this purpose is disabled by default. Customers must explicitly give their consent before their data or the data from their installations are used for training AI models.
This approach ensures that our customers retain full control over their data and can decide for themselves whether they want to contribute to the further development of our AI technologies. We ensure that this process is transparent and easily understandable for our customers, allowing them to make an informed decision. This approach underscores our commitment to data protection while respecting the desire of many customers to participate in the development of innovative AI solutions.
Continuity
Ensuring business continuity and an effective disaster recovery strategy are central aspects of our corporate philosophy. We rely on a robust system of regular backups for all critical assets. To ensure the reliability and speed of our recovery process, we conduct recovery tests at regular intervals. This practice allows us to guarantee rapid recovery in the event of an unforeseen incident and minimize potential downtime. The security of your data always remains our top priority: All our backups are encrypted at rest to ensure their confidentiality even in the unlikely event of unauthorized access to the backup data.
Application Security
The security of our applications is our highest priority. We employ advanced, enterprise-grade protection mechanisms to comprehensively protect our infrastructure and our customers' data. Our security system provides robust protection against DDoS (Distributed Denial of Service) attacks while also functioning as a powerful Web Application Firewall (WAF). This technology allows us to quickly detect and effectively mitigate attacks on our cloud-based workloads and virtual machines. A special feature of our security approach is the use of machine learning. This adaptive protection mechanism enables us to detect and block Layer 7 DDoS attacks in real time, keeping us one step ahead.
We place particular emphasis on mitigating the Top 10 risks identified by OWASP (Open Web Application Security Project). Our security system protects our workloads both locally and in the cloud from these most common and critical security threats. Additionally, we have implemented advanced bot management. This uses modern bot detection technologies to prevent fraud on edge devices and ensure the integrity of our services. Through these comprehensive security measures, we ensure that our applications and our customers' data are protected to the best possible extent. We remain constantly vigilant and continuously adapt our security strategies to stay one step ahead of the ever-evolving threats in the digital world.
Development
Our development processes follow strict security guidelines and best practices aligned with leading security frameworks such as OWASP Top 10 and SANS Top 25. This alignment enables us to identify and address potential vulnerabilities early, ensuring the highest level of security in our products. Our development team undergoes regular training to stay informed about the latest security threats and defense mechanisms. This continuous education empowers us to integrate security from the ground up into our products and proactively respond to new challenges. We employ multi-layered security checks in our development process, including code reviews where experienced developers scrutinize the code for security vulnerabilities.
Additionally, we use automated tools for static and dynamic application security testing (SAST and DAST) to identify potential vulnerabilities in the code and in the running application. Our dependencies are regularly updated and checked for known security vulnerabilities to ensure we don't use vulnerable components in our software. Furthermore, we conduct automated penetration tests and annually engage external security experts for comprehensive manual penetration tests of our applications. This holistic approach to secure development allows us to continuously improve the security of our products and strengthen our customers' trust in our solutions.
User Security
The security and comfort of our users are at the center of our authentication strategy. We offer advanced Single Sign-On (SSO) solutions that allow users to securely and conveniently access our services. For our enterprise customers, we provide SSO options that can be seamlessly integrated into their existing identity management systems. This not only increases security by utilizing centralized authentication mechanisms but also improves the user experience by eliminating the need for multiple passwords. Our authentication system is designed to meet modern security standards while being flexible enough to adapt to the specific needs and preferences of our various user groups. By implementing advanced authentication methods, we not only strengthen the security of our platform but also improve the overall efficiency and user-friendliness of our system.
Compliance
As a Swiss provider, we place the highest value on compliance with national and international data protection regulations. Our compliance framework is primarily based on the Swiss Federal Act on Data Protection (FADP). At the same time, we meet the requirements of the European General Data Protection Regulation (GDPR). We have carefully adapted our processes, policies, and technical measures to the requirements of both the FADP and the GDPR. This ensures comprehensive protection of personal data and the preservation of extended rights of data subjects under both laws.
Our measures include improved transparency in data processing, strict consent requirements, and extended rights of access, deletion, and data portability. In addition to these legal obligations, we are working on obtaining further important certifications. We are in the process of achieving SOC 2 Type II compliance and obtaining ISO 27001 certification. These internationally recognized standards underscore our commitment to information security, availability, processing integrity, and confidentiality.
Our multi-layered compliance approach, which incorporates national, EU-wide, and international standards, demonstrates our tireless commitment to protecting our customers' data. We strive not only to meet the minimum legal requirements but to implement best practices in data protection and information security. Through this comprehensive approach, we strengthen our customers' trust in our ability to protect their sensitive information with the utmost care and in accordance with the strictest legal and ethical standards.
Payment Security
The secure handling of our customers' payment information is our top priority. To ensure the highest level of security, we have chosen to outsource the processing of all payment instruments to Stripe, a leading provider of payment infrastructures certified as a PCI Level 1 Service Provider. This certification represents the highest security standard in the payment card industry. Through this outsourcing, we ensure that our customers' sensitive financial data is treated with the utmost care and in compliance with the strictest security protocols. A key advantage of this approach is that we ourselves do not collect or store any payment information.
This significantly minimizes the risk of data leaks and exempts us from the complex PCI DSS obligations that would come with directly processing credit card data. Stripe's robust security infrastructure includes advanced encryption technologies, regular security audits, and continuous monitoring to prevent fraud and unauthorized access. By using these highly specialized services, we can focus on our core competencies while guaranteeing our customers the highest level of security for their financial transactions. We encourage our customers to learn about Stripe's detailed security practices to gain a comprehensive understanding of the protective measures safeguarding their payment data.
Employee Access
Responsible handling of customer data begins with our own employees. We have implemented strict internal procedures that severely restrict employee or administrator access to user data. These measures serve to protect our customers' privacy and minimize the risk of unauthorized data access. Our access management is based on the principle of least privilege, meaning employees can only access data and systems that are absolutely necessary for their specific role. In exceptional cases, such as for customer support, limited access may be granted, but only after a strict approval process and with precise logging of all activities.
For further security, we use advanced authentication methods such as two-factor authentication for all employee accesses. Every employee who gains access to sensitive systems or data must first complete comprehensive training on data protection and information security. Additionally, all our employees sign a strict confidentiality and non-disclosure agreement upon joining the company. This agreement legally obligates them to protect and treat our customers' sensitive information confidentially. Regular audits and reviews ensure that these policies are adhered to and that access rights are always current and appropriate. Through these multi-layered security measures, we create a corporate culture where the protection of customer data is not just a regulation, but a deeply ingrained responsibility of each individual employee.
Security Research
Our commitment to security goes beyond internal measures. We run a proactive bug bounty program that leverages the collective intelligence and expertise of the global security community to continuously improve and secure our platform. This program actively invites ethical hackers and security researchers to discover and report potential vulnerabilities in our systems. Program participants are rewarded for responsibly uncovering and reporting security issues, with the reward amount depending on the severity and impact of the reported vulnerability. Each report is carefully reviewed and prioritized by our security team to implement remedial measures as quickly as possible.
This program not only promotes the continuous improvement of our security infrastructure but also demonstrates our openness to external audits and our confidence in the robustness of our systems. It underscores our commitment to transparency and our proactive approach to cybersecurity. Interested security researchers can obtain detailed information about the scope, rules, and rewards of the program upon request through our special portal. For questions or to report potential security issues, our dedicated security team is available at security@biem.ch. By involving the broader security community in our defense strategy, we not only strengthen the security of our platform but also foster a culture of shared responsibility for cybersecurity across the tech industry.
Commitment
The security measures and practices outlined in this document form the foundation of our tireless commitment to protecting your data and the integrity of our services. From robust infrastructure security to stringent development standards to proactive measures like our bug bounty program, we take a holistic approach to cybersecurity. We understand that security in the digital world is not a one-time task, but a continuous process. Therefore, we commit to constantly reviewing, updating, and improving our security practices to keep pace with evolving threats.
Our commitment goes beyond mere compliance with regulations - we strive to be industry leaders in data protection and information security. We invite our customers to ask questions, raise concerns, and actively engage with us on security topics. Transparency and trust are the cornerstones of our relationships, and we are always striving to strengthen these.
By employing cutting-edge technologies, following strict policies, and fostering a culture of security throughout our entire company, we work tirelessly to provide you with the highest level of protection and reliability. Your trust is our most valuable asset, and we do everything in our power to justify it anew every day. Together, we are building a more secure digital future.
Contact
If you have any questions about security, please contact us.