Cyber Security has put in place technical and organizational measures to ensure that we maintain IT security across operations at An overview of some of the technical and organizational measures has implemented are listed below.


As of May 25th, 2018, is compliant with the EU’s General Data Protection Regulations (GDPR). has undergone the appropriate measures to be compliant, and by definition, is a Processor under GDPR. You can find more details in our privacy policy.

IT Security policies has established written IT Security Policies to give guidance on various areas of IT Security. Further technical and organizational measures are contained in these policies, and they are based on best practice and international standards, e.g., ISO27k1 and NIST. These policies are regularly reviewed and take into account, among other things, the state of the art and risks faced by so as to provide adequate IT Security which protects against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed at

Vendor assessments ensures a high level of IT Security across its operations by choosing vendors which are ISO27K1 certified or SOC certified for critical vendors or vendors which can provide an otherwise equally high level of IT Security.

Encryption’s Cloud Computing storage is encrypted by default. The key management sovereignty is held within and cannot be accessed by third parties.’s workstations and laptops are encrypted to protect from data theft. Encryption and decryption are centrally managed by the IT Support Team.

Penetration testing conducts penetration testing by third-party experts once a quarter throughout all customer-facing systems. Results and issues are logged, assessed, and are managed centrally by the Incident and Response Team.

Vulnerability disclosure program offers a bug bounty program to attract hackers to find IT Security bugs in’s products with the goal to continually improve the level of IT Security of products. If you would like to participate in this program, please send an email to

Firewalls makes use of network segmentation supported by state-of-the-art firewall technologies for on-premise systems as well as cloud systems.

DDoS attack prevention makes use of extensive services that prevent and mitigate DDoS attacks.

Pseudonymization or anonymization

Where possible, has automated pseudonymization or alternatively anonymization processes in systems handling personal data.

Access control has processes and procedures for access control, including on- and offboarding of employees as well as granting, revoking, and reviewing user access rights. User access rights are centrally managed in the Active Directory. Every user retrieves a unique user account; shared user accounts are prohibited.

Physical access controls are realized via ID-badges. The details of visitors to offices are recorded and visitors are provided with least-access ID-badges. Offices are supervised 24/7 by trained security personnel.

Need-to-know restrictions’s rights management system corresponds the Least-Privilege Access principle where users receive the least possible set of privileges on a computer system necessary to execute their responsibilities.

Segregation of duties’s software operation pipelines include the segregation of duties to effectively prevent software engineers from publishing and committing code changes without the review of colleagues.

To further improve code quality, implemented two testing stages prior to production environment. user personal data is only available on production level systems and restricted to non-human access.

Awareness and training continually trains its staff. Courses are updated regularly to cover individual learning objectives and has compulsory baseline knowledge areas such as IT Security and Data Protection.


All contracts with employees and freelancers working for include confidentiality provisions. makes extensive use of non-disclosure agreements to ensure that confidentiality is maintained when working with third parties.

Incident response has an incident response team which consists of members from the following three organizational teams:

Legal Team and Data Protection Officer

IT Security Team

Incident Team

All incident reports, penetration test results, and bug bounty submissions are centrally assessed, documented, tracked, and monitored.

How to contact us

We take IT Security seriously. If you have any additional questions that aren’t answered above or by the Help Center, please email and we’ll reply as quickly as we can.