Security & data protection
Multiple certifications!
What about the protection and security of your data in Evalanche?
For us, it's clear: if you say “marketing automation,” you also have to say “data protection”! Personal data—whether names, professional positions, interests, contact histories, or click behavior—is among the most valuable assets in your company. But this information only has economic value if it is collected, processed, and stored lawfully and securely.
The data of those affected must be handled respectfully at all times and in accordance with applicable legal regulations. Security and data protection begin long before our software is used.
Our vision
We see data protection as a modern human right in a digital world. We help ensure that every company respects people's right to informational self-determination by enabling them to reliably implement data protection, data security, and digital sovereignty. For us, digital sovereignty encompasses the aforementioned self-determination as well as the ability of people and companies to use digitalization in a targeted manner for their own benefit.
Our mission
To this end, we not only create the necessary technological conditions, but also promote an adequate understanding of data protection and data security through targeted information. We also uphold the right of every individual to determine how their own data is disclosed and used. We firmly reject surveillance, exploitation, manipulation, lack of transparency, and forced dependence on providers.
Our security concept for your data
Evalanche reliably protects your data at all levels and in accordance with the highest security standards against loss, theft, and misuse—thanks to a comprehensive security architecture.
TÜV certified
Internally protected
Securely hosted
Data protection compliant
Reliably tested
Our data protection package contains all the relevant information for data protection officers and security officers! You can request this from us at sales@evalanche.com.
ISO 27001 certificate for the highest security standards
SC-Networks is TÜV-certified according to ISO/IEC 27001. Certification according to the leading international standard for information security management systems proves compliance with the highest IT security standards throughout the company. This allows us to demonstrate the security and quality of our IT systems and business processes to our customers and partners. Further certifications and memberships:
- The “IT Security made in Germany” certification confirms that our IT security solutions are trustworthy and developed exclusively in Germany, and that our company complies with German data protection law.
- Through our DDV membership, we are bound by Evalanche's code of ethics for legally compliant permission marketing. We therefore expressly distance ourselves from sending unsolicited advertising by email.
- Evalanche is certified by the Certified Senders Alliance (CSA) and is therefore a member of the CSA whitelist. This ensures high delivery rates when sending emails.
- Through cooperation with Internet service providers (ISPs) and continuous blacklist monitoring, we protect ourselves against mailing blocks.
- By continuously checking against Robinson lists, we prevent the receipt of unwanted advertising via Evalanche.
Learn more about our certifications and memberships – from ISO 27001 and CSA to cloud services “made in Germany.”
Security – at the heart of Evalanche | SC-Networks
Compliance with certain technical and organizational measures serves to ensure data protection and data security as well as the confidentiality, integrity, and availability of the information processed within the company.
Partner and personnel security
At the core of Evalanche's security architecture are reliable and trustworthy employees who are contractually obligated to comply with data protection and data security guidelines and receive regular training. An independent data protection and information security officer initiates the documentation of usage rules, monitors their application and compliance, and oversees all technical and organizational measures for data protection and information security.
We also carefully select our suppliers and check their suitability with regard to data protection and information security. Documented agreements guarantee the protection and confidentiality of our values and data. Suppliers are therefore obliged to take appropriate technical and organizational measures. Upon termination of the supplier relationship, they are obliged to destroy the data and assets received from us. In addition, the obligation to maintain confidentiality applies indefinitely.
Crisis security (business continuity management)
As part of information security, we evaluate and document the availability of systems. A comprehensive emergency plan provides the framework for corresponding instructions, which are to be implemented in selected, documented emergency scenarios. Continuously updated exercise plans for testing the measures used and documenting the implementation of corresponding tests round off the emergency management system. Multi-year service contracts with short response times (mission critical) have been agreed for all critical servers and storage systems.
All SC-Networks IT systems are also protected against external attacks. These security measures are always up to date thanks to regular checks. Internal company servers are installed in separate, secure server rooms. Only IT administrators have access to these rooms. Data on backup media is encrypted and the media is stored securely in a vault. Only management and IT administrators have access to the vault.
System security
Data and information security is an integral part of the entire life cycle of our systems. This also includes the requirements for and security of information systems that provide services via public networks. In addition, we have established a procedure for managing system changes to ensure the integrity of the system, applications, and products from the early design phases through to all subsequent maintenance work.
When changes are made to operating platforms, we review and test business-critical applications to ensure that there is no negative impact on business processes or organizational security. We have a controlled process for analyzing, developing, and maintaining secure IT systems. Updates are regularly installed and released centrally. Acceptance processes and associated criteria are defined for new information systems, updates, and new versions.
Operational reliability
We have defined comprehensive guidelines and instructions to ensure the proper and secure operation of information and data processing facilities. Data backups are generated automatically on a daily basis and stored in AES-256 encrypted form on servers in the data center and additionally in a vault in another building. In our company, it is essential to separate development, test, and operating environments from each other: Customer data and SC-Networks GmbH's own data are separated from each other by access control and additionally by different server hardware. Measures for detection, prevention, and recovery to protect against malware are regularly updated. In the event of an audit of our information systems, we have defined steps to minimize disruptions to business processes as much as possible.
Communication security
As a technology company, the security of personal data and information stored in our networks and network services is essential to us. We have therefore documented procedures that manage, control, and secure our networks. Data is always transported via encrypted connections over the network. The establishment of data connections from unauthorized networks is prevented. Information services, users, and information systems are kept separate from each other as required. We have developed guidelines and procedures for information and data transmission, as well as agreements for information transmission to external parties, and we apply these strictly.
Device and value security
All assets (such as operating resources, removable data carriers, laptops) and information related to personal data are inventoried and maintained by us. There are rules governing the permissible use of our assets, which must be observed by all employees. We also have a documented and regulated process for transporting data carriers to protect them from unauthorized access, misuse, or falsification. The data carriers and data backup media we use are encrypted and stored securely. This also applies to data carriers in production systems. We dispose of data carriers that are no longer needed securely and using formal procedures.
Benefits
"We save >150k and make 7-digit additional turnover!"
> 25 years
as a company on the market
over 250
Partner in the growing Evalanche ecosystem
Optimally protected in the data center
Evalanche runs as fail-safe software-as-a-service (SaaS) on servers in two physically separate, TÜV-certified high-performance data centers in Germany.
- Administrative access is restricted to IT administrators at SC-Networks GmbH and authorized employees in the data centers.
- The highest security standards apply in the data centers – multi-level access controls via security gates with video surveillance prevent unauthorized persons from entering.
- Seamless video surveillance in the data center and logging of system access – to prevent authorized persons from gaining unauthorized access to third-party systems.
- Latest fire prevention technologies with fire alarm and fire protection systems – including inert gas extinguishing systems to prevent damage caused by extinguishing water in the event of a fire.
- Evalanche runs on multiple redundant systems – and remains accessible online even if individual systems fail.
- Data is stored on multiple redundant data carriers – ensuring data integrity even if individual hard drives fail.
- Communication takes place via multiple redundant high-speed Internet connections – Evalanche remains accessible even if individual Internet connections fail.
- Secure communication with encryption via Transport Layer Security (TLS) and HyperText Transfer Protocol Secure (https) – this prevents your session from being spied on by eavesdropping attacks.
- Redundant, uninterruptible power supply (UPS) – even during prolonged power outages at the server location, Evalanche remains accessible via emergency power supply from a diesel generator.
Systematic data protection and security
Evalanche follows the principles of privacy by design and privacy by default, thereby complying with the requirements of the GDPR.
- We use personal data provided to us during registration or in response to an inquiry exclusively for the intended purpose of responding to the inquiry or setting up user access to protected areas of the Evalanche account.
- Security-related updates for software products are installed and activated centrally. This ensures that all system users are simultaneously up to date.
- The data processed by Evalanche is protected against unauthorized access by extensive security measures at various levels. This is based on a differentiated role and rights concept with precise assignment of which information each user can see and what they are allowed to do with it.
- Access to data on the Evalanche servers is provided in the browser via a secure access protocol (https) using a security architecture embedded in the software to prevent unauthorized access.
- Passwords are stored in the system in one-way hashed form. When setting up and changing passwords, the system always checks that they comply with security-related requirements: minimum length, use of upper and lower case letters, numbers, and special characters.
- The system logs all security-related actions, such as login attempts. We offer our customers optional two-factor authentication to provide additional protection for system access via a USB security key.
- We have centrally monitored and protected event logging and ensure privacy protection in the event that sensitive personal data is stored. All logging facilities and log information, including administrator and operator logs, are protected against manipulation and unauthorized access.
- Time-controlled automatic termination of Evalanche sessions in case of inactivity. The session data remains stored in the system, allowing for restarting without data loss.
- We continuously create data backups through automatic, time-controlled database backups – and store them in various secure locations, protected from unauthorized access. Upon request, we also create complete backups with free shipping – for additional security with storage directly at the owner's premises.
- Security policies that can be configured to suit your needs allow you to set different security levels for password complexity, IP restrictions, security keys, and much more. Individually definable security settings also allow you to customize cookie configurations, IP address collection for web forms, and tracking settings (pseudonymized tracking).
Discover all the features of Evalanche that enable you to operate in full compliance with the GDPR!
Reliability is not a coincidence – it is a promise
To ensure the protection of our information and data, we regularly commission an independent review of our information security and data protection levels, our security and data protection guidelines, and our compliance with technical specifications.
Penetration tests
In order to gain an overview of potential vulnerabilities in the externally accessible IT infrastructure, we commissioned activemind AG to carry out an initial penetration test, followed by regular follow-up scans. The penetration test was based on the Open Source Security Testing Methodology Manual (OSSTMM). This is a widely used standard for conducting security audits and penetration tests.
Security tests for web services
To ensure the integrity of the EVALANCHE API, SC-Networks has established a predefined automated testing procedure using a recognized test suite. Complete security scans of the API are performed automatically. The defined control process ensures that the report is reviewed, messages are analyzed immediately, and errors are corrected.
Your questions about security and data protection – our answers
Personal data is indispensable in marketing today. In order to understand how (potential) customers think, decide, and act on the one hand, and to provide them with tailored, personalized content on the other, the relevant information is required. However, the demands of internet users and the legal regulations in this country – including the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Unfair Competition Act (UWG) – require that certain guidelines be followed when collecting, storing, processing and using personal data for advertising purposes. Otherwise, there is a risk of severe penalties, fines, and damage to reputation – both for the data-processing companies such as software providers and for the commissioning companies.
Who bears responsibility for data processing?
The client, i.e. the company that uses a software product, bears the same responsibilities as the data-processing company or software provider. Under Art. 28 GDPR, companies are obliged to engage only providers that offer sufficient guarantees of lawful processing and the protection of data subjects' rights. A data processing agreement is therefore mandatory, though not a guarantee. Ultimately, the company, as the controller, must also ensure that the provider actually implements the requirements.
How can data protection be implemented in practice?
Personal data must always be handled with the utmost respect for people's privacy. Only with their consent (for example via a double opt-in procedure) is it permitted to collect and process this data and translate it into measures. Without technological support, neither this transformation nor compliance with and monitoring of data protection requirements can be achieved efficiently. When it comes to processing personal data, the GDPR requires data protection through technical design (privacy by design) and data-protection-friendly default settings (privacy by default). Companies therefore need a tool that makes implementing data protection easier, not harder.
What do privacy by design and privacy by default mean in plain terms?
Privacy by design means that software such as Evalanche should function in a data-protection-compliant manner from the ground up, and should be developed and used accordingly. Measures such as pseudonymization are used here. Privacy by default, by contrast, complements this general technical design by making all default settings both data-protection-compliant and as restrictive as possible: for example, data forms should have only a few mandatory fields and no pre-ticked checkboxes. As the controllers responsible for data processing, companies must check whether their contractual partner and its software solution work according to these principles.
What does digital sovereignty mean for internet users and companies?
Digital sovereignty describes the independence and self-determination of companies. They alone decide what happens to lawfully collected data and who has access to it. Only in this way can the use of customer data in violation of data protection law, for example by unauthorized third parties or for analysis and advertising purposes, be prevented. In addition to this data sovereignty, it is also crucial that a company is independent of any arrangements such as inflexible license agreements, as well as of the rights and actions of the software provider or cloud provider. From the companies' point of view, digital sovereignty is just as valuable as the protection of data is for the data subjects.
What is the problem with US providers?
Providers from the USA in particular are criticized with regard to compliance with European data protection requirements and the granting of digital sovereignty. The fact is: since the Privacy Shield agreement was overturned in 2020, working with US software providers is not readily permissible. By GDPR standards, the level of data protection in the USA is not adequate, and there is no longer any agreement that remedies this. The reason is US laws that allow US authorities to obtain access to any data in the possession, custody, or control of a US company. Server location is not the only criterion here, since US subsidiaries are also subject to these US laws. Measures offered as alternatives to the agreements and intended to legitimize the use of US solutions, such as the European Commission's standard contractual clauses, should also be treated with caution and must be legally reviewed in advance.
How do I recognize a suitable provider?
Some key criteria that can be used to check whether a cloud provider or software provider can be considered at all from a data protection perspective are the following:
- The provider attaches great importance to data protection.
- Data is hosted exclusively in a European data center, preferably a certified one.
- No data or metadata is exchanged with the USA or other third countries that lack an adequate level of data protection.
- The data center runs independently of US systems. Maintenance, backups, and administration take place exclusively in the EU.
- The applicability of non-GDPR-compliant laws such as the US CLOUD Act is ruled out.
- Standard contractual clauses for data protection under the GDPR have been legally reviewed and sufficiently supplemented by further measures.
- The principles of privacy by design and privacy by default are taken into account.
Reliable and secure: try it out!
If you want to implement data-protection-compliant marketing, you should get to know Evalanche!


