Privacy and performance – by design and by default

Marketing Automation made in Germany

Security and data protection you can trust

For us, one thing is certain: marketing automation always goes hand in hand with data protection! Personal data—whether names, job titles, interests, contact histories, or click behavior—are among the most valuable assets in your company. However, this information only has economic value if it is collected, processed, and stored lawfully and securely.

The data of those affected must be handled respectfully at all times and in accordance with applicable legal regulations. Security and data protection begin long before our software is used.

Benefits

"We save >150k and make 7-digit additional turnover!"

More than 25 years as a company on the market

over 250 partners in the growing Evalanche ecosystem

Our vision: enabling secure and purposeful digital use

We see data protection as a modern human right in a digital world. We help ensure that every company respects individuals’ right to informational self-determination by enabling them to reliably implement data protection, data security, and digital sovereignty. For us, digital sovereignty encompasses self-determination as well as the ability of people and companies to use digitalization for their own benefit.

Our mission: securing digital rights

To this end, we provide the necessary technological foundations and promote an adequate understanding of data protection and data security through focused information and communication. We also uphold the right of every individual to determine how their own data is disclosed and used. We firmly reject surveillance, exploitation, manipulation, lack of transparency, and forced dependence on providers.


Our security concept for your data

Evalanche reliably protects your data at all levels and in accordance with the highest security standards against loss, theft, and misuse—thanks to a comprehensive security architecture.

TÜV certified

Internally protected

Securely hosted

Data protection compliant

Reliably tested

Our data protection package contains all the relevant information for data protection officers and security officers! You can request this from us at sales@evalanche.com.


27001 Certified for Top Security Standards

SC-Networks is TÜV-certified according to ISO/IEC 27001. Certification according to the leading international standard for information security management systems proves compliance with the highest IT security standards throughout the company. This allows us to demonstrate the security and quality of our IT systems and business processes to our customers and partners. Further certifications and memberships:

  • The “IT Security made in Germany” certification confirms that our IT security solutions are trustworthy and developed exclusively in Germany, and that our company complies with German data protection law.
  • Through our DDV membership, we are bound by Evalanche's code of ethics for legally compliant permission marketing. We therefore explicitly distance ourselves from sending unsolicited advertising by email.
  • Evalanche is certified by the Certified Senders Alliance (CSA) and is therefore a member of the CSA whitelist. This ensures high delivery rates when sending emails.
  • Through cooperation with Internet service providers (ISPs) and continuous blacklist monitoring, we protect ourselves against mailing blocks.
  • By continuously checking against Robinson lists, we prevent the receipt of unwanted advertising via Evalanche.

Learn more about our certifications and memberships – from ISO 27001 and CSA to cloud services “made in Germany.”


Security – at the heart of Evalanche

Compliance with certain technical and organizational measures serves to ensure data protection and data security as well as the confidentiality, integrity, and availability of the information processed within the company.

Employee and Supplier Security

At the core of Evalanche's security architecture are trusted employees who are contractually obligated to comply with data protection and data security guidelines and receive regular training. An independent data protection and information security officer initiates the documentation of usage rules, monitors their application and compliance and oversees all technical and organizational measures for data protection and information security.

We also carefully select our suppliers and check their suitability with regard to data protection and information security. Documented agreements guarantee the protection and confidentiality of our assets and data. Suppliers are therefore obliged to take appropriate technical and organizational measures. Upon termination of the supplier relationship, they are obliged to destroy the data and assets received from us. In addition, the obligation to maintain confidentiality applies indefinitely.

Crisis resilience (business continuity management)

As part of information security, we evaluate and document the availability of systems. A comprehensive emergency plan provides the framework for instructions, which are to be applied in documented emergency scenarios. Continuously updated exercise plans test the measures and document test execution, rounding out the emergency management system. Multi‑year service contracts with short response times (mission‑critical) are in place for all critical servers and storage systems.

All SC-Networks IT systems are also protected against external attacks. These security measures are up to date thanks to regular audits. Internal company servers are installed in separate, secure server rooms. Only IT administrators have access to these rooms. Data on backup media is encrypted and the media are stored securely in a vault. Only management and IT administrators have access to the vault.

System security

Data and information security are an integral part of the life cycle of our systems. This includes the requirements for and security of information systems that provide services over public networks. In addition, we have established a change‑management procedure to ensure the integrity of the system, applications, and products from the early design phases through all subsequent maintenance.

When changes are made to operating platforms, we review and test business‑critical applications to ensure no negative impact on business processes or organizational security. We have a controlled process for analyzing, developing, and maintaining secure IT systems. Updates are regularly installed and deployed centrally. Acceptance processes and associated criteria are defined for new information systems, updates, and versions.

Operational reliability

We have defined comprehensive guidelines and instructions to ensure the secure operation of information and data processing facilities. Data backups are automatically generated daily and stored in AES‑256‑encrypted form on servers in the data center and in a vault in another building. It is essential to separate development, test, and production environments: Customer data and SC‑Networks GmbH’s own data are separated by access controls and by different server hardware. Malware detection, prevention, and recovery measures are regularly updated. In the event of an audit of our information systems, we have defined steps to minimize disruptions to business processes.

Communication security

The security of personal data and information stored in our networks and network services is essential. We have documented procedures that manage, monitor, and secure our networks. Data is transported through encrypted connections. Data connections from unauthorized networks are blocked. Information services, users, and information systems are kept separate as required. We have developed guidelines and procedures for information and data transmission, as well as agreements for transmission to external parties, which we apply strictly.

Device and asset security

All assets (equipment, removable storage media, laptops) and information containing personal data are inventoried and maintained. Rules governing the acceptable use of our assets must be observed by all employees. We also have a documented process for transporting storage media to protect them from unauthorized access, misuse, or falsification. The storage media and data backup media we use are encrypted and stored securely. This also applies to storage media in production systems. We dispose of storage media no longer needed using formal procedures.

Robust data center protection

Evalanche runs as fail-safe software‑as‑a‑service (SaaS) on servers in two physically separate, TÜV‑certified high‑performance data centers in Germany.

  • Administrative access is restricted to IT administrators at SC‑Networks GmbH and authorized data center operators.
  • The highest security standards apply in the data centers – multi-level access controls via security gates with video surveillance prevent unauthorized entry.
  • Video surveillance and system‑access logging help prevent unauthorized access to third‑party systems.
  • State‑of‑the‑art fire prevention technologies with fire alarm and fire protection systems—including inert gas suppression systems—prevent water damage in the event of a fire.
  • Evalanche runs on multiple redundant systems and remains accessible online even if individual systems fail.
  • Data is stored on multiple redundant storage media, ensuring data integrity even if individual hard drives fail.
  • Communication takes place via multiple redundant high‑speed Internet connections – Evalanche remains accessible even if individual Internet connections fail.
  • Secure communication via Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS) – this prevents your session from being intercepted.
  • An uninterruptible power supply (UPS) ensures availability during prolonged power outages at the server location, with backup power provided by a diesel generator.

Systematic data protection and security

Evalanche follows the principles of privacy by design and privacy by default, complying with the requirements of the GDPR.

  • We use personal data provided during registration or in response to an inquiry exclusively for the intended purpose of responding to the inquiry or setting up user access to protected areas of the Evalanche account.
  • Security-related updates for software products are installed and activated centrally. This ensures that all system users are up to date.
  • The data processed by Evalanche is protected against unauthorized access by extensive security measures at various levels. This is based on a differentiated role‑ and rights‑based model with precise assignment of what each user can see and do.
  • Access to data on the Evalanche servers is provided via a secure protocol (HTTPS) using a security architecture to prevent unauthorized access.
  • Passwords are stored as one‑way hashes using industry‑standard methods. When setting up and changing passwords, the system checks compliance with security requirements: minimum length, use of uppercase and lowercase letters, numbers, and special characters.
  • The system logs all security-related actions, such as login attempts. We offer our customers optional two-factor authentication via a USB security key to provide additional protection for system access.
  • We have centrally monitored and protected event logging and ensure privacy protection if sensitive personal data is stored. All logging facilities and log information, including administrator and operator logs, are protected against tampering and unauthorized access.
  • Automatic session timeout in case of inactivity. The session data is retained, allowing restart without data loss.
  • We create data backups through automatic, scheduled database backups, and store them in various secure locations, protected from unauthorized access. Upon request, we also create complete backups with free shipping—for additional security with storage directly at the owner's premises.
  • Configurable security policies allow you to set different security levels for password complexity, IP restrictions, security keys, and more. Customizable security settings also allow you to configure cookie settings, IP address collection for web forms, and tracking settings (pseudonymized tracking).

Discover all the features of Evalanche that enable you to operate in full compliance with the GDPR!


Reliability is no coincidence — it’s a promise

To protect our information and data, we regularly commission an independent review of our information security and data protection levels, policies, and our compliance with technical specifications.

Penetration tests

To assess potential vulnerabilities in the externally accessible IT infrastructure, we commissioned activemind AG to conduct an initial penetration test, followed by regular follow-up scans. The penetration test was based on the Open Source Security Testing Methodology Manual (OSSTMM), a widely adopted standard for security audits and penetration testing.

Security tests for web services

To ensure the integrity of the Evalanche API, SC‑Networks has established an automated testing procedure using an industry‑recognized test suite. Comprehensive security scans are run regularly. The control process ensures that the report is reviewed, alerts are analyzed immediately, and issues are remediated.

Questions? We have the answers. Get in touch now!

Our experts will be happy to answer all your questions about Evalanche in our free consultation.


We are happy to assist our customers with all technical questions relating to our marketing automation solution.

Our Help Center offers help on the use and functions of Evalanche - well structured, with a search field.


You can discover webinars, tutorials and exciting keynotes in our extensive media library.

Your questions about security and data protection – our answers

Personal data is indispensable in marketing today. To understand how (potential) customers think, decide, and act, and to provide them with tailored, personalized content, companies need relevant information. However, user expectations and legal regulations in Germany and the EU – including the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and the Unfair Competition Act (UWG) – require compliance with specific guidelines for the collection, storage, processing, and use of personal data for advertising purposes. Otherwise, companies risk severe penalties, fines, and reputational damage – both for data-processing companies (e.g., software providers) and for contracting companies.

Who is responsible for data processing?

The client, the company using the software, has responsibilities comparable to those of the data processor (software provider). According to Art. 28 GDPR, companies are obliged to commission providers who offer sufficient guarantees for legally compliant processing and the protection of data subjects' rights. A data processing agreement is mandatory, even if it is not a guarantee. Ultimately, the company, as the controller, must ensure that the provider actually implements the requirements.

How can data protection be implemented in reality?

Personal data must be handled with the utmost respect for individuals' privacy. Only with their consent (e.g., through a double opt-in procedure) is it permissible to collect, process, and convert this data into actions. Without technological support, neither this transformation nor compliance with and monitoring of data protection requirements is possible efficiently. When it comes to processing personal data, the GDPR requires the implementation of privacy by design and privacy by default. Companies need a tool that facilitates rather than hinders the implementation of data protection.

What does privacy by design or privacy by default mean in plain language?

Privacy by design describes how software such as Evalanche should be developed and used in a way that complies with data protection regulations from the ground up. Measures such as pseudonymization are used. Privacy by default, on the other hand, complements this general technical design by ensuring that all default settings are both data protection-compliant and as restrictive as possible: for example, forms should only have a few mandatory fields and no prechecked checkboxes should be used. As data controllers, companies must check whether their contractual partners and their software solutions operate in accordance with these principles.

What does digital sovereignty mean for internet users and businesses?

Digital sovereignty describes the independence and self-determination of companies. They alone decide what happens to the data collected in compliance with the law and who has access to it. This prevents the use of customer data in violation of data protection regulations, for example by unauthorized third parties or for analysis and advertising purposes. In addition to this data sovereignty, it is also crucial that a company is independent of restrictions such as inflexible license agreements and the rights and actions of the software provider or cloud provider. From the perspective of companies, digital sovereignty is just as valuable as data protection for those affected.

What is the issue with US providers?

Providers from the US face criticism regarding their compliance with European data protection regulations and the granting of digital sovereignty. Since the Privacy Shield agreement was overturned in 2020, cooperation with US software providers is no longer automatically permissible. The level of data protection in the US is insufficient according to GDPR standards, and there is no longer an agreement that remedies this situation. The reason for this is US legislation that allows US authorities to access any data that is owned, held, or controlled by a US company. The server location is not the only factor here, as US subsidiaries are also subject to these US laws. Alternative measures intended to legitimize the use of US solutions – such as standard contractual clauses of the European Commission – should also be viewed with caution and must be reviewed in advance from a legal perspective.

How can I identify a suitable provider?

Some key criteria that can be used to check whether a cloud provider or software provider can be considered under data protection law are as follows:

  • The provider places strong emphasis on privacy.
  • Data is hosted exclusively in a European, preferably certified, data center.
  • No data or metadata are exchanged with the US or other third countries without an adequate level of data protection.
  • The data center operates independently of US systems. Maintenance, backups, and administration are carried out exclusively in the EU.
  • The effectiveness of non-GDPR-compliant laws such as the US CLOUD Act is contractually excluded.
  • Standard contractual clauses for data protection in accordance with the GDPR have been legally reviewed and sufficiently supplemented by further measures.
  • The principles of privacy by design and privacy by default are taken into account.

Reliable, secure, and GDPR-ready

Test Evalanche and see how marketing automation, personalization, and reporting drive measurable results – compliantly.