Security & GDPR
Privacy and security are our highest priorities
We are happy that you have shown interest in our services. The protection of your privacy and data is one of our top priorities and has deeply influenced our technical architecture, the selection of our tools and frameworks as well as a lot of business decisions along the way.
As the data controller, tchop GmbH has implemented numerous technical and organizational measures to ensure the protection of personal data processed through this website in the best possible way.
- Focus on infrastructure
and System Security
- The tchop platform is hosted by Amazon Web Services (AWS) , which complies to ISO 27001 and SSAE-16 standards, ensuring full data security. All information is encrypted using TLS 1.2 and PFS, security incidents are reported to our security team 24/7 and access to the tchop production servers is restricted. We do daily backups and have a contractually binding uptime of 99.9%.
- European servers
- tchop servers are located in Europe. Amazon Web Services facilities are compliant to ISO 27001 as well as SSAE-16 certification.
- Secure Architecture
- Our platform architecture is designed to minimize the risk of a security breach by permitting access to the minimal required systems only, while other systems, such as database servers, are only accessible internally. All traffic to our application servers is routed through our proxies and gateways. All other systems in our data centers never have direct access to the Internet - neither inbound nor outbound.
- Our network is protected by redundant layer-4 firewalls, secure HTTPS-transport communication over public networks, VPN only access to our production and testing systems and key-based authentication for system administrators for maintenance purposes.
- Security Incident
- A security incident event management (SIEM) system gathers all available logs from our systems to analyze these for correlated events. The SIEM system notifies the tchop team about the event, so that the team can respond quickly.
- DDoS Protection
- Distributed Denial of Service (DDoS) is mitigated by our hosting provider Amazon Web Services. 'AWS Shield' provides always-on detection and automatic inline mitigations that minimize application downtime and latency. You can find more info
- Access to the tchop production environment is restricted to the core operations team. This includes frequently auditing and monitoring the accesses. All productive systems are secured by VPN and require key-based authentication.
- Encryption in transit
- All communication of our systems over public networks is encrypted using HTTPS with Transport Layer Security (TLS 1.2) and Perfect Forward Secrecy (PFS). We disabled SSLv3 on all systems to prevent security breaches.
- Encryption at rest
- All user passwords are encrypted by using best-practice one-way hash functions to minimize the impact of a data breach.
- End-to-end encrypted chat
- We use a secure end-to-end AES 256 and TLS 1.2 encryption for our chat. All chat messages and chat history are also stored fully encrypted on European servers only. For the technical implementation we use infrastructure and servers of Pubnub https://www.pubnub.com
- We guarantee a minimum 99.9% uptime for the tchop platform.
- We do backups of all relevant systems in daily frequency and store these backups up to a month for restoring based on identified incidents. Also, all productive services of the tchop platform run at least in dual-mode to provide a fast performing failover. Our development team is equipped with plans for different scenarios and therefore is able to regain data in cases of emergency.
- We perform automated tests on our code base in order to ensure a maximum level on QA. Also, we follow a test-driven development approach and peer-review all code changes that are submitted to the code base by our team.
- Secure environments
- We work with testing and staging systems that are logically separated from production systems, so that we can rollout and improve on beta and alpha versions in an iterative process that never harms live services.
- Secure Credential Storage
- Passwords in tchop cannot be extracted, as they are stored in the database using bcrypt, a one-way-hash function designed to be collision free.
- Security training
- We periodically train our developers to be aware of common security risks for development as well as the data privacy of our customers' data.
- Confidentiality Agreement
- All our team members have signed a confidentiality agreement to protect customer data, as well as agreements obligating them to comply with the data secrecy provisions of § 5 of the BDSG (Bundesdatenschutzgesetz) and the confidentiality of telecommunications (§ 88 Telecommunications Act).
- Reduced Access
- Access to our production systems is reduced to a minimum set of people responsible for maintenance and operations. Only our management has access to the most sensitive spaces.
- User Management
- We offer several ways for onboarding your users. They can be invited directly by email. Soon you will be able to also use registration based on domain bonding. That is, every user with a certain email domain can register without having been invited individually. Even when you do not know the email address of your users, you can invite them by generating unique access codes for one-time registration. Finally, you can use SSO for registration.
- Data Processing
- Where required under applicable data protection law, we provide an agreement on commissioned data processing.
- EU General Data Protection
- tchop complies with the requirements of the EU General Data Protection Regulation and provides a secure communication platform that protects employee and customer data equally. The privacy rights of our customers and the security of their personal data are our highest priorities.