Security & Data Protection

Overview

Mindbreeze is part of the Fabasoft Group and uses Fabasoft Cloud Services. Data protection and data security have the utmost priority for Fabasoft as a software manufacturer and cloud provider.

Fabasoft Security Guideline:

Fabasoft has made a binding commitment to data protection and information security with the adoption of the Fabasoft Security Guideline as part of the overall Fabasoft strategy. The Security Guideline communicates the significance of information security, Fabasoft’s information security targets, the organisation of its information security management as well as the security measures taken and its efforts to ensure continuous improvement in the field of information security.

The Fabasoft Security Guideline is available for Download (PDF): Fabasoft Security Guideline

Mindbreeze Privacy Statement:

Due to the nature of the business, data protection is of particularly high importance to the Fabasoft Group. Fabasoft plc and its subsidiary companies have dedicated themselves to the protection of data and, in particular, of personal data. Exactly how Fabasoft uses and protects personal data, such as first and surnames, email addresses or telephone numbers, will be outlined in more detail in our privacy statement.

The Mindbreeze Privacy Statement is available for Download (PDF): Mindbreeze Privacy Statement.

If you need more information about our certifications and attestations, please send your request to: trust@mindbreeze.com

Certified security and reliability

ISO 9001 - Quality Management

Since 2005 the entire Fabasoft company has been ISO 9001 certified.

Once a year our quality management is audited and certified by a leading certification body. The aims of the audit are to examine conformity with demand models and to identify potential for the further development of the quality management system.

Fabasoft was successfully recertified in accordance with ISO 9001:2015 by TÜV AUSTRIA CERT GMBH in October 2020.

Continuous Improvement

The quality management system at Fabasoft is a living system. This means that work methods, processes and their corresponding documentation are continuously adapted to new data and constantly undergo improvement.

All Fabasoft business-relevant processes are depicted in the form of graphic process diagrams in the process landscape in the internal system. The further development, checking and approval of these processes is the responsibility of the process owner and is defined for every process.

Focus on Customer Orientation

A strategic aim of Fabasoft lies in a strong customer orientation of the quality management system. At Fabasoft customer satisfaction is of the highest importance. Fabasoft customers have the opportunity to share their opinions and improvement suggestions with us. In regular meetings (User Group) customers can give their feedback directly to the Fabasoft employee in charge. The results and evaluations of customer surveys are analyzed and integrated into the improvement processes to ensure that the customer demands are met.

Scope

Development and sales of own software products, cloud services, Software-as-a-Service applications, appliances and provision of related services.

Download certificate

ISO 20000-1 - IT Service Management

In May 2011 Fabasoft received the ISO 20000 certificate for the IT services Folio Cloud (today: Fabasoft Cloud) and Folio SaaS for the first time. The scope was subsequently expanded to include Mindbreeze InSpire SaaS. The ISO 20000-1 standard is an internationally recognized standard for IT service management systems which documents the requirements for professional IT service management.

Implementation of International Standards

With this certification, Fabasoft underlines its strategy of implementing international standards.

ISO 20000-1 serves as a measurable quality standard for IT Service Management (ITSM). The aim of ISO 20000 is to deliver a higher quality of IT services to customers. Alignment according to the needs and requirements of customers plays a primary role.

ITIL orientation in IT Service Management

The standard also serves as an instrument to model processes in an optimized management system as they are described in the Office of Government Commerce (OGC)'s IT Infrastructure Library (ITIL). This encompasses such core processes as change, release, incident, problem and security management.

The certification brings with it many advantages. Alongside the targeted improvement of processes through regulated structures, service level maintenance, customer satisfaction and availability of services are more easily measurable by means of key performance indicators.

Fabasoft was successfully re-certified in accordance with ISO 20000-1:2018 by TÜV Austria HELLAS in October 2020.

Scope

The IT Service Management System of Fabasoft supporting the provision of Fabasoft Cloud, Fabasoft Folio SaaS and Mindbreeze InSpire SaaS to internal and external customers.

Download certificate

ISO 27001 & ISO 27018 - Information Security and Protection of personal data

In June 2008 Fabasoft received the ISO 27001 certificate for the first time. The standard is a globally recognized standard for the assessment of the security of IT environments.

In July 2015 Fabasoft was successfully audited and also gained certification under ISO 27018. This international standard was published in 2014 and specifies data protection requirements for cloud service providers.

Clearly Defined Standards

The certification's range of validity specifies the requirements for fully comprehensive information security management concerning all IT and business processes as well as all confidential company information. For customers, the ISO 27001 certification means compliance with clearly defined technical and security based standards and thereby defined service levels for the Fabasoft data centers.

The international standard ISO 27018 defines data protection requirements for cloud service providers. They have to undertake major obligations regarding notification, information, transparency and burden of proof in order to build trust with clients and public institutions concerning the processing of personal data within the cloud.

Continual Adaptation

Periodic internal review of the processes and provisions detailed in ISO 27001, including ISO 27018, is the basis for the further development of internal IT security standards and their continual adaptation to changing frameworks and tasks.

Fabasoft was successfully recertified in accordance with ISO 27001 incl. audit according to ISO 27018 by TÜV AUSTRIA Deutschland GmbH in October 2020.

Scope

Development and sales of own software products, cloud services, Software-as-a-Service applications, appliances and provision of related services.

Download certificate

BSI C5:2020

Mindbreeze receives attestation for its Mindbreeze InSpire SaaS service according to the specifications of the C5 catalogue of requirements (Cloud Computing Compliance Criteria Catalogue, abbreviated C5), published by the German Federal Office for Information Security (BSI). The Mindbreeze InSpire SaaS service is professionally operated in Mindbreeze data centers on behalf of the customers. The C5 attestation pursuant to the requirements of the BSI is a recognized and reliable proof which transparently reveals the high level of information security for all Mindbreeze customers. Until 2020 the KPMG Alpen-Treuhand GmbH Wirtschaftsprüfungs- und Steuerberatungsgesellschaft issued the attestation.

Following the initial audit in accordance with BSI Standard C5:2020 at the beginning of 2021, this audit was carried out again at the beginning of 2022 by PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft, Germany, on behalf of Mindbreeze.

The C5 certificate (ISAE 3000 Report Type 2) is a recognized and reliable proof for all customers using Mindbreeze in the cloud (Mindbreeze InSpire SaaS), which verifiably discloses the high level of information security.

The catalogue of requirements of the BSI specifies the minimum requirements that cloud service providers must meet. The information on the general conditions of the cloud service serves to provide customers with additional information on the level of information security offered by Mindbreeze and ensures transparency with regard to information on jurisdiction and locations, availability and incident handling during regular operation, recovery parameters in emergency operation, availability of the data center, how investigation enquiries from government authorities are handled and certifications or attestations.

For more information on the audit report, please contact us at trust@mindbreeze.com.

ISAE 3000 SOC2 TYPE 1

Mindbreeze completed the SOC2 Type 2 audit for its Mindbreeze InSpire SaaS Services at the beginning of 2022. PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft, Germany, issued the audit report.

As part of the audit process, PwC checked whether the Trust Service Criteria (TSC) for Security – issued by the American Institute of Certified Public Accountants (AICPA) – are being adhered to. Therefore, the existing internal control mechanisms for the services offered – for example with regard to risk minimization, access controls, monitoring measures or communication – were examined and documented. The audit took the form of an ISAE 3000 Type 2 audit (checking the control implementation within a defined test period). Mindbreeze received the final audit results as an ISAE 3000 SOC2 Type 2 report.

For more information on the audit report, please contact us at trust@mindbreeze.com.

ISAE 3402 TYPE 2

The International Standard on Assurance Engagements (ISAE 3402) is the international testing standard that assesses the effectiveness of internal control systems (IKS) of service providing organizations. The standard was created by the International Auditing and Assurance Standards Board (IAASB) as a successor to the SAS 70 Standard. Up until 2011 Fabasoft was tested according to the AICPA's reporting standard SAS 70 Type 2, afterwards according to ISAE.

ISAE 3402 aims to extensively test an organization's internal control system and to rate its effectiveness in detail. The testing takes place over a twelve month period. The ISAE 3402 test report contains the opinion of an external test company on the control procedure at the service provider, a description of the control points, the test methods and controls, information about the test period and a statement about the effectiveness of the controls.

For more information on the audit report, please contact us at trust@mindbreeze.com.

ACCESSIBILITY

Equal opportunities for people with disabilities and their integration into society and work require the accessible use of software, which is also defined by law. Mindbreeze InSpire offers accessibility for almost all kinds of disabilities.

Mindbreeze InSpire is the first enterprise search and big data solution to be evaluated by Pfennigparade. The standard recognized benchmark for the evaluation of Internet offerings is the BITV-Test, which was supplemented by a usability test to cover the full range of test criteria. Mindbreeze InSpire (search appliance) received a total BITV test score of 98.75 points. The component was given a rating of “very accessible”.

AUDIT-PROOF ARCHIVING

The vision of a paper-free office is as old as the first IBM PC that fitted onto a regular desk - but we're still chasing that dream. The rules and regulations governing the storage of business records, invoices, contracts, documentation for accounts and financial records are partly to blame for this. Time limits legally required for storage vary from a few years to eternity and beyond.

Fabasoft Folio is a huge step forward, as audit-proof electronic storage eliminates the costs and space requirements needed for hard-copy storage.

Verified Quality

The PricewaterhouseCoopers auditors worked according to a checklist. Some of the most important points, which were naturally found to be without faults, were:

  • Data access. Already in the course of the ISAE 3402 Type 2 test, virtual and physical access restrictions were thoroughly checked and found to be sufficient. Client data is safe from prying eyes.
  • Data cannot be amended retrospectively.
  • Relevant documents cannot be deleted before the time limit expires - not even by Fabasoft administrators.
  • The trail from paper to electronic storage is sufficiently secured.
  • All legal requirements are met.

Web Accessibility Certificate Austria (WACA) for web accessibility

WACA is Austria's first and only quality seal to make accessibility on the web recognizable to the outside world according to the international W3C guidelines. The certificate of the WACA initiative and the independent certification body TÜV Austria is intended to ensure accessibility for all people on the professionally tested website.

Mindbreeze meets the requirements of WCAG 2.1 - AA to a high degree and was awarded silver for this reason.

The following criteria must be met for the Web Accessibility Certificate Austria (WACA) in Silver:

  • Website largely complies with WCAG 2.1 - AA success criteria
  • All content is accessible to all users
  • The basic functionality is accessible to all users without restrictions
  • Parts of the extended/optional functionality are more cumbersome to use for some users, but still accessible

 

Download Certificate

National and European data protection laws

As a European company we are subject to the strictest data protection laws.

European Union

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

 

Germany

 

Austria

 

Switzerland

Data security: Security of customer data

Customer data resides on Fabasoft's own servers within its own protected networks, to which only a small number of selected members of the operations management team have access. Even operations management employees do not have authorization to access customer data. These mechanisms are regularly checked via external audits. In short, customer data cannot be viewed by employees.

Fabasoft Code of Conduct for Contractors

As business partners of Mindbreeze, which is part of the Fabasoft Group, contractors accept the "Fabasoft AG Conditions of Purchase for Fabasoft and its subsidiaries" and all associated agreements, including the Fabasoft Code of Conduct for Contractors – see https://www.fabasoft.com/en/about-us/sustainability-and-compliance.