_converted%5B1%5D.avif)
Come proteggiamo i tuoi dati più sensibili
Prendiamo sul serio la sicurezza. Ecco esattamente come.
Questa pagina è dedicata a chi ha bisogno di più di semplici rassicurazioni. Qui troverai le decisioni architetturali, le certificazioni e gli standard operativi che sono alla base di tutto ciò che costruiamo – documentati, verificabili e disponibili su richiesta.
Conformità del
Data Center
La conformità del nostro data center è sinonimo dei più elevati standard di sicurezza e protezione dei dati: dalla sovranità svizzera e l'architettura Tier III ai controlli conformi PCI e la certificazione ISO 27001:2022, per la migliore protezione possibile dei vostri dati aziendali critici.
I nostri dati centres are located exclusively in Svizzera and operate under some of the world's most rigorous dati protection legislation. Switzerland's long-standing political neutrality isn't just context: it's a deliberate part of our infrastructure strategy.
- Tier III targets (Uptime Institute) per physical resilienza
- 24/7 monitoring and controlled physical accesso
- Redundant power supply and climate control
- Processing allineaa con Swiss FADP and EU GDPR
Our sicurezza controls incorporate selected practices consistent con PCI DSS v4.0, including crittografia in transito, system hardening, controlli degli accessi, and continuous monitoring. We don't treat PCI conformità as a checkbox: quarterly external vulnerability scans are conducted by an Approved Scanning Vendor (ASV), con mandatory re-scans after remediation or significant changes.
- Quarterly ASV scans con confirmation records
- Re-scans after corrections or significant infrastructure changes
- Least privilege accesso and MFA enforced per administrative functions
We hold ISO/IEC 27001:2022 certificazione – the attuale international standard per information sicurezza gestione. Certification isn't a one-time event per us: it's maintained through annual accredited surveillance audits and full recertification every three years.
- Annual accredited surveillance audits; recertification every three years
- Full implementazione of the 2022 standard requisiti
- Comprehensive risk gestione documentation
- Regular internal and external audit cycles
- Extended controls da the 2022 revision fully implemented
Sicurezza e Disponibilità Integrate
Sicurezza e disponibilità non sono per noi optional, ma parte integrante del nostro DNA. Con un'architettura "security first", strategie di difesa in profondità, procedure di crittografia certificate, test di penetrazione continui e backup geo-ridondanti in Svizzera, garantiamo che i vostri dati rimangano protetti e accessibili in ogni momento.
We protect login credenziali da the ground up. Hashing, crittografia, and four-eyes controls aren't add-ons — they're part of the baseline.
- Passwords hashed using Argon2id or bcrypt, con individual salts per user; no plain-text archiviazione; hashing parameters reviewed and updated regolarmente
- Application secrets and tokens crittografaa a riposo (AES-256) con strict key gestione, rotation, and controlli degli accessi; short-lived tokens preferred, con revocation on logout or risk events
- Administrative accesso governed by commit-signed changes, protected branches, and four-eyes approval per sensibile credential flussi di lavoro
We design per high disponibilità con active redundancy, fast failover, and transparent status communication. Our public status dashboard gives you visibility at all times.
- Redundant design con automatic failover per critical services
- Availability target: up a 99.99%
- Critical service paths are progettaa per minimise single points of failure
- Automatic failover target: under 30 seconds per selected components
- Public status dashboard: securesafe.site24x7statusiq.com
Protection runs continuously at both network and application level, con 24/7 monitoring and defined response procedures. We don't rely on a single mitigation point.
- Multi-layered protection at network (L3/L4) and application (L7) level, con upstream scrubbing
- Automatic traffic analysis and filtering integrated via the application firewall and load balancer
- Multi-terabit provider capacity con no single point of mitigation
- 24/7 monitoring and on-call incident response
Access is governed by least-privilege principles, con controls that adapt a context and sensitivity level.
- Role-based controllo degli accessi (RBAC) con minimum necessary rights
- Time-based and inactivity-triggered session rules
- Delegated administration per key accounts
- Step-up / MFA enforced per sensibile operations, policy-controlled
We design per continuous operation and validate it through synthetic monitoring, automatic failover, and practiced DR scenarios. Recovery objectives aren't aspirational – they're tested.
- Priorities and scope: protecting people first, clear decision authority, essential services restored all’interno di defined timeframes
- Monitoring and detection: Zabbix (internal) and Site24x7 (external) con end-to-end synthetics; automatic failover via load balancer and application firewall; database failover gestia per consistency
- Recovery targets by scenario:
- Data centre failure: RTO ≈ 2 hours + detection time (DNS switch a secondary site or rebuild); RPO: point-in-time recovery all’interno di the last 10 days (database WAL), weekly snapshots per 3 months, monthly snapshots per 1 year; file layer con mirrored copies and delayed deletion in DR a enable recovery of accidental deletions
- Critical component failure: RTO ≈ 30 minutes + detection time (load balancer a hot standby); RPO: 0 hours
- Human error / dati loss: RTO ≈ 2 hours + detection time (restore da backup); RPO: up a 0 hours if detected all’interno di the backup/archiviazione window
- Testing and exercises:
- Full backup-restore tests approximately every 1–2 months as part of release cycles
- At least annual DR exercises
- Periodic production switchovers per major upgrades
- DNS failover process exercises conducted periodically
- Architecture: Multi-site active/active application clusters, hot standby database replication, configurazione and transaction mirroring, backup and write mirroring a DR.
Audit trails are integrity-protected and built per real use, not just conformità. Enterprise clienti can integrate direttamente con their existing SIEM environment.
- Integrity-protected, append-only audit logs
- Real-time monitoring and alerting on critical incidents
- Long-term retention allineaa con regulatory requisiti
- SIEM export and integrazioni disponibile per enterprise clienti
Backups run automaticamente, replicate across geographically distributed locations all’interno di Switzerland, and are tested regolarmente, because recoverability is only proven when you actually restore.
- Automated, frequent backups con geographically distributed replicas, all all’interno di Switzerland
- Integrity protection through immutability controls and restrictive accesso
- Regular restore tests con documented validation of recovery procedures
Authentication adapts a risk level, supporta enterprise SSO standards, and can be enforced by policy at the organizzazione level.
- MFA disponibile by default; company policies can enforce MFA per specifico users or roles
- SSO per organisations via SAML 2.0 / OpenID Connect
- Compatible con device biometrics (Face ID, Touch ID) as a second factor
- Risk-based step-up authentication per sensibile operations (when activated)
Encryption is applied consistently across archiviazione and transmission, using attuale standards con active key lifecycle gestione.
- Server-side crittografia per content (architettura a conoscenza zero)
- AES-256 per archiviaa dati and crittografaa content
- TLS 1.3 con Perfect Forward Secrecy per all network traffic
- Managed key lifecycle: generation, rotation, and revocation
- Regular cryptographic reviews updated in line con attuale best practice
We commission independent sicurezza experts a test our sistemi on a regular basis. Results are tracked through a remediation, and executive summaries are disponibile a enterprise clienti under NDA.
- Regular third-party penetration tests
- Realistic attack scenario simulations
- Remediation prioritised by criticality
- Transparent communication of critical findings
- Executive summaries disponibile per enterprise clienti under NDA
We use server-side crittografia con industry-standard algorithms and strict key gestione. Decryption occurs only all’interno di a sicuro, monitored service environment and only through authorised application processes. This architecture makes certain critical features possible (digital estate gestione, enterprise functionality, cross-device compatibility) senza weakening the underlying sicurezza model.
- Server-side crittografia con controlled, audited internal decryption
- HSM-backed key gestione where applicable; just-in-time key accesso con rapid memory clearing
- No universal master key; no undocumented accesso paths
- Defense-in-depth con regular independent audits and an ISO/IEC 27001:2022-certificaa ISMS
- Controls protect against both internal and external threat vectors
Sicurezza isn't something we add a a product after the fact. Every component has been built a a sicurezza-first principle, con defence-in-depth applied across the stack.
- Defence-in-depth strategy con multiple independent sicurezza layers
- Automatic sicurezza updates senza service interruption
- Redundant sistemi pensaa per maximum reliability
- Geographically distributed backup locations across Switzerland, including a former military facility deep in the Alps
Sicurezza delle Applicazioni
Implementiamo più livelli di sicurezza per proteggere i dati sia in transito che a riposo. Utilizziamo TLS 1.3 con Perfect Forward Secrecy per il trasporto e una crittografia robusta (ad es. AES-256) per i contenuti archiviati e crittografati lato client. L'accesso alle applicazioni è protetto da autenticazione a più fattori (MFA) e controllo degli accessi basato sui ruoli.
We maintain hard separation between development, staging, and production environments. This isn't just policy: it's enforced through separate accounts, network segmentation, and controlli degli accessi.
- Separate accounts/tenants and network segmentation per environment
- No production dati in test or development environments
- Distinct controlli degli accessi and least-privilege roles per environment
- Automated, auditable deployment pipelines con approval gates
Every release goes through layered quality controls. Automated test coverage runs alongside independent penetration tests, vulnerability scanning, and software composition analysis.
- High automated test coverage (unit, integrazione, end-to-end) con CI quality gates
- CI/CD pipelines con build-time and deployment-time checks
- Regular third-party penetration tests; sicurezza assessments before releases con significant changes
- Infrastructure and service vulnerability scanning con Nessus; consolidated reporting via Scanmeter
- Software Composition Analysis (SCA) and container image scanning con JFrog Xray; dependency policy checks enforced in CI
Every code change goes through mandatory peer review before deployment. Automated sicurezza analysis runs in parallel, not as an afterthought.
- Four-eyes principle enforced via protected branches
- Branch protection rules: richiesa status checks, code owners, linear history, no force push on main branches
- Cryptographically signed commits (GPG) mandatory on protected branches
- Automated SAST/DAST, Software Composition Analysis (SCA), and secrets scanning
- Continuous scanning of third-party dependencies and container images
- Sicurezza champions embedded in every development team
Sicurezza gates exist at every phase of our development process – da threat modelling in design a SBOM generation and artifact signing at build.
- Threat modelling and abuse-case reviews during design
- Documented sicurezza requisiti and sicuro coding standards (OWASP guidance)
- SBOM generation (SPDX/CycloneDX) per each build; inventories retained and monitored
- Artifact signing and provenance: build artifacts cryptographically signed and verificaa at deployment; provenance attestation recorded
- Regular sicuro coding training per developers
- DevSecOps practices con sicurezza gates integrated ina CI/CD
Sicurezza Operativa
Seguiamo rigorose procedure operative per garantire che le nostre attività quotidiane soddisfino standard di sicurezza riconosciuti e verificati in modo indipendente.
We invest in sicurezza awareness across the entire organizzazione. Training is role-specifico and continuous – not a once-a-year exercise.
- At minimum annual sicurezza awareness training, con ongoing refreshers
- Role-specifico sicurezza training tailored a function and risk exposure
- Support per team members pursuing professional sicurezza certifications
Our governance framework is structured a ISO/IEC 27001:2022 and covers everything da incident response a dati classification. Policies are reviewed on a risk-based cycle, not just when something changes.
- ISMS policy framework allineaa con ISO/IEC 27001:2022
- Regular, risk-based review and update cycles
- Documented and regolarmente exercised incident response procedures
- Binding standards per dati classification and handling
We've built riservatezza ina how we work, not just ina the contracts we sign. Access a sensibile information is controlled at the structural level.
- Mandatory NDAs per all employees and partner
- Strict need-to-know controlli degli accessi
- Encrypted channels per confidential communications
- Regular riservatezza audits