Standard Answers

this page answers general questions about information and data security at smart-me AG and aims to enable partners to answer the standard security questionnaires independently.

Contact: security@smart-me.com

Last Update: 16.1.2025

General Information

Additional Documents

Terms of Service (ToS)
Data Processing Agreement: Part of ToS
Data Privacy Policy

Link to the documents

Data protection and processing

Is personal data processed in accordance with the FADP/DSGVO?

For the purchase of license using a credit card, the credit card information is processed via Stripe.
For orders and quotations, customer information is processed via Bexio.
Support cases and their information are processed via Freshdesk.

How is data deleted?

Customers are responsible for their own smart-me accounts and can delete them at any time in the web portal.
If a customer deletes their account, this data is irreversibly removed.
After 30 days, no backup is available.
Data processed via Freshdesk or Bexio can be deleted on request.

Who has access to the data?

Access to our servers is restricted to internal IPs of the cluster. Smart-me only has access to customer account data with the explicit permission of the customer.

Hosting and Infrastructure

Where is the application hosted?

All smart-me services are hosted on Microsoft Azure Switzerland servers. We do not operate any servers ourselves.

How is the data protected?

The servers are protected by Microsoft Azure measures. In addition, we use Cloudflare as a web application firewall (WAF) and load management.

How do we ensure the availability of our systems?

System availability is guaranteed by the Microsoft Azure infrastructure.

Further Information

Data security and encryption

How is data encrypted?

The data is not individually encrypted by customer but the database as a whole, in which the data is contained, is.

Communication between meters and the cloud is encrypted using AES-256.

How are passwords for smart-me accounts hashed?

Passwords are hashed using RIPEMD-160 with dynamic salt.

Do we support federated identities?

No. The exception is access via our API, which also supports oAuth 2.0 in addition to Basic Auth.

Backups

The meter data is subject do daily backups by Instaclustr. More Info

Customer data that is processed via Freshdesk, Bexio or Stripe is subject to the data security of the respective manufactureres and therefore also their backup processes.

Security Guidelines and processes

Do we have specific documented information security policies?

Do we have documented secure development guidelines?

Do we follow a secure development process?

Yes, but the specific details are confidential.

Do we have a information security certificate?

No, but our cloud infrastructure provider Microsoft Azure is ISO27001 certified.

Do we carry out IT Security audits at our providers?

Do we have a documented buisness continuity plan?

Do we allow IT audits?

Yes, but only with publicly available information

Endpoint and Network security

Have we implemented a network segmentation concept?

As our application is not hosted locally, our network architecture is independent of the server architecture. The local segmentation is as follows:

Production Network
Guest Wifi
Office Network

Do we make employees aware of cyber security?

Yes, syber security training is provided:

Frequency: Every six months and during onboarding.
Additional training courses: Depending on current events or emerging threats.

Have we been victim of security incidents or data breaches in the last 12 months?

Do we have dedicated cyber security resources?

Yes, we have internal cyber security resources.

Do we keep your software and systems up to date?

Yes, all systems and devices are regularly updated to the latest stable versions.

Do we have an AV protection solution installed?

Yes, all devices are equipped with:

Endpoint Detection and Response (EDR)
Network Detection and Response (NDR)
Windows Defender as Antivirus (AV)

Do we have a SIEM solution?

Page updated

Report abuse