Security Controls
This page describes the technical and organizational measures ilert implements to protect customer data. These controls are referenced in ilert's Data Processing Agreement (Annex III) and form part of ilert's ISO 27001 certified ISMS.
Architecture and Data Segregation
ilert operates a multi-tenant architecture designed to segregate and restrict data access. The architecture provides a logical data separation for each customer via a unique ID. Tenant data is logically separated at application, database, and file levels. Logging and monitoring do not commingle data of different customers.
The production environment is fully isolated from development, test, and acceptance environments.
Public Cloud Infrastructure
ilert's infrastructure is hosted on AWS and Google Cloud Platform. The underlying infrastructure is managed by external cloud operators whose security certifications and compliance reports are available through their respective compliance programs (e.g., AWS Compliance, Google Cloud Compliance).
For details on regions, residency, and disaster recovery, see Infrastructure.
Audits
ilert's services undergo security assessments by internal personnel and external security firms who perform regular audits. ilert employs continuous hybrid automated scanning alongside periodic audits to identify vulnerabilities. Annual ISO surveillance audits are conducted by an independent certification body.
Certifications
ISO/IEC 27001 — ilert GmbH holds ISO 27001 certification covering the SaaS platform and support operations. See ISO 27001 for details.
Infrastructure runs in ISO-certified AWS data centers.
Access Logging
ilert logs every time an account signs in, noting the type of device used and the IP address of the connection. Customer-facing audit logs are available for review via the UI and API.
Access Management
Administrators can remotely terminate connections and sign out authenticated devices on demand. Access is governed by role-based access control (RBAC) with team-level and account-wide roles. SSO (SAML 2.0, OAuth2) and SCIM provisioning are supported.
Strict controls govern employee access to customer data — access is granted only when necessary for service operations or troubleshooting, and all access is logged.
Host Management
Automated vulnerability scans are performed on production hosts. Screen lockouts and full disk encryption are enforced on all employee workstations.
Network Protection
Two-factor authentication is required for all server access. Firewalls are configured per industry best practices using AWS security groups. Additional protections include IDS/IPS, WAF, and anti-DDoS measures.
Product Security
New features undergo security review. Code receives automated static analysis, testing, and peer review before deployment. OWASP standards are followed during the software development lifecycle. Penetration testing covers web applications, mobile clients, and APIs.
Intrusion Detection
ilert, or an authorized external entity, monitors ilert's services for unauthorized intrusions.
Security Logs
Systems maintain centralized logging capturing security events, monitoring data, availability metrics, and access information. Logs are analyzed via automated software for anomalies and potential threats.
Data Encryption
ilert's services use industry-accepted encryption products to protect customer data:
In transit — TLS 1.2+ with latest secure cipher suites between customer networks and ilert's services
At rest — AES-256 encryption managed via AWS KMS
Incident Management
ilert notifies impacted customers of unauthorized data disclosure without undue delay. System status is published on status.ilert.com. Significant incidents are communicated via email and the status page.
For confirmed Major ICT Incidents (per DORA Art. 3(8)), ilert provides:
Initial customer notification within 4 hours
Progress updates at least every 4 hours
Written post-incident report within 5 business days
ilert provides fee-free assistance for investigation, forensics, regulator queries, and final incident reports.
Reliability, Backup, and Business Continuity
Infrastructure features fault-tolerant systems surviving individual server or data center failures. ilert performs regular backups, facilitates rollbacks of software and system changes when necessary, and replicates data as needed. Customer data is stored redundantly across multiple data center locations. Backups undergo integrity and restoration testing every 90 days.
Daily backups with 30+ days retention, AES-256 encrypted
Active/active architecture — see Infrastructure for regions and DR parameters
Return of Customer Data
Within 30 days post-termination, customers may request their submitted data. Self-service data exports are available via API in JSON/CSV format.
Deletion of Customer Data
Account Owners can delete customer data at any time. Within 24 hours of Account Owner-initiated deletion, ilert hard deletes all information from currently running production systems. Backups are destroyed within 30 days. Following paid subscription termination, ilert deletes all customer data copies within 90 days.
Confidentiality
ilert places strict controls over employee access to customer data. Employees access customer data only when necessary for service operations or troubleshooting. All access is logged and monitored.
Personnel Practices
ilert conducts background checks on all employees before employment. Employees receive privacy and security training during onboarding and on an ongoing basis (quarterly). All employees sign comprehensive information security policies and are bound by confidentiality obligations.
Last updated
Was this helpful?