Data protection is an important issue in the countries in which Vertec operates. The relevant rules are defined in the DSGVO (GDPR) in the EU and in the DSG in Switzerland. As a software manufacturer and cloud operator, we are of course very directly affected, because we in part process data that is owned by our customers. This issue is therefore also very important to us.
On this page, we would like to explain to Vertec’s leads, customers and partners what our specific position on data protection is. One of the first principles we follow is that we handle data protection not only “formally,” as we see with many others, but also entirely “concretely.” Of course, the standards impose certain formalities that we must adhere to. But often these do not increase the level of data protection at all (they only reduce one’s own legal risk). That is not our approach.
For us, “data protection concretely” means that we first and foremost take the subject of “information security” very seriously – so seriously that we have had our information security management system (ISMS) successfully certified according to ISO 27001 since 2013. We guarantee our customers (via the “Regulation on Ordered Data Processing”) that we will maintain this certificate.
“Information security” is about more than “data protection”. After all, “data protection” only concerns data from and about natural persons (so-called “personal data”), i.e. people. But we ourselves and our customers own much more highly sensitive data that does not fall under “data protection,” e.g. customer lists or transactions with the largest customers. “Information security” is about all sensitive data, not just the data that is protected by “data protection”.
Certification according to ISO 27001 means that we assess risks for all significant information “assets” along the three dimensions “confidentiality,” “availability” and “integrity”. Whether our Cloud Suite is running and our customers can use it does not fall under data protection, but it does of course fall under information security in the area of “availability”. Clearly assigned asset responsibilities ensure that each asset is looked after. Those responsible also manage the risks and, if the level of risk is deemed unacceptable, implement measures to reduce them. This can be compared to the “TOMs” (technical and organisational measures) under the DSGVO. But it goes beyond that, because it is not just about data protection, and under the ISO standard we are also obliged to continuously improve information security.
Some examples of what we do as part of the ISO 27001 certification:
The ISMS and thinking clearly in terms of assets also help us keep track of data protection. Wherever possible, we try not to collect data in the first place – because data you don’t have doesn’t have to be protected. A good example of this is our own website, where we do not use tracking that would require consent.
But, of course, we cannot avoid coming into contact with data that is subject to data protection. The most prominent example is certainly the Vertec Cloud Suite, where we operate Vertec in the cloud for our customers. In this case, in addition to the terms and conditions, the “Regulation on Ordered Data Processing” applies, which explains in which cases we become a data processor at all and how we handle this. For the Cloud Suite operation, we also use subcontractors. We list these companies together with their purpose on the subcontractors page.
In addition, of course, we also collect data that is necessary for order processing (e.g. customer orders) or to ensure the quality of service. For example, we document all support requests in writing. However, in no case does such data contain personal data that is particularly sensitive within the meaning of data protection law.