Security & Data Protection
Certified security and reliability
Since 2008 the Fabasoft Linz head office has been certified according to the ISO norm 27001 for IT information security. Since 2010 Fabasoft Folio Cloud has been tested according to ISAE 3402 Type 2 and since 2011 additionally according to ISO 20000-1. You can find out more about these certifications on this page.
ISO 27001 certification
In June 2008 Fabasoft received the ISO 27001 certificate for its Head Office in Linz. The ISO 27001 standard is a globally recognized standard for the assessment of the security of IT environments.
The certification’s scope specifies the requirements for fully comprehensive information security management covering all IT and business processes as well as all confidential company information. For customers, the ISO 27001 certification means compliance with clearly defined technical and security-based standards and thereby defined service levels for the Fabasoft data centers.
Regular internal controlling of the processes and provisions detailed in the ISO 27001 is the basis for the further development of internal IT security standards and the continual adaptation according to changing frameworks and tasks.
ISO 20000 certification
In May 2011 Fabasoft received the ISO 20000 certificate for the IT services Folio Cloud and Folio SaaS. The ISO 20000 standard is an internationally recognized standard for IT service management which documents the requirements for professional IT service management.
With this certification, Fabasoft continues its strategy of implementing international standards. The company is already ISO 9001 and ISO 27001 certified. Fabasoft belongs to an elite group of just 12 companies in Austria that hold the ISO 20000 certification.
ISO 20000 serves as a measurable quality standard for IT Service Management (ITSM). The aim of ISO 20000 is to deliver a higher quality of IT services to customers. Alignment with the needs and requirements of customers plays a primary role.
The standard also serves as an instrument to model processes in an optimized management system as they are described in the Office of Government Commerce (OGC)’s IT Infrastructure Library (ITIL). This encompasses such core processes as change, release, incident, problem and security management.
The certification brings with it many advantages. Alongside the targeted improvement of processes through regulated structures, service level maintenance, customer satisfaction and availability of services are more easily measurable by means of key performance indicators.
ISO 9001 certified quality management
Since 2005 the entire Fabasoft company has been ISO 9001:2008 certified. Once a year the integrated management system is examined in an external audit conducted by Quality Austria.
The aims of the audit are to examine conformity with the requirement models and to identify potential for the further development of the quality management system.
The quality management system at Fabasoft is a living system. This means that work methods, processes and their corresponding documentation are continuously adapted to new findings and are therefore constantly undergoing improvement.
All Fabasoft business-relevant processes are depicted in the form of graphic process diagrams in the process landscape in the internal system. The further development, checking and approval of these processes is the responsibility of the process designer and is defined for every process.
A strategic aim of Fabasoft lies in a strong customer orientation of the quality management system. At Fabasoft customer satisfaction is of the highest importance. Our customers have the opportunity to share their opinions and improvement suggestions with us. In regular meetings (User Group) customers can give their feedback directly to Fabasoft. The results and evaluations of customer surveys are analyzed and integrated into the improvement processes to ensure that the customer demands are met.
ISAE 3402 Type 2
The International Standard on Assurance Engagements (ISAE 3402) is the new international testing standard that assesses the effectiveness of internal control systems (IKS) of service providing organizations. The standard was created by the American Institute of Certified Public Accountants (AICPA) as a successor to the SAS 70 Standard. Up until 2011 Fabasoft was tested according to the AICPA’s reporting standard SAS 70 Type II.
ISAE 3402 aims to extensively test an organization’s internal control system and to rate its effectiveness in detail. The testing takes place over a six-month period. The ISAE 3402 test report contains the opinion of an external test company on the control procedure at the service provider, a description of the control points, the test methods and controls, information about the test period and a statement about the effectiveness of the controls.
The independent auditor PricewaterhouseCoopers issued an unrestricted ISAE 3402 confirmation endorsement without exceptions for the products Fabasoft Folio Cloud, Fabasoft Folio Software as a Service, Mindbreeze InSite and app.telemetry Cloud. This gives companies the assurance that their data is secure with Fabasoft.
Audit-proof archiving - Archive 2010
The vision of a paper-free office is as old as the first IBM PC that fitted onto a regular desk – but we're still chasing that dream. The rules and regulations governing the storage of business records, invoices, contracts, documentation for accounts and financial records are partly to blame for this. Time limits legally required for storage vary from a few years to eternity and beyond. Folio Cloud is a huge step forward, as audit-proof electronic storage eliminates the costs and space requirements needed for hard-copy storage.
The PricewaterhouseCoopers auditors worked according to a checklist. Some of the most important points, which were naturally found to be without faults, were:
- Data access. In the course of the SAS 70 Type II test, virtual and physical access restrictions had already been thoroughly checked and found to be sufficient. Client data is safe from prying eyes.
- Data cannot be amended retrospectively.
- Relevant documents cannot be deleted before the time limit expires – not even by Fabasoft administrators.
- The trail from paper to electronic storage is sufficiently secured.
- All legal requirements are met.
National and European data protection laws
As a European company we are subject to the strictest data protection laws.
European Union
- Directive 95/46/EC is the reference text, at European level, on the protection of personal data. It sets up a regulatory framework which seeks to strike a balance between a high level of protection for the privacy of individuals and the free movement of personal data within the European Union (EU). To do so, the Directive sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of these data.
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). This Directive was adopted in 2002 at the same time as a new legislative framework designed to regulate the electronic communications sector. It contains provisions on a number of more or less sensitive topics, such as the Member States keeping connection data for the purposes of police surveillance (the retention of data), the sending of unsolicited e-mail, the use of cookies and the inclusion of personal data in public directories.
Germany
Austria
Data security: Security of customer data
Customer data resides on Fabasoft's own servers within its own protected networks, to which only a small number of selected members of the operations management team have access. Even operations management employees do not have authorization to access customer data. These mechanisms are regularly checked via external audits. In short, customer data cannot be viewed by Fabasoft employees.