Security and Compliance at Consor

Date of effectiveness: 01.07.2024

Protecting personal and confidential customer information is our top priority. In the interests of our clients, our business ethics and our values, we do not compromise when it comes to data security. As part of this commitment, we operate with the highest level of transparency. The following overview provides a summary of our constantly evolving security measures.

We meet the highest security and data protection standards.

GDPR – Consor is audited annually by external, independent auditors for compliance with the GDPR data protection regulations. By complying with GDPR, we demonstrate our commitment to protecting personal data and enforcing a consent-based model for processing personal data. Consor is ISO27001 certified, meeting the highest independently audited information security management standards.

Our encryption protocols are standards-compliant.

In a multi-cloud environment, we encrypt all data using strong, standards-compliant algorithms such as RSA-4096, SHA-256 and AES-256. Data sent to or from our infrastructure is encrypted in transit using TLS (Transport Layer Security). All data at rest is encrypted using these proven algorithms and stored securely.

With end-to-end encryption at every stage – at rest, in transit or in cloud storage – Consor services ensure that your data is always secure and private.

Our security measures are constantly evolving to keep pace with the changing threat landscape.

Our work on security and privacy is a constant cycle of analysis, revision, implementation, testing, remediation, scaling, lockdown and approval. We are constantly working to meet and exceed the requirements of regulators, customers, partners and users, and we live the security processes every day. Security and data protection are an integral part of our corporate culture.

We take all necessary infrastructural precautions.

All our services run in cloud environments. We do not host or operate our own routers, load balancers, DNS servers or physical servers. The cloud providers we use regularly undergo an independent review of security, data protection and compliance controls in accordance with the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP and many others.

Secure code: transparent development with security in mind.

In order to protect customer data from current threats, the products we develop must be developed with security in mind. The following practices ensure the highest level of security in our software:

  • We apply a Secure Software Development Life Cycle (S-SDLC), which builds security into every phase of the development cycle.
  • We develop and continuously maintain a corporate culture committed to security.
  • We assess the security of our code against industry-recognized security frameworks such as MITRE ATT&CK, the OWASP Top 10 and the SANS Top 25.
  • Developers regularly attend security training to learn about vulnerabilities, threats and best practices for secure coding.
  • We check our code for security vulnerabilities.
  • We regularly update our backend infrastructure and software and ensure that no known vulnerabilities remain.
  • We use static application security testing (SAST) and dynamic application security testing (DAST) to identify common security vulnerabilities in our code base.
  • We regularly commission external penetration tests of our production environments.

Our application security monitoring and protection solutions allow us to stay on top of things:

  • Detect attacks and respond to a data breach
  • Monitor exceptions and logs and detect anomalies in our applications
  • Capture and store logs to create an audit trail of our applications’ activities

We also use a runtime protection system that identifies and blocks web attacks and attacks on business logic in real time, as well as security headers to protect our users from attacks.

We practice strict security monitoring and protection at the network level.

Our network consists of multiple security zones that we monitor and protect with trusted firewalls, including IP address filtering, to prevent unauthorized access. We deploy an intrusion detection and/or prevention solution (IDS/IPS) that monitors and blocks potentially malicious packets, as well as Distributed Denial of Service (DDoS) mitigation services supported by an industry-leading solution.

We have an industry-leading security team.

Our security team consists of security experts who are dedicated to continuously improving the security of our organization. Our team is trained and certified in security threat detection and incident response, security engineering, penetration testing, application security, security management compliance and the latest security best practices.

We encourage responsible disclosure.

If you discover vulnerabilities in our application or infrastructure, we encourage you to notify our team by contacting security@consor.ch and attaching proof to your email. We will respond to your report as quickly as possible and will not take legal action if you comply with the responsible disclosure process:

  • Please avoid automated testing and only carry out security tests against your own data.
  • Please attach proof of the vulnerability to your e-mail.
  • Do not pass on any information about the vulnerability until you have received explicit authorization from us.

General information security policy

Protect Consor’s information and IT assets (including, but not limited to, all computers, mobile devices, network equipment, software and sensitive data) from all internal, external, intentional or accidental threats, and mitigate the risks associated with theft, loss, misuse, damage or abuse of these systems.

Ensure that information is protected from unauthorized access. Users may only access the resources for which they have been explicitly authorized. The allocation of privileges is strictly controlled and regularly reviewed.

Protect the CONFIDENTIALITY of information. Confidentiality means protecting information from disclosure to unauthorized persons.

Ensure the INTEGRITY of information. Integrity means protecting information from modification by unauthorized persons.

Maintain the AVAILABILITY of information for business processes. Availability means ensuring that authorized parties can access the information when they need it.

Comply with and, where possible, exceed national legal and regulatory requirements, standards and best practice.

Develop, maintain and review business continuity plans to ensure that operations continue despite any disruption we may encounter.

Raise awareness of information security by providing information security training to all employees. Security awareness and targeted training must be delivered consistently, responsibility for security must be reflected in job descriptions, and compliance with security requirements must be expected and accepted as part of our culture.

Ensure that no action is taken against employees who disclose an information security issue, whether through the reporting process or by directly contacting the Head of Information Security Management, unless the disclosure clearly indicates an illegal act, gross negligence, or repeated willful or deliberate disregard of rules or procedures.

Report all actual or suspected information security breaches to security@consor.ch.