Security and Compliance
ISO 27001 (Information Security Standard)
ISO 27001 is recognized as the premier information security management system (ISMS) standard around the world. The standards also leverage the security best practices detailed in ISO 27002. To be worthy of your trust, we’re continually and comprehensively managing and improving our physical, technical, and legal controls at arago according to this standard. Arago is in the process of getting an ISO27001 certification for the operation of HIRO™ SaaS. The datacenters and services arago uses at AWS are, among other standards, certified based on ISO27001.
The Trusted Cloud Seal is an assessment for cloud services initiated by the German government, Federal Ministry for Economic Affairs and Energy. Apart from security and organizational issues, the label also assesses compliance with the data privacy regulations as required by GDPR/ DS-GVO.
arago holds a Trusted Cloud certification as of summer 2018.
EU-U.S. Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield is a framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the Euro-pean Union, the European Economic Area, and Switzerland to the United States. Adhering to the Privacy Shield Principles ensures that an U.S. organization provides adequate privacy protection under the EU data protection directive (GDPR). As arago is a European company, there is no need to follow these American standards. Much more important, as arago is headquartered in Germany, GDPR is a local law for us which means that our solution already includes a much higher standard of data privacy as implemented by the U.S. Privacy Shield.
EU General Data Protection Regulation (GDPR)
The General Data Protection Regulation 2016/679, or GDPR, is a European Union regulation that marks a significant change to the existing framework for processing personal data of individuals in the EU. The GDPR introduced a series of new or enhanced requirements that will apply to companies which handle personal data. Arago is GDPR-compliant so that customers can use HIRO™ SaaS without risking compliance issues. When customers use HIRO™ SaaS to process personal data, arago will sign a data processing agreement as described in article 28 of GDPR with that customer. This also includes a list of the required technical and organizational measures (“TOMs”) which are in place to protect customer data. Arago has a data privacy officer who is responsible for managing privacy issues and review compliance on a regular basis. The data privacy officer and his contact details are also listed in the data privacy section of this webpage.
Certifications of AWS as our Datacenter and SaaS Provider
Our data center and service providers like Amazon Webservices (AWS) also undergo regular SOC 1, SOC 2, and/ or ISO 27001 audits to verify their security practices. At least annually, arago reviews the results of these audits or performs vendor security reviews if an audit report is not available as part of our information security management program. In the event these audits or reviews have material findings which we determine present risks to arago or our customers, we’ll work with the service provider to understand any potential impact to customer data and track remediation efforts until the is-sue has been resolved.
Independent Third party Security Audits
We have commissioned independent external auditors to regularly check our systems and controls for compliance with the world’s most important security standards and security best practices such as ISO 27001 and OWASP. These audits are carried out at least once a year by recognized auditing and security companies who conduct their audits independently and with the greatest care.
Internal and external Security Checks of the HIRO™ SaaS Service and Application
Our security department and product management regularly carry out automated and manual security tests in order to find and fix potential security weaknesses and errors in our HIRO™ application and SaaS service. We also work with external security experts, other industry security teams, and the research community in the area of data security.
Continual Improvement of Security (PDCA)
An important part of any information security management strategy is the continuous improvement of security programs, systems and controls. arago therefore always endeavors to obtain the opinion of the different teams in-house, its customers as well as internal and external auditors and to take the feedback gained into account when further developing its processes and controls.