Data Security & Safety

Data Safety, Privacy & Security

Your site and user data are safe with Smylor. There are a number of steps we take to ensure you are the only person who can access your site data and that your users' privacy is respected.

Data storage 

User and usage data that Smylor collects through its software is stored in Switzerland and Germany data centers. Our application and database servers run inside a Virtual Private Cloud (VPC). Access to the VPC is limited to Smylor team members on a need-to-know basis. Data stores within the VPC are not directly exposed to the internet. Only systems with a direct technical need are exposed (e.g. frontend web servers, load balancers, and other systems, which directly serve customer traffic).

For exception-based logging, Smylor has designated sub-processors which are based outside of the EU. Smylor uses these designated sub-processors to provide reliable service to its users for infrastructure and application monitoring. The data they process is used solely by Smylor's engineering team to operate and improve the software's reliability. It is not queried or used for any other purposes. 

User privacy 

• Site users are assigned a unique user identifier, UUID, so that Smylor can keep track of returning users without relying on any personal information, such as the IP address.
• No end-user IP addresses are stored at rest.

IP Addresses can optionally be passed to Smylor as a User Attribute

In the case of IP addresses passed to Smylor that are stored, they are subject to the same privacy requirements as any other personal information passed to Smylor. This includes requiring user consent, and for you to have accepted our Data Processing Agreement.

Data collection and transmission 

• Firewalls are in place exposing only the necessary ports through the internet and between different servers.
• Threat Management including Intrusion Detection System (IDS) and Intrusion Protection System (IPS) support provides a second layer of security, which will block access as soon as any suspicious login activity is detected.
• Smylor transmits data from the user's browser to our system using HTTPS.
• The protocols and ciphers suite used to encrypt data in transit are available at the end of this article.

Data access and authentication 

Only Smylor engineers who require such access to perform their job efficiently are given this type of access. Different engineers are given different access rights on different system components as well depending on what their job requires. Engineers who do have access, have their own credentials and these are only valid when used from specific IPs.

Data collected through Smylor is exclusively reserved for use by our users and customers. Smylor does not make use of the data collected in any form or way unless consent is officially given by an admin of the Smylor account, clearly outlining what the data will be used for.

Data access and backup 

At Smylor we use Database replication to keep your data safe in the case of system failure. Full database backups are taken every day and kept for seven days as an electronic copy. In case two or more database nodes would fail concurrently we would have to revert to a backup.

Compliances, Certificates, and Audits 

Smylor utilizes certified data centers where our client data resides. Certifications are as follows:

• ISO-27001 Certification for Telemaxx https://www.telemaxx.de/rechenzentrum/sicherheit/zertifizierungen
• ISO-9001 & ISO-27001 for DataSource AG https://www.datasource.ch

Smylor manages payments by fully outsourcing all cardholder data functions to our PCI-DSS compliant third-party vendor, Stripe, with no electronic storage, processing or transmission of any cardholder data on Smylors infrastructure. https://stripe.com/docs/security/guide

Smylor Architecture & Security 

Data in transit is encrypted using the following protocols and ciphers:

SSL Protocols
TLSv1.2

SSL Ciphers

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

Updating your Privacy Policy for use with Smylor 

As a company based in the European Union, our technology and processes adhere to the strictest legal privacy requirements. In fact, we engaged a specialized German law firm to assist us with the process of drafting a policy that is suitable for us, as well as for Smylor users around the world.

While we always recommend you seek legal advice within your territory, we suggest you review the provisions of our Privacy Policy and ensure your own policy mirrors the same principles we have included.