
Technical and Organizational Security Measures (TOMs) at CQSE

Last updated: October 15th, 2022

Security of your data is CQSE's number one priority. To ensure this, CQSE maintains an information security management system (ISMS) covering all aspects of information security for Teamscale. This ISMS is regularly audited and certified according to TISAX AL 3 (data with a very high need for protection). As part of the ISMS, the following measures are implemented at CQSE.

Policies and Processes

CQSE maintains an information security management system that includes a business continuity plan, disaster recovery plans, and incident management. The relevant policies are version-controlled, reviewed, and approved by management, and changes are communicated to all relevant employees.

We employ both an information security officer and a data protection officer.

Certification


CQSE GmbH is a TISAX (Trusted Information Security Assessment Exchange) participant and has passed a TISAX assessment. We were evaluated at assessment level 3 (AL 3), meaning the evaluation took place against the assessment objectives required for data with a very high need for protection under the TISAX definition, such as data classified as secret. TISAX is governed by the ENX Association on behalf of the German VDA (Verband der Automobilindustrie, the German Automobile Industry Association). It provides a single industry-specific security framework for assessing the information security of the wide landscape of suppliers, OEMs, and partners that contribute to the automotive supply chain.

TISAX assessments are conducted by accredited audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public; the result is retrievable exclusively via the ENX Portal. The scope ID and assessment ID for CQSE GmbH are SHYVZ2 and AWC924-3, respectively.

Employee Selection and Training

The selection of our employees includes a background check and an aptitude assessment appropriate to the job role. All employees complete regular training on information security and data privacy.

Access Management

Access to customer data and cloud infrastructure is granted based on job roles and is limited to authorized personnel. All permissions are updated as part of internal processes (for example, when employees join, change roles, or leave) and are reviewed regularly.

Software Development

All development efforts follow our secure coding guidelines, which among other things require a review of every code change to Teamscale. To protect against vulnerabilities in third-party components, we update those components regularly and actively monitor relevant CVE entries.

Penetration Tests and Audits

We run yearly penetration tests of both Teamscale and the server infrastructure used for hosting the cloud instances. The test scope includes the OWASP Top 10 as well as our role and permission model.

Additionally, we run regular audits, both for our policies and processes, and for the configuration of our infrastructure.

Supplier Management

All our suppliers and third-party vendors undergo a security review before a business relationship is started.

Availability

CQSE has business continuity and disaster recovery plans in place. Monitoring systems help detect problems early and allow for timely reactions. All data is backed up regularly, and backups are distributed across multiple data centers.

IT Security

CQSE follows common security best practices, which are documented in our security guideline. This guideline is updated regularly and all employees receive regular training on it. Beyond this guideline, the cornerstones of our IT security include the following points.

Anti Malware

All servers and clients are equipped with malware protection. Incoming and outgoing e-mails are centrally scanned for malware.

Patch Management for Clients and Servers

We actively monitor clients and servers for known vulnerabilities and missing updates. Patches are applied at regular intervals or, where the associated risk is high, immediately.

Centralized Log Collection and Evaluation

All server logs are collected in a central location that cannot be modified after the fact and are checked regularly for anomalies.

Incident Management

CQSE implements an incident management process in which incidents are prioritized by urgency and impact. Internal escalation paths are established.

Secure Deployment and Hosting of Teamscale

We provide extensive documentation of our Teamscale Security Measures for deploying and hosting Teamscale. That article also documents how we securely deploy Teamscale in the cloud. We recommend implementing those measures in your own environment as well when running Teamscale on-premise.