# Technical and Organizational Security Measures (TOMs) for Teamscale Cloud

Last updated: October 15th, 2022

Security of your data is CQSE's number one priority. To ensure this, CQSE maintains an information security management system (ISMS) covering all aspects of information security for Teamscale. This ISMS is regularly audited and certified according to TISAX assessment level 3 (AL 3, data with a very high need for protection). As part of the ISMS, the following measures are implemented at CQSE.

# Policies and Processes

CQSE maintains an information security management system that includes, among other things, a business continuity plan, disaster recovery plans and an incident management process. The relevant policies are version-controlled, reviewed and approved by management, and changes are communicated to all affected employees.

We employ both an information security officer and a data protection officer.

# Employee Selection and Training

The selection of our employees includes a background check and an aptitude assessment appropriate to the job role. All employees complete regular training on information security and data privacy.

# Access Management

Access to customer data and cloud infrastructure is granted based on job roles and is limited to authorized personnel. Permissions are granted, changed and revoked as part of defined internal processes and are reviewed regularly.

# Software Development

The development of Teamscale follows our secure coding guidelines, which, among other things, require a review of every code change to Teamscale. To protect against vulnerabilities in third-party components, we update those components regularly and actively monitor CVE entries relevant to them.

# Penetration Tests and Audits

We run yearly penetration tests of both Teamscale and the server infrastructure used for hosting the cloud instances. The test scope includes the OWASP Top 10 as well as our role and permission model.

Additionally, we run regular audits, both for our policies and processes, and for the configuration of our infrastructure.

# Certification


TISAX (Trusted Information Security Assessment Exchange), governed by the ENX Association on behalf of the German VDA (Verband der Automobilindustrie, the German Automobile Industry Association), provides a single industry-specific security framework for assessing the information security of the wide landscape of suppliers, OEMs and partners that contribute to the automotive supply chain.

CQSE GmbH is a TISAX participant and was assessed at assessment level 3 (AL 3), meaning we were assessed against the assessment objectives required for data with a very high need for protection under the TISAX definition, such as data classified as secret. TISAX assessments are conducted by accredited audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for the general public; the result is exclusively retrievable via the ENX Portal.

The scope ID and assessment ID for CQSE GmbH are ST21M5 and ACKPRT-2, respectively.

# Supplier Management

All our suppliers and third-party vendors undergo a security review before a business relationship is started.

# IT Security

CQSE follows common security best practices, which are documented in our security guideline. This guideline is updated regularly and all employees receive regular training on it. Beyond this guideline, the cornerstones of our IT security are the following.

# Anti Malware

All servers and clients are equipped with malware protection. Incoming and outgoing e-mails are centrally scanned for malware.

# Patch Management for Clients and Servers

We actively monitor clients and servers for known vulnerabilities and missing updates. Patches are applied at regular intervals or, where the associated risk is high, immediately.

# Centralized Log Collection and Evaluation

All server logs are collected in a central location that is protected against subsequent modification and are checked regularly for anomalies.
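The two properties named above, logs that cannot be altered unnoticed after collection and a regular check for anomalies, can be illustrated with a small hash-chained log store and a rule that flags bursts of failed logins. This is an added example and not CQSE's own implementation: the log lines are constructed, the SSH-style line format, the `ChainedLog` class and the burst rule (`threshold` failures from one source within `window_s` seconds) are assumptions made for the demonstration.

```python
"""Tamper-evident central log with a simple anomaly check (illustrative only).

Each stored entry records the hash of its predecessor, so changing, inserting
or deleting an entry in the middle breaks the chain and is detected by verify().
The anomaly rule is a sliding window over failed SSH logins per source IP.
Log lines and rule parameters below are constructed for the example.
"""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime

GENESIS = "0" * 64  # hash "before" the first entry


class ChainedLog:
    """Append-only log; every entry is bound to the previous one by SHA-256."""

    def __init__(self):
        self.entries = []  # list of (prev_hash, line, entry_hash)

    @staticmethod
    def _hash(prev_hash: str, line: str) -> str:
        return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()

    def append(self, line: str) -> str:
        prev = self.entries[-1][2] if self.entries else GENESIS
        h = self._hash(prev, line)
        self.entries.append((prev, line, h))
        return h

    def verify(self) -> int:
        """Recompute the chain; return index of the first bad entry or -1 if intact."""
        prev = GENESIS
        for i, (stored_prev, line, h) in enumerate(self.entries):
            if stored_prev != prev or h != self._hash(prev, line):
                return i
            prev = h
        return -1


# Constructed sample lines in an sshd-like format: "<ISO timestamp> sshd[pid]: ..."
SAMPLE_LINES = [
    "2022-10-15T10:00:01Z sshd[1201]: Accepted publickey for deploy from 198.51.100.7 port 50222 ssh2",
    "2022-10-15T10:00:05Z sshd[1202]: Failed password for root from 203.0.113.5 port 4321 ssh2",
    "2022-10-15T10:00:09Z sshd[1203]: Failed password for admin from 203.0.113.5 port 4322 ssh2",
    "2022-10-15T10:00:14Z sshd[1204]: Failed password for root from 203.0.113.5 port 4323 ssh2",
    "2022-10-15T10:05:00Z sshd[1205]: Failed password for alice from 198.51.100.9 port 4000 ssh2",
    "2022-10-15T10:20:00Z sshd[1206]: Failed password for alice from 198.51.100.9 port 4001 ssh2",
]

FAILED_RE = re.compile(r"^(\S+) .*Failed password for .* from (\d+\.\d+\.\d+\.\d+)")


def failed_login_bursts(lines, threshold=3, window_s=60):
    """Return source IPs with >= threshold failed logins inside any window_s span."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


def build_log(lines=SAMPLE_LINES) -> ChainedLog:
    log = ChainedLog()
    for line in lines:
        log.append(line)
    return log


def tamper_and_verify() -> int:
    """Simulate an attacker editing one stored line in place; verify() must notice."""
    log = build_log()
    prev, line, h = log.entries[2]
    log.entries[2] = (prev, line.replace("admin", "deploy"), h)
    return log.verify()


if __name__ == "__main__":
    print("intact chain:", build_log().verify())            # -1
    print("tampered chain breaks at:", tamper_and_verify())  # 2
    print("burst sources:", failed_login_bursts(SAMPLE_LINES))  # ['203.0.113.5']
```

A hash chain on its own only makes in-place edits and deletions detectable; an attacker who can rewrite the whole store can recompute every hash. In practice the newest chain hash is therefore anchored outside the log host (e.g. written to separate storage or signed), so that the stored chain can be compared against an independent reference during the regular checks.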

# Incident Management

CQSE operates an incident management process in which incidents are prioritized by urgency and impact. Internal escalation paths are established.

# Secure Hosting for Teamscale Cloud

The following points apply to the Teamscale instances we host in the cloud. When running Teamscale on-premise, we recommend implementing these measures in your own environment as well. Please also see our documentation of Teamscale Security Measures for more details.

# Virtual Machines for Data Separation

Teamscale runs in containers on virtual servers. Each tenant's Teamscale instance runs on its own virtual server, so tenants are separated at the virtual machine level rather than only by container boundaries.

# Encryption at Rest and in Transit

All data is encrypted both at rest and in transit using strong, state-of-the-art encryption algorithms: network connections are protected with TLS, and all disks are encrypted.

# Availability

CQSE has business continuity and disaster recovery plans in place. Monitoring systems detect problems early and allow us to react in time. All data is backed up regularly, and backups are distributed across multiple data centers.