FAQ - Data Security

Do you have a documented Disaster Recovery (DR) plan and how often is it tested?

Yes, and it is tested yearly.

What measures do you take to protect user data?

Click the link to read about all of Safeture’s Data Protection Measures:

Who is the controller and processor of the data?

Data Controller

If you have received the service through your employer, then the employer is the data controller. If you have purchased the service as a consumer directly from Safeture, then Safeture is the data controller.

Data Processor

The data processor is Safeture AB and the processing of data is conducted in Sweden.

How do you encrypt data?

All data sent to or from Safeture is encrypted in transit using HTTPS with TLS 1.2 or higher. Our API and application endpoints require a minimum of TLS 1.2 and score an “A+” rating in Qualys SSL Labs’ tests. This ensures that only strong, correctly configured cipher suites are used and that features such as HSTS and Perfect Forward Secrecy are fully enabled. Data at rest is encrypted using the industry-standard AES-256 algorithm.

Do you have two-factor authentication?

Yes, two-factor authentication is enabled by default and is enforced for Administrators unless Single Sign-on (SSO) is enabled. The 2FA code can be delivered to the Safeture Mobile Application by push notification, by e-mail and/or by SMS (default).

How do you protect access to the Safeture Platform?

We have SAML Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies on all hosting services to ensure protected access.

Safeture uses PBKDF2 (Password-Based Key Derivation Function 2) to generate password hashes and enforces a complex password standard (minimum 10 characters, at least one capital letter, at least one lower-case letter, and at least one number). This only applies to clients who do not have SSO enabled; password hashes are not stored in the Safeture database for customers that use SSO.
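As an added illustration of the scheme described above (example code written for this FAQ, not Safeture’s own implementation), the following shows the stated password policy check and PBKDF2 hashing with a per-user salt and constant-time verification. The PRF (HMAC-SHA256), iteration count and salt length are assumptions, as the page does not state them.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Assumed parameters (the page does not state them): PBKDF2 with HMAC-SHA256,
# 600,000 iterations and a 16-byte random salt per user.
PBKDF2_PRF = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def meets_password_policy(password: str) -> bool:
    """Policy stated on the page: at least 10 characters, with at least one
    capital letter, one lower-case letter and one digit."""
    return (
        len(password) >= 10
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2 hash and return a self-describing record
    'pbkdf2_<prf>$<iterations>$<salt hex>$<hash hex>' so the work factor
    can be raised later without invalidating existing records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh salt defeats precomputed tables
    dk = hashlib.pbkdf2_hmac(PBKDF2_PRF, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_{PBKDF2_PRF}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time; any malformed record simply fails verification."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if not algo.startswith("pbkdf2_"):
            return False
        dk = hashlib.pbkdf2_hmac(
            algo[len("pbkdf2_"):],
            password.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iterations),
        )
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False
```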

Two-factor authentication is enabled by default and is enforced for Administrators unless SSO is enabled. The 2FA code can be delivered to the Safeture Mobile Application by push notification, by e-mail and/or by SMS (default).

For how long is the data kept in your platform? (Data retention policy)

Data is deleted after 3, 6, 12, and 18 months, depending on the sensitivity of the data.

  • 3 months: Alerts sent
  • 6 months: Logs, access logs, etc.
  • 12 months: SMS data
  • 18 months: Location data, Personal data

Where is your data stored?

Safeture uses Fortlax and AddPro data centers, both of which are ISO/IEC 27001:2013 certified. The data and services are hosted in Sweden and are not subject to the US Cloud Act.

What standards do you follow regarding data security?

Safeture has built its Information Security Management System on the ISO/IEC 27002:2013 controls, so that best-practice protection controls based on industry standards are implemented and we remain compliant with applicable local, federal and state regulations as well as industry standards. These policies are updated frequently and communicated to all employees.

  • All employees must also sign a non-disclosure agreement (NDA) and an ethics policy that governs the code of conduct.
  • Safeture’s hosting data centers are both ISO/IEC 27001:2013 certified.
  • Safeture is fully GDPR and CCPA compliant.

Do you perform any penetration tests?

Yes. Twice a year we engage alternating independent third-party security experts to perform detailed penetration tests on the Safeture Platform and network, and full source code reviews. Customers are also encouraged to perform their own independent penetration tests.