Data encryption
End-to-end encryption of data at rest with the Advanced Encryption Standard (AES 256) and secure end-to-end encryption for data in transit (TLS 1.2)
All data within the Eplan Cloud is encrypted end-to-end and thus protected from unauthorized access. Data is encrypted at rest in accordance with the "Advanced Encryption Standard" with a key length of 256 bits (AES 256). When transferring data, e.g. during an upload or download, secure end-to-end encryption is implemented in accordance with the TLS 1.2 security standard (e.g. via an HTTPS connection). This means that your data is protected from unauthorized access in all areas of the Eplan Cloud.
Access security (Identity and Access Management)
Secure identity and access management with strong password requirements (in accordance with the BSI standard), combined with two-factor authentication and a well-thought-out access and role concept
Eplan has set up a clear concept of roles and access to data for administrators of the Eplan Cloud (role-based access control). Time-limited access to the data within the Eplan Cloud is granted only if necessary (e.g. for support requests or necessary maintenance work). Access rights are assigned in accordance with a minimum rights principle and for a limited period. Regular rights review procedures ensure that access rights are always granted appropriately for each role. Access to data is always logged.
As a matter of principle, Eplan administrators must follow very strict password requirements in combination with a mandatory multi-factor authentication method (MFA). This ensures that a login with a password alone is not possible. For Eplan Cloud customers, MFA is optional and can be activated in the user profile.
Cloud monitoring
Automated 24/7 anomaly monitoring in real time, as well as organized and fast action in the event of incidents by trained experts from the internal Security & Operations team
The Eplan Cloud is continuously monitored 24/7 in real time by extensive logging and monitoring functions. For example, this involves checking whether the front-end systems of the Eplan Cloud and back-end systems running in the background are always available and operate with sufficient performance. A dedicated team of experts is automatically informed should any deviations or malfunctions occur. Extensively tested procedures also ensure that, in the event of deviations from normal conditions, the affected systems can be restored to the desired target state as quickly as possible.
Backup and recovery procedures
Comprehensive backup and recovery concept for emergency situations, including a rolling backup strategy
Eplan backs up the Eplan Cloud data in regular cycles and retains backups for specified retention periods. The implementation of the backup procedure is based on the specifications of ISO 27001. Backups are always fully encrypted and protected from unauthorized access. The key for decrypting backups is strictly protected and securely stored. It is only used in emergency situations and after a defined release procedure. The integrity of the backups is tested so that they are available and usable when needed.
Agile software development in accordance with the DevSecOps principle
Agile software development as part of an organized software development life cycle with automated function and security tests as well as code reviews
The quality and procedures for internal software development processes at Eplan are certified in accordance with ISO 9001. This ensures a consistently structured and organized procedure for creating the software of the Eplan Cloud products: from the initial concept design to the delivery of finished software products. Eplan develops software by using agile methods and integrating security measures in accordance with the DevSecOps principle. For example, automated test procedures, code reviews and controlled acceptance procedures are used. All phases of the software development life cycle are controlled and monitored to ensure the implementation of proven security techniques. Modern REST APIs with integrated strong authentication methods are used to exchange data. The principle of separating the development, test and production environments is, of course, strictly enforced and adhered to.
Vulnerability analyses (Threat Intelligence)
Extensive analyses for automatic detection of threats and vulnerabilities, including regular penetration tests and independent third-party security audits
Eplan uses internal and external resources to gather information on emerging threats. Automated tools and internal security experts analyze the information received. In this way, sensible strategies and effective defensive action plans are identified and implemented swiftly. Specific measures include, for example, regularly conducted internal and external penetration tests for proactive detection of potential vulnerabilities or automated patch management for timely implementation of necessary security updates. Eplan’s highly qualified security experts regularly participate in specialized training programs. This is how Eplan ensures that the necessary know-how of their internal security experts is always up to date.