    Information Security Guideline

    Release date: September 4, 2025
    Version: 1.2.1

    Table of Contents

    1. Scope of the ISMS

    2. The Importance of Information Security

    3. Security Objectives

    4. Security Organization

    5. Security Measures

    6. Improving Security

    7. Central Guiding Principles

      7.1 Data Classification

      7.2 Usability vs. Security

      7.3 Customer Data is Given Exceptional Protection

      7.4 Digital Before Analog

    8. Duty to Cooperate

    1. Scope of the ISMS

    Seibert Group GmbH
    Software development, support, license trading, consulting, training, other services, and supporting processes in the area of collaboration/improvement of cooperation.


    Seibert Products GmbH
    Software development, support, consulting, training, and other services in the area of collaboration/improving cooperation.


    Seibert Solutions GmbH & Seibert Solutions Austria GmbH
    Support, license trading, consulting, training, managed service, sales, marketing, other services, and supporting processes in the area of collaboration/improvement of cooperation.




    2. The Importance of Information Security

    Information processing plays a key role in fulfilling our tasks. All essential strategic and operational functions and tasks are significantly supported by information technology (IT). It must be possible to compensate for any failure of IT systems at short notice. Even in sub-areas, our business must not be allowed to collapse.

    Information security is particularly important for us as a company that not only produces software but also offers hosting and cloud services.




    3. Security Objectives

    All activities aimed at maintaining and improving information security are designed to ensure the fundamental values of confidentiality, integrity, and availability of information—especially our customer data.

    The specific security measures must be economically reasonable in relation to the protection requirements of the processed data. As a core activity for maintaining and improving information security, risks to information security are continuously identified, assessed, and addressed. Various legal, regulatory, and contractual requirements are imposed on information security, which are continuously identified and taken into account for information security.

    Based on our corporate goals and the current status of our information security level, we have set ourselves the following objectives:


    Intensification of efforts to increase information security awareness among all employees
    The aim is to continuously expand the range of information and training available in the field of IT security and to measure its effectiveness.


    Ensuring that individual, contractual customer IT security requirements are fulfilled
    Contractual customer requirements for IT security that go beyond the standard of our own contract templates should be uniformly reviewed and approved, centrally recorded, transparently documented, communicated internally, and compliance should be regularly monitored.


    Improving the security of our software products
    As a software development company and cloud provider, the continuous improvement of the IT security of our products is very important to us.

    The goal is to systematically strengthen IT security knowledge within the development teams and to establish a cross-team group of experts who provide internal advice on the secure implementation of new features and regularly perform security tests (penetration tests) on our software products or have them performed by third parties.


    Continuous improvement of the ISMS
    The purpose of establishing the ISMS is to maintain processes and improve the effectiveness of the system.


    These objectives are reviewed and evaluated as part of the management review.




    4. Security Organization

    A company-wide information security management system (ISMS) was introduced to achieve the information security objectives. Strategic and operational control is the responsibility of a dedicated ISMS team. To ensure clear responsibilities and continuity of processes, specific individuals and their deputies have been appointed within this team for all important ISMS processes. This team model distributes responsibility among several subject matter experts, ensuring a broader knowledge base and greater resilience.

    Overall responsibility for information security remains with the management (top circle), to which the ISMS team reports directly and on a regular basis. The company management ensures that the team has sufficient resources and training opportunities at its disposal. In order to perform its tasks effectively, the ISMS team is vested with extensive powers. These include, among other things, the right to review and audit security policies, the right to make proposals during budget planning, and the authority to order necessary immediate measures in consultation with the top management in the event of acute dangers.

    The members of the ISMS team must be involved at an early stage in IT security-related projects (e.g., new products/services, site development, major IT infrastructure adjustments) as part of the internal strategy process in order to take security-related aspects into account as early as the planning phase.

    A data protection officer has been appointed. The data protection officer was carefully selected and has the necessary expertise. It is ensured that the data protection officer is involved in all relevant issues in a timely and early manner. This is ensured by the internal data protection coordinator. The coordinator also serves as the first point of contact for all data protection issues and is responsible for all topics related to the data protection management system.




    5. Security Measures

    A responsible person is appointed for all core business processes, information, IT applications, and IT systems, who determines the respective protection requirements.

    Access permissions are assigned as needed and managed centrally.

    Substitutes must be appointed for all responsible functions. Instruction and adequate documentation must ensure that substitutes are able to perform their duties. In agile teams that are structured in such a way that, in principle, every member can take on all tasks, this requirement is considered to be fulfilled due to the shared responsibility within the team.

    Buildings and premises are protected by adequate access controls. Access to IT systems is protected by appropriate access controls and access to data is protected by a restrictive authorization concept.

    Malware protection programs are used wherever appropriate, particularly on mail servers, document storage locations, and company PCs with administrative access to customer systems. All Internet access is secured by appropriate technical filters and protection mechanisms. Remote maintenance access to all internal systems and customer servers is protected by VPN connections. A comprehensive monitoring system detects any compromises to the security objectives of the IT infrastructure and applications, which are then quickly remedied by trained employees. Furthermore, IT users support these security measures by working in a security-conscious manner and informing the appropriate departments in the event of any anomalies.

    Data loss can never be completely ruled out. Comprehensive data backup therefore ensures that IT operations can be resumed at short notice if parts of the operational data stock are lost or are obviously faulty. Information is labeled uniformly and stored in such a way that it can be found quickly.

    In order to limit and prevent major damage as a result of emergencies, security incidents must be responded to quickly and consistently. Measures for emergencies are compiled in a separate emergency preparedness plan. Our goal is to maintain critical business processes even in the event of a system failure and to restore the availability of the failed systems within a tolerable period of time.

    IT users regularly participate in training courses on the correct use of IT services and the associated security measures. The company management supports needs-based further training.




    6. Improving Security

    The ISMS is regularly reviewed to ensure that it is up to date and effective. In addition, the measures are also regularly examined to determine whether they are known to the employees concerned, whether they are feasible and whether they can be integrated into operational processes. The ISMS team is responsible for monitoring this review.

    Employees are encouraged to report any potential improvements or weaknesses to the appropriate departments.

    Continuous revision of the regulations and compliance with them ensures that the desired level of security and data protection is maintained. Deviations are analyzed with the aim of improving the security situation and keeping it constantly up to date with the latest IT security technology.




    7. Central Guiding Principles

    7.1 Data Classification
    Guiding principle

    We distinguish between data that we collect and store, and data that customers store on the systems we operate for them.

    We distinguish between data that we collect and store ourselves as part of our daily work (our own data) and data that is stored on dedicated customer systems as part of the provision of services (operation of Atlassian applications) but with which we do not otherwise work (customer data). All our own information about customers stored in CRM, ERP, booking, and billing systems or in emails, chats, wikis, or task software is, in a broader sense, also data that contains customer information. Nevertheless, it is processed together with purely internal data and is therefore classified as “our own data.”

    Since we classify customer data as requiring a higher level of protection, the security level is also higher when customers share information with us in dedicated customer systems than when it is processed in our systems (e.g., emails, extranet, Jira task management). We make the difference as clear and transparent as possible for customers and respect it when customers ask us to work on customer systems, even if this entails restrictions for us. Depending on the situation, team, and composition, certain information may need to be stored on our systems to ensure smooth operation. We announce these situations in advance and explain the reasons behind them.


    7.2 Usability vs. Security
    Guiding principle

    A central guiding principle of our actions is the conscious balance between practicality and simplicity (usability) and high security. We strive to use technology to increase both security and usability at the same time.

    We understand that usability (ease of use for users) and IT security (confidentiality, integrity, and availability of data and services) are often at odds with each other. Especially when working in customer environments, we often find that high security requirements mean that we are more concerned with gaining access to information than with working on creating value for the customer. That is why we always strive to consider usability and, in case of doubt, weigh up what are the appropriate solutions in each individual case (What data is involved? What is its security classification?). We find sensible solutions through team discussions and discourse and by means of documentation in our central systems that is transparent for all employees. When handling our own data, we tend toward usability. This tendency is based on our corporate values and our trust in our employees.


    7.3 Customer Data is Given Exceptional Protection
    Guiding principle

    The IT security of our customers’ data is our top priority.

    The security of customer data is the basis of our integrity and trust in long-term cooperation. We exclude all forms of processing customer data outside the contractually agreed framework (in particular order processing). Changes in processing are made solely on the instructions of or in consultation with the customer.

    In case of doubt, our customers’ data is always kept more secure rather than simpler. Security takes precedence over usability.


    7.4 Digital Before Analog
    Guiding principle

    Documents should primarily be digitized and remain in digital form rather than being printed out.

    We are convinced that all data should be stored digitally, as this is the only way we can meaningfully ensure the IT security of this information. Whenever possible, we try to store digital data and information within the company. When we use paper, it is to speed up our work processes. Paper then serves as a temporary tool to increase visibility, presence, or interaction. We actively work to digitize information recorded on paper and, where possible, do not retain paper unless required by law. Paper is disposed of properly in accordance with the protection class of the information it contains.




    8. Duty to Cooperate

    Management is committed to supporting the information security objectives described in this policy and encourages all employees to contribute to maintaining and improving information security.

    This guideline applies to all employees without exception. There is no justification for deviations. As a company, we ensure that employees read and understand this guideline and document their agreement. We announce changes internally and explain them.
