Questions about security & data protection

Updated by Sven Frauen

All data in Sweap is processed on servers within the European Union, primarily in Germany. We place the highest value on data protection and data security. Details on this can also be found in our order processing agreement (AVV) and our technical and organisational measures (TOMs) as an appendix to our GTC here.

Where is my data stored?

Your data is stored in our secure IBM Deutschland GmbH data centres in Frankfurt am Main (Germany).

General security information about the IBM Cloud

The IBM Cloud offers an open and secure public cloud for enterprises, with extensive compliance and security certifications to protect clients' data and applications. The IBM Cloud platform is based on secure engineering practices and offers multi-layered security controls across the network and infrastructure. In addition, IBM is committed to complying with European regulatory requirements regarding the protection of its clients' data and applications.

Certifications include international standards for data security (ISO 27001) and data protection (ISO 27018 and 27701), detailed written documentation of internal controls (SOC 1-3), specific cloud security certifications (CSA STAR) and, of course, GDPR compliance. For more information on compliance and security certifications, please see the IBM Cloud Compliance Programme Overview.

What is IBM's position on the CLOUD Act?

What does the CLOUD Act say?

It obliges US IT providers to grant US authorities access to customer data outside the US under certain circumstances.

What does it not contain?

  • Fundamental change in the legal situation from the point of view of the IBM public cloud
  • Actual relaxation of requirements for US authorities before they gain access

IBM Public Cloud policy and practice for such disclosure requests is based on the fact that client data belongs to the client, and is only released by the client, i.e.

How does IBM relate to Privacy Shield?

What happened?

In its judgment of 16 July 2020 (Case C 311/18 - "Schrems II"), the ECJ declared the Privacy Shield Implementing Decision invalid.

What does that mean?

  • EU-US Privacy Shield no longer valid for data exports from the EU to the US
  • IBM Public Cloud uses EU standard contractual clauses (EUMCs)
  • EUMCs explicitly not invalidated by Schrems-II
  • Data exporters and importers must ensure that the EUMCs are supported by "supplementary measures to ensure an essentially equivalent level of protection".

Supplementary measures:

Further comprehensive information on IBM's obligation to protect international data transfers can be found here.

What security measures does Sweap take?

The technical and organisational measures for the protection of your data can be found here in Annex 2 of our AV contract. Furthermore, we ensure the protection of your data on the IBM Cloud by, among other things, the following:

Is my data backed up should an emergency occur?

All data is hosted on very secure and highly available servers in the IBM Cloud. Data is backed up daily in encrypted form and stored in a redundant and distributed manner. In the event of an unforeseen event and system-wide emergencies, we can perform a full backup restore.

Where are my emails sent?

The emails in Sweap are sent via our email provider Mailjet using the secure Google Cloud Platform data centres in Frankfurt am Main (Germany) and Saint-Ghislain (Belgium).

General security information of the provider Mailjet.

Mailjet is ISO 27001 certified and GDPR compliant. EU customer data is stored exclusively on EU servers. All data is subject to SCCs (Standard Contractual Clauses) and is encrypted. Access to data from outside the EU is very limited, and the data is minimized, encrypted and SCC compliant.

For more information about Mailjet's security & privacy, click here.

For more information on the processing of data (AVV) by Mailjet, please click here.

Is Sweap compatible with the GDPR?

Yes, Sweap meets all the requirements of the EU General Data Protection Regulation (GDPR) and is compliant with it both as an organisation and as software. To this end, as part of the preparations for the EU GDPR, we checked our product against the essential legal requirements and made the corresponding adjustments, as you can read here.

Has a data protection officer been appointed?

Yes, for advice on data protection issues and support as company data protection officer, we rely on Proliance GmbH / www.datenschutzexperte.de: Proliance GmbH, Leopoldstr. 21, 80802 München.

You can find out more about the official data protection seal from Datenschutzexperte.de here.

If you have any questions about data protection at Sweap, please contact us at privacy@sweap.io.

How can I ensure that my data protection rights are guaranteed?

We have processes in place to ensure your rights to erasure, rectification, portability and access, as well as your right to be forgotten and to restriction of processing. Details can also be found here in our data protection concept.

Does tracking take place in Sweap?

In general, Sweap applies the principle of data avoidance and data economy. We therefore try to collect only the necessary data. When it comes to tracking, we distinguish between guests (participants) at your event and Sweap users of the Sweap application.

Guests and websites

When a guest (the participant of an event) calls up the standard registration page, no tracking cookies are used and no data is tracked for further purposes (e.g. marketing). Sweap does not use Google Analytics or similar web trackers on the websites.

Only a technically mandatory essential cookie is set, for which no cookie consent is required. This is the cookie with the name INGRESSCOOKIE:

  • Name: INGRESSCOOKIE
  • Purpose: Registers which server cluster is serving the visitor. This is needed in the context of load balancing to optimize the user experience.
  • Cookie duration: Only temporary for the session

However, Sweap users can integrate their own web trackers, e.g. via JavaScript. Furthermore, it is possible to voluntarily integrate Google Maps or other third-party services (e.g. YouTube when embedding a video). For the use of these services, an IP address must be transmitted. What happens to this IP address is then again the responsibility of the third-party service provider (Google, YouTube, etc.).

Tracking cookies are also used by the third-party service when, for example, YouTube videos are integrated. The following service can be used to check whether cookies are present on the website: https://www.cookiemetrix.com/

Guests and e-mails

By default, no tracking takes place for the e-mails. Only the bounce rates (failed transmissions) and the successful transmission of the e-mails are saved. Optionally, the Sweap user can also track the opening rates of the e-mails. This is done with the help of an invisible tracking pixel provided by our e-mail provider Mailjet. The Sweap user can freely activate or deactivate this option; it is deactivated by default and must be explicitly activated. Sweap does not evaluate this data further.

Sweap users

We analyse the usage behaviour of our customers, the users of the Sweap application (Sweap web application and Sweap guest list iOS app), anonymously with the help of Microsoft Clarity, error reporting and support tools in order to offer you an optimal software experience and to continuously improve it. This only affects users of the Sweap system who log into our software. In addition to session cookies for the technical functionality of the site, tracking cookies are also used. Please see our privacy policy for more details.
