Swiss standard security.
Directly integrated.

Our data centers are located exclusively in Switzerland and are subject to the strictest data protection laws in the world. Switzerland's political stability and neutrality guarantee long-term security for your business-critical data.

• Data centers according to Tier III targets of the Uptime Institute
• 24/7 monitoring and access control
• Redundant power supply and climate control
• Data processing in accordance with Swiss FADP and EU GDPR

Our security controls are aligned with PCI DSS v4.0 to protect cardholder data. We conduct quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and re-audit after corrections or significant changes. Our security program includes encryption in transit, system hardening, access controls and continuous monitoring to meet PCI requirements.

• Quarterly ASV scans with confirmation
• Re-scans after corrections and significant changes
• Principle of minimal rights assignment & MFA for administrative access

We are certified to ISO 27001:2022 - the latest international standard for information security management systems. This certification underlines our commitment to state-of-the-art security standards and continuous improvement.

‍

• Annual accredited surveillance audits and recertification every three years
• Implementation of all requirements of the 2022 standard
• Comprehensive risk management documentation
• Regular internal and external audits
• Implementation of the extended controls of the 2022 audit

‍

You can find more information about our certifications here.

We protect login data from the ground up with strong hashing algorithms, encrypted secrets and traceable admin workflows.

• Passwords: stored hashed (Argon2id or bcrypt) with individual salts per user; no plain text storage; regular checking and adjustment of hashing parameters.
• Application Secrets & Tokens: Encrypted at rest (e.g., AES-256) with strict key management, rotation and access controls; short-lived tokens are preferred with revocation on logout or risk scenarios.
• Administrative access: Commit-signed changes, protected branches and four-eyes approvals for sensitive credential workflows.

We design for high availability with active redundancy, fast failover and transparent status communication.

• Redundant design with automatic failover for critical services
• Target availability: up to 99.99%
• No single point of failure in critical paths
• Ziel: automatisches Failover < 30 Sekunden für ausgewählte Komponenten
• Public status dashboard: https://securesafe.site24x7statusiq.com/

We implement least privilege principles with finely graduated, policy-based access controls that adapt to the context.

• Role-based access control (RBAC) with minimum necessary rights
• Time-based/automatic sequence rules in the event of inactivity
• Delegate Administration for Key Accounts
• Step-up/MFA for sensitive operations (guideline-controlled)

We develop our systems for continuous operation and validate this through synthetic monitoring, automatic failover and practiced disaster recovery (DR) scenarios to meet tested RTOs/RPOs.

• Goals & scope: Protecting people first, clear decision-making processes and restoring essential services within defined time frames.
• Monitoring & detection: Zabbix (internal) and Site24x7 (external) with end-to-end synthetics; automatic component failover via load balancer/application firewall; database failover is controlled to maintain consistency.
• Recovery targets (by scenario):
  • Data center failure:
    • RTO ≈ 2 hours + detection time (DNS switch to secondary site or rebuild at primary site).
    • RPO: Point-in-time recovery within the last 10 days (database WAL); weekly statuses for 3 months; monthly statuses for 1 year. File layer with mirrored copies and delayed deletion in DR to undo accidental deletions.
  • Failure of a main component:
    • RTO ≈ 30 minutes + detection time (load balancer to hot standby)
    • RPO: 0 hours
  • Human error (data loss):
    • RTO ≈ 2 hours + detection time (restore from backup).
    • RPO: up to 0 hours, if detected within backup/storage window.
• Tests & exercises: Regular full backup-restore tests (~every 1-2 months) as part of release tests; at least annual DR exercises; periodic production switchovers for major upgrades; exercises on DNS failover processes.
• Architecture highlights: Multi-site design with active/active application clusters, hot standby database replication, configuration and transaction mirroring, and backup/write mirroring to DR

We offer tamper-proof audit trails with real-time detection, controlled retention and SIEM-enabled integrations.

• Integrity-protected, append-only audit logs
• Real-time monitoring and alerting in the event of critical incidents
• Long-term storage in accordance with guidelines and regulatory requirements
• SIEM export/integrations available for enterprise customers

We guarantee reliable recovery through automated, geo-redundant backups in Switzerland with regular checks of the recovery processes.

• Automated, frequent backups with geographically distributed replicas within Switzerland
• Integrity protection for backups (immutability & restrictive access)
• Regular restore tests and validation of the restore procedures

We strengthen access protection with tiered, adaptive authentication - including MFA as standard, standards-based SSO, biometric factors and risk-based step-up authentication for sensitive actions.

• Multi-factor authentication (MFA) available by default; company policies can enforce MFA for users/roles
• Single Sign-On (SSO) for companies (SAML 2.0 / OpenID Connect)
• Compatible with device biometrics (e.g. Face ID/Touch ID) as a second factor
• Risk-based step-up authentication for sensitive actions (if activated)

We protect your data with strong encryption - both during transmission and at rest.

• Server-side encryption for content (zero-knowledge architecture)
• AES-256 for stored data and encrypted content
• TLS 1.3 with Perfect Forward Secrecy for all network traffic
• Managed key lifecycle (generation, rotation, revocation)
• Regular cryptographic checks and updates in accordance with current best practices

We regularly commission independent security experts to check our systems for vulnerabilities. This proactive approach guarantees the highest security standards.

• Regular penetration tests by third parties
• Simulation of realistic attack scenarios
• Remediation according to priority of criticality
• Transparent communication of critical results
• Executive Summaries available for corporate clients under NDA

We use server-side encryption with industry-standard algorithms and strict key management. Decryption takes place exclusively within a secure, monitored service environment and only to fulfill your request. Keys are protected via an HSM-based KMS (Key Management Service) and only exist in plain text during active operations - with immediate decryption, strict access controls and comprehensive logging. This architecture enables critical features - digital estate management, enterprise performance and universal device compatibility - without compromising security.

• Server-side encryption with controlled, internal decryption
• HSM-supported key management; just-in-time key access and fast memory reduction
• No universal "master key" or undocumented access options
• Defense-in-Depth, regular independent audits and an ISO/IEC 27001:2022-certified ISMS
• Protection against internal and external threats

At DSwiss, security is not an add-on - it is a fundamental part of our architecture. Every component has been developed according to the "security first" principle.

• Defense-in-depth strategy with multiple layers of security
• Automatic security updates without service interruption
• Redundant systems for maximum reliability
• Geographically distributed backup locations in Switzerland - including a former military bunker deep in the Swiss Alps

We maintain a strict separation between development, staging and production to reduce risks and prevent cross-contamination.

• Separate accounts/clients and network segmentation per environment
• No production data in test or development environments
• Different access controls and least privilege roles per environment
• Automated, auditable deployment pipelines with approval processes

We have established comprehensive quality assurance processes to ensure that every release meets our safety and reliability standards.

• High automated test coverage (unit, integration and end-to-end tests) with CI quality controls
• CI/CD pipelines with build and deployment time checks
• Regular penetration tests by third parties; security assessments before releases with significant changes
• Infrastructure and service vulnerability scans with Nessus; consolidated reporting via Scanmeter
• Software Composition Analysis (SCA) and container image scanning with JFrog Xray; policy check of dependencies in CI

We rely on mandatory peer reviews so that every code change is subjected to a security check before deployment.

• Two-person (four-eye) principle with protected branches
• Branch protection rules: required status checks, code owners, linear history and no force push on main branches
• Cryptographically signed commits on protected branches (e.g. GPG) are mandatory
• Automated SAST/DAST checks, Software Composition Analysis (SCA), and secrets scanning
• Continuous scanning of third-party dependencies and containers
• Security champions anchored in every development team

Our Development Security Process
We integrate security into every phase of the lifecycle, from design through operation.

• Threat modeling and abuse-case reviews during design
• Documented security requirements and secure coding standards (e.g., OWASP guidance)
• SBOM generation (e.g., SPDX/CycloneDX) for each build; inventories retained and monitored
• Artifact signing and provenance: build artifacts are cryptographically signed and verified at deployment; provenance attestation recorded
• Regular secure-coding training for developers
• DevSecOps practices with security gates in CI/CD

We invest in comprehensive safety training so that every team member understands safety standards and applies best practices.

• At least annual security awareness training and ongoing refresher courses
• Role-specific safety training
• Support with professional safety certifications

We have established a comprehensive set of security guidelines that govern key aspects of our processes and data processing.

• ISMS policy framework in accordance with ISO/IEC 27001:2022
• Regular, risk-based review and updating of the guidelines
• Documented and regularly practiced incident response procedures
• Binding standards for data classification and processing

We have implemented strict confidentiality controls and agreements to protect all sensitive information entrusted to us.

• Mandatory NDAs for all employees and partners
• Strict need-to-know access
• Encrypted channels for confidential communication
• Regular confidentiality audits