Security & Compliance at Stormtec GmbH

Effective date: December 30, 2025

Protecting customer confidential information and company data is a core part of how we deliver AI services, cybersecurity, and managed IT services. Our ISMS scope covers information security for the design, delivery, and operation of these services, including customer data handling and supporting internal systems across Swiss and remote operations.
We align with recognized security and privacy expectations

We design our controls to meet customer, regulatory, and contractual requirements—commonly including Swiss data protection (revDSG/DSV) and, where applicable, GDPR obligations. We also map controls to widely used security standards (e.g., ISO/IEC 27001-aligned practices) based on customer needs and risk level.

Encryption and secure communication by default

  • Encryption in transit: TLS for service and administrative access
  • Encryption at rest: encryption for stored data wherever supported by the underlying platform/provider
  • Secrets management: credentials/keys managed through approved secret management processes and tools

Access control and identity security

  • Least privilege access with role-based control
  • MFA for administrative access and sensitive systems
  • Joiner/Mover/Leaver process to ensure timely access provisioning and removal
  • Device assignment: company devices are assigned per employee and managed through corporate controls (e.g., Entra ID / Intune) where applicable

Secure engineering and delivery

We embed security in delivery and operations through:

 

  • Secure SDLC practices and peer review
  • Vulnerability management and timely patching
  • Security testing appropriate to the solution (e.g., SAST/DAST where used)
  • Logging and audit trails for relevant systems and environments

Monitoring, incident response, and continuous improvement

Security is treated as an ongoing cycle of prevention, detection, response, and improvement:

  • Centralized logging and alerting for critical systems (where applicable)
  • Documented incident handling and escalation process
  • Post-incident reviews to improve controls and resilience

Supplier and cloud/partner security

Where we rely on third-party platforms (cloud, hosting, SaaS tools, partners), we manage risk through:

  • Supplier onboarding and security expectations
  • Contractual controls (confidentiality, access, sub-processing where applicable)
  • Regular review of vendor assurances aligned to service criticality

Data retention and deletion

Data retention is defined by contract, legal requirements, and business needs. Upon contract termination, customer data handling follows agreed retention and secure deletion procedures.

Responsible disclosure

If you believe you have found a vulnerability affecting Stormtec services, please contact:

security@stormtec.ch (include a clear description and a proof of concept, and avoid testing against data you do not own).

Information Security Policy (high-level)

Stormtec’s information security program is designed to:

  • Protect confidentiality, integrity, and availability of information
  • Prevent unauthorized access through strict access control
  • Maintain secure operations and resilient service delivery
  • Promote security awareness and accountability for all employees
  • Encourage reporting of suspected security concerns, with no retaliation against those who report in good faith (this protection does not extend to conduct that is illegal or grossly negligent)

Report suspected incidents: security@stormtec.ch