Data security is not a marketing promise
ISO/IEC 27001 certified. Hosted in Switzerland. Secure by design. Audited, documented, verifiable — because personnel data is too valuable to rely on good intentions.
- ISO/IEC 27001 certified
- Swiss data location · revFADP-compliant
- Six-monthly penetration tests
The four pillars of our Trust Center
ISO/IEC 27001 certified
ZeugnisPilot is operated within the ISO/IEC 27001-certified information security management system (ISMS) of rhyno solutions AG — audited by an accredited Swiss body. The certification covers all processes around development, operations, data processing and incident management.
Hosted in Switzerland
All data — personal master data, reference drafts, AI processing — stays in Switzerland. We use exclusively Swiss data centres with ISO 27001 and FINMA-compliant standards. No data transfer into EU or US data spaces.
Secure by design
Security is not bolted on afterwards: threat modelling before each feature release, mandatory code review, dependency scans in CI, pen tests by an external provider every six months. Security assumptions are documented in the code and made verifiable.
Data protection under FADP & GDPR
Full conformity with the Swiss Federal Act on Data Protection (revFADP) and the EU GDPR. Data Processing Agreement (DPA) on request. Data protection impact assessment documented per module. No profiling, no transfer to third parties without explicit consent.
Why ISO 27001 is mandatory today
Personnel data is the most sensitive category of data outside health and financial data. A work reference contains assessments of people, their career development, strengths and development areas — content that, in the wrong context, can have professional and personal consequences. An HR-software vendor that handles such data and cannot demonstrate at least ISO 27001 should no longer be awarded a contract today.
ISO/IEC 27001 is the international standard for information security management. Certification means: an independent auditor has reviewed and confirmed that the company runs a systematic, documented and actively practised security management system — from risk analysis through access control to incident handling. It is not a logo you stick on a website: it is an audit report with named auditors, a defined scope and a re-audit obligation.
For you as a customer that means: when the next IT audit, data protection impact assessment or supplier due diligence of your group parent comes up, you have solid evidence instead of vague marketing statements.
Concrete technical measures
Encryption in transit
TLS 1.3 with modern cipher suites (HSTS enforced, mixed content blocked). Forward secrecy active. SSL Labs A+ rating.
Encryption at rest
All data at rest is AES-256 encrypted. Sensitive fields (API secrets) are additionally AES-256-GCM encrypted at the application level with a per-tenant key.
Content fingerprint (SHA-256)
Every issued reference receives a cryptographic hash. Manipulation becomes immediately visible via the public verification page.
Audit trail
Who performed which action and when — fully logged (append-only). Cross-tenant access is technically excluded.
Zero-trust sessions
Sessions are short-lived (8 h) and carried in httpOnly cookies with sameSite=lax and the Secure flag set in production. Token refresh happens without a browser round trip.
Least-privilege architecture
Each component has exactly the permissions it needs — no more. Backend service accounts are read-only or write-restricted, depending on function.
Penetration tests
Six-monthly pen tests by an independent Swiss security firm (OWASP Top 10, auth flows, business logic). Findings are documented publicly and traceably with severity class and remediation date.
Dependency scans
Automatic CVE scans on every build. Critical vulnerabilities cause the build to abort. Weekly Dependabot and Snyk reviews.
Backup & restore
Daily, encrypted backups in a geographically separate Swiss data centre. Restore drills quarterly — tested, not assumed.
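To illustrate what the content fingerprint described above involves, here is an added Python example (not ZeugnisPilot's code; the field names and the sample reference are constructed): the SHA-256 hash is taken over a canonical serialisation, so reordering fields does not change it, while any edit to the content does.

```python
import hashlib
import hmac
import json


def canonical_bytes(reference: dict) -> bytes:
    """Serialise a reference to canonical JSON (sorted keys, no insignificant
    whitespace, UTF-8) so identical content always hashes to identical bytes."""
    return json.dumps(
        reference, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def fingerprint(reference: dict) -> str:
    """SHA-256 hex digest over the canonical form: the value a public
    verification page would publish for an issued reference."""
    return hashlib.sha256(canonical_bytes(reference)).hexdigest()


def verify(reference: dict, published: str) -> bool:
    """Recompute the fingerprint and compare it in constant time."""
    return hmac.compare_digest(fingerprint(reference), published)


# Constructed sample reference; field names are hypothetical, not a real schema.
ISSUED = {
    "reference_id": "REF-EXAMPLE-0001",
    "employee": "Jane Doe",
    "role": "Software Engineer",
    "assessment": "Consistently delivered high-quality work.",
    "issued_on": "2024-06-30",
}
PUBLISHED_FINGERPRINT = fingerprint(ISSUED)  # what the verification page would show


def demo() -> tuple:
    """Three checks: the original, a key-reordered copy (same content), and a
    tampered copy in which one assessment sentence was changed."""
    reordered = {k: ISSUED[k] for k in reversed(list(ISSUED))}
    tampered = dict(ISSUED, assessment="Performance was unsatisfactory.")
    return (
        verify(ISSUED, PUBLISHED_FINGERPRINT),
        verify(reordered, PUBLISHED_FINGERPRINT),
        verify(tampered, PUBLISHED_FINGERPRINT),
    )


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```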
Swiss data location — and why it matters
"Hosted in Switzerland" is a term that is often used loosely. With us, it means: backend, database, backups, verification service and AI processing run exclusively on infrastructure in Swiss data centres, with contractual partners subject to Swiss operators. We publish the locations (Cloud Run europe-west6 in Zurich, backups in a second Swiss data centre) and the sub-processor list (see below) transparently.
Even when a sub-processor (e.g. Anthropic for AI processing) is based outside Switzerland, we protect the transfer with additional measures: data minimisation (only what is necessary), no storage at the sub-processor, EU standard contractual clauses and supplementary technical measures in line with the FDPIC guidelines.
Concretely: your employees' master data and reference drafts do not leave Switzerland. The AI sees only the professional content (role, tasks, assessment) — never salary level, date of birth or private address.
Sub-processor list
A complete list of all third parties that process personal data on behalf of ZeugnisPilot. Changes are announced 30 days in advance.
| Provider | Purpose | Region | DPA |
|---|---|---|---|
| Anthropic (Claude API) | AI-supported draft generation | EU/US — data is transferred without customer names, no storage at the provider | DPA in place |
| Firebase Authentication (Google) | End-user and admin login | EU (europe-west) | EU standard contractual clauses + DPA |
| bexio AG | OAuth interface for master data | Switzerland | Data flow exclusively on customer initiative |
| Cloud Run europe-west6 (Google) | Backend hosting | Switzerland (Zurich) | EU standard contractual clauses + DPA, Swiss data centre |
| Firebase Hosting | Static frontend | CDN global, origin in Switzerland | DPA in place |
| Twilio SendGrid | Transactional email delivery (verification links, workflow notifications) | US — DPF-certified (EU-US Data Privacy Framework) | DPA via SendGrid Terms; transferred are recipient email, employee name and company name (no reference content) |
When something does happen
No one can completely rule out incidents. What you can expect, however: a clearly defined process, fast and honest communication, full investigation with documented measures.
1. Detection
24/7 monitoring with alarm thresholds for unusual auth patterns, rate limits, error rates and API latency. SIEM integration in preparation.
2. Containment
Within 30 minutes of confirmation: affected system isolated, access blocked, forensic logging activated.
3. Communication
We inform affected customers within 72 hours of becoming aware — even if the incident has not yet been fully analysed (FADP reporting obligation).
4. Remediation & lessons learned
Root-cause analysis, remediation, technical and procedural measures. Full post-mortem report for affected customers.
Frequently asked questions
Are you actually ISO 27001 certified or merely "compliant with ISO 27001"?
Where exactly does my data reside?
Is employee data sent to the AI (Anthropic)?
What happens in the event of a data protection incident?
How fast are critical security updates?
Who reviews your security independently?
Who has access to my data internally?
Can I export or delete my data?
Do you offer 2FA / MFA?
What is your disaster-recovery time?
Documents on request
- ISO/IEC 27001 certificate with scope
- Data Processing Agreement (DPA) under revFADP and GDPR
- Data Protection Impact Assessment (DPIA) for processing in the generator
- Penetration test report (executive summary, detailed report under NDA)
- Sub-processor list with contract documentation
- Security architecture document for your IT department
Send your request to hello@zeugnispilot.ch — usually answered within one business day.
All issued references carry the Fair Reference Standard — verified fairness, traceable criteria, certified method (FZS 1000).
Trust is earned — we are happy to earn yours.
Start with the company registration. Within 5 minutes you have an account, full access to the generator and can request the security documentation if needed.