Security Statement

Privacy, terms of service and legal information for using the Kopexa platform.

Security Statement

Effective since January 1, 2026

This Security Statement documents the core principles and measures of Kopexa GmbH in the area of information security. It is part of our Information Security Management System (ISMS) and is regularly reviewed to ensure that our security measures address current threats and regulatory requirements.

Responsibility & Governance

Responsibility for information security lies with the executive management. Operational implementation is carried out by the Security & Compliance Team, which reports directly to the executive management.

  • A designated Information Security Officer (CISO) has been appointed.
  • The ISMS is regularly assessed through internal audits and, where required, external reviews.
  • Management Reviews take place at least once a year.
  • All employees are required to comply with the information security policies.

Policies & Standards

Kopexa follows recognized standards and legal frameworks, including:

  • ISO/IEC 27001
  • BSI IT-Grundschutz
  • SOC 2 (Trust Services Criteria)
  • GDPR (General Data Protection Regulation)

The ISMS is supported by internal policies, including:

  • Access Control Policy
  • Incident Response Policy
  • Change Management Policy
  • Acceptable Use Policy
  • Data Classification & Handling Policy

Security by Design & Architecture

Our platform was developed following security-by-design and security-first principles.

  • Tenant isolation: Data is strictly separated between tenants.
  • Granular access controls: Role and permission management following the principle of least privilege.
  • Production and development environments are separated.
  • Changes are made exclusively through a controlled change management process.

Authentication & Access Control

  • Multi-factor authentication (MFA) is mandatory for all accounts.
  • Single sign-on (SSO) via SAML/OIDC is available by default.
  • Access rights are regularly recertified.
  • Protocols for onboarding and offboarding ensure that access is provisioned or revoked promptly.

Data Encryption & Data Protection

  • Data at rest is encrypted with AES-256.
  • Data in transit is transported exclusively via TLS 1.2 or higher.
  • Customer data is processed exclusively within the EU.
  • Backup data is encrypted, created at least once daily and stored geo-redundantly.

Monitoring, Logging & Incident Response

  • A central Security Information & Event Management (SIEM) solution monitors relevant systems.
  • All administrative access and changes are recorded in audit logs.
  • A defined incident response process with escalation levels and response times is in place.
  • Security incidents are handled in accordance with notification obligations (e.g., GDPR Art. 33/34).

Vulnerability Management & Security Testing

  • Regular vulnerability scans and patch management processes are established.
  • Penetration tests are conducted at least once a year by independent third parties.
  • Results are documented, assessed and resolved promptly through a remediation process.
  • A responsible disclosure program allows vulnerabilities to be reported securely.

Business Continuity & Disaster Recovery

  • A documented Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are in place.
  • Backups are regularly tested to ensure recoverability.
  • Emergency exercises (e.g., simulation of system failures or ransomware attacks) are conducted at least annually.

Supply Chain & Third-Party Security

  • A risk and compliance assessment is performed before engaging sub-processors.
  • Contracts include security and data protection clauses as well as audit rights.
  • A vendor management process monitors compliance with agreed standards.

Employee Training & Awareness

  • All employees complete mandatory security awareness training upon joining and at least annually.
  • Specialized training is provided for roles with elevated privileges (e.g., admins, developers).
  • Regular phishing simulations are conducted for awareness purposes.

Continuous Improvement

The ISMS follows the principle of continuous improvement (PDCA cycle):

  1. Plan – Risk analyses and definition of measures.
  2. Do – Implementation of measures in business processes.
  3. Check – Review through internal audits and metrics.
  4. Act – Adjustments and improvements based on results.

Reporting Security Incidents

If you discover a vulnerability or security incident, please contact us directly at:

security@kopexa.com

Please include in your report:

  • Your name and contact details
  • A description of the vulnerability or incident
  • Where possible, steps to reproduce the issue

We will acknowledge receipt of every report and inform you of the next steps.