"We have been convinced once again that the BKMS® System ensures the safety and confidentiality of personal data by means of an extraordinarily high level of data security and highly differentiated access rights. This award confirms that the stand-alone application meets the world's highest certifiable data protection standard."
"With the BKMS® System, Business Keeper has succeeded in developing an intelligent whistleblowing solution that conforms to data protection laws and takes into consideration the data protection interests of all involved parties. This was already confirmed when the system was awarded EuroPriSe certification. Seeing more companies display the engagement and energy that Business Keeper does when it comes to pro-actively committing themselves to data protection would be a delight."
"In our opinion, the data protection measures in the BKMS® System really put this whistleblower system ahead of the pack."
"Business Keeper has been exemplary in implementing transparency in data handling processes, technical and organisational measures, and in protecting the whistleblowers, using a data protection function and comprehensive, trust-building information."
"The fact that the BKMS® System was awarded the European Privacy Seal is a clear sign to our clients and to the whistleblowers themselves that we take data protection very seriously when it comes to such a sensitive topic as reporting on grievances and cases of corruption. The EuroPriSe Seal, which takes into consideration legal aspects of data protection, is an excellent addition to the technical security certificates already awarded to the BKMS® System."
Data protection and information security
Data protection and information security are the foundations of the BKMS® Compliance System.
Protection of the data and users of the BKMS® Compliance System is our highest priority. Accordingly, we never at any time have access to the report and case data of our customers and their whistleblowers. This is regularly verified on a voluntary basis through external audits by independent bodies. In addition to designing the BKMS® Compliance System to be amenable to the implementation of data protection requirements, we also support our customers with best practice information on how to use the whistleblowing system in compliance with the principles of data protection.
The following certifications confirm the outstanding data protection and information security level of the BKMS® Compliance System. These symbolically represent the high standards that we place on our company and the BKMS® Compliance System.
The European Privacy Seal (EuroPriSe) certifies conformity with European data protection law. In a multi-stage evaluation and certification process by independent IT and legal experts, the data protection conformity of the BKMS® System was compared against the applicable, publicly viewable criteria based on the EU General Data Protection Regulation (EU GDPR).
Within the scope of the certification process, the technical and organisational measures for data security and data protection were deemed to have exceeded legal requirements.
The seal is valid for two years and includes regular monitoring at intervals of eight months. Since the initial certification in 2013, the BKMS® System has been successfully recertified every two years. This included evaluation of new developments in the BKMS® System by the independent IT and legal experts as well as the EuroPriSe certification body. The BKMS® System is the first whistleblowing system in the world to be certified according to the strict EuroPriSe criteria.
The Seal of Approval from the Independent Regional Centre for Data Protection, Schleswig-Holstein (ULD) confirmed, in a formal process, that the BKMS® System is compatible with the regulations for data protection and data security. On this basis, use of the product by public authorities in Schleswig-Holstein is recommended by the ULD. Other German states also recommend the use of products with the official Data Protection Seal of Approval.
Upon completing the multi-stage assessment according to the Data Protection Seal Ordinance (DSGSVO), the ULD awarded the BKMS® System a certification attesting that the system commendably meets all criteria relating to data avoidance, data economy and observing the rights of data subjects. The results of the initial certification from 2013 were confirmed by the successful recertifications in the years 2015 and 2017. Since the implementation of GDPR, the ULD is now unfortunately only able to issue certifications for companies and public agencies located in Schleswig-Holstein.
The information security management system (ISMS) of Business Keeper AG has been certified according to ISO 27001. The scope of the certification covers the secure operation of the BKMS® Compliance System. Special attention was paid here to secure software development and to high availability in the operation of the BKMS® Compliance System. The BKMS® Compliance System therefore verifiably satisfies higher standards for data security than systems of other providers, which generally only obtain certification according to ISO 27001 for the ISMS of the high-security data centre.
The internationally established standard ISO 27001 specifies requirements for a comprehensive information security management system in organisations that is intended to ensure the availability, integrity and confidentiality of information. The process begins with an analysis of potential threats to IT systems and information. This is followed by the definition and implementation of the necessary technical and organisational security measures. The established security measures for maintaining and continually improving the IT security of the organisation are regularly evaluated and updated.
The BKMS® System’s security module is regularly certified by an independent, publicly appointed and sworn-in expert. The inspection takes the form of comprehensive physical and software analyses which verify the effectiveness of the encryption employed in the system.
The detailed report with certificate (G16 0601 1) confirms that:
- the anonymity of the whistleblower is protected;
- neither third parties nor Business Keeper AG itself is able to decrypt or interpret the reports on the system.
Only authorised examiners working for the customer may decrypt reports intended for them by means of a multi-stage authentication process utilising secure passwords.
For quality assurance, penetration tests are regularly performed by external and internationally known security service providers. These tests confirm that there are no known security weaknesses in the BKMS® Compliance System. A current confirmation of the regular testing is open to public inspection at all times.
Other security measures in the BKMS® Compliance System
High-security data centre
The BKMS® Compliance System is operated on closed servers in a tier 3+ high-security data centre which offers above-average physical security. The data centre is certified according to ISO 27001:2013. The administration and maintenance of the BKMS® servers is solely the responsibility of the internal IT experts of Business Keeper AG.
The BKMS® server features an extended validation server certificate that clearly and securely verifies its legitimacy. This ensures that all reports and correspondence take place over a clearly indicated TLS connection. TLS secures the communication between the browser of the customer or whistleblower and the BKMS® server by means of standardised cryptographic mechanisms.
Secure data transmission and data retention
The security-critical data transmission between whistleblowers or report examiners and the BKMS® System is protected by an HTTPS connection. The whistleblower and examiner areas are strictly separated on the server; the data processing of the systems operated for customers is separate. The strong encryption in the BKMS® Compliance System intensifies this separation, making wrongful amalgamation of the data impossible.
Logging and cookies
The BKMS® System does not log IP address data, time stamps or metadata relating to its use by whistleblowers.
During use of the BKMS® System, the server is not capable of uniquely identifying the client (the user’s computer). In order to be able to clearly identify the client during a session, the application transmits a session cookie to the user’s computer. This session cookie is only used for the current connection and only has an identification number for the session in progress. This cookie is deleted once the browser is closed. This session number bears no relation to the whistleblower or the data being submitted and is only necessary for technical reasons.
Contract data processing for our customers
Although we do not have access to the reports of our customers, including any file attachments, we are a processor in the sense defined by Art. 28 of the EU GDPR. We therefore fulfil all technical and organisational measures required of controllers and processors according to Art. 32 EU GDPR for secure processing. Our data protection and IT security team supports customers in meeting the data protection requirements arising from the contract-based processing.
With us, your data is safe