Security at amber
amber protects customer data with a documented security program covering technical and organizational measures — from certified governance and secure cloud infrastructure to access control and data deletion on request.
Certified, audited, and EU-regulated
Independent certifications and EU regulations that govern how amber handles your data and AI.
ISO 27001 certified
amber operates a documented ISMS that is audited according to the ISO 27001 standard. Furthermore, amber is developed in accordance with the SOC-2 standard. TOMs are documented in our DPA documents.
EU data protection compliant
Privacy by Design & Default (GDPR Art. 25), deletion on request, and breach reporting under GDPR Art. 33/34, with our DPO involved in relevant cases.
Trustworthy AI by design
amber is designed to meet the obligations of the EU AI Act, including transparency, accountability, and human oversight across the product.
European software supply chain
Built by a European team with subprocessors contractually bound to equivalent EU data protection obligations.
How we protect your data
A defense-in-depth approach combining certified standards, strict access controls, isolated infrastructure, continuous patching, full audit logging, and privacy-by-design principles.
Certified information security
- ISO 27001 certified
- Continuously maintained ISMS
- TOMs documented in AVV/DPA materials
Access control & authentication
- Role-based permissions, least privilege
- 2FA and strong password policies
- SAML 2.0 & LDAP/AD for enterprise
- Access rights revoked on departure
Infrastructure & network
- Hosted on T Cloud
- Per-customer virtual network isolation
- Production firewalls
- Encrypted remote access via VPN
Vulnerability & patch management
- Dependency review and control
- Regular container vulnerability scans
- Prioritized patches & hotfixes
- Antivirus and malware protection
Logging & accountability
- Data accesses and changes are logged
- Actions traceable to user accounts
- Documented permission concept
Privacy by design
- Privacy by Design & Default (GDPR Art. 25)
- Need-to-know access for all staff
- Employee privacy training
Built to protect. Designed to recover.
Robust safeguards and proven processes to protect your data and ensure business continuity.
Deletion on request
Sensitive data can be deleted on request and fully removed from all amber servers. Deletion metadata is logged.
Backup & disaster recovery
Full backups are created by default for disaster recovery, using documented DR capabilities of the hosting environment.
Incident handling
Incidents are handled through a structured, severity-based process. Breach reporting follows GDPR Art. 33/34. The DPO is involved in relevant cases.
Third parties & subprocessors
Third-party components are reviewed before use. Subprocessors are contractually bound to equivalent data protection obligations.
Your data. Our responsibility.
We combine strong technical measures with clear processes to keep your data secure and your business resilient.