Trust is our foundation

ISO/IEC 27001 Certification 

PTV Group is certified to the internationally recognized ISO/IEC 27001:2022 standard, demonstrating our commitment to establishing, implementing, maintaining, and continually improving a robust Information Security Management System (ISMS). This certification assures our customers that we proactively manage information security risks and adhere to best practices for protecting sensitive data and business processes. 

ESG (Environmental, Social, and Governance) 

We integrate ESG principles into our corporate governance framework, ensuring that our security and privacy practices align with broader commitments to ethical business conduct, sustainability, and social responsibility. 

Third-Party Audit Reports 

PTV Group engages independent security experts to conduct regular penetration tests and security assessments. Summaries of these third-party audit findings are made available to customers to demonstrate our ongoing commitment to identifying and mitigating vulnerabilities in our products and infrastructure. (request access link) 

GDPR Compliance

PTV Group fully complies with the European Union’s General Data Protection Regulation (GDPR). We act as a responsible data processor and controller, ensuring personal data is handled lawfully, transparently, and securely. Our privacy practices include data minimization, user consent management, and robust technical and organizational safeguards.

Country of data processing

For customers located within the European Economic Area (EEA), our cloud services are hosted within the European Union. For customers based in the United States, hosting of all applications is provided within the USA. Further information can be found in our Data Privacy Statement (English, German).

Technical and Organisational Measurements

PTV Group implements comprehensive technical and organizational measures (TOMs) in accordance with Article 32 of the GDPR (English, German).

Privacy by Design and by Default

We integrate privacy considerations into every stage of product development and business processes. Default configurations prioritize data protection by minimizing data collection and providing users with clear, accessible privacy controls.

Data Processing Agreement

To support our customers in meeting their data protection obligations, the PTV Group offers a Data Processing Agreement (DPA) for all applicable products and services (English, German). This DPA forms an integral part of our standard contractual terms.

Code of Conduct

PTV Group maintains a strict Code of Conduct that governs ethical behavior and compliance with laws and regulations by all employees, contractors, and partners. This code supports a culture of integrity and accountability (Englisch, German).

Whistleblower Policy

PTV Group adheres to strict ethical standards, ensuring transparency, accountability, and compliance with all applicable laws. Legal breaches and mishandling of whistleblowing reports are not tolerated.

Business partners can report potential violations anonymously via the Speaking Up service at https://ptvgroup.share-a-hint.com, which enables anonymous reporting and communication.

Supplier and Third-Party Risk Management

We maintain a rigorous third-party risk management program to ensure that suppliers and partners meet our security, privacy, and compliance standards, minimizing risks throughout our supply chain.

Data Classification and Handling

We implement a comprehensive data classification framework to identify and manage information according to its sensitivity and business impact. All data is categorized (e.g., public, internal, confidential) and handled with appropriate controls to ensure its protection throughout its lifecycle.

Encryption in Transit (TLS 1.2/1.3, HTTPS)

Data transmitted between systems, users, and our services is secured using strong encryption protocols, including TLS 1.2/1.3 and HTTPS. This ensures the confidentiality and integrity of information as it moves across networks.

Secure Backup and Data Recovery

We maintain encrypted backups of critical data, stored in geographically diverse locations. Regular testing of backup and recovery procedures ensures data availability and integrity in the event of accidental loss or disaster.

Data Isolation

Data belonging to different customers or business units is logically separated within our systems. This isolation prevents unauthorized access and ensures that each customer’s data remains private and secure.

Encryption at Rest (AES-256, Disk Encryption)

All sensitive data is encrypted at rest using industry-standard algorithms such as AES-256. Disk-level encryption is enforced across our infrastructure, ensuring that stored information remains protected against unauthorized access.

Secure Key Storage and Rotation

Encryption keys are managed using dedicated key management systems, with strict access controls and regular rotation policies. Keys are stored securely, and their lifecycle is governed by best practices to minimize risk.

Data Retention and Deletion Policies 

Clear data retention policies define how long information is stored and when it is securely deleted. Automated processes ensure timely removal of data that is no longer required, in compliance with legal and contractual obligations.

Security Governance

Our security governance framework establishes clear roles, responsibilities, and oversight for information security. A dedicated team oversees policy development, risk management, and compliance activities, ensuring alignment with organizational objectives. 

Security Awareness Training for Employees

All employees receive mandatory security awareness training tailored to their roles. Training covers topics such as phishing, social engineering, and secure data handling, empowering staff to recognize and respond to security risks.

Security Policies and Procedures

A comprehensive set of security policies and procedures guides all aspects of our operations. These documents are regularly reviewed and updated to reflect evolving threats, regulatory requirements, and industry best practices.

Security Incident Management

We maintain a robust incident management process to detect, respond to, and recover from security events. Incidents are thoroughly investigated, and lessons learned are used to strengthen our defences and prevent recurrence.

Security Culture

We foster a strong security culture through ongoing education, leadership commitment, and employee engagement. Security is integrated into our daily operations, encouraging proactive risk management and responsible behavior at all levels.

Business Continuity Management

Our business continuity program ensures that critical operations can continue during and after disruptive events. Plans are regularly tested and updated, covering disaster recovery, crisis communication, and resource availability.

Security Risk Assessments

Regular risk assessments are conducted to identify and evaluate potential threats to our information assets. Findings drive the implementation of targeted controls and continuous improvement of our security posture.

Secure Software Development Lifecycle (SDLC) 

Security is embedded throughout our SDLC, from initial design to deployment and maintenance. We apply secure coding standards, conduct regular reviews, and integrate security testing into every development phase.

Code Review and Static Code Analysis

All code undergoes rigorous review and static analysis to identify vulnerabilities and ensure adherence to security standards. Automated tools and peer reviews help maintain code quality and reduce risk.

Penetration Testing

Regular penetration tests are conducted by independent experts to identify and address vulnerabilities in our applications and infrastructure. Findings are prioritized and remediated promptly to maintain a strong security posture.

Patch and Vulnerability Management

Critical systems are regularly updated with security patches to address emerging threats. Our patch management process ensures that vulnerabilities are promptly identified and resolved, minimizing exposure to potential attacks.

SAFe Methodology for Software Development

We leverage the Scaled Agile Framework (SAFe) to align development teams and processes with security objectives. This approach ensures that security requirements are addressed early and consistently across all projects.

Threat Modeling

Threat modeling is performed during the design phase to anticipate potential attack vectors and implement effective countermeasures. This proactive approach helps us build resilient systems from the ground up.

Vulnerability Management and Remediation

We operate a continuous vulnerability management program, leveraging automated scanning and manual assessments. Identified issues are tracked, prioritized, and remediated according to risk, ensuring timely mitigation.

High Availability and Redundancy

Our infrastructure is architected for high availability, leveraging redundant systems and failover mechanisms to minimize downtime. Continuous monitoring and automated recovery processes ensure that our services remain accessible and reliable, even during unexpected events.

System Hardening and Baseline Configuration

We apply rigorous system hardening measures to all infrastructure components, removing unnecessary services and applying secure configuration baselines. Regular reviews and automated compliance checks ensure that systems remain resilient against emerging threats and adhere to industry best practices.

Endpoint Protection and Antivirus

All endpoints are protected by advanced security solutions, including antivirus, anti-malware, and endpoint detection and response (EDR) tools. Regular updates and real-time monitoring help prevent, detect, and respond to threats targeting user devices and servers.

Backup and Disaster Recovery Planning

Robust backup strategies are in place to safeguard critical data, with encrypted backups stored in geographically diverse locations. Our disaster recovery plans are regularly tested to ensure rapid restoration of services and data integrity in the event of system failures or disasters.

Security Policies and Procedures

A comprehensive suite of security policies and procedures governs all aspects of our operations. These documents are regularly reviewed and updated to reflect changes in the threat landscape, regulatory requirements, and organizational priorities.

Incident Response Policy

A formal Incident Response Policy defines the procedures for detecting, reporting, and responding to security incidents. The policy ensures a coordinated and effective response to minimize impact and support continuous improvement.

Least Privilege Principle

Access to systems and data is granted strictly on a need-to-know basis. The least privilege principle is enforced across all roles and environments, minimizing the potential impact of compromised accounts or insider threats.

Acceptable Use Policy

Our Acceptable Use Policy outlines the appropriate and prohibited uses of company resources, ensuring that all users understand their responsibilities and the consequences of policy violations.

Whistleblower Policy

We foster a culture of transparency and accountability through our Whistleblower Policy, which provides secure and confidential channels for reporting unethical or illegal activities without fear of retaliation.(some link?) 

Password Policies and Management

We enforce strong password policies, including complexity requirements, regular rotation, and secure storage. Password management tools and multi-factor authentication are used to further strengthen account security and reduce the risk of unauthorized access.

Identity Lifecycle Management 

We maintain strict controls over the entire identity lifecycle, from onboarding to offboarding. Automated processes ensure timely provisioning and deprovisioning of access, reducing the risk of orphaned accounts and unauthorized access. 

Segregation of Duties

Critical functions are separated among different individuals or teams to prevent conflicts of interest and reduce the risk of fraud or error. Segregation of duties is enforced through technical controls and regular audits.

Periodic Access Reviews

Regular access reviews are conducted to validate that permissions remain appropriate for each user’s role. Any unnecessary or excessive privileges are promptly revoked, ensuring continuous alignment with security and compliance requirements.