We are a German-based startup and committed to providing secure, reliable, and innovative SaaS solutions for our customers. As a company dedicated to protecting customer data and maintaining robust cybersecurity, we understand the importance of transparency in communicating our security practices. While we are a young company, we’ve developed stringent security measures designed to meet industry best practices and provide peace of mind to our clients.  

1 Purpose of this Overview:
This Information Security Overview aims to provide customers with a detailed view of our security practices and our commitment to data protection. Although we are not formally certified as a company, we work with industry-leading third-party providers, who maintain ISO 27001 certification for secure data hosting. Our approach includes robust access controls, continuous monitoring, data encryption, and a strong focus on incident response and data integrity.
‍
We recognize the significance of ongoing improvements and regularly assess and adapt our security protocols to align with the latest standards and customer needs. This document is intended to outline our security practices, covering topics such as access management, network security, data retention, and incident response protocols.  

1.1 Scope of Security Measures  
Our cybersecurity practices extend across all environments involved in our service provision (e.g. production environment, pre-production environment and development environment) .  As a company, we focus on building resilient systems and processes to ensure the safety, integrity, and availability of customer data across all operational layers.  

1.2 Commitment to Transparency and Compliance  
We prioritize transparent communication regarding our security and data protection policies. Our infrastructure, hosted with certified providers in the EU, operates under strict security policies that are informed by industry standards.  

1.3 Contents
This document will cover the following sections in detail:  
a. Governance and Compliance Practices
b. Data Protection Policies, including Access Control and Encryption
c. Network and System Security Measures
d. Application Security and Development Practices
e. Incident Management and Response
f.  Physical and Environmental Security
g. Employee Security and Training Programs
h. Data Retention and Disposal Policies  

This overview provides insight into our proactive measures for safeguarding customer data, establishing a secure SaaS environment, and ensuring compliance with applicable data protection laws, including the GDPR.

2 Governance and Compliance  

2.1 Commitment to Security Standards  
3D Spark is dedicated to upholding high standards of data protection and security. We align our security practices with industry-recognized frameworks to safeguard customer data effectively. By following these standards, we ensure that our security practices are rigorous, comprehensive, and adaptable to evolving industry needs.  

2.2 Certified Infrastructure and GDPR Compliance  
Our infrastructure is hosted on dedicated servers managed by Hetzner Online GmbH, an ISO 27001-certified provider. This provides strong security and data management practices in place at the physical and environmental level. By using secure data centers based in the EU, we adhere to GDPR requirements, giving our customers assurance that their data is handled in compliance with European data protection laws.  

2.3 Data Protection Principles  
3D Spark incorporates GDPR’s core principles in our data processing and security practices:  
a. Transparency and Lawfulness: We process personal data transparently, with clear purposes and consent where required.
b. Data Minimization: We collect and retain only the data needed to fulfill specific purposes, ensuring efficient and secure data handling.  c. Integrity and Confidentiality: Our encryption protocols, access controls, and monitoring practices protect personal data against unauthorized access and potential data loss.
d. Accountability: We continuously document and review our data handling practices to ensure they meet the latest standards and regulations.  

2.4 Privacy by Design
Our SaaS platform is designed with privacy at its core. We integrate data protection into the architecture and functionality of our services, implementing access controls, encryption, and privacy-focused features from the beginning of development. This ensures that our customers’ data is protected by default and that any enhancements to the platform are evaluated for privacy and security.  

2.5 Policy Updates and Regulatory Monitoring  
To keep pace with regulatory developments and industry best practices, we actively monitor changes in data protection laws and adapt our policies as needed. Significant updates to our security and compliance practices are shared with customers proactively.  

2.6 Internal Governance and Oversight  
a. Security Policies and Procedures: We maintain detailed internal policies on data handling, access control, incident response, and employee training, which are reviewed regularly to align with the latest standards.
b. Employee Security Awareness: All employees receive regular training on security best practices and data protection, fostering a strong internal culture of security and compliance.  

Commitment to Continuous Improvement As we grow, we remain committed to enhancing our security framework and exploring further compliance opportunities. Our approach combines best practices, continuous adaptation, and the use of secure, certified infrastructure to provide customers with a reliable and secure SaaS experience.

3 Data Protection Policies  
At 3D Spark, protecting our customers' data is central to our mission. Our data protection policies focus on ensuring the confidentiality, integrity, and availability of data through secure access controls, encryption, data retention, and deletion practices.  

3.1 Access Control
We implement strict access controls to ensure that only authorized personnel and users can access sensitive data:  
a. Role-Based Access: Both internal and customer-facing access is managed through role-based access controls that ensure users have only the permissions necessary for their roles.
b. Secure Authentication: Administrative and (optionally) customer access is protected by multi-factor authentication (MFA) and single sign-on (SSO) protocols, enhancing security for all access points.
c. Regular Audits: Access permissions are reviewed regularly to maintain the principle of least privilege and to promptly remove access when no longer required.  

3.2 Customer Data Access and Privacy
Our platform ensures that customers can access only their own data, with robust authorization checks on every interaction to prevent unauthorized access across accounts.
a. Privacy by Design: We incorporate privacy-focused access controls at every level of the platform. Customer data is managed with strict access controls to ensure organizational boundaries are respected.
b. Optional Multi-Factor Authentication (MFA): Customers have the option to enable MFA for additional security when accessing their accounts.  

3.3 Data Encryption
We protect data both in transit and at rest using industry-standard encryption methods:
a. Data in Transit: All data transmitted to and from our SaaS platform is encrypted using secure protocols, ensuring that data remains protected throughout its journey.
b. Data at Rest: Sensitive customer data is encrypted as soon as it leaves our production server and is backed up to add an additional layer of protection for stored information.  

3.4 Data Retention
We manage data retention to align with operational, legal, and regulatory needs:
a. Backups: Regular encrypted backups are maintained to support service continuity and data recovery in the event of an incident.
b. Log and Monitoring Data: Logs of user- and system-activity, server-state and -performance are retained as necessary to support troubleshooting, auditing, security- and system-health-monitoring.
c. Data Minimization and Retention Policy: We retain customer data only as long as required to provide services or meet legal requirements, after which it is securely deleted.  

3.5 Data Deletion and Disposal
When data is no longer required, we follow strict protocols for secure deletion:
a. End of Contract Data Deletion: Customer data is retained for a short period after contract termination to facilitate secure data retrieval if needed. After this period, data is securely deleted from our systems.
b. Hardware Disposal: Hardware containing customer data is securely erased and disposed of following industry best practices, ensuring that no residual data remains.

4 Network and System Security  
At 3D Spark, we take network and system security seriously to protect our customers’ data and ensure the reliability of our services. We employ a range of security measures across our hosting infrastructure, system monitoring, and network configuration to maintain a secure and resilient environment.  

4.1 Secure Hosting Environment
Our SaaS platform is hosted on dedicated servers provided by Hetzner Online GmbH, a trusted data center provider with ISO 27001 certification. This partnership ensures that our physical hosting environment meets rigorous standards for information security, data protection, and reliability. All data is hosted within the EU, ensuring compliance with GDPR and related data protection regulations.

4.2 Network Security
Our network security practices are designed to prevent unauthorized access, protect data in transit, and ensure continuity of service.
a. Firewalls and Access Controls: We use robust firewall configurations to control network access, restricting traffic to only necessary ports and services. Non-essential ports are closed, and access is tightly controlled to minimize the risk of unauthorized entry. For administrative access we use separate non-public networks.
b. Encrypted Connections: All data transmissions are secured using HTTPS with up-to-date TLS protocols, ensuring that data exchanged between users and our platform remains confidential and protected against interception.  

4.3 System Monitoring and Threat Detection
To ensure continuous security and system integrity, we implement comprehensive monitoring and threat detection across all environments.
a. Continuous Monitoring: We monitor our servers and critical infrastructure for signs of potential threats or unusual activity. Our monitoring system provides real-time alerts, enabling rapid response to security incidents.
b. Vulnerability Scanning and Patch Management: We regularly perform vulnerability scans, assess the impact and apply security patches promptly to address any potential risks. This proactive approach ensures that our systems are protected against known vulnerabilities and remain resilient.
c. Automated Incident Response: We use automated response scripts for certain threat scenarios, such as brute-force attacks, to reduce response time and enhance protection. Our system alerts our security team to potential issues, allowing us to take corrective actions quickly.  

4.4 Employee Device Security
3D Spark is committed to maintaining secure practices for employee devices, especially those used in development and administration.
 a. Device Encryption and Security Controls: All employee laptops are fully encrypted to prevent unauthorized access to sensitive data. We employ advanced security software to monitor device health and ensure compliance with internal security policies.
b. Strict Access Management: Employees use strong, unique passwords stored securely in a company-provided password manager, with multi-factor authentication (MFA) required for all administrative and sensitive access. Access is restricted on a need-to-know basis, and permissions are promptly revoked upon termination.  

4.5 Segregation of Environments
To protect data integrity and reduce risk, we segregate our production, pre-production, and development environments.
a. Environment Isolation: Production, pre-production, and development environments are hosted on separate systems, with unique access controls and restricted data sharing. Production data is never used in development or testing environments, ensuring that customer data remains secure.
b. Access Control Consistency: Each environment has tailored access controls aligned with its operational requirements. Our production environment maintains the highest level of security, with access strictly limited to essential personnel.

5 Application Security  
3D Spark follows rigorous application security practices to ensure that our SaaS platform is resilient, reliable, and built to protect customer data by embedding security into every stage of the development.  

5.1 Secure Development Lifecycle
We follow a secure development lifecycle that integrates security measures throughout the development, testing, and deployment stages. Our approach is grounded in secure coding principles and designed to ensure application integrity.
a. Code Reviews and Peer Verification: All new code undergoes peer review to identify potential security vulnerabilities and to ensure adherence to secure coding standards. This review process helps prevent errors and strengthens code reliability.
b. Automated Testing: We implement automated unit and integration testing for all code changes. We verify that code changes meet quality and security standards before they are merged into the production environment.  

5.2 Vulnerability Testing and Assessment
To safeguard our applications from evolving threats, we conduct regular vulnerability assessments and utilize tools for security testing.
a. Automated Vulnerability Scanning: We use industry-standard tools to scan our application for known vulnerabilities, allowing us to identify and address risks proactively. These scans are part of our regular maintenance and update cycle.
b. Penetration Testing: Periodic penetration testing is conducted to evaluate the security of our application and infrastructure, helping us detect and mitigate potential vulnerabilities.
c. OWASP Compliance: Our development practices are aligned with the Open Web Application Security Project (OWASP) guidelines, which are widely recognized as a standard for secure application development. This includes addressing the OWASP Top 10 vulnerabilities to reduce the risk of common threats.  

5.3 Access Control and Authentication
Access to our application and its resources is carefully managed to prevent unauthorized access.
a. Role-Based Access Control (RBAC): We employ role-based access control, where permissions are granted based on the user’s role and responsibilities. This ensures that users have access only to the resources they need to perform their functions.
b. Multi-Factor Authentication (MFA): We support multi-factor authentication (MFA) to add an extra layer of security for administrative and customer accounts. MFA is optional for customers but strongly encouraged for enhancing account protection.
c. Strong Password-Policy: We enforce strong passwords throughout our application and services.  

5.4 API Security
Our platform relies on secure, authenticated API endpoints to facilitate interactions with our services.
a. Token-Based Authentication: All API interactions are protected using OAuth 2.0 and OpenID Connect (OIDC), with secure bearer tokens for authorization. This ensures that only authenticated users and applications can interact with our APIs.
b. Rate Limiting and Monitoring: To prevent misuse, our APIs are protected by rate limiting and continuous monitoring. We track API usage patterns to detect and respond to potential security incidents quickly.  

5.5 Continuous Improvement and Security Updates
To maintain the highest standards of security, 3D Spark regularly updates and improves its application in response to new threats and customer needs.
a. Frequent Updates and Patching: Our applications are frequently updated to address security vulnerabilities and implement new features. We follow a two-week deployment cycle, ensuring that updates and patches are applied regularly.
b. Secure Release Management: All updates undergo thorough testing in our pre-production environment before deployment to ensure stability and security. This minimizes the risk of introducing vulnerabilities to the production environment.  
By integrating security best practices throughout our application lifecycle, 3D Spark delivers a platform that customers can rely on for secure and protected data handling.

6 Incident Management  
3D Spark has a dedicated incident management process to quickly detect, investigate, and respond to potential security incidents. We prioritize rapid response and transparent communication to protect customer data and minimize service disruptions in the event of an incident.  

6.1 Incident Detection and Monitoring
We continuously monitor our systems for any indicators of compromise or unusual activity that could signify a security incident. Our monitoring systems are configured to detect and alert our security team to suspicious behaviour, enabling swift investigation.
a. Continuous System Monitoring: Our servers and applications are monitored 24/7 using automated tools to detect anomalies, such as unauthorized access attempts or unusual data patterns.
b. Threat Detection and Alerts: We use an advanced alerting system to notify our security team of high-risk events. Alerts are prioritized by severity, allowing us to respond promptly to critical incidents.  

6.2 Incident Response Process
In the event of a confirmed security incident, our incident response process is designed to contain the threat, mitigate risks, and restore normal operations as quickly as possible.
a. Immediate Containment: Upon identifying an incident, our team works to isolate affected systems and prevent further spread. This may involve disabling user access, applying firewall rules, or temporarily taking services offline if necessary.
b. Investigation and Root Cause Analysis: Our security team performs an in-depth analysis to determine the nature and scope of the incident. This includes identifying affected systems, compromised data, and the origin of the breach.
c. Corrective Actions: Based on the findings, we take corrective actions to mitigate vulnerabilities and prevent similar incidents from occurring in the future. This may involve patching software, updating configurations, or reinforcing access controls.  

6.3 Incident Notification and Communication
We are committed to maintaining transparent communication with our customers in the event of a security incident affecting their data.
a. Customer Notification: If an incident involves customer data, we will notify affected customers promptly, typically within 72 hours of confirming the incident, in accordance with GDPR requirements. Depending on the criticality of the incident this will happen within the hour of discovery. Our notifications include details about the nature of the incident, affected data, and steps taken to mitigate the impact.
b. Status Updates: For significant incidents, we provide regular status updates to affected customers until the issue is fully resolved. This ensures that our customers are informed of progress and any actions they may need to take.
c. Internal Communication: We maintain a structured communication plan internally to ensure all relevant team members are informed of ongoing incidents, and response actions are coordinated effectively.

6.4 Post-Incident Review and Documentation
After resolving an incident, we conduct a thorough review to assess our response, learn from the event, and enhance our security practices.
a. Post-Incident Analysis: Our team analyzes the incident’s root causes, response actions, and overall effectiveness. This review helps us identify any gaps in our processes and implement improvements.
b. Incident Documentation: We document all incidents, response steps, and corrective actions in an internal report. These reports are retained for future reference and to support continuous improvement.
c. Process Improvements: Insights gained from post-incident reviews are used to refine our incident response procedures, update policies, and strengthen our security controls.

6.5 Proactive Measures for Incident Prevention
Our incident management strategy includes proactive measures designed to prevent incidents before they occur.
a. Regular Security Audits: We conduct routine audits of our systems and applications to identify and address potential security vulnerabilities.
b. Employee Training and Awareness: Our employees receive regular training on security best practices and incident response protocols to ensure preparedness in the event of an incident.
c. Automated Threat Prevention: We leverage automated security tools to detect and respond to common threats before they can escalate into significant incidents.  

7 Physical and Environmental Security  
Our primary hosting infrastructure is located in data centers managed by Hetzner Online GmbH, a reputable provider known for its robust security practices. Hetzner's data centers are designed to meet high standards of physical security and have achieved ISO 27001 certification, demonstrating compliance with internationally recognized information security management standards.  

7.1 Secure Data Center Facilities

7.1.1 Key features of our hosting partner’s data center facilities include:
a. Access Control Systems: Strict access controls are enforced at all entry points. Access to the facilities is limited to authorized personnel only, verified through multi-factor authentication methods such as key cards, biometric scanners, and security tokens.
b. 24/7 On-Site Security: The data centers are monitored around the clock by trained security personnel who oversee all security systems and respond promptly to any incidents.
c. Surveillance and Monitoring: Comprehensive surveillance systems, including CCTV cameras and motion detectors, are deployed throughout the facilities to monitor and record all activities.
d. Environmental Controls: The data centers are equipped with advanced environmental controls to maintain optimal conditions for hardware operation, including climate control systems for temperature and humidity regulation.

7.1.2 Protection Against Environmental Risks
To ensure the resilience and availability of our services, the data center facilities incorporate measures to protect against various environmental risks:
a. Fire Detection and Suppression: Early warning fire detection systems are in place, along with automated fire suppression systems that use inert gas or other safe extinguishing agents to protect equipment without harming personnel or data.
b. Redundant Power Systems: Uninterruptible power supplies (UPS) and backup generators ensure continuous power availability, protecting against outages and electrical disturbances.

7.1.3 Hardware Security and Maintenance
Physical security extends to the hardware that supports our services. Measures are in place to protect equipment from tampering, theft, or failure:
a. Secured Hardware Installations: Servers and networking equipment are housed in locked racks or cages, accessible only to authorized personnel with a legitimate business need.
b. Regular Maintenance and Inspection: Routine maintenance schedules are followed to ensure hardware operates efficiently and to identify potential issues before they lead to failures.
c. Asset Management: An inventory of all hardware assets is maintained, with tracking procedures to monitor the location and status of equipment throughout its lifecycle.

7.1.4 Data Disposal and Media Handling
Proper disposal of data-bearing devices is critical to preventing unauthorized access to sensitive information:
a. Secure Data Erasure: Before any storage media is decommissioned or repurposed, data is securely erased using methods that prevent data recovery, in accordance with industry best practices.
b. Certified Destruction: When hardware reaches the end of its useful life, it is destroyed securely by our data center provider, following strict protocols that include shredding or degaussing, and providing certificates of destruction as proof of compliance.
c. Controlled Media Handling: Movement of storage media within the facilities is strictly controlled, with documented procedures to prevent unauthorized access or loss.  

7.1.5 Employee and Visitor Access Management
While 3D Spark personnel do not typically require physical access to the data center facilities, strict protocols govern any potential access:
a. Access Authorization: Any physical access requests by our employees are subject to rigorous approval processes, ensuring that only essential visits are permitted.
b. Visitor Management: All visitors to the data centers, including contractors or auditors, must follow established security procedures, including identity verification, escorting by authorized personnel, and adherence to facility policies.  

7.1.6 Compliance and Oversight
We rely on the certifications and compliance efforts of our data center provider to ensure that physical and environmental security measures meet industry standards:
a. Regular Audits and Assessments: Hetzner conducts regular audits to verify compliance with ISO 27001 and other relevant standards, ensuring that security controls remain effective and up-to-date.
b. Reporting and Transparency: We maintain open communication with our data center provider to stay informed about any changes to physical security measures or incidents that could affect our infrastructure.
‍
8 Employee Security and Training Programs  
At 3D Spark, we recognize that employees play a vital role in maintaining the security and integrity of our services. We are committed to fostering a security-conscious culture by implementing strict access controls, continuous training, and secure work practices. This approach helps ensure that all employees understand their responsibilities in protecting customer data and upholding our security standards.  

8.1 Security Awareness and Training
All employees undergo comprehensive security training to ensure they are well-versed in best practices for handling sensitive data and responding to potential threats. Our training programs are designed to equip employees with the knowledge and skills they need to contribute to a secure work environment.
a. Onboarding Security Training: New employees receive training on security policies, data protection practices, and compliance requirements as part of their onboarding process. This foundational training covers essential topics, including secure data handling, access controls, and incident response.
b. Ongoing Security Education: We conduct regular security training sessions to keep employees up-to-date with the latest security best practices and emerging threats. Topics include phishing awareness, secure software development, and data protection principles aligned with GDPR.  

8.2 Access Management and Least Privilege
We enforce strict access controls across all systems and applications to limit exposure of customer data and sensitive information. Our access management policy is based on the principle of least privilege, ensuring that employees only have access to the information necessary to perform their roles.

8.3 Device Security and Endpoint Protection
Employee devices are secured to prevent unauthorized access to company resources and customer data. We have implemented endpoint protection measures to secure workstations, laptops, and mobile devices used for company operations.
a. Full Disk Encryption: All employee laptops and workstations are fully encrypted to protect data in the event of loss or theft. Encryption ensures that data stored on devices remains inaccessible without proper authentication.
b. Endpoint Protection Software: We deploy advanced endpoint protection software on all company devices, which includes antivirus, anti-malware, and intrusion prevention systems. This software is configured to provide real-time protection and automated threat detection.
c. Secure Password Management: Employees are encouraged to use complex, unique passwords and are provided with a password manager to securely store and manage their credentials. For roles that require access to critical systems, employees use a secure password and key manager to safeguard access credentials.  

8.4 Secure Remote Work Practices
3D Spark supports flexible and remote work arrangements, and we have established secure practices to protect data and maintain a secure network environment when employees work off-site.
a. VPN Access: Employees connect to company resources via a secure, self-hosted VPN when working remotely, ensuring that all communications remain encrypted and secure.
b. Secure Wi-Fi Usage: Employees are instructed to avoid using public Wi-Fi for work-related tasks. If public networks must be used, employees are required to connect through the company VPN to prevent unauthorized access.
c. Regular Security Reminders: Employees receive periodic reminders on best practices for secure remote work, including instructions on updating software, avoiding phishing attacks, and securely storing work devices.  

8.5 Offboarding and Access Revocation
Our offboarding process includes secure and prompt revocation of access for employees leaving the company to protect customer data and prevent unauthorized access.
a. Immediate Access Revocation: When an employee departs, we immediately revoke all access to company systems, data, and resources to prevent potential misuse.
b. Asset Return and Data Deletion: Departing employees are required to return any company-owned devices. Devices are then securely wiped and reset to remove any sensitive information before they are redeployed or decommissioned.
c. Audit and Review: Following each offboarding process, we conduct an audit to verify that all access has been removed and that no data remains on devices or in company systems.  

8.6 Continuous Improvement and Accountability
3D Spark is committed to continuous improvement of our employee security practices to adapt to changing security threats and industry standards.
a. Policy Updates: We regularly review and update our security policies to reflect new risks, technologies, and regulatory requirements. All employees are notified of significant updates and provided with training when necessary.

9 Data Retention Policy  
Our data retention policy outlines how long various types of data are retained, ensuring that customer data is only kept as long as needed for operational, legal, or compliance purposes.
a. Customer Data: Customer data is retained for the duration of the service contract. Upon termination, data is retained for a period of up to 30 days, allowing customers to retrieve their information. After this period, all customer data is securely deleted, unless an extension is requested and agreed upon.
b. Backup Data: Incremental backups of production data are created daily to ensure data availability and support disaster recovery efforts. These backups are retained for up to 45 days, after which they are automatically purged.
c. Log Data: User activity logs, which track meaningful interactions within our platform, are retained for one year for auditing and troubleshooting purposes. Authentication logs, stored in our identity management system, are retained for 90 days to support security monitoring.
d. System Monitoring Data: Server and infrastructure monitoring data, collected to assess performance and detect anomalies, is retained for up to one year. This data supports system health analysis and capacity planning.