Hosting your contact lists on an emailing platform means entrusting personal data to a third party. We know this, and it’s a responsibility we’ve carried since 2002. Dedicated servers in France, end-to-end encryption, quarterly pentests, certified external DPO, Alliance Digitale label. At Ediware, security isn’t a sales pitch that you put on a page and then forget about. It’s an infrastructure, documented procedures and a team that applies them on a daily basis.
The question that always comes up during the qualification phase is: “Where is my data stored?” Short answer: in France, on physical servers reserved exclusively for us, in an ISO 27001-certified datacenter.
Our production infrastructure is hosted by Celeste, in the Equinix datacenter in Saint-Denis. Celeste is ISO 27001 certified. Biometric access control, 24-hour surveillance, electrical and climatic redundancy. We only use dedicated servers. In other words, your data is not stored on the same machines as that of other companies. This is a point that many B-to-B customers check first, and rightly so.
The contact data hosted on the platform remains in France. Production, backups, long-term archiving: everything is localized in France. No transfers to third countries. In practice, this also simplifies your obligations as a data controller vis-à-vis the RGPD.
A password and an SSL certificate are not enough to secure a platform that processes contact databases. Ediware’s architecture is based on the principle of defense in depth. Each layer protects the next, and it takes several layers to reach the databases.
Database servers are not exposed directly to the Internet. They are isolated in a private network, a VLAN, accessible only via an encrypted VPN. Between the Internet and your data, there is a firewall, a WAF, an NGINX reverse proxy, and then the application servers. An attacker who managed to penetrate one layer would find himself facing the next. This is the very principle of defense in depth.
At rest, data is encrypted on the disks using AES-256. In transit, communications use TLS 1.3. External backups are also encrypted. For file exchanges containing personal data, only FTPS and SFTP protocols are authorized. Everything between your browser and the platform is end-to-end encrypted.
Saying that the platform is secure is not enough; it has to be verified regularly. Automated white-box and authenticated gray-box pentests are performed every three months. A manual penetration test is carried out every year by a PASSI-certified service provider. Critical vulnerabilities are corrected within 48 hours, high-severity vulnerabilities within 7 days. The results are reviewed by a quarterly security committee to make any necessary adjustments.
Risk doesn’t always come from the outside. Controlling internal access is just as important as protecting against attacks. Ediware applies the principle of least privilege at all levels of the organization.
Our developers work on fictitious data sets and have no access to production data. Technical support only accesses pseudonymized data. Campaign managers see only the information strictly necessary for their work. Administrator access is limited to four identified employees, with mandatory two-factor authentication.
Access to the information system is via an encrypted VPN. Servers are accessible only by private SSH key via a bastion. Each employee has a unique identifier. Passwords are at least 12 characters long, stored in a dedicated password manager, and rotated every 90 days for privileged accounts. An annual review of rights covers the entire perimeter.
What’s more, access is also secure on the customer side. SSL is mandatory, two-factor authentication is available, and all actions are logged. You can check who did what and when on your account.
A server that fails, a datacenter that suffers a disaster. These are scenarios we’ve anticipated, not theoretical hypotheses. Our backup strategy goes beyond the classic 3-2-1 rule.
Databases are replicated in real time on secondary servers. If the main server goes down, the system switches over immediately. At the same time, daily backups are performed by the hosting provider and outsourced, encrypted, to two remote sites in France. Long-term archiving completes the system.
BCP and DRP are tested every year. Not just written, tested. In the event of a server failure, service resumes in less than an hour thanks to replication. In the event of a complete loss of the main datacenter, the backup infrastructure can be activated in less than 12 hours. These times are measured during annual exercises, not estimated on paper.
The availability rate of the emailing platform is monitored on a monthly basis. The objective: to remain above 99.9%, which represents less than 8 hours 48 minutes of downtime per year. Celeste’s infrastructure is constantly monitored by their facilities management team.
Many publishers display “RGPD compliant” on their site without anything behind it. At Ediware, compliance is based on comprehensive documentation, a certified external DPO and a professional label issued by Alliance Digitale. Verifiable elements, not declarations.
The position of Data Protection Officer is entrusted to a specialized outsourcing firm. The DPO is CIPM certified by the IAPP, with over ten years’ experience in personal data protection. She intervenes every quarter to train the Ediware team on a specific aspect of the RGPD. The latest session focused on the IT charter.
A data protection impact assessment (PIA) has been carried out by a specialized firm. The data processing register is kept up to date. A DPA governs the relationship between Ediware and each of its customers. Retention periods, processing purposes, security measures: everything is specified in documents available on request.
Ediware has been awarded the Privacy Protection Pact label by Alliance Digitale since 2019. This label verifies the effective compliance of practices: data protection policy, people’s rights, traceability of consent, cookie management, information systems security. Renewal involves updating responses and periodic verification.
Zero risk does not exist. No platform can claim otherwise. What counts is the speed with which a problem is detected, transparency with the customers concerned and the ability to contain the damage quickly.
Incidents are classified into four levels of criticality. A critical incident, such as a server compromise or data leak, triggers an immediate response. System isolation, suspension of suspicious accesses, mobilization of the CTO, DPO and facilities management team. Affected customers are informed within the hour. If the breach concerns personal data, the CNIL is notified within 72 hours.
The team follows CERT-FR and ANSSI security bulletins for each component of our technical stack. Critical patches are applied within 72 hours. In the event of a zero-day vulnerability, a documented emergency procedure makes it possible to assess exposure within two hours and implement mitigation within four. It’s best to have the procedure in place before the problem occurs.
In France, in a datacenter in France, on dedicated servers hosted by Celeste, which is ISO 27001 certified. Backups are also located in France, on separate sites. No data is transferred outside the European Union.
Our hosting provider Celeste is ISO 27001 certified. Ediware does not hold this certification itself, but has a documented Information Systems Security Policy and Security Assurance Plan, with quarterly pentests and an annual intrusion test by a PASSI-certified service provider.
Access is restricted according to the principle of least privilege. Four identified administrators have full access with exhaustive traceability. Technical support only sees pseudonymized data. Developers have no access to production data; they work on data sets created from scratch.
The procedure includes immediate isolation of the compromised system, suspension of access, correction of the flaw and password reset. Customers are notified within an hour. If personal data is involved, the CNIL is notified within 72 hours, in compliance with the RGPD.
Yes, the position is entrusted to a specialized outsourcing firm, CIPM certified by the IAPP, with over ten years’ experience. The DPO reports to General Management and trains the team on a quarterly basis. Her appointment is registered with the CNIL.
Real-time database replication, daily backups outsourced to two separate sites in France, AES-256 encrypted. Restoration is tested monthly on a pre-production environment. In the event of server failure, service resumes in less than an hour.
Yes, Ediware has been awarded the label since 2019. The label is issued by Alliance Digitale and covers data protection, people’s rights, traceability of consent and system security. Its renewal involves an update of responses and periodic verification by the organization.
Yes, our contracts provide for the possibility of audits or controls. Recent pentest reports are available on request under a confidentiality agreement. The PSSI (Information Systems Security Policy), DPA and PAS (Security Assurance Plan) are available to customers and prospective customers who wish to assess our level of security before committing themselves.
At rest on disks with AES-256, in transit between your browser and the platform with TLS 1.3, and in external backups with AES-256. Files containing personal data are exchanged exclusively via FTPS or SFTP.