
How to find a collaboration tool without security risks


GDPR, hacking attacks, third country transfer ... Do these terms make your head spin, so that you would therefore rather stay away from collaboration tools in the cloud? Security and data protection are extremely important issues, especially in industries that work with sensitive data. However, they should not be the reason to stick to outdated (analogue) processes and working methods. It is crucial to rule out potential security risks from the tool right from the selection stage. How can you do this? Our checklist will help you find the most secure cloud-based collaboration tool.

What do I need to protect my data from?

Data can be of interest to third parties for various reasons. First and foremost, personal and company-related data must be protected from cyber criminals. This is essential, especially in sectors with sensitive data such as public authorities, banks or law firms. Cyberattacks must not have any chance of success due to security gaps such as weak passwords.

But it's not just cyber criminals who want your data. Your user behaviour is also of interest to Google & Co. Data is collected via tracking and retargeting, evaluated and used for personalised advertising purposes, for example. Therefore, look out for providers that do not use external tracking tools such as Google Analytics.

Collaboration tools whose providers are based in the USA represent a special case. Here, US authorities can oblige providers to hand over personal and company-related data. This is made possible by the so-called Cloud Act (Clarifying Lawful Overseas Use of Data Act). It allows the authorities to access all company and customer data from cloud and communications providers if the company is based in the USA or is subject to US law. This also applies to subsidiaries of US providers based in Germany, for example. The obligation to disclose data therefore also applies to data stored outside the USA. The law is thus in stark contrast to the European legal interpretation, regulated in the General Data Protection Regulation (GDPR).

Checklist for selecting a secure collaboration tool

To prevent this from happening to you, pay attention to the following checkpoints when making your selection. If you can't find any information on relevant points on the provider's website, it's best to ask specifically!

✅ Registered office of the provider
The provider's registered office is an essential checkpoint. European providers must comply with the GDPR. The protection of your personal and company-related data is therefore subject to high security standards. Unlike in the USA, state institutions do not have access to the data.

✅ Location of the servers
The location of the provider's servers is an equally essential checkpoint. Although all providers that process the data of EU citizens must comply with the GDPR, there are no legal provisions such as the Patriot Act or the Cloud Act in the EU.

✅ Commissioned data processing (processors)
You should always retain control over the processing of your data. It is therefore advisable to make clear agreements with the processors. Also take a look at the providers' subcontractors who are used for hosting or sending emails, for example. They should also be based in the EU so that no control can be exercised from outside the EU.
Important: Make sure that the parent company of the processor is headquartered in the EU so that legal regulations from outside of the EU are not applicable.

✅ Tracking and retargeting
Collecting and evaluating user data allows companies to place personalised advertising. A popular tool for tracking is Google Analytics, for example. If you do not want your data to be used for advertising purposes, look out for providers that do not use external tracking tools.

✅ Encryption of the data
To protect user data from cyber criminals, it must be encrypted using highly secure technologies. Ideally, the data is transmitted securely between the end device and the servers using TLS encryption.
The provider itself should also not be able to view your data. Genuine end-to-end encryption ensures that only you and the (authorised) recipient have access to the content.

✅ User authentication
A secure password is essential. Therefore, make sure that the provider specifies precise rules for password strength and the change interval.
To protect your account and your team's accounts even better against unauthorised access, the tool should offer two-factor authentication. This creates a second layer of security in the account. When logging in, a time-based security code, e.g. from an app, must be entered in addition to the password. User accounts are also protected if passwords are lost or stolen.

✅ Back-ups
Regular offsite backups prevent data loss in exceptional cases such as theft or hardware failure. This means that there is always a (relatively) up-to-date copy on a secure server.

✅ Integrations
Extensive integration options sound great at first, but if they have inadequate security standards, they can harbour security risks. As a rule of thumb, the fewer tools you integrate or have to integrate, the lower the risk. An all-in-one tool such as Stackfield, which combines all the important functions, is preferable to a stand-alone solution. Tool hopping or countless integrations are then not necessary.

✅ User and rights management
It is advisable to protect data not only from external third parties. The platform itself should also have the option of only releasing information for certain users. The assignment of roles and rights as well as guest access for external users should be included in the functional scope of the collaboration tool.

How can I check the providers' security claims?

You should not rely solely on nice-sounding phrases on websites such as "data storage in accordance with the highest security standards" or "your data is safe with us" when making your choice. It is better to check whether the statements can be substantiated. The most important "evidence" for this is certification. ISO 27001 and the ISO 27017 and 27018 certifications, which build on ISO 27001, are relevant for cloud providers.
Information on conformity with the GDPR is also a good benchmark for compliance with (legally binding) security standards. In contrast to ISO certificates, however, GDPR compliance has only been certifiable for a very short time and so far only by one provider.

Which collaboration tools are really secure?

Quite a lot of points to consider when choosing a secure collaboration tool... What seems like a lot at first glance is quickly sorted. For example, start with the biggest exclusion criterion. You do not want your (company) data to be disclosed to third parties, e.g. US authorities? Then remove all providers with company headquarters, data storage and subcontractors outside the EU from your list of potential tools. This eliminates well-known providers such as Asana, Microsoft, Monday.com, ClickUp or Trello.

If you also place importance on the fact that your user behaviour is not tracked, that the tool offers genuine end-to-end encryption and that it is an all-in-one solution, German providers such as Awork, Meistertask or Factro are no longer an option. As you can see, the choice has already narrowed considerably. What's left on your list is ... Stackfield. Because security and data protection really are our top priority. This is reflected in the many well thought out functions that contribute to the security of your data and the ISO certifications 27001, 27017 and 27018.

Cristian Mudure
About the Author:
Cristian Mudure is the Founder and CEO of Stackfield. He loves digital business models and spends his spare time on the tennis court.