Security & Data Protection


Mindbreeze is part of the Fabasoft Group and uses Fabasoft Cloud Services. Data protection and data security have the utmost priority for Fabasoft as a software manufacturer and cloud provider.

Fabasoft Security Guideline:

Fabasoft has made a binding commitment to data protection and information security with the adoption of the Fabasoft Security Guideline as part of the overall Fabasoft strategy. The Security Guideline communicates the significance of information security, Fabasoft’s information security targets, the organisation of its information security management as well as the security measures taken and its efforts to ensure continuous improvement in the field of information security.

The Fabasoft Security Guideline is available for Download (PDF): Fabasoft Security Guideline

Mindbreeze Privacy Statement:

Due to the nature of the business, data protection is of particularly high importance to the Fabasoft Group. Fabasoft plc and its subsidiary companies have dedicated themselves to the protection of data and, in particular, of personal data. Exactly how Fabasoft uses and protects personal data, such as first and surnames, email addresses or telephone numbers, will be outlined in more detail in our privacy statement.

The Mindbreeze Privacy Statement is available for Download (PDF): Mindbreeze Privacy Statement.

If you need more information about our certifications and attestations, please send your request to:

Certified security and reliability

ISO 9001
ISO 9001 - Quality Management

Since 2005 the entire Fabasoft company has been ISO 9001 certified.Once a year our quality management is audited and certified by a leading certification body. The aims of the audit are to examine the conformity with demand models and the identifying of potential for the further development of the quality management system. Fabasoft was successfully recertified in accordance with ISO 9001:2015 by TÜV AUSTRIA CERT GMBH in October 2020.

Continuous Improvement

The quality management system at Fabasoft is a living system. This means that work methods, processes and their corresponding documentation are continuously adapted to the new data and constantly undergoing improvements. All Fabasoft business-relevant processes are depicted in the form of graphic process diagrams in the process landscape in the internal system. The further development, checking and approval of these processes is the responsibility of the process owner and is defined for every process.

Focus on Customer Orientation

A strategic aim of Fabasoft lies in a strong customer orientation of the quality management system. At Fabasoft customer satisfaction is of the highest importance. Fabasoft customers have the opportunity to share their opinions and improvement suggestions with us. In regular meetings (User Group) customers can give their feedback directly to the Fabasoft employee in charge. The results and evaluations of customer surveys are analyzed and integrated into the improvement processes to ensure that the customer demands are met.


Development and sales of own software produces, cloud services, Software-as-a-Service applications, appliances and provision of related services.

ISO 2000
ISO 20000-1 - IT Service Management

In May 2011 Fabasoft received the ISO 20000 certificate for the IT services Folio Cloud (today: Fabasoft Cloud) and Folio SaaS for the first time. The scope was subsequently expanded to include Mindbreeze InSpire SaaS. The ISO 20000-1 standard is an internationally recognized standard for IT service management systems which documents the requirements for professional IT service management.

Implementation of International Standards

With this certification, Fabasoft underlines its strategy of implementing international standards. ISO 20000-1 serves as a measurable quality standard for IT Service Management (ITSM). The aim of ISO 20000 is to deliver a higher quality of IT services to customers. Alignment according to the needs and requirements of customers plays a primary role.

ITIL orientation in IT Service Management

The standard also serves as an instrument to model processes in an optimized management system as they are described in the Office Government Commerce (OGC)’s IT Infrastructure Library (ITIL). This encompasses such core processes as change, release, incident, problem and security management. The certification brings with it many advantages. Alongside the targeted improvement of processes through regulated structures, service level maintenance, customer satisfaction and availability of services are more easily measurable by means of key performance indicators.

Fabasoft was successfully re-certified in accordance with ISO 20000-1:2018 by TÜV Austria HELLAS in October 2020.


The IT Service Management System of Fabasoft supporting the provision of Fabasoft Cloud, Fabasoft Folio SaaS and Mindbreeze InSpire SaaS to internal and external customers.

ISO 27001
ISO 27001 & ISO 27018 - Information Security and Protection of personal data

In June 2008 Fabasoft received the ISO 27001 certificate for the first time. The standard is a globally recognized standard for the assessment of the security of IT environments. In July 2015 Fabasoft was audited successfully and gained also certification under ISO 27018. This international standard was published in 2014 and specifies data protection requirements for cloud service providers.

Clearly Defined Standards

The certification’s range of validity specifies the requirements for fully comprehensive information security management concerning all IT and business processes as well as all confidential company information. For customers, the ISO 27001 certification means compliance with clearly defined technical and security based standards and thereby defined service levels for the Fabasoft data centers.

The international standard ISO 27018 defines data protection requirements for cloud service providers. They have to undertake major obligations regarding notification, information, transparency and burden of proof in order to build trust with clients and public institutions concerning the processing of personal data within the cloud.

Continual Adaptation

Periodical internal controlling of the processes and provisions detailed in the ISO 27001 incl. the ISO 27018 is the basis for the further development of internal IT security standards and the continual adaptation according to changing frameworks and tasks.

Fabasoft was successfully recertified in accordance with ISO 27001 incl. audit according to ISO 27018 by TÜV AUSTRIA Deutschland GmbH in October 2020.


Development and sales of own software produces, cloud services, Software-as-a-Service applications, appliances and provision of related services.

BSI C5 Logo
C5 Attestation

Mindbreeze receives attestation for its Mindbreeze InSpire SaaS service according to the specifications of the C5 catalogue of requirements (Cloud Computing Compliance Controls Catalogue, abbreviated C5), published by the German Federal Office for Information Security (BSI). The Mindbreeze InSpire SaaS service is professionally operated in Mindbreeze data centers on behalf of the customers. The attestation was issued by KPMG Alpen-Treuhand GmbH Wirtschaftsprüfungs- und Steuerberatungsgesellschaft.

“The number of cloud services in the field of data analysis is growing steadily. This makes it all the more essential for customers to take a closer look at the choice of suppliers. C5 provides the regulatorily defined IT security level, which is comparable to the IT basic protection level that is increased by cloud controls,” explains Klaus Schatz, Managing Director of KPMG Advisory GmbH.

C5 attestation (ISAE 3000 Report Type 2) is a recognized and authoritative verification for all customers who use Mindbreeze in the cloud (Mindbreeze InSpire SaaS), demonstrating the high level of information security in a verifiable way.

The BSI Cloud Computing Compliance Controls Catalogue stipulates the minimum requirements that cloud service providers must fulfill. The defined general parameters constitute a distinguishing feature of the BSI C5 and guarantee transparency with regard to the system description, jurisdiction, and locations of data storage, data processing, and data security, disclosure and investigatory powers, as well as certifications.

ISAE 3000 SOC2 Typ 1
ISAE 3000 SOC2 Typ 1

Mindbreeze has concluded the SOC2 Type 1 audit of its Mindbreeze InSpire SaaS service. The audit report was issued by the auditing and consulting company KPMG.

In the context of the auditing process, KPMG examined whether the Trust Services Criteria (TSC) for security – issued by the American Institute of Certified Public Accountants (AICPA) – are observed. This involved inspecting and documenting the existing internal control mechanisms for the services offered, such as those relating to risk minimization, access controls, monitoring measures, and communication. The audit took the form of an ISAE 3000 Type 1 audit (testing the design and the implementation for a specific deadline) and was conducted over a period of roughly four weeks. Mindbreeze received the final test results as an ISAE 3000 SOC2 Type 1 Report.

ISAE 3402 Type 2
ISAE 3402 Type 2

The International Standard on Assurance Engagements (ISAE 3402) is the international testing standard that assesses the effectiveness of internal control systems (IKS) of service providing organizations. The standard was created by the International Auditing and Assurance Standards Board (IAASB) as a successor to the SAS 70 Standard. Up until 2011 Fabasoft was tested according to the AICPA’s reporting standard SAS 70 Type 2, afterwards according to ISAE.

ISAE 3402 aims to extensively test an organization’s internal control system and to rate its effectiveness in detail. The testing takes place over a six month period. The ISAE 3402 test report contains the opinion of an external test company on the control procedure at the service provider, a description of the control points, the test methods and controls, information about the test period and a statement about the effectiveness of the controls.

ISAE 3402 Type 2

Equal opportunities for people with disabilities and their integration into society and work require the accessible use of software, which is also defined by law. Mindbreeze InSpire is offering accessibility for almost all kinds of disabilities.

Mindbreeze InSpire is the first enterprise search and big data solution to be evaluated by Pfennigparade. The standard recognized benchmark for the evaluation of Internet offerings is the BITV-Test, which was supplemented by a usability test to cover the full range of test criteria. Mindbreeze InSpire (search appliance) received a total BITV test score of 98.75 points. The component was given a rating of “very accessible”.

ISAE 3402 Type 2
TÜV Rheinland

TTÜV Rheinland i-sec GmbH certification body certifies that Fabasoft R&D GmbH has achieved the following objectives for the Fabasoft Cloud, Fabasoft Folio SaaS, HeadsUp! User Engagement, and Mindbreeze InSite services for the cloud infrastructure and cloud application:

  • Effectiveness in selecting the data location
  • Secure hosting of data
  • Secure data transmission
  • Secure operation of business-critical applications
  • Quality and availability of service provision – high service continuity, high on-demand scalability
  • Security and quality of data access and data storage – secure login procedure, andauthorization systems to control data access at network level
  • State-of-the-art protection against attacks

Proof was provided on site in the form of random external and internal security analyses as well as an audit of the technical, physical as well as organizational security measures, and business processes. The test report 63007063-01 forms part of this certificate.

TÜV Rheinland i-sec GmbH tests the effectiveness of the assessed process through annual monitoring audits.

ISAE 3402 Type 2
Audit-proof Archiving

The vision of a paper-free office is as old as the first IBM PC that fitted onto a regular desk - but we're still chasing that dream. The rules and regulations governing the storage of business records, invoices, contracts, documentation for accounts and financial records are partly to blame for this. Time limits legally required for storage vary from a few years to eternity and beyond.

Fabasoft Folio is a huge step forward, as audit-proof electronic storage eliminates the costs and space requirements needed for hard-copy storage.

Verified Quality

The PricewaterhouseCoopers auditors worked according to a checklist. Some of the most important points, which were naturally found to be without faults, were:

  • Data access. Already in the course of the ISAE 3402 Type 2 test, virtual and physical access restrictions were thoroughly checked and found to be sufficient. Client data is safe from prying eyes.
  • Data cannot be amended retrospectively.
  • Relevant documents cannot be deleted before the time limit expires - not even by Fabasoft administrators.
  • The trail from paper to electronic storage is sufficently secured.
  • All legal requirements are met.

National and European data protection laws

As a European company we are subject to the strictest data protection laws.

European Union

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  • Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).




Data security: Security of customer data

Customer data lies in Fabasoft's own servers within its own protected networks to which only a small number of selected members of the operations management team have access. Even operations management employees do not have authorization to access customer data. These mechanisms are regularly checked via external audits. But in short, customer data cannot be viewed by employees.