Without data and information, travellers would not be able to enjoy the benefits of using the convenient and easy FAIRTIQ app to access the simplest public transport ticket around. FAIRTIQ takes data privacy and security extremely seriously. Many of the measures it implements go above and beyond what the law requires. Respecting users' privacy, handling their information securely and responsibly, and offering the best possible protection from unauthorised third-party access have always been top of our agenda and the success of our business model depends on them. To ensure that our systems and processes can effectively respond to evolving cyber risks and threats, we are continually optimising them in line with the latest technological and regulatory developments.
Compliance with current legal provisions underpins all of FAIRTIQ's data privacy and security efforts. These include the revised Data Protection Act (FADP) in Switzerland, which came into effect in 2023, the EU's General Data Protection Regulation (GDPR), as well as other national and supranational regulations.
The FAIRTIQ app is hosted on a cloud-based platform. This is also where the data are processed but it is important to point out that FAIRTIQ retains full control over the data that are required to deliver the app's core services: user registration, journey calculations and fraud management. In recent months, we have built our own virtual infrastructure to offer our users and partners even tighter security.
An important element in this process was shifting from the previous Platform-as-a-Service model (PaaS) to an Infrastructure-as-a-Service model (IaaS). In a PaaS model, the provider offers developers everything they need to build the software. Under the IaaS model, however, the provider offers only the technical infrastructure and the user – in this case FAIRTIQ – constructs its own bespoke development framework. This lets the user implement additional security measures and precisely define who is authorised to access data, when they can access it, as well as the scope of their access rights. In other words, data sovereignty is entirely in FAIRTIQ's hands.
The core services of the FAIRTIQ app are hosted on services owned and run by Amazon Web Services (AWS). As these servers are located in Ireland, they are subject to the European Union's GDPR, which is one of the toughest privacy and security laws in the world. FAIRTIQ users and partners therefore can be sure that their data are collected, transferred and processed in accordance with the highest standards of protection.
AWS uses a powerful and scalable Nitro system to encrypt the data. AWS Nitro has several advantages over conventional systems, including improved security, better performance, greater reliability and more flexibility. It also allows users to develop and deliver new functions more quickly. Technically, the system is designed to make it impossible, even for AWS personnel, to access customer data. An independent audit by the NCC Group, an internationally recognised cyber security expert, confirmed that AWS Nitro is very secure.
FAIRTIQ alone oversees the critical work of updating and optimising its mobile app. It used specialised services and tools to support and operate the software. We also conclude data processing agreements (DPAs) to ensure that all personal data is handled in accordance with the legal requirements and only for the purposes stipulated by FAIRTIQ.
We have also introduced additional measures to prevent unauthorised third-party access to our data. These include the encryption of data at rest and in transit. Internal access is also restricted and our processing procedures are documented and audited.
FAIRTIQ has been certified in accordance with the internationally recognised ISO/IEC 27001 standard since October 2023. As part of the audit, TÜV Rheinland, an independent testing body, confirmed that the interaction between FAIRTIQ's technology, processes and employees is highly effective and enables the company to minimise security risks to its data and information.
In addition, an ISAE 3000 audit by BDO, an independent auditor with offices around the globe, confirmed FAIRTIQ's compliance with EU GDPR requirements. The resulting 'Type 1' report concluded that FAIRTIQ has all the necessary controls and procedures in place to meet European data protection requirements. The GDPR is considered the gold standard when it comes to data privacy and served as a key point of reference for the revision of Switzerland's Data Protection Act.
ISO/IEC 27001 certification and the positive conclusions of the ISAE 3000 audit show that FAIRTIQ has correctly focussed on data privacy and security and its protective framework has reached a high level of maturity. Because both audits are performed repeatedly and at regular intervals, they help safeguard and improve existing protections.
Data privacy and security are not a state but a process. Optimising our cloud infrastructure and switching from a PaaS model to an IaaS one has allowed us to push this process forward. We implement protective and security measures at multiple levels in accordance with the 'defence in depth ' security principle. As a result, if one of our security mechanisms is circumvented, the other mechanisms we have put in place kick in, thereby preventing unauthorised access and data leaks. We continue to build on the already high level of protection and security we have already achieved and systematically upgrade and improve our methods and processes. Our unwavering commitment means that users and partners are able to avail of our services, safe in the knowledge that we are doing everything in our power to keep their data as private and secure as possible.
written by Andrin Huber, Legal Lead at FAIRTIQ & Manuel Jeckelmann, Head of Security