Information about e-mail services category
IT Security Label
Legal basis and Technical Guideline
The IT Security Label is issued on the basis of §9c BSI Act.
Services in the e-mail services category are issued the IT Security Label if the provider declares the service's conformity with the Technical Guideline for Secure E-mail Transport, BSI TR-03108. The manufacturer declaration for the e-mail services product category can be found here.
The following listing provides a simplified overview of some of the declared security functionalities. Detailed descriptions of the required and recommended requirements can be found in the Technical Guideline and the related test specification.
Information on the required and recommended service properties
1. Transparency
The service provider assures that it provides transparent information regarding the security of its service.
This concerns in particular:
- Information on interface security and a valid IT security concept. An IT security concept should ensure the availability, integrity and confidentiality of company and customer data, as well as of operations, on an ongoing basis. This includes an analysis of possible attack scenarios, guidelines for prevention and instructions for action in the event of damage.
- Active notification of users in the event of security incidents.
- Provision of security instructions for safe use of the service.
2. State of the art
The service provider assures that it updates its security concept continuously and implements it permanently.
This includes, among other things:
- The closing of known vulnerabilities.
- Systems that match the state of the art. This means that no systems or components (such as encryption techniques) are in use that are outdated and considered insecure according to current knowledge.
3. Secure interfaces
The service provider assures that it protects the interfaces of the service according to the state of the art. A connection to the service shall be encrypted and integrity protected whenever the other party also supports this. The provider further declares that it uses the technologies required by the Technical Guideline in their entirety.
This concerns in particular:
- The interfaces for communication with other service providers.
- The interfaces for communication with users.
- Protection against unauthorized reading by third parties.
- Protection against manipulation.
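The "encrypted and integrity protected if the other party supports it" requirement is, for server-to-server mail, opportunistic STARTTLS: the sending side must upgrade whenever the peer advertises the extension, and the negotiated session must still meet a modern floor. The following added example (it is not code from BSI, TR-03108 or any labelled provider) evaluates an SMTP EHLO reply and the TLS parameters negotiated afterwards against such a floor. The policy values are assumptions chosen for illustration: TLS 1.2 as the minimum version and AEAD cipher suites with forward secrecy as acceptable, which is how a practitioner would typically read "state of the art"; the Technical Guideline and its test specification define the binding requirements. The EHLO replies are constructed samples.

```python
"""Opportunistic STARTTLS policy check for an SMTP session (added example).

Evaluates (a) whether the peer advertises STARTTLS in its EHLO reply and
(b) whether the TLS session negotiated afterwards meets a minimal policy.
Policy values below are assumptions for illustration, not TR-03108 text.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_TLS = (1, 2)  # assumption: TLS 1.2 is the lowest acceptable version
# assumption: suite-name prefixes indicating AEAD with forward secrecy
ACCEPTED_CIPHER_PREFIXES = ("TLS_AES_", "TLS_CHACHA20_", "ECDHE-")


@dataclass
class Verdict:
    starttls_offered: bool   # peer advertised STARTTLS, so an upgrade is mandatory
    tls_acceptable: bool     # negotiated session satisfies the policy
    reason: str


def parse_ehlo(lines):
    """Return the set of ESMTP extension keywords from a 250 EHLO reply.

    The first 250 line carries the server's domain and greeting, not an
    extension (RFC 5321), so it is skipped.
    """
    reply_lines = [ln.strip() for ln in lines if ln.strip().startswith("250")]
    extensions = set()
    for body in (ln[4:] for ln in reply_lines[1:]):
        if body:
            extensions.add(body.split()[0].upper())
    return extensions


def parse_tls_version(name: str):
    """'TLSv1.3' -> (1, 3); anything unparseable -> (0, 0)."""
    try:
        major, minor = name.replace("TLSv", "").split(".")
        return int(major), int(minor)
    except ValueError:
        return (0, 0)


def evaluate(ehlo_lines, negotiated: Optional[Tuple[str, str]]) -> Verdict:
    """negotiated = (protocol name, cipher suite name) or None if no handshake."""
    if "STARTTLS" not in parse_ehlo(ehlo_lines):
        # Opportunistic mode: no upgrade possible, transport stays plaintext.
        return Verdict(False, False, "peer does not advertise STARTTLS")
    if negotiated is None:
        return Verdict(True, False, "STARTTLS advertised but no TLS session was negotiated")
    version, cipher = negotiated
    if parse_tls_version(version) < MIN_TLS:
        return Verdict(True, False, f"{version} is below the required minimum")
    if not cipher.startswith(ACCEPTED_CIPHER_PREFIXES):
        return Verdict(True, False, f"cipher suite {cipher} is not an accepted AEAD/PFS suite")
    return Verdict(True, True, f"{version} with {cipher}")


def probe(host: str, port: int = 25, timeout: float = 10.0) -> Verdict:
    """Live check of one's own mail server using the standard library.

    Not executed by the sample below; it opens a real connection.
    """
    import smtplib
    import ssl
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, ehlo_msg = smtp.ehlo()
        ehlo_lines = ["250-" + ln for ln in ehlo_msg.decode(errors="replace").splitlines()]
        ehlo_lines[0] = "250-" + host + " " + ehlo_lines[0][4:]  # keep first line as greeting
        if not smtp.has_extn("starttls"):
            return evaluate(ehlo_lines, None)
        smtp.starttls(context=ssl.create_default_context())
        negotiated = (smtp.sock.version(), smtp.sock.cipher()[0])
    return evaluate(ehlo_lines, negotiated)


# Constructed sample EHLO replies (no real hosts).
EHLO_WITH_STARTTLS = [
    "250-mail.example.test Hello [192.0.2.10]",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 8BITMIME",
]
EHLO_WITHOUT_STARTTLS = [
    "250-mail.example.test Hello [192.0.2.10]",
    "250-SIZE 35882577",
    "250 8BITMIME",
]

if __name__ == "__main__":
    for label, ehlo, tls in [
        ("modern", EHLO_WITH_STARTTLS, ("TLSv1.3", "TLS_AES_256_GCM_SHA384")),
        ("old-version", EHLO_WITH_STARTTLS, ("TLSv1.0", "ECDHE-RSA-AES256-SHA")),
        ("weak-suite", EHLO_WITH_STARTTLS, ("TLSv1.2", "AES256-SHA")),
        ("no-starttls", EHLO_WITHOUT_STARTTLS, None),
    ]:
        print(label, evaluate(ehlo, tls))
```

The `probe` helper only uses `smtplib.SMTP.ehlo`, `has_extn`, `starttls` and the `ssl.SSLSocket` accessors `version()` and `cipher()`, so it can be pointed at a provider's own MX to confirm that the advertised and negotiated parameters match what the declaration promises; the offline `evaluate` path is what a test suite would run against captured replies.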
4. Data security
The service provider declares that it ensures the security of user data by implementing its security concept. A security concept includes measures to ensure the basic values of information security (confidentiality, integrity and availability):
- Consideration of all components involved in the processing of data in the security concept (including user administration and data management).
- Protection of data against unauthorized access (confidentiality).
- Protection of data against manipulation (integrity) and against loss (availability).
- Storage of the data on secure servers.
