Data security is on everyone's lips these days, and the protection of sensitive data deserves special attention, especially in the digital space. For SeaTable, a high standard of data protection and security is more than just an empty phrase: it is an essential element behind the company's founding idea, and you could even say it is part of the company's DNA. The founders recognized a need early on, as more and more European companies and institutions are looking for European alternatives to the large US providers. For this reason, all data in the cloud solution is consistently stored on German servers of a certified Swiss company. Further security measures include HTTPS encryption, secure cookie management, input validation and the principle of least privilege, which ensures that each user receives only the necessary access rights.
As simple as a spreadsheet with the power of a database
SeaTable is the innovative no-code solution for efficient data management with a user-friendly app builder. This enables anyone to create digital solutions for their individual needs - even without programming knowledge. With SeaTable, companies can drive digital innovation and transformation while ensuring a high standard of data protection and data security.
Pentest confirms good protection against cyber attacks
In the first half of 2024, cyberattacks on companies in the DACH region increased by 40% compared to the same period in 2023. In order not to lose out in the race against the constantly growing digital threats, companies must always be one step ahead of potential hacker attacks. For this reason, in 2024 SeaTable commissioned SRC Security Research & Consulting GmbH to carry out a penetration test to identify and assess potential vulnerabilities. No high risks were identified during the pentest, which lasted several weeks. The security level of SeaTable was rated as "good".
As a next step, SeaTable GmbH is aiming for "Accelerated Security Certification" (BSZ) from the German Federal Office for Information Security (BSI) in the second half of 2025. Ralf Dyllick-Brenzinger, CEO of SeaTable GmbH, talks about the result and the company's further plans in an interview.
Ralf Dyllick-Brenzinger, CEO of SeaTable GmbH
Data protection and IT security are important topics for SeaTable. How do you ensure a high level of data protection with your cloud solution?
RDB: Our servers are located exclusively in Germany. We work together with the Swiss provider Exoscale. Users of our cloud solution can therefore rest assured that their data is stored and processed in compliance with data protection regulations. If this is not enough for you, you can switch to the on-premises version and host SeaTable yourself. In order to have the security of our cloud solution independently verified, we commissioned a pentest this year.
SeaTable has existed since 2020. Why did you only have the pentest carried out now?
RDB: Our company and our software have grown steadily in recent years, with over 150,000 users in more than 50 countries - and of course the demands on our IT security environment have grown with it. In addition, we are now at an important milestone. More and more large companies and government institutions are showing interest in our services and we want to expand internationally. The pentest helps us to actively identify and eliminate potential vulnerabilities - an important prerequisite for the BSI certification we are aiming for - and is also a signal to our existing and potential customers that their trust in us is justified.
There are also a number of security scanners on the market that check the security of software and are sometimes free of charge. Why wasn't that an option?
RDB: The security of our customers' data is our top priority and we definitely wanted a reliable expert assessment. The tools currently available offer a certain amount of support and we also use them. However, most scanners are not sufficient for a real security assessment. They are based on standardized techniques but do not understand the logic of complex processes, e.g. when account creation requires two-factor authentication. Human pentesters are still required to consider how other, actually protected, subsequent steps can be carried out using targeted measures. And when an automated tool identifies vulnerabilities, it usually assesses how dangerous the vulnerability is for each discovery separately. Pentesters, on the other hand, can also assess whether various low vulnerabilities combined lead to a high security risk.
How exactly was the pentest carried out?
RDB: Version 5.0 of SeaTable was tested. The system was installed by us according to the official instructions. The security settings were equivalent to those of our cloud system. The main focus was on the security of the API and the web application. We discussed the objectives of the test with SRC Security beforehand and agreed to simulate a cyber attack with insider knowledge, a so-called grey box approach. The attacker has limited information about the system.
What was the result?
RDB: The result was even better than we had expected. We had worked continuously in the past to protect our system from cyberattacks and had achieved a high level of protection, but we had expected that the pentesters would still identify vulnerabilities. As a result, two vulnerabilities were identified, but none with a high risk. Both vulnerabilities will be eliminated with one of the next updates.
You mentioned the BSI certification. What happens now?
RDB: SRC Security bases its pentests on the "Implementation Concept for Penetration Tests" of the German Federal Office for Information Security (BSI). Having successfully completed the test, we are therefore well prepared to apply for BSI certification next year and have the security of our software officially confirmed. Government institutions and many large companies attach great importance to such certification or even expect it. It is therefore an important competitive advantage, also internationally, as BSI certification is recognized in France, Great Britain, Canada, Spain, Israel and Turkey, among others.
SeaTable was developed by a Chinese company whose owners also have a stake in your company. Today, China connections are viewed critically, especially when it comes to the protection of sensitive data and intellectual property. How do you deal with this?
RDB: Our partnership with Seafile Ltd, the company that develops SeaTable, is no secret and can also be found on our website. We also proactively communicate this point in discussions with customers. We have known our partners for several years and have built up a trusting relationship. But as I said, we take the protection of our customers' data very seriously. The administration of our cloud service is carried out exclusively by our European admins. Seafile Ltd. and its employees have no access to the system. We do not transfer any data out of Europe and certainly not to China. This is not the case with a US service. And if you still have concerns, you can easily host SeaTable on your own servers.
Conclusion
The simulated cyberattack confirmed that SeaTable is an application with a high security standard. The specific use cases are almost unlimited - whether as a bug tracker, IT roadmap or ticketing system. Simply try it out without obligation and register for free.