Annex to the General Terms & Conditions for Systemorph Cloud

Information Security Measures (ISM)

Version: 2022 November 22nd

Purpose

Systemorph and Customer have concluded the Agreement in which Systemorph acts as service provider to the Customer regarding the SMC Service.

Based on the Agreement, Systemorph shall implement reasonable and appropriate measures as provided hereinafter designed to secure Customer Content, Account Data and Technical Information of Customer (hereinafter together: “Information”) against accidental or unlawful loss, access, or disclosure, based on the technical capabilities and protection mechanisms of the underlying systems, especially Microsoft Azure.

This document on Information Security Measures (hereinafter “ISM”) describes the measures and framework that Systemorph applies with regard to the information security of the SMC Service.

The ISM is subject to change according to the terms and conditions in the Agreement.

General Information Security Measures

Systemorph shall take suitable technical, operational, and organizational measures to provide an appropriate level of information security, securing Information from accidental or unlawful destruction, loss, alteration or disclosure.

Systemorph shall take account of best practices, the implementation costs, the type, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of the information security risks involved.

The information security measures are subject to change particularly due to the technology and services of the subcontractors used, especially Microsoft Azure.

Information Security Roles and Responsibilities

Systemorph has established an appropriate information security organization, including the role and responsibilities of a Chief Information Security Officer (“CISO”), as well as the technical and operational means to establish, maintain, oversee, and review Systemorph’s information security management system (“ISMS”).

By using the SMC Service, the Customer agrees that certain information security responsibilities are shared, while others are handled solely by either the Customer or Systemorph.

The Customer owns the Information (data, identities, notebook code). The Customer is responsible for protecting the security of its data and identities, on-premises resources, and the SMC components it controls. The Customer always retains responsibility for data, identities, notebook code, endpoints, accounts, and access management.

Information security responsibilities for the identity and directory infrastructure and for network controls are shared between the Customer and Systemorph.

Systemorph and its subcontractors (primarily Microsoft Azure) are responsible for information security concerning the underlying SMC platform, operating system, and physical components such as hosts, network, and data centers.

Identity and Access Management

The SMC Service offers a self-registration mechanism to each Customer. New Customers can create an account themselves and have to accept and enter into the Agreement in order to finalize account creation and get access to the SMC Service via the SMC Service Portal at https://portal.systemorph.cloud.

Enterprise Customers may integrate their own Microsoft Azure Active Directory (AAD) service so that they can manage their users directly outside of the SMC.

All Information is contained within the SMC Projects. Access to the Information can be controlled directly by the Customer on the Project Settings page of the SMC Service Portal for each SMC Project. If the Customer has owner privileges for an SMC Project, the Customer can manage access to that SMC Project and all Information contained therein on that settings page. A detailed description of what exactly can be controlled and how the settings page works is given here.

Systemorph uses the Microsoft AAD service for the storage and management of the Customer’s authentication secrets. By using the SMC Service, the Customer accepts Microsoft AAD as the manager of its secret authentication information.

Cryptography

Information in transit over public networks between the Customer and Systemorph, or between Systemorph’s data centers, as well as data stored within the SMC Service, is encrypted by default. Systemorph relies on Microsoft Azure’s encryption in all cases.

Operations Security

The SMC Service is operated on the Microsoft Azure Cloud. Systemorph makes use of the Azure services to secure and maintain all of the SMC Service. Systemorph is a certified Microsoft Gold partner with several staff members holding the highest certification levels in the usage of the MS Azure cloud services. The following services and controls are being used by Systemorph:

Systemorph applies strict access management for its administrative staff to all critical SMC Service components. Every critical SMC Service component is accessible only over a dedicated VPN network. Access to that network is tightly controlled and managed; it is granted only to staff directly involved in the operation of the production infrastructure where Information is processed and stored. Access is reviewed on a regular basis to ensure compliance.

Inside a SMC Project, the Customer can control which resource type to use to execute the code. The Customer also has full control over what data is being uploaded and generated inside the SMC Project. Details on usage are shown here.

Systemorph collects detailed information on the usage of resources by the Customer on a per SMC Project basis. This information is presented in detail in every Project because this is how Customers are billed for the SMC Service. On the SMC Project’s billing details page, the Customer can see exactly how much computational power was consumed on what type of resource by which notebook, started by whom and when, as well as the relevant data storage and network traffic costs. This information is presented separately for each SMC Project. Details on usage are shown here.

Systemorph also collects usage information as Technical Information that is not exposed to the Customer. Technical Information collection and usage is described in the Agreement.

Systemorph provides capabilities that enable the Customer to implement their own monitoring inside an SMC Project. The SMC Projects are secured such that only authorized Customer Accounts can access the Information. Details on usage are shown here.

The SMC Service is potentially exposed to security threats, such as, but not limited to, attacks by external third parties, unintentional or intentional corruption by employees, or the failure of subcontractors to secure and protect their information systems. Systemorph applies a best practice ISMS, which is geared towards the prevention of technical vulnerabilities in its SMC Service.

System Acquisition, Development and Maintenance

Systemorph applies best practice information security measures for maintaining its ISMS, which is built on recognized industry standards.

Systemorph applies secure development procedures and practices, which are based on the Microsoft best practice development recommendations. Information security matters are an integral part of Systemorph’s secure development procedures and practices. This includes secure code repositories with controlled and regularly reviewed access, mandatory code reviews according to the four-eyes principle, and segregation of development and testing environments from production.

Supplier Relationship

Systemorph undertakes and is responsible for the information security measures in accordance with this ISM. All other information security measures are the responsibility of the Customer.

Information Security Incident Management

Customer is solely responsible for making an independent determination as to whether the technical, operational, and organizational measures for the SMC services meet Customer’s requirements, including any of its information security obligations. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Information) the information security practices and policies implemented and maintained by Systemorph provide a level of information security appropriate to the risk with respect to its Information. Customer is responsible for implementing and maintaining information security measures for components that Customer provides or controls.

If Systemorph becomes aware of a breach of information security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Information while processed by SMC services, Systemorph will promptly and without undue delay (1) notify Customer of the information security incident; (2) investigate the information security incident and provide Customer with detailed information about the information security incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the information security incident.

Notification(s) of information security incidents will be delivered to Customer by any means Systemorph selects, including via email. It is Customer’s sole responsibility to ensure Customer maintains accurate contact information with Systemorph for the applicable SMC services. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any information security incident.

If the Customer becomes aware of a breach of information security, the Customer shall deliver notification(s) of the information security incident to Systemorph using the respective contact information.

Systemorph shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation under applicable law or regulation to notify the relevant supervisory authority about such information security incident.

Systemorph’s notification of or response to an information security incident under this section is not an acknowledgement by Systemorph of any fault or liability with respect to the information security incident. Customer must notify Systemorph promptly about any possible misuse of its accounts or authentication credentials or any information security incident related to the SMC services.

Systemorph maintains a record of information security incidents with a description of the incident, the time period, the consequences of the incident, the name of the reporter, to whom the incident was reported, and the procedure for resolving the incident. Systemorph makes such records available as digital evidence to Customer on request.

For each information security incident, notification by Systemorph will be made without undue delay and, in any event, within 72 hours of Systemorph becoming aware of the incident.

Protection of Technical Information

Technical Information collected on the usage of the SMC Service is stored in dedicated services, separately from Customer Content. These services are accessible only over a secure VPN network; access to this network is subject to the same controls as for all other services. Technical Information is not backed up because it is not subject to change (it is append-only: only new data is added). Instead, it is stored in a redundant manner to avoid data loss. Technical Information is used by Systemorph to provide the SMC Service to the Customer, to gather information on how to improve the SMC Service itself, and to provide better support to the Customer. Parts of the Technical Information are processed and made available to the Customer as usage and billing information.

Verification and Audit Rights

Systemorph will provide Customer upon request with information to document compliance with the duties set forth in this ISM by suitable means (e.g., certifications, attestations, independent audits).

The Parties agree that compliance with this obligation shall be evidenced by the fact that Systemorph holds ISO 27001 certification or is able to provide further ISO certifications, such as ISO 27017 and ISO 27018, or an ISAE 3402 Type II attestation. In addition, Systemorph conducts penetration tests of its SMC environment on a regular basis. These audit reports are prepared by independent third parties; alternatively, confirmations concerning certifications and similar evidence that are specifically referred to in the Agreement may be provided.

The above shall exclude any further audit rights of the Customer.

Systemorph makes the respective audit and review reports available to the Customer on request.