
How heylogin meets compliance requirements

Best conditions for your company

We take full responsibility that heylogin works for you and your employees.

Our server architecture allows us to respond to unexpected failures in the shortest possible time.

Using the latest cryptography, we can guarantee your data is safe from hackers.

We believe high quality assurance can be achieved by using modern methods of software development.

Our compliance in detail

Assurances
We strive for 99.9% availability on annual average. Contractually, we guarantee 99%.
heylogin imposes no usage limits; we reserve at least 500 MB of storage per organization.
Depending on the contract, 9/5 support by email and 9/5 support by phone are assured.

Operations
The heylogin production environment is in Nürnberg, the standby server is in Falkenstein, backups are stored separately in Frankfurt. All data centers are ISO-27001 certified.
The standby server can be promoted to a production environment within a restart time of at most 30 minutes, with no data loss.
The heylogin production environment is checked by a monitoring system every minute. Failures and anomalies trigger notifications and are logged.
There is always a staff member on standby to intervene in case of anomalies.

Software development
The architecture of heylogin is documented and available for all employees. We are working on a whitepaper which will publicly present our architecture in the future.
Errors in heylogin components are sent to a tracking system. The message contains only necessary diagnostic data and a pseudonymized ID, but never content data.
heylogin is protected by an automated test suite that checks the correctness and compatibility of code changes.

Cryptography
All data is end-to-end encrypted using the smartphone hardware and thus cannot be viewed by us as the operator. The implemented cryptographic algorithms are Curve25519, XSalsa20 and Poly1305.
All devices are authenticated 'out-of-band', either by a QR code that initiates a Diffie-Hellman key exchange, or by a hash-commitment protocol using Short Authentication Strings.
TLS 1.2 and 1.3 are used and enforced with HSTS.
Backups are encrypted with ChaCha20 and protected against modification with Poly1305.
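The out-of-band device authentication described above relies on a hash-commitment protocol with Short Authentication Strings: the joining device commits to its ephemeral public value before the enrolled device reveals its own, and both sides then derive a short string that the user compares on the two screens. The following is an added example, written for this page and not heylogin's own code, of how such a commit-then-reveal exchange is structured. It uses only the Python standard library, so 32 random bytes stand in for a Curve25519 public value (an assumption, since the standard library has no Curve25519); the domain-separation labels and the six-digit SAS length are likewise choices made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SAS_DIGITS = 6  # assumed length of the string the user compares on both devices


def make_public_value() -> bytes:
    """Constructed stand-in for an ephemeral Diffie-Hellman public value.

    A real implementation would send a Curve25519 public key here; the
    standard library has none, so random bytes play that role in this example.
    """
    return secrets.token_bytes(32)


def commit(public_value: bytes) -> bytes:
    """Hash commitment sent by the initiator before it has seen the peer's value."""
    return hashlib.sha256(b"example-sas-commit|" + public_value).digest()


def verify_commitment(commitment: bytes, revealed: bytes) -> bool:
    """Responder check: the revealed value must match the earlier commitment."""
    return hmac.compare_digest(commitment, commit(revealed))


def short_auth_string(initiator_value: bytes, responder_value: bytes,
                      digits: int = SAS_DIGITS) -> str:
    """Derive a decimal Short Authentication String from both public values.

    Both devices compute this independently; the user confirms the two strings
    match, which authenticates the exchange without trusting the network.
    """
    digest = hashlib.sha256(b"example-sas-derive|" + initiator_value
                            + b"|" + responder_value).digest()
    number = int.from_bytes(digest[:4], "big")
    return f"{number % (10 ** digits):0{digits}d}"


def run_pairing(tampered_reveal: Optional[bytes] = None) -> Tuple[bool, str, str]:
    """Simulate the three-message exchange between a new device (initiator)
    and an enrolled device (responder).

    Returns (commitment_ok, sas_on_initiator, sas_on_responder). Passing
    tampered_reveal simulates a reveal message that does not match the
    commitment, which the responder must reject before showing any SAS.
    """
    a = make_public_value()
    message_1 = commit(a)                  # initiator -> responder: commitment only
    b = make_public_value()                # responder -> initiator: its value, chosen
                                           # while knowing only the commitment
    message_3 = tampered_reveal if tampered_reveal is not None else a

    commitment_ok = verify_commitment(message_1, message_3)
    sas_on_responder = short_auth_string(message_3, b) if commitment_ok else ""
    sas_on_initiator = short_auth_string(a, b)
    return commitment_ok, sas_on_initiator, sas_on_responder


if __name__ == "__main__":
    ok, sas_init, sas_resp = run_pairing()
    print(f"commitment valid: {ok}, initiator shows {sas_init}, responder shows {sas_resp}")
    ok, _, sas_resp = run_pairing(tampered_reveal=b"\x00" * 32)
    print(f"tampered reveal accepted: {ok}, responder shows {sas_resp!r}")
```

The commitment is what makes the short string meaningful: because the responder only ever learns a hash of the initiator's value before choosing its own, neither side can select its value after seeing the other's, so a mismatch between the two displayed strings is a reliable signal that the exchange was interfered with and the device should not be enrolled.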