SIMSme Powered by Deutsche Post

500 years of experience keeping postal correspondence private. SIMSme Business enforces the strictest security standards and data protection measures to ensure that your confidential corporate communication stays that way.

Strictest security standards

World-class end-to-end encryption

SIMSme encrypts every message sent through the app with AES-256 symmetric encryption, and additionally protects the connection with SSL/TLS. Messages are thus protected along the entire communications chain, from the sender’s smartphone to the SIMSme server and on to the recipient’s device. To decrypt a message, the recipient needs the matching AES key; that key is encrypted asymmetrically with RSA-2048, individually for each recipient of the message, and delivered together with it.

This procedure uses a public key to encrypt and a private key to decrypt; the private key never leaves the owner’s smartphone and is stored only locally.

Because of this, a message can only be decrypted on the smartphone of the intended recipient, as it alone holds the required private key. Other parties involved in the communications process, including us as the operators of SIMSme and any attacker who might intercept the encrypted AES key in transit, are thus unable to read the encrypted message.

More details and a diagram explaining encryption can be found here.

Strong encryption for smartphones

The SIMSme security concept doesn’t end with the transfer of the message onto the smartphone. Some other instant messaging programs encrypt the messages for transmission but leave the content of the messages themselves unprotected on the smartphone. SIMSme, by contrast, secures all chats and media using powerful encryption.

Each chat is individually protected with its own AES-256 key. This AES key is encrypted with the recipient’s public key. The private key is in turn protected by an AES-256 key, which can optionally be combined with a user password. This ensures that messages are protected not just while in transit, but also on the smartphone itself.

For more information on SIMSme encryption, please click here.

Encryption technology based on the BSI's directives

SIMSme uses state-of-the-art cryptographic processes to ensure a strong degree of security and confidentiality. We confirm that the cryptographic algorithms and processes used in this software satisfy Technical Guideline TR-02102-2 of the German Federal Office for Information Security (BSI), version 2016-01 (including SHA-2).*

*Android clients below version 4.4 conform with TR-02102-1, version 01-2014.

As an independent auditing agency, the BSI routinely publishes an evaluation of the security of selected cryptographic procedures, including an assessment as to whether the technology used within a given product is based on the latest standards.

Please click here for more information on BSI cryptographic procedures.

Audits and certifications

External security audits

We rely on routine independent security audits to verify all security-relevant components of SIMSme Business, across the entire spectrum from the apps to the backend. The most recent audit was performed by the noted IT security specialists at Cure53. It identified no critical flaws.

The following is an excerpt from the Pentest report:

“As a result, this evaluation managed to reach excellent test coverage and a high degree of confidence regarding the state of security at SIMSme. From the beginning of the tests it was almost instantaneously clear that the platform must have been subject to considerable scrutiny and numerous security tests in the past…

Instead, succeeding with attack efforts required much creativity on the testers’ part. Still, it remained impossible to unveil an issue that could be deemed “Critical” in scope and severity, which further illuminates the general good impression of the suite. Conclusively, security appears to be ingrained in many tiers and layers of security conscious and appropriately conceived designs. The maintainers of the SIMSme platform security have made a tremendously good decision when embarking on security investments as these have clearly paid off.”

External test of privacy protection

Because we at SIMSme stand for outstanding privacy protection and data security, we have these factors reviewed and confirmed by external specialists with every update. mediaTest digital and TÜViT test compliance with data security standards and Germany’s privacy protection rules. SIMSme Business apps are routinely awarded the “Trusted App” recommendation.

Beyond this, data security checks such as SSL analyses have repeatedly found man-in-the-middle attacks to be a potential issue for instant messaging solutions. According to the latest test report, SIMSme Business remains consistently “unproblematic” in this regard.

Please click here for more information on the mediaTest digital testing specification.

Trusted App seal (TÜViT and mediaTest digital)

ISO-certified data centers

SIMSme data centers are located in Germany and have been certified by the German Federal Office for Information Security (BSI) under ISO 27001 on the basis of IT-Grundschutz (baseline IT protection). This certification rests on annual audits and is valid through April 2021. The availability level (SLA) for SIMSme Business is 99.9%.

This certification covers both the “Colocation” and “Management Network” services used to provide hosting on behalf of Deutsche Post. These systems and components were examined by a certified auditor as part of an ISO 27001 audit on the basis of IT-Grundschutz, in accordance with the certification scheme issued by the BSI.

Sponsored hacker competition

The Deutsche Post IT-Security Cup of 2015 proved that SIMSme can stand up to even experienced hackers. While minor vulnerabilities were identified in the outer security systems, there was no documented penetration into the internal secure areas.

The hacking competition was part of a longer-term process of routinely letting top IT security researchers attempt to refute the proclaimed security level. Through competitions of this kind, Deutsche Post regularly sets new benchmarks: few providers go as far in demonstrating the reliability of their security mechanisms as objectively and impressively as Deutsche Post.

To read more about the Deutsche Post IT-Security Cup, please click here.

Comprehensive privacy protection

Conformity with privacy protection statutes

As a German undertaking, Deutsche Post AG and its SIMSme product are subject to the strict requirements of the German Data Privacy Act. Our servers, all located in Germany, do not evaluate or pass on any metadata, nor store any such data for an extended period. We pursue the “zero knowledge approach”.

  • The SIMSme app stores both the login data (including user name, phone number and password) and the user’s communication data locally and in encrypted form.
  • The mobile phone numbers are hashed on our servers, and the profile image and nickname are stored in encrypted form. To allow for contact to be established, an encrypted list of contact phone numbers is uploaded to the server and harmonized. Contact phone numbers for non-registered users are not stored.
  • Messages are encrypted end-to-end and are only stored temporarily. Dispatched messages are held in encrypted form on the servers until the recipient has received and opened them.
  • Messages opened by the recipient are deleted from our servers on the same day. Messages that cannot be delivered for 30 days are also deleted.
  • Users have the option to delete their user account, including all associated files, completely and irrevocably from our servers from within the profile settings.

More information about our privacy protection provisions can be found here.

Conformity with the German Telecommunications Act

Instant messenger services are viewed in the eyes of the German Telecommunications Act (TKG) as “Telecommunications Services” and are subject to the reporting requirements of § 6 (1.1) TKG.

Unlike many other instant messaging services, SIMSme from Deutsche Post AG is properly registered with Germany’s Federal Network Agency (registration number 94/208). As such, companies using SIMSme are considered to have performed their due diligence in selecting an instant messaging service.

Technical and organizational measures

SIMSme is notable for its extreme data economy. We record no data unless absolutely required for the system to function. We have established a variety of technical and organizational measures (TOMs) to satisfy the requirements for privacy protection and data security laid out in § 9 BDSG and the annex to § 9(1) BDSG.

As per the annex to § 9(1), these measures encompass:

1. Physical access control
2. Data access control
3. Data usage control
4. Control over forwarding of information
5. Input control
6. Order control
7. Availability control
8. Principle of isolation

The individual technical and organizational measures in SIMSme are discussed in depth here.

Compliance and user management

Management Cockpit

The SIMSme Management Cockpit provides a platform for simple and intuitive user management and configuration of the app, all designed to meet your compliance requirements. The web interface makes it easy for IT administrators to distribute the app within a company and control it centrally. Administrators thus have access not only to app functions, but also the option to tailor the app’s design and send messages to a broad audience.

The innovative Management Cockpit also encompasses the following functions:

– reporting dashboard
– user and license admin
– channel and group management
– security and compliance settings

Please click here for more information about the Management Cockpit.

Mobile Device Management

SIMSme Business is compatible with Mobile Device Management (MDM) systems, meaning it is especially easy to distribute and administer within a company. The app can be adjusted centrally using the MDM to match your security requirements. This means you can be certain that the messenger app will comply with your specific guidelines.

SIMSme Business supports Android for Work (Android 5.0 and newer) and Managed App Configuration (iOS 8.0 and newer) as well as the MDM systems below.

Support documentation for use with “MobileIron” and “Airwatch” can be found here.

Security partnerships

Alliance for Cyber-Security

Through its work on SIMSme, Deutsche Post is engaged in the Alliance for Cyber-Security for secure communication in Germany. The insights and experience it gains there about secure communication flow directly into the development of the messenger platform.

The Alliance for Cyber-Security is an initiative of the German Federal Office for Information Security (BSI), in conjunction with the German digital industry association BITKOM. As a joint project of all key players in the field of cyber-security in Germany, the Alliance has the goal of providing up-to-date, reliable information on threats in cyberspace.

For more information on the Alliance for Cyber-Security, please click here.

Positively rated by the churches’ data protection bodies

Thanks to the high security standards and German data protection, the Wirtschaftsgesellschaft der Kirchen in Deutschland mbH (WGKD) has decided to recommend SIMSme Business to its members. For this purpose, a corresponding framework agreement was concluded.

“The churches are in the middle of our society. Of course, employees chat in kindergartens, nursing homes or hospitals via messenger. With SIMSme Business we now offer all these people the opportunity to safely use a messenger for their work,” says Rainer Gritzka, Managing Director of WGKD.

More information on the use of SIMSme by the church can be found here.