International security standard | 02/2026

Trust and Security Center
LegallyMail

Our infrastructure is hardened strictly in line with the NIST Cybersecurity Framework.
Radical transparency about how we protect your most critical data.

Status: 100% Secure
E2E encryption: Active
Compliance rate: 97.1%

Committed to your security

At LegallyMail we align our security controls with the NIST Cybersecurity Framework (CSF), a widely adopted reference framework for managing cyber risk. Our promise is to protect the confidentiality, integrity and availability of your certified communications.

Implemented controls: 100 of 103
Security incidents: 0
Data E2E-encrypted: 100%
Incident response: <48h

Why NIST CSF rather than ISO 27001?

A comparison of the two most widely used cybersecurity frameworks

Feature                           | NIST CSF 2.0                                              | ISO 27001
Responsible institution           | US government (NIST)                                      | ISO and IEC
Focus                             | Risk management, outcome-oriented                         | Process compliance, audit-oriented
Flexibility                       | Highly adaptable, scalable framework                      | Rigid structure, predefined controls
Last update                       | 02/2024; evolves with the threat landscape                | 2022; revised roughly every 7 to 10 years
Public transparency               | Free and public, accessible to everyone                   | Paid certification, expensive audits
Integration with other frameworks | Direct mappings; compatible with GDPR and PCI DSS         | Limited; requires adaptation
Proof of implementation           | Transparent self-assessment (this page is the evidence)   | Private audit; only the certificate is visible
Implementation cost               | No licence fees, internal resources only                  | 15,000 to 50,000 EUR per year for certification and maintenance
Why did we choose NIST CSF?

The NIST Cybersecurity Framework was developed by the US National Institute of Standards and Technology and is widely used as a reference for managing cybersecurity risk. Unlike ISO 27001, NIST CSF focuses on measurable outcomes and allows full transparency towards our users, as you can see on this page. Note that what this page presents is a self-assessment against the framework, not an independent audit or certification.

Our Security Posture

Breakdown by NIST Cybersecurity Framework function. The subcategory identifiers used on this page (ID.AM-1, PR.AC-1, DE.AE-1, ...) follow the CSF 1.1 numbering; CSF 2.0 adds a sixth function, Govern, and renumbers the subcategories.

Identify: 92% implemented

Developing an organizational understanding to manage cybersecurity risk.

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect: 97% implemented

Implementing safeguards to ensure delivery of critical services.

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect: 100% implemented

Developing activities to identify the occurrence of a cybersecurity event.

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond: 100% implemented

Taking action regarding a detected cybersecurity incident.

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover: 100% implemented

Maintaining plans for resilience and restoring capabilities or services impaired by an incident.

  • Recovery Planning
  • Improvements
  • Communications

Implemented Controls

Detailed transparency about our active security controls

Asset Management

ID.AM-1: Physical devices and systems within the organization are inventoried
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-2: Software platforms and applications are inventoried
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-3: Organizational communication and data flows are mapped
Evidence: Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.

ID.AM-4: External information systems are catalogued
Evidence: Third-party service documentation, integration records

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value
Evidence: Data Classification Policy.md, Database Encryption Architecture.
Business Environment

ID.BE-1: The organization's role in the supply chain is identified and communicated
Evidence: Service provider documentation, TSA integration, Stripe payment processing

ID.BE-2: The organization's place in critical infrastructure is identified
Evidence: Service architecture documentation, critical service monitoring

ID.BE-3: Priorities for organizational mission, objectives, and activities are established
Evidence: NIST compliance framework, GDPR compliance, service SLAs

ID.BE-4: Dependencies and critical functions are established
Evidence: Service dependency mapping, critical function documentation

ID.BE-5: Resilience requirements to support delivery of critical services are established
Evidence: Service status dashboard, maintenance mode system, error handling framework
Governance

ID.GV-1: Organizational cybersecurity policy is established and communicated
Evidence: Cybersecurity Policy.md, NIST CSF Compliance Dashboard, GDPR Compliance Documentation, Security Policies Library, Cybersecurity Leadership Designation Records

ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned
Evidence: Internal security coordination, admin role structure

ID.GV-3: Legal and regulatory requirements are understood and managed

ID.GV-4: Governance and risk management processes address cybersecurity risks
Evidence: NIST compliance dashboard, risk assessment through compliance monitoring
Risk Assessment

ID.RA-1: Asset vulnerabilities are identified and documented
Evidence: Past audit with Claude Sonnet 4.5 in January 2026

ID.RA-2: Cyber threat intelligence is received from information sharing forums
Evidence: Composer security advisories, dependency monitoring

ID.RA-3: Threats, both internal and external, are identified and documented
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RA-6: Risk responses are identified and prioritized
Evidence: Security improvements, vulnerability patching process
Risk Management Strategy

ID.RM-1: Risk management processes are established, managed, and agreed to
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

ID.RM-2: Organizational risk tolerance is determined and clearly expressed
Evidence: NIST CSF compliance, GDPR compliance, security headers implementation

ID.RM-3: The organization's determination of risk tolerance is informed by its role
Evidence: Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

Access Control

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-2: Physical access to assets is managed and protected
Evidence: Hetzner ISO 27001 certification, data center security documentation

PR.AC-3: Remote access is managed
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-4: Access permissions and authorizations are managed
Evidence: Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.

PR.AC-5: Network integrity is protected (e.g., network segregation)
Evidence: Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.

PR.AC-6: Identities are proofed and bound to credentials
Evidence: Email verification system, email_verified column in users table

PR.AC-7: Users, devices, and assets are authenticated

Awareness and Training

PR.AT-1: All users are informed and trained on cybersecurity awareness
Evidence: Privacy policy, terms of service, GDPR compliance documentation

PR.AT-2: Privileged users understand their roles and responsibilities
Evidence: Admin dashboard with security controls, role-based access documentation

PR.AT-3: Third-party stakeholders understand their roles and responsibilities
Evidence: Vendor agreements, partner documentation, API documentation

PR.AT-4: Senior executives understand their roles and responsibilities

PR.AT-5: Physical and cybersecurity personnel understand their roles
Evidence: Admin role documentation, Hetzner security procedures
Data Security

PR.DS-1: Data-at-rest is protected
Evidence: Provided by Google Cloud (external provider)

PR.DS-2: Data-in-transit is protected

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
Evidence: User data management, certified_emails retention, data export capabilities

PR.DS-4: Adequate capacity to ensure availability is maintained
Evidence: Hetzner infrastructure monitoring, service status tracking

PR.DS-5: Protections against data leaks are implemented
Evidence: 256-bit AES encryption and hashing of sensitive data
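How "256-bit AES encryption of sensitive data" can be implemented so that it protects integrity as well as confidentiality, shown as an added example that is not LegallyMail's code: AES-256-GCM through PHP's OpenSSL extension, with the row identifier bound in as associated data so a ciphertext cannot be silently moved to another row. The key handling (a random key generated for the demo; in production it would come from a secret store, never from the repository), the storage layout and the sample IBAN are assumptions. Hashing and encryption serve different purposes: passwords belong in password_hash(), values that must be read back belong in authenticated encryption like this.

```php
<?php
declare(strict_types=1);

// Added example, not LegallyMail's code: authenticated encryption of one
// sensitive column value with AES-256-GCM via PHP's OpenSSL extension.
// Assumptions: a 32-byte key supplied by the caller, and the on-disk layout
// base64(nonce || tag || ciphertext) so the value fits a TEXT column.

final class FieldCrypto
{
    private const CIPHER  = 'aes-256-gcm';
    private const IV_LEN  = 12;  // 96-bit nonce, the recommended size for GCM
    private const TAG_LEN = 16;  // 128-bit authentication tag

    public function __construct(private string $key)
    {
        if (strlen($key) !== 32) {
            throw new InvalidArgumentException('AES-256 needs a 32-byte key');
        }
    }

    /**
     * Encrypt $plaintext. $aad (e.g. "user:42") is authenticated but not encrypted,
     * so decrypting the same blob under a different row id fails the tag check.
     */
    public function encrypt(string $plaintext, string $aad = ''): string
    {
        $iv  = random_bytes(self::IV_LEN);   // fresh nonce per value; never reuse with one key
        $tag = '';
        $ct  = openssl_encrypt($plaintext, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $aad, self::TAG_LEN);
        if ($ct === false) {
            throw new RuntimeException('encryption failed: ' . openssl_error_string());
        }
        return base64_encode($iv . $tag . $ct);
    }

    public function decrypt(string $stored, string $aad = ''): string
    {
        $blob = base64_decode($stored, true);
        if ($blob === false || strlen($blob) < self::IV_LEN + self::TAG_LEN) {
            throw new RuntimeException('malformed ciphertext');
        }
        $iv  = substr($blob, 0, self::IV_LEN);
        $tag = substr($blob, self::IV_LEN, self::TAG_LEN);
        $ct  = substr($blob, self::IV_LEN + self::TAG_LEN);

        $pt = openssl_decrypt($ct, self::CIPHER, $this->key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
        if ($pt === false) {
            // Wrong key, wrong AAD or modified bytes all end up here: the GCM tag did not verify.
            throw new RuntimeException('decryption failed: integrity check did not pass');
        }
        return $pt;
    }
}

// Demo with a constructed key and a constructed sample value.
$crypto = new FieldCrypto(random_bytes(32));
$stored = $crypto->encrypt('IBAN DE89 3704 0044 0532 0130 00', 'user:42');
echo 'stored: ', $stored, PHP_EOL;
echo 'decrypted: ', $crypto->decrypt($stored, 'user:42'), PHP_EOL;

// Same ciphertext presented as belonging to another row: rejected.
try {
    $crypto->decrypt($stored, 'user:43');
} catch (RuntimeException $e) {
    echo 'swap attempt: ', $e->getMessage(), PHP_EOL;
}

// One flipped ciphertext byte: rejected rather than returning garbage.
$tampered = base64_decode($stored, true);
$tampered[strlen($tampered) - 1] = chr(ord($tampered[strlen($tampered) - 1]) ^ 0x01);
try {
    $crypto->decrypt(base64_encode($tampered), 'user:42');
} catch (RuntimeException $e) {
    echo 'tamper attempt: ', $e->getMessage(), PHP_EOL;
}
```

The two failure paths matter more than the happy path: with a non-authenticated mode such as AES-CBC, the swapped and tampered values would decrypt to wrong but plausible-looking bytes and the application would never notice.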
PR.DS-6: Integrity checking mechanisms verify software and information integrity

PR.DS-7: Development and testing environment(s) are separate from production
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.DS-8: Integrity checking mechanisms verify hardware integrity
Evidence: Hetzner infrastructure security, ISO 27001 certification
Information Protection Processes and Procedures

PR.IP-1: A baseline configuration of systems is created and maintained
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.IP-2: A System Development Life Cycle to manage systems is implemented
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.IP-3: Configuration change control processes are in place
Evidence: Git repository, .env file management, version control practices

PR.IP-4: Backups of information are conducted, maintained, and tested
Evidence: Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.

PR.IP-5: Policy and regulations regarding the physical operating environment
Evidence: Hetzner data center certifications, environmental controls documentation

PR.IP-6: Data is destroyed according to policy
Evidence: Data Retention Disposal Policy.md, Hard Delete Database Functions, Backup Rotation Policy.

PR.IP-7: Protection processes are improved
Evidence: NIST compliance dashboard, regular security updates, dependency updates

PR.IP-8: Effectiveness of protection technologies is shared
Evidence: Internal security reviews, NIST compliance public page

PR.IP-9: Response and recovery plans are in place and managed

PR.IP-10: Response and recovery plans are tested
Evidence: Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.

PR.IP-11: Cybersecurity is included in human resources practices

PR.IP-12: A vulnerability management plan is developed and implemented
Evidence: Vulnerability Management Policy.md, Composer.lock Security Scan History.
Maintenance

PR.MA-1: Maintenance and repair of assets are performed and logged
Evidence: Maintenance Approval Process.md, Git Commit History With Detailed Logs, Hetzner Infrastructure Maintenance Logs, SSH Access Logs, Development Workflow Documentation

PR.MA-2: Remote maintenance of assets is approved, logged, and performed
Evidence: Server access logs, admin activity monitoring
Protective Technology

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed
Evidence: Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.

PR.PT-2: Removable media is protected and its use restricted
Evidence: File upload validation, allowed file type restrictions

PR.PT-3: The principle of least functionality is incorporated
Evidence: Secure Development Policy.md, Git Commit History, Isolated Production Environment.

PR.PT-5: Mechanisms are implemented to achieve resilience requirements
Evidence: ErrorController, maintenance mode, service_status monitoring, Hetzner backups

Anomalies and Events

DE.AE-1: A baseline of network operations and expected data flows is established
Evidence: Service status monitoring, normal operation baselines

DE.AE-2: Detected events are analyzed to understand attack targets and methods
Evidence: Error logs, admin notification system, support ticket analysis

DE.AE-3: Event data are collected and correlated from multiple sources
Evidence: Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.

DE.AE-4: Impact of events is determined
Evidence: Service status levels, impact assessment in monitoring

DE.AE-5: Incident alert thresholds are established
Evidence: PasswordResetLimiter.php, rate_limits table, API rate limiting
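The PasswordResetLimiter.php and rate_limits table cited as evidence are LegallyMail's own artifacts and their contents are not shown here. The following is an added example, not the project's code, of how such a threshold is enforced and turned into an alert: a sliding-window limiter backed by a rate_limits table that records every attempt, refuses requests once a subject crosses the threshold, and fires an alert hook the first time that happens. The table layout, the threshold of 5 attempts per 15 minutes, the alert hook, and the use of an in-memory SQLite database so the file runs offline (the PDO calls are the same against MariaDB) are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not LegallyMail's PasswordResetLimiter.php: a sliding-window
// rate limiter backed by a rate_limits table. Every attempt is logged; once a
// subject crosses the threshold the request is refused and an alert hook fires.
// Assumptions: table layout, 5 attempts per 900 s, SQLite in memory for the demo.

final class RateLimiter
{
    /** @var callable(string,string,int):void */
    private $onThreshold;

    public function __construct(
        private PDO $db,
        private int $maxAttempts = 5,
        private int $windowSeconds = 900,
        ?callable $onThreshold = null,
    ) {
        // Default alert hook: write to the error log (an admin e-mail would go here).
        $this->onThreshold = $onThreshold ?? static function (string $action, string $subject, int $seen): void {
            error_log("ALERT rate limit: {$subject} reached {$seen} {$action} attempts in window");
        };
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS rate_limits (
                 action       TEXT    NOT NULL,
                 subject      TEXT    NOT NULL,   -- client IP or account id
                 attempted_at INTEGER NOT NULL    -- unix timestamp
             )'
        );
        $this->db->exec('CREATE INDEX IF NOT EXISTS rl_lookup ON rate_limits (action, subject, attempted_at)');
    }

    /** Record one attempt; returns true if the subject is still under the threshold. */
    public function attempt(string $action, string $subject, ?int $now = null): bool
    {
        $now ??= time();
        $cutoff = $now - $this->windowSeconds;

        // Count and insert inside one transaction so two concurrent requests
        // cannot both observe "4 attempts" and both be admitted.
        $this->db->beginTransaction();
        try {
            $this->db->prepare('DELETE FROM rate_limits WHERE attempted_at < :cutoff')
                     ->execute([':cutoff' => $cutoff]);

            $stmt = $this->db->prepare(
                'SELECT COUNT(*) FROM rate_limits
                  WHERE action = :action AND subject = :subject AND attempted_at >= :cutoff'
            );
            $stmt->execute([':action' => $action, ':subject' => $subject, ':cutoff' => $cutoff]);
            $seen = (int) $stmt->fetchColumn();

            // Blocked attempts are stored too, so the audit trail shows the whole burst.
            $this->db->prepare('INSERT INTO rate_limits (action, subject, attempted_at) VALUES (:action, :subject, :at)')
                     ->execute([':action' => $action, ':subject' => $subject, ':at' => $now]);
            $this->db->commit();
        } catch (Throwable $e) {
            $this->db->rollBack();
            throw $e;
        }

        if ($seen >= $this->maxAttempts) {
            if ($seen === $this->maxAttempts) {   // alert once per burst, not on every retry
                ($this->onThreshold)($action, $subject, $seen);
            }
            return false;
        }
        return true;
    }
}

// Constructed demo: seven password-reset requests from one IP within a minute,
// then one more long after the window has passed.
$limiter = new RateLimiter(new PDO('sqlite::memory:'));
$t0 = 1_700_000_000;
$burst = [];
for ($i = 0; $i < 7; $i++) {
    $burst[] = $limiter->attempt('password_reset', '203.0.113.7', $t0 + $i * 10) ? 'allowed' : 'blocked';
}
echo implode(' ', $burst), PHP_EOL;
echo $limiter->attempt('password_reset', '203.0.113.7', $t0 + 2000) ? 'allowed' : 'blocked', PHP_EOL;
```

Run with the php CLI (pdo_sqlite is required for the demo database): the burst yields five admitted requests followed by two refused ones, the alert hook fires exactly once, on the sixth request, and the request 2000 seconds later is admitted again because the earlier rows have aged out of the window. Keying on the client IP alone is a deliberate simplification; for password resets it is worth limiting per target account as well, since an attacker can spread requests across many source addresses.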
Security Continuous Monitoring

DE.CM-1: The network is monitored to detect potential cybersecurity events
Evidence: Hetzner infrastructure monitoring, rate_limits table, authentication logs, service status dashboard, admin alerts for suspicious activity

DE.CM-2: The physical environment is monitored to detect cybersecurity events
Evidence: Hetzner data center monitoring, environmental controls

DE.CM-3: Personnel activity is monitored to detect cybersecurity events
Evidence: Login logs, session tracking, admin activity logs, rate_limits enforcement, email usage patterns, anomaly detection for bulk sending

DE.CM-4: Malicious code is detected
Evidence: File upload validation, MIME type checking, input sanitization

DE.CM-5: Unauthorized mobile code is detected
Evidence: Code Integrity Detection.md, Restrictive CSP Implementation In Init.php, File Upload MIME Validation Logic.
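Upload MIME validation and a restrictive Content-Security-Policy, the two mechanisms named in the evidence for DE.CM-4 and DE.CM-5, shown together in an added example that is not LegallyMail's Init.php or upload code. The validator trusts what libmagic finds in the uploaded bytes rather than the client-supplied type or filename, and the CSP uses a per-request nonce instead of 'unsafe-inline'. The allow-list, size limit, CSP directives and the constructed sample files are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not LegallyMail's code: server-side upload validation that
// trusts libmagic (finfo) over the client, plus a restrictive CSP header.
// Assumptions: the allow-list, the 10 MiB limit and the CSP directives below.

const ALLOWED_UPLOADS = [
    // detected MIME type => permitted extensions
    'application/pdf' => ['pdf'],
    'image/png'       => ['png'],
    'image/jpeg'      => ['jpg', 'jpeg'],
];
const MAX_UPLOAD_BYTES = 10 * 1024 * 1024;

/**
 * Returns the detected MIME type if the file is acceptable, otherwise throws.
 * $clientMime is what the browser claimed; it is only used for a log line.
 */
function validateUpload(string $tmpPath, string $clientName, string $clientMime): string
{
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('rejected: empty or oversized file');
    }

    // Content sniffing on the bytes that were actually uploaded.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !isset(ALLOWED_UPLOADS[$detected])) {
        throw new RuntimeException("rejected: detected type '{$detected}' is not permitted");
    }

    // The extension must agree with the detected content (PHP source renamed to
    // .png fails here), and double extensions such as "scan.php.png" are refused.
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) !== 2 || !in_array($parts[1], ALLOWED_UPLOADS[$detected], true)) {
        throw new RuntimeException("rejected: filename '{$clientName}' does not match '{$detected}'");
    }

    if ($clientMime !== $detected) {
        // Not fatal on its own, but worth recording: the client lied or is misconfigured.
        error_log("upload: client claimed {$clientMime}, libmagic detected {$detected}");
    }
    return $detected;
}

/** Emit a locked-down CSP; scripts run only from our origin or with this request's nonce. */
function buildCsp(string $scriptNonce): string
{
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$scriptNonce}'",
        "style-src 'self'",
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
        "form-action 'self'",
    ]);
}

function sendCsp(): string
{
    $nonce = base64_encode(random_bytes(16));   // fresh per response; reuse in <script nonce="...">
    header('Content-Security-Policy: ' . buildCsp($nonce));
    return $nonce;
}

// Constructed demo files: a minimal but well-formed PNG header, and PHP source.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00" . "\x90\x77\x53\xde");
$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php phpinfo();");

$cases = [
    [$png,  'scan.png',     'image/png'],   // genuine PNG, honest client
    [$fake, 'scan.png',     'image/png'],   // PHP source disguised as PNG
    [$png,  'scan.php.png', 'image/png'],   // double extension
];
foreach ($cases as [$path, $name, $mime]) {
    try {
        echo $name, ': accepted as ', validateUpload($path, $name, $mime), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $name, ': ', $e->getMessage(), PHP_EOL;
    }
}
unlink($png);
unlink($fake);
```

With the constructed inputs the genuine PNG is accepted, the PHP file named scan.png is rejected because libmagic does not report an allow-listed type for it, and scan.php.png is refused for its double extension. Storing accepted files outside the web root under a server-generated name is the other half of the control; validation alone does not stop a correctly typed file from being served back as active content if the web server is allowed to execute from the upload directory.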
DE.CM-6: External service provider activity is monitored
Evidence: Stripe webhook monitoring, email service status tracking

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software
Evidence: Session tracking, authentication logs, rate limiting system

DE.CM-8: Vulnerability scans are performed
Evidence: Vulnerability Management Policy.md, Composer.lock Security Scan History.
Detection Processes

DE.DP-1: Roles and responsibilities for detection are well defined
Evidence: Admin role system, automated monitoring, alert notifications

DE.DP-2: Detection activities comply with all applicable requirements
Evidence: GDPR compliance, privacy policy, data protection measures

DE.DP-3: Detection processes are tested
Evidence: Detection Testing Procedures.md, Security Testing Log (admin records), Rate Limits Table History.

DE.DP-4: Event detection information is communicated
Evidence: Admin email notifications, user notification system, service status dashboard (/service-status), error notification emails, automated monitoring alerts

DE.DP-5: Detection processes are continuously improved
Evidence: NIST compliance dashboard, continuous improvement process

Response Planning

RS.RP-1: Response plan is executed during or after an incident
Evidence: Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Communications

RS.CO-1: Personnel know their roles and order of operations
Evidence: Cybersecurity personnel identified (ID.AM-6), admin role documentation, incident response procedures, escalation contacts

RS.CO-2: Incidents are reported consistent with established criteria
Evidence: Support ticket system, admin alert mechanisms, service_status table, incident classification system, automated notification triggers

RS.CO-3: Information is shared consistent with response plans
Evidence: Service status page, notification system, user communication channels

RS.CO-4: Coordination with stakeholders occurs
Evidence: Support ticket system, admin dashboard, stakeholder communication

RS.CO-5: Voluntary information sharing occurs with external stakeholders
Evidence: Internal incident communication, public status page
Analysis

RS.AN-1: Notifications from detection systems are investigated
Evidence: Error logging system, admin monitoring dashboard, support ticket investigation

RS.AN-2: The impact of the incident is understood
Evidence: Service status levels (operational/degraded/outage), impact tracking

RS.AN-3: Forensics are performed
Evidence: Digital Forensics Protocol.md, Admin Activity Logs, Forensic Archival Records.

RS.AN-4: Incidents are categorized consistent with response plans
Evidence: Service status categories, support ticket types, incident classification

RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities
Evidence: Composer security advisories, dependency update workflow, security patch deployment, audit findings implementation, NIST compliance continuous improvement
Mitigation

RS.MI-1: Incidents are contained
Evidence: Maintenance mode, rate limiting system, authentication controls

RS.MI-2: Incidents are mitigated
Evidence: ErrorController, automatic error recovery, admin tools

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Evidence: Security update history, dependency version upgrades, code fix commits, NIST compliance status tracking, risk acceptance documentation in compliance notes
Improvements

RS.IM-1: Response plans incorporate lessons learned
Evidence: Post Incident Review Protocol.md, Internal Security Testing Logs.

RS.IM-2: Response strategies are updated
Evidence: NIST compliance updates, continuous security enhancements

Recovery Planning

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
Evidence: Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Improvements

RC.IM-1: Recovery plans incorporate lessons learned
Evidence: Post Incident Review Protocol.md, Internal Security Testing Logs.

RC.IM-2: Recovery strategies are updated
Evidence: NIST compliance monitoring, recovery process updates
Communications

RC.CO-1: Public relations are managed
Evidence: Public status page at /status, user notification system

RC.CO-2: Reputation is repaired after an incident
Evidence: Service Status, Automated Incident Notification Templates.

RC.CO-3: Recovery activities are communicated to stakeholders
Evidence: Internal communication channels, user notification system, service_status table and dashboard, vendor contact procedures, stakeholder communication templates, public recovery announcements

Our Commitment to Security

Direct policies and contacts for your security

Responsible Disclosure

If you discover a security vulnerability, we ask you to report it to us responsibly:

Report a vulnerability

Security Team

Do you have questions about our security, or do you need information for an audit?

  • DPO: available for GDPR requests
  • NDA: we sign non-disclosure agreements
  • Audits: we share reports with enterprise customers

Contact the team

Do you have questions about our security?

Our security and compliance team is available to answer your questions.

Contact the security team