EQS Trust Center

We would like to inform you about an upcoming migration to a new hosting platform affecting customers using Compliance Cockpit and BKMS System with private cloud hosting at T-Systems.

Schedule & Scope

Saturday, April 18, 10:00 – 12:00 (CEST)

Migration of Data Center and Integrity Line

Impact: During the maintenance window, users may experience short interruptions affecting login, web intake, and the Compliance Cockpit.

Sunday, April 19, 10:00 – 12:00 (CEST)

Migration of BKMS System

Impact: During the maintenance window, users may experience short interruptions affecting login, web intake, and the BKMS System.

Additional Information

We are working to minimise any disruption and ensure a smooth transition to the new hosting environment. Services will be fully restored once the maintenance windows are completed.

If you have any questions, please contact our support team.

Thank you for your understanding.

We’re excited to share that EQS Groups Denver location has successfully achieved TISAX® Assessment Level 3 (AL3) for the following objectives:

• Data protection (including special categories of personal data)
• Very high availability
• Strict confidentiality

This is the highest assessment level within the TISAX framework and confirms that our site meets very stringent information security requirements expected by partners in the automotive industry. The scope covers all relevant processes and resources related to the collection, storage, and processing of information.

The assessment is valid until September 23, 2028, reinforcing our long-term commitment to maintaining strong security standards and building trust with our customers and partners.
The TISAX decorative assessment document can be accessed here in our Trust Center at https://trust.eqs.com/product/eqsgroup/tisax

Popular projects from Zapier, ENS Domains, PostHog, and Postman were temporarily "trojanized" by threat actors, leading to GitHub repos populated with stolen victim data. Some of these packages are highly prevalent with several developers.

Newly compromised packages continue to surface. The number of identified compromised packages is steadily growing, currently at circa 700. The blast radius is already massive – 25,000+ malicious repos across circa 500 GitHub users. For more technical information, kindly see this post from Wiz: https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack

What has EQS done?

First, EQS does not use GitHub directly. EQS hosts its source code on private, internal repositories. Packages borrowed from public repositories are tightly scanned with multiple tools and vetted before inclusion and use.

To identify this potential threat, EQS has built a dedicated scanner which tries to identify known compromised packages and inspect dependencies against them. The scanner also parses all installation actions from packages, since exploitation happens during the installation. EQS has simulated how installation scripts work to identify signs of malicious traffic and exploitation.

Furthermore, potential secret exposures coming from the CI/CD pipeline has been assessed. All variables in the CI/CD pipelines has been inspected to detect cloud credentials, Kubernetes registry credentials, SSH keys, and so on.

Finally, we have used our CNAPP tool to scan for the presence of vulnerable packages directly on our hosting environments (both QA and production).

Results

EQS has detected no signs of compromise or vulnerability to this attack.

For further information, don't hesitate to contact infosec@eqs.com.

In May, EQS Group completed its ISO/IEC 27001/27017/27018 re-certification. After two successful onsite audits in Denver, Colorado, U.S.A., in September and Neuilly-sur-Seine (Paris), France, in October, EQS Group is delighted to announce that both locations are now part of the certification scope and listed in the certificate.

EQS Group maintains strict security measures as part of its Information Security Management System at all of its offices worldwide. By adding these two major offices to the certification scope and therefore subjecting them to regular external surveillance audits, EQS Group further enhances transparency and strengthens trust with customers internationally, reinforcing its pledge to secure and reliable handling of sensitive data for its 14,000+ customers.

Interested parties can reach the ISO/IEC certificate in English and German at this URL: https://trust.eqs.com/product/EQS+Group/iso27001

To reiterate its commitment to robust security practices and transparent assurance measures, EQS Group has successfully completed two SOC 2 Type II examinations for its compliance solutions. The examinations were performed in accordance with the attestation standards established by the American Institute of Certified Public Accountants (AICPA) and ISAE 3000, an international standard for assurance engagements issued by the International Auditing and Assurance Standards Board (IAASB).

EQS Group provides these SOC 2 Type II reports to support customers who must demonstrate strong due-diligence and supplier-assurance practices when working with cloud-based compliance tools that process sensitive information.

The System and Organization Controls (SOC) standards are attestation standards designed to assess the effectiveness of internal controls that support secure, reliable, and confidential processing of data. The SOC 2 examinations were performed by an independent, licensed CPA firm (Schellman), based on the applicable AICPA Trust Services Criteria, which outline core principles across security, availability, and confidentiality.

The examinations covered two EQS Group platforms over different review durations: five months for the EQS Compliance COCKPIT and twelve months for the Convercent platform. Both examinations included evidence provision and a three-day onsite assessment with extensive interviews at EQS Group headquarters in Munich.

Completing the SOC 2 Type II examinations for both platforms reinforces EQS Group’s commitment to operating services with clearly defined, tested, and continuously improved controls and to providing transparent assurance materials that support customer trust and informed decision-making.

To reach the SOC 2 reports, head to https://trust.eqs.com/product/EQS+Group/soc-2-type-2 (accessible to customers with a valid NDA).

For further questions, please contact infosec@eqs.com.
 

The EQS team