Information Security

Do you suspect a security leak in Citavi? 

If so, please let us know by sending an email to We will then get in touch.

How we keep Citavi safe 

Internal security at Swiss Academic Software 

Our security begins in-house.

As part of our long-term strategy we've moved all of our in-house services to the cloud (GitHub, Office 365, Azure, etc.). We no longer have an in-house server. By using the cloud services we are able to benefit from the high security standards that our cloud providers offer. As such, we indirectly fulfill many security requirements that we otherwise could not offer being a small company.

We do not run any virtual machines in the cloud, for which we would have to guarantee security and updates ourselveds. Instead we rely on software as a service (SaaS) solutions.

We make sure that our client computers are always up-to-date. In case of physical theft, our hard drives are password-protected. We also have strong measures in place to prevent access to our network.

All cloud services that we use are secured with two-factor authentication. This means that even if a hacker could steal user names and passwords from us, he or she would not be able to log into our systems.

Development team 

We provide security training for our developers and ensure that security is always one of their concerns. We also make sure to stay up-to-date with new developments (especially on OWASP) and make sure to use all best practices. These include:

External tests 

An external expert regularly tests our systems and services for weak areas in penetration tests.


For our web services we use Microsoft Azure Cloud. We run our server as WebApps (also known as platform-as-a-service). This means that Microsoft ensures the security of these servers at multiple levels.


All communication with our servers is always encrypted (https / TLS).


We use the industry standard OAuth2 Citavi Account registration. For the implementation we use Identity Server, a widely used, well kept up, and established standard component.

Our users' passwords are processed by this component and, after many Hash processes, are saved in our database. We never save unencrypted passwords at any time. It's also not possible to determine the original password from the hashed password.

Project Database

Cloud projects are saved in an SQL Azure database. We use multiple measures in our code and at the database level to ensure that a user can never see anyone else's project information – even if one of our developers would accidentally write a false SQL query.

SQL Azure simultaneously mirrors all data on three instances, so that no data is lost if there is a hardware failure. SQL Azure creates automatic backups every minute and saves these for 7 days. If an entire data center has an outage, the data will be continuously copied to another data center.

SQL Azure data is encrypted on a physical level, which makes it inaccessible for external attackers to access the storage systems of the database. The data are not encrypted for Swiss Academic Software – this is not possible for technical reasons. This means that a developer with administration access in the production environment can access users' Citavi project data and attachments. For this reason, we've limited the number of people who have administration access to the production environment to a very small number. These developers are strictly prohibited from viewing user data.