Information Security Policy
Principles of our Information Security Policy
- Our Information Security Management System (ISMS) comprises a framework of general and specific Information Security policies (our Information Security Policy Framework), which shall be known and applied depending on your role and/or relationship with our organization.
- Our ISMS shall include, consider and reflect both our internal information security requirements, as well as laws, regulations, and all relevant contractual obligations applicable to our different activities. We shall review these requirements regularly, at least once a year, to ensure continuous compliance.
- Also, in order to guarantee the effectiveness of our ISMS, our Information Security Policies (as well as the corresponding procedures, processes, objectives, and controls) shall be regularly reviewed, both at planned intervals and when significant changes occur, to ensure continuing suitability and adequacy. Thus, we shall check the relevant and applicable Information Security Policies regularly, to know and apply the corresponding information security responsibilities and ensure compliance at all times.
- Reviews of our ISMS shall be conducted regularly, at planned intervals, and when significant changes occur, both internally and externally by independent auditors. These reviews shall help us analyze any deviations in effectiveness, improve our ISMS and keep up to date with current information security best practices. However, on top of these reviews and as an organization, we all shall commit to the continuous improvement of our ISMS on an everyday basis. We aim and are committed to promoting a culture of awareness, adequacy, best practices and continuous improvement in information security.
- Our Management, our Chief Information Security Officer (CISO), the CISO-Office and those persons designated as Information Security Delegates shall regularly review the compliance of the information systems, policies, and procedures within their corresponding area of responsibility, to ensure that the appropriate security policies, procedures, controls and/or other information security requirements are in place.
- To facilitate compliance, we shall give appropriate training and education in the relevant and corresponding policies and procedures applicable to the corresponding role and/or relationship with our organization. However, training and education for third parties may be omitted if it is provided externally to the extent applicable in relation to the activities conducted for our organization. Our CISO, the CISO-Office and/or our Management will decide to which extent training and/or education is applicable in each case.
- We shall take the appropriate measures to detect, prevent, and, when necessary, recover from malware and any other kind of security incident. Additionally, to increase our resilience in these matters and depending on your role and/or relationship with our organization, we shall commit to increasing your awareness through the appropriate communications and information. Any person who identifies a Security Incident is urged to report it immediately by sending an email to security.incident@opinator.com.
- Depending on your role and/or relationship with our organization and considering the criticality of the information you may have access to, we shall require you to sign a confidentiality and/or Non-Disclosure Agreement. Confidentiality and Non-Disclosure Agreements shall identify the character of your relationship with our organization and determine what shall be regarded as Confidential Information, how it shall be protected, and the term of your obligations with regard to all these matters. All confidentiality and/or Non-Disclosure Agreements shall be reviewed regularly, at least once a year, to ensure that the above-mentioned requirements are met at all times and up to date.
- When possible, we shall prefer not to outsource core activities of our organization, such as system, software and/or technology development to third party vendors or suppliers. However, in case any core activity is outsourced, we shall supervise and monitor the outsourced activities based on the corresponding objectives, requirements and/or key indicators relevant for each outsourced activity.
- We shall protect both our own information assets and the information assets of third parties which we may manage, focusing on a balanced protection of the confidentiality, integrity and availability of these information assets, by implementing an efficient ISMS that is adapted and regularly adjusted to the specific characteristics of our organization and its activities. In the multi-tenant platforms that we operate, each customer shall have a separate account, in order to guarantee that data is segregated and only accessible to the corresponding account.
All these principles have been defined and approved by our Management and are herewith published and communicated for compliance by each corresponding party.
Thank you for your collaboration.
Updated September 26, 2023
Last revision September 26, 2023