Information Security Policy

Overview

The Actonic GmbH Information Security Policy was compiled in accordance with the ISO 27001 Information Security Management System standard. The Policy outlines a systemic approach to the process of managing sensitive third-party data and information in relation to the Actonic family of products.

Note that the term “data” is used in this document to indicate data (plural and singular) as well as the information that data represents.

Objective

The objective of this Policy is to establish the process and procedures aimed at protecting sensitive third-party data.

Process

At a high level, Actonic GmbH will ensure that the following process is in place:

  • Identify, for each product, what sensitive data is being stored.

  • Clarify how sensitive the data is stored, breaking it down into as granular sections as required.

  • Actively avoid storing sensitive data wherever possible.

  • Where sensitive data must be stored, ensure it is stored in the most secure sections of our infrastructure and will not be transferred to less secure sections (unless under appropriate encryption during transit).

  • Where sensitive data is managed by a third party, ensure those parties implement robust security policies and actively check that those policies are updated and enforced.

  • Actively review internal code for security vulnerabilities and ensure understanding of the process to follow when any are found.

  • Actively review any external code in use for security vulnerabilities and ensure understanding of the process to follow when any are found.

Responsibility

The roles of senior staff in relation to sensitive data are:

  • Continuous review of the implementation of this policy - CEO

  • Risk identification and analysis - CTO

  • Instilling a culture of security awareness in the company - CEO

  • Communication and review following a breach - CEO

Reviews

  • Review of this Policy and its enforcement - Annually

  • Security Risk Review - Quarterly