Information Security Policy (ISP)
Effective Date: September 2, 2024
Last Updated: February 3, 2025
1. PURPOSE AND SCOPE
The purpose of this Policy is to establish the framework and principles for ensuring the security of all information processed at VeriSearch.AI Sp. z o.o., including personal data entrusted by clients. This Policy applies to all company operations, systems, employees, associates, and subcontractors.
2. DEFINITIONS
- Information: Data in any form (digital, paper, oral) that has value to the Company or its clients.
- Information Security: Ensuring the confidentiality, integrity, and availability of information.
- System: AI-based solutions operated by VeriSearch.
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
3. INFORMATION SECURITY PRINCIPLES
- Confidentiality: Access to information is restricted to authorized individuals only.
- Integrity: Information is accurate, complete, and protected from unauthorized modification.
- Availability: Information is accessible to authorized users when required.
4. RESPONSIBILITY AND OVERSIGHT
The Management Board is responsible for the implementation and maintenance of this Policy.
Direct operational oversight is carried out by a designated Information Security Officer. The Company has conducted an internal analysis and determined that, at this stage of its operations, it does not meet the mandatory criteria for appointing a Data Protection Officer (DPO) in accordance with Art. 37 of the GDPR.
Every employee, contractor, and associate is obligated to comply with the principles of this ISP.
5. INFORMATION CLASSIFICATION
Information is classified as: Public, Internal, Confidential, and Personal Data. Appropriate security measures are applied to each class, as detailed in Annex 1 to this Policy (Information Security Measures Matrix).
6. TECHNICAL AND ORGANIZATIONAL MEASURES
The Company applies modern technical and organizational measures to protect information, including but not limited to: Role-Based Access Control (RBAC), Two-Factor Authentication (2FA), encryption of data in transit (TLS 1.2+) and at rest (AES-256), regular backups, Disaster Recovery Plans (DRP), network protection (WAF), and anti-malware protection.
7. INCIDENT MANAGEMENT
A procedure for reporting and managing security incidents has been implemented, and an internal register of all incidents is maintained. Where the Company processes personal data on behalf of a client, it acts as a processor and notifies the client (data controller) of any personal data breach without undue delay after becoming aware of it, as required by Art. 33(2) of the GDPR, so that the client can assess the breach and, where required, notify the supervisory authority. Where the Company acts as a controller of personal data in its own right, it notifies the supervisory authority (UODO) in accordance with Art. 33 of the GDPR, without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
In the event of a breach likely to result in a high risk to the rights and freedoms of natural persons, the Company's notification to the client includes the information the client needs to fulfil its obligation to inform the data subjects in accordance with Art. 34 of the GDPR.
8. TRAINING AND AWARENESS
All employees and associates undergo mandatory training on GDPR and information security and regularly participate in awareness tests (e.g., phishing simulations).
9. VENDOR AND SUB-PROCESSOR MANAGEMENT
All subcontractors (sub-processors) processing personal data operate under a Data Processing Agreement (DPA). Each sub-processor is vetted for compliance with security and GDPR requirements. An up-to-date list of sub-processors is publicly available and forms part of the DPA.
The Company's priority is to use sub-processors that enable data processing exclusively within the European Economic Area (EEA). Any potential transfer of data outside the EEA is treated as an exception, requires client notification, and is carried out solely on the basis of appropriate legal mechanisms (e.g., SCCs).
10. PRIVACY BY DESIGN & BY DEFAULT
Systems are designed from the outset with the principles of data minimization, pseudonymization, and access control in mind, and their default settings ensure the highest level of privacy.
11. FULFILLMENT OF DATA SUBJECT RIGHTS
As a data processor, the Company provides the technical and organizational mechanisms to support its clients (data controllers) in fulfilling data subject rights requests (in accordance with Art. 15-22 of the GDPR).
12. DATA RETENTION AND DELETION POLICY
- Client data is stored for the period agreed upon in the contract. In the absence of a specific agreement, data is permanently deleted within 90 days of contract termination.
- System and application logs are stored for up to 30 days.
- Security and audit logs, necessary to ensure accountability, are stored for a period of 12 months.
- Production data backups are rotated in accordance with the backup policy and retained for no longer than 30 days. Data deleted from production therefore persists in backups until the last backup containing it is rotated out, i.e., for at most 30 days after deletion.
13. CONTROL AND AUDIT POLICY
The client (data controller) has the right to conduct an audit of data processing compliance under the terms specified in the contract. The Company conducts regular internal audits at least once every 12 months.
14. POLICY UPDATES
This Policy is reviewed and updated at least annually, or more frequently in response to significant regulatory, organizational, or technological changes.
Annex 1 to the Information Security Policy
Title: Information Security Measures Matrix
1. Introduction
This matrix details the provisions of Section 5 of the Information Security Policy. It defines the minimum required technical and organizational measures applied to protect information based on its classification. If information falls into multiple categories (e.g., it is both Confidential and Personal Data), the more restrictive set of safeguards will always be applied.
2. Definitions of Information Classes
- Public: Information intended for public dissemination, the disclosure of which poses no risk to the Company (e.g., marketing materials, public blog posts).
- Internal: Information for use within the organization, not publicly available, the unauthorized disclosure of which could cause limited harm to the Company (e.g., internal procedures, meeting notes).
- Confidential: Key business and technical information, the unauthorized disclosure of which could cause serious harm to the Company, its clients, or partners (e.g., source code, financial data).
- Personal Data: Any information relating to an identified or identifiable natural person, processed by the Company on its own behalf or on behalf of its clients, subject to special protection under the GDPR.
3. Security Measures Matrix
Security Measure / Principle | Public | Internal | Confidential | Personal Data |
---|---|---|---|---|
ACCESS CONTROL | ||||
Access Restriction (Authentication) | – | ✓ | ✓ | ✓ |
Role-Based Access Control (RBAC) | – | ✓ | ✓ | ✓ |
Principle of Least Privilege | – | ✓ | ✓ | ✓ |
Two-Factor Authentication (2FA/MFA) Requirement | – | ✓ | ✓ | ✓ |
Access Logging and Monitoring | – | ✓ | ✓ | ✓ |
ENCRYPTION | ||||
Encryption in Transit (TLS 1.2+) | ✓ | ✓ | ✓ | ✓ |
Encryption at Rest (AES-256) | – | ✓ | ✓ | ✓ |
DATA LIFECYCLE MANAGEMENT | ||||
Information Labeling/Tagging | – | ✓ | ✓ | ✓ |
Restrictions on External Sharing | – | ✓ | ✓ | ✓ |
Defined Retention Period | – | ✓ | ✓ | ✓ |
Secure Deletion Procedure | – | ✓ | ✓ | ✓ |
RESILIENCE & BUSINESS CONTINUITY | ||||
Regular Backups | ✓ | ✓ | ✓ | ✓ |
Disaster Recovery Plan (DRP) | – | ✓ | ✓ | ✓ |
Network Security (WAF, Firewall) | ✓ | ✓ | ✓ | ✓ |
Malware Protection | ✓ | ✓ | ✓ | ✓ |
ORGANIZATIONAL & LEGAL MEASURES | ||||
Staff Security Training | – | ✓ | ✓ | ✓ |
Clean Desk and Clear Screen Policy | – | ✓ | ✓ | ✓ |
Non-Disclosure Agreements (NDAs) | – | ✓ | ✓ | ✓ |
Application of Privacy by Design Principles | – | – | – | ✓ |
Data Processing Agreement (DPA) | – | – | – | ✓ |
Support for GDPR Data Subject Rights | – | – | – | ✓ |
Legend:
✓ = Measure is required and applied.
– = Measure is not required or not applicable.
4. Final Provisions
This matrix defines the standard, minimum levels of security. The Information Security Officer, in consultation with the Management Board, may decide to apply additional or more restrictive security measures for specific information assets based on a risk analysis, contractual requirements, or applicable laws. This matrix is subject to regular review and updates along with the main Information Security Policy.