The business we have created is associated with the intensive use of personal data, so we recognize that data protection is paramount to business continuity and apply the highest standards to ensure it. We are committed to secure data management throughout its lifecycle.

Most of the information we create and use in our work is either for internal use only or will only be publicly disclosed at certain times and for a specific purpose. Confidential information can take many forms, including trade secrets, research and financial projections, and consumer data.

The trust of our customers and partners is critical to our business. Treating personal data with due care and respect is necessary to build trust, protect our company's reputation and achieve our strategic goals.

Cyber security

Cyber security

Our information security management system is a structure based on three pillars: people, processes and technology, in accordance with the ISO 27001 standard.

People

Attention from the company's top management and ongoing staff training allows the organization not only to comply with complex and changing data protection regulations, but also to help raise the awareness of internal and external stakeholders.

All employees of our company must:

  • keep confidential commercial and industrial secrets, as well as other information that has become available as a result of an employment relationship, including in relation to family members or friends. This applies to information about commercial partners and customers that is not publicly available. The obligation to maintain trade secrets remains in effect after the termination of the employment relationship.
  • protect company confidential information from inadvertent disclosure by never creating, accessing or using our confidential information in a public environment where it can be overheard or viewed.
  • protect confidential information from theft by using only company-provided tools and software, and create and store passwords in accordance with our policies and standards.
  • comply with our IT infrastructure and information security policies and standards as well as our policies regarding disclosure to social media or other channels.

Training and awareness campaigns for all employees ensure that a high level of personal data protection is maintained in all business processes.

A thorough background check of potential employees is an essential part of our company's recruitment process.

Processes

Any disclosure of confidential information outside the company and for some types of information even within the company is strictly controlled to best protect the interests of our company, partners, consumers and employees. It is imperative that information security best practices be followed to ensure that these interests are adequately protected. It is also crucial to remain vigilant against inadvertent disclosure of company confidential information, which can be as damaging to the company as intentional disclosure.

The processing of personal data in our company is automated, given the significant volumes of personal data that we process and the need for security, speed and reliability of their maintenance. In order to reduce the risk, customers' personal data is deleted after the processing of documents is completed.

We conduct regular IT audits to ensure the confidentiality, availability and integrity of information, as well as the compliance of the information security management system with laws, data protection standards and policy regarding the processing of personal data and identify weaknesses in information systems.

Technology

All the information we generate is stored digitally in our DMS system. Information security is the practice of protecting information by restricting any unauthorized or otherwise improperly obtained access to, disclosure, destruction, alteration or copying of such information.

We use advanced security practices to strengthen our protection against cyber attacks. Each of our branches has an encrypted VPN connection and is protected by firewalls. Personnel only have access to the applications for which they are responsible and also have limited access within the application. Each server is located in an ISO 27001 certified data center and has its own firewall and antivirus. All traffic in and out of our network is encrypted and constantly monitored, and if unusual behavior is detected, immediate action is taken.

To ensure information security, we have implemented and use a Defense in Depth (DiD) strategy, which includes a set of multi-layered and redundant procedures and means of physical and administrative control, as well as technical protection against various threats, such as:

  • Firewall. We use firewalls that focus on detecting and blocking malicious activity targeted at a specific application or the entire network.
  • Network segmentation. We have divided our networks into logical subnets based on our business processes. These networks are unable to interact directly with each other, providing protection of information even if part of the network is under attack.
  • Patch management. We monitor the status and perform regular updates of software, operating systems, and network equipment, to eliminate known vulnerabilities that can lead to unauthorized access to computer systems or networks.
  • IDS/IPS system. We have implemented and applied an intrusion detection and prevention system, which alerts when potentially malicious network traffic is detected and blocks malicious activity on the network or user desktop.
  • DLP system. Our company implements a data loss prevention system to prevent the transmission of confidential and sensitive information by end-users to unauthorized recipients outside the company.
  • Antivirus software is installed on all user computers in the company network, including laptops and mobile devices of users, and provides antivirus protection.
  • Privileged Access Management (PAM). Passwords are stored and distributed in a secure repository, regularly reviewed. We use multi-factor authentication wherever possible. In accordance with the Principle of Least Privilege (POLP), users, systems, and processes are granted access only to those resources that are absolutely necessary to accomplish their assigned purpose.
Data protection

Personal data protection

Our privacy management principles comply with the "gold standard" of the EU General Data Protection Regulation (GDPR). We consistently apply these principles around the world as a minimum standard for managing the information that our clients have entrusted to us, even if this is not required in specific countries.

Personal data is any information that directly or indirectly identifies and describes an individual. This personal information may relate to consumers, our work colleagues, our business partners or other third parties. Privacy is the right of individuals to know and influence how and why their personal information is collected and processed. In addition, almost everywhere we do business, there are privacy laws in place. Any failure to comply with these laws may result in fines, lawsuits or criminal prosecution against both the company and our individual employees.

All employees, including those in our subsidiaries, as well as contractors, consultants, partners, and any external entities acting on our behalf, must comply with this policy. To ensure compliance and maintain the highest standards of data protection, all individuals handling personal data are required to:

  • Process, disclose, or use protected personal data only for authorized purposes, strictly within job responsibilities and in compliance with legal and ethical standards. The duty to maintain confidentiality continues even after employment ends.
  • ensure that personal information is not disclosed to unauthorized internal or external parties.
  • when in doubt, ask your supervisor how to handle personal information.
  • report any known or suspected unauthorized use or disclosure of personal data immediately.

All our employees understand their responsibilities and are accountable for ensuring that their activities comply with the principles and laws on the personal data protection.

Our goals and objectives for data protection

Our goal is to establish a comprehensive, legally compliant, and resilient data protection framework that ensures the secure, ethical, and transparent handling of personal data. This framework is designed to safeguard the rights and privacy of employees, customers, business partners, and stakeholders, while maintaining operational efficiency and regulatory compliance.

Our privacy principles

To achieve our goals and objectives, we focus on the following key principles:
  1. Transparency: We inform customers about how we plan to use their personal data.
  2. Fair and lawful Use: We only use customer personal information in accordance with applicable law and only when we have a legitimate reason to do so.
  3. Purpose limitation: We use customer information only for specific purposes and in no other way.
  4. Data minimization: We do not retain any customer data for longer than is necessary to provide the requested service or to pursue our legitimate interests. No copies of applicants' data are made or stored, either digitally or physically.
  5. Privacy by design: We make sure that our services and technologies are designed with the privacy of our customers in mind.
  6. Data accuracy: We strive to maintain appropriate data quality standards.
  7. People's rights: We respect people's right to privacy.
  8. Data security: We maintain appropriate standards for protecting personal data and delete it as soon as it is no longer needed, in accordance with data protection laws.
  9. Data transfer: If we need to transfer customer information to a third party, we make sure that such transfer is secure and in accordance with the law. For example, paper documents are sent only by reliable courier services.
  10. Third parties: When we choose a third party service provider, we implement due diligence, monitoring, and security measures to ensure that our customers' information is adequately protected and legal requirements are met.
By integrating these principles into our daily operations, we ensure that personal data remains secure, compliant, and responsibly managed, reinforcing the trust that our employees, customers, and stakeholders place in us.

Measures to ensure the security of personal data:

  • Restrict and monitor access to sensitive data.
  • The online application form is stored in a secure, ISO 27001 certified data center, fully encrypted and has controlled access.
  • Physical media is securely guarded for access control purposes, and any electronic data is encrypted.
  • Data is transmitted securely only in encrypted form and only over encrypted transmission channels.
  • All data is deleted at the end of the order processing period. We delete all data after the statutory deadlines.
  • We conduct ongoing security audits to assess risks, compliance, and identify potential vulnerabilities.
  • All employees undergo mandatory training on data privacy and cybersecurity best practices.

In addition to ways of handling the data the company has direct obligations towards people to whom the data belongs. Specifically we must:

  • Let people know which of their data is collected
  • Inform people about how we'll process their data
  • Inform people about who has access to their information
  • Have provisions in cases of lost, corrupted or compromised data
  • Allow people to request that we modify, erase, reduce or correct data contained in our databases

Personal data protection governance

The personal data protection is monitored by the top management responsible for compliance with the requirements set forth in the laws and regulations on the data protection. In addition, the company's management ensures that our policy regarding the processing of personal data is consistent with our business strategy, ensuring the sustainable development of the business. We are deeply committed to ensuring the highest standards of information security and data privacy in all of our business processes.

As part of the Speak Up! policy, employees are encouraged to report data privacy incidents directly to senior management.

Data Protection Impact Assessments (DPIA)

To ensure that we proactively identify and mitigate potential risks to the rights and freedoms of individuals, we conduct Data Protection Impact Assessments (DPIAs) where required by law or when processing activities are likely to result in high risks to personal data.

Our DPIA process involves a structured risk assessment that includes:

  • Describing the nature, scope, context, and purposes of data processing
  • Assessing the necessity and proportionality of processing operations
  • Evaluating the potential risks to individuals' rights and freedoms
  • Identifying appropriate technical and organizational measures to mitigate risks

We carry out DPIAs as part of our standard procedure when introducing new technologies, systems, or processes that involve personal data. The results of DPIAs are reviewed and, if needed, submitted to supervisory authorities as required by GDPR Article 35.

By conducting DPIAs, we ensure that data protection is embedded in our decision-making processes and that our practices are aligned with both legal requirements and the expectations of our customers and stakeholders.

Consequences of non-compliance

Violating data protection laws and company policies may result in:

  • Internal Disciplinary Actions – Including formal warnings, job suspension, or termination.
  • Legal Consequences – Employees may face civil or criminal liability for severe breaches.
  • Company Sanctions – Regulatory fines, lawsuits, or reputational damage.

All employees are responsible for upholding these privacy and security standards to protect personal data and maintain the trust of our customers, partners, and stakeholders.

Business continuity and disaster recovery for ensuring business resilience

Business continuity and disaster recovery for ensuring business resilience

Failures or business disruption due to a cyberattack can have devastating consequences for a company and may disrupt the entire supply chain, leading to financial and reputational losses. In today's digital-dependent world, every second counts. The longer the recovery time, the greater the negative impact on the business.

Our business continuity policy pursues three objectives:

  1. Demonstrate the commitment of the company's management and its leadership role in ensuring business continuity.
  2. Form a common understanding within the company and beyond about the importance of business continuity for resilience.
  3. Encourage actions to ensure business continuity and disaster recovery.

With the emergence of big data, cloud technologies, and mobile devices, our company has to deal with processing and storing significant volumes of data. Disaster recovery plans have become much more complex to accommodate much larger volumes of data from various devices. To ensure resilience, a disaster recovery plan is applied, which includes an integrated strategy and advanced technologies, incorporating backup and data recovery orchestration.

These disaster recovery solutions help us quickly restore information systems during and after a cyberattack.

Business continuity planning covers all aspects of the business, including:

  • Business processes
  • Human resources
  • Supply chains

Our business continuity strategy addresses the questions:

  • What failure points exist in the organization?
  • What are the critical dependencies on equipment, personnel, suppliers, or other third parties?
  • What workarounds exist for the disruption of any of them?
  • What organizational processes, personnel, skills, and technologies are necessary to ensure business continuity and full recovery after a disaster?

Risk management

Our approach utilizes advanced technologies and best practices for risk assessment, prioritization, and protection of business-critical applications and data.

For our company, risk management includes evaluating the business continuity strategy and disaster recovery plans. Before creating a disaster recovery plan, we conducted a business impact analysis (BIA) and risk analysis (RA) and set recovery objectives. By analyzing, testing, and improving these plans, we gain more opportunities to ensure business resilience.

Disaster recovery plan

The main goal of the disaster recovery plan is not only to ensure data recovery but also to minimize the consequences of a disaster for business processes and enable the company to quickly return to normal operations after a natural disaster.

The disaster recovery plan identifies which applications are most important for business operations. The recovery time objective (RTO) describes the target amount of time during which a business application can be offline. The recovery point objective (RPO) describes the age of files that need to be recovered from backup storage before normal operations can resume.

The disaster recovery plan, designed in accordance with BSI 100-4 standard, includes:

  • Roles and responsibilities for implementing the disaster recovery plan
  • A list of potential risks to critical systems and confidential information
  • Procedures for reporting natural disasters, event escalation, recovery of critical operations, and resumption of normal operations
  • Information security requirements throughout the process
  • Inventory of backups and remote storage
  • Emergency action plans for different types of disaster situations
  • Availability of planned documentation

Disaster recovery plan testing

We increase the resilience of the company by updating BC and DR plans and regularly testing them.

Testing the business continuity and disaster recovery plan ensures that the established recovery procedures will work properly to maintain business operations. The testing phase also identifies areas for improvement, which are incorporated into the next version of the plan.

To assess the effectiveness of the disaster recovery plan, we conduct regular internal audits. The audit is aimed at detailing risks and verifying control measures to determine if these risks are acceptable for the organization.

Our concrete measures to ensure business continuity

To respond quickly, in a coordinated and effective manner in the event of a crisis, we have implemented the following operational measures:

  • Development of a comprehensive disaster recovery (DR) plan based on the BSI 100-4 standard
  • Regular performance of business impact analyses (BIA) to prioritize critical business processes
  • Deployment of redundant systems and backup solutions with automated recovery processes
  • Risk assessments (RA) based on up-to-date threat scenarios, particularly in the area of IT security
  • Contracts with external service providers to outsource emergency operational capacities
  • Structured documentation of all relevant processes and responsibilities
  • At least one recovery test per year, conducted through real-time simulation
  • Internal audits to assess the effectiveness of our measures
  • Awareness-raising and targeted training of all employees, tailored to their respective roles in emergency procedures
  • Provision of a crisis communication plan to enable rapid information flow both internally and externally

Employee training for maximum resilience

The success of business continuity and disaster recovery programs depends on proper employee training, which ensures the readiness of employees to respond to crises.

Disaster recovery training for employees includes both company management directly responsible for ensuring continuity and all other employees, which raises awareness, encourages a corporate culture of creating and maintaining business continuity, and fosters wider participation in recovery efforts.

Our understanding as a resilient company

As an internationally operating company, we place the highest importance on business continuity. We see resilience not merely as a technical challenge, but as a strategic objective. Through forward-looking planning, regular testing, and targeted training, we ensure that our company remains operational even in times of crisis – to protect our customers, partners, and employees.