Information Security Commitment
Salesupply Inc. Security Policy
At Salesupply, we are dedicated to safeguarding your data with robust security and privacy measures. This guide outlines our comprehensive approach to protecting the information entrusted to us.
Our Security Framework
This section outlines the foundational policies, governance, and certifications that form the backbone of our Information Security Management System (ISMS).
Formal Policies
We have a clearly documented Information Security Policy, approved by our Management Board on January 8, 2021. This policy is distributed through an online system and is mandatory for all Salesupply staff. It will be reviewed annually. Our Data Processing Agreements (DPAs) with customers and sub-processors further define our data protection and privacy commitments.
Risk Management
Our Information Security Policy states that identified risks are subject to a risk assessment, and the risk assessment and treatment plan are developed based on ISO 27005 guidelines.
Dedicated Responsibility
The Management Board is responsible for the Information Security Policy. The Information Security Manager (CTO) is responsible for maintaining and coordinating the Information Security Management System (ISMS).
Certifications
Our servers are hosted in ISO 27001 certified data centers, ensuring the highest standards of physical and environmental security.
Protecting Data: Organizational Measures
Our people and processes are fundamental to our security. Here we detail the organizational controls we have in place to protect your data throughout its lifecycle.
Employee Vetting & Confidentiality
Background checks are performed on new employees, including obtaining professional references. All employees sign employment contracts that include confidentiality clauses and an Information Security Policy acknowledgement. All staff are responsible for protecting information and reporting security incidents. Non-Disclosure Agreements (NDAs) are used with our partners.
Right to Audit
Our Data Processing Agreements include audit rights for the Controller (our customer) to verify compliance, with reasonable notice and at no additional cost as per the agreement.
Asset Management & Secure Disposal
All information assets are registered and have assigned owners. Secure disposal of media is conducted according to documented procedures to prevent data leakage from retired assets.
Incident Management
Our Information Security Policy details incident management, including reporting channels, investigation, and communication to affected parties. Our Data Processing Agreements require Salesupply to notify the Controller without undue delay after becoming aware of a personal data breach.
Supplier Due Diligence
Our Data Processing Agreements emphasize the requirement for Salesupply to ensure sub-processors comply with data protection regulations and to inform the controller about intended changes regarding sub-processors. The Information Security Policy states that “Suppliers who process information assets of Salesupply or its clients must comply with the requirements of this policy”.
Business Continuity
A Business Continuity Plan (BCP) is in place to minimize disruption of services in case of unexpected events, ensuring resilience and availability of our services.
Robust Technical Security Measures
We employ a multi-layered technical approach to protect our systems and your data from threats. Below are the key technical controls we have implemented.
Endpoint Security
Full disk encryption (BitLocker) is implemented on all laptops using a minimum of AES-256. All removable media are disabled. The use of private mobile devices for company purposes is not allowed. Regular users do not have local administrator rights.
Physical Security
Salesupply offices have security systems, alarm systems, video surveillance, and access control through key cards. Our ISO 27001 certified data centers feature physical access controls, surveillance, and alarms.
Network Security
Firewalls control network traffic and block unauthorized access. Development, test, and production environments are kept separate. Wireless networks are secured using WPA2-Enterprise and Network Access Control (NAC).
Malware Protection
Advanced malware protection (antivirus, anti-spyware) is installed on all servers and endpoints and is kept continuously up to date.
Secure Communications
Remote access is provided through a VPN protected by multi-factor authentication (MFA). Access to administrative interfaces is restricted and monitored. All data exchange uses encrypted transfer methods (VPN, SSL/TLS, SFTP).
Intrusion Detection
Intrusion detection and prevention systems (IDS/IPS) are implemented to monitor network traffic for malicious activity and policy violations.
System Hardening
Systems are configured in accordance with industry best practices and security baselines (e.g., CIS Benchmarks, NIST) to reduce their attack surface.
Logging & Monitoring
System logs and audit trails are maintained for critical systems. Logging of personal data is minimized. Logs are reviewed regularly to detect security incidents and unusual activities.
Data Backup & Availability
Regular backups of critical data are performed, and their integrity is tested. Redundancy for critical systems is implemented to ensure high availability.