Our Commitment to Information Security
Salesupply Inc. Security Policy
At Salesupply, we protect the data entrusted to us with documented security and privacy measures. This guide outlines our approach to protecting that information, organised into the security pillars below.
Our security framework
This section describes the basic principles, governance and certifications that form the foundation of our Information Security Management System (ISMS).
Formal policies
We have a clearly documented Information Security Policy, approved by our Board of Directors on 8 January 2021. This policy is distributed via an online system and is mandatory for all Salesupply employees. It will be reviewed annually. Our Data Processing Agreements (DPAs) with customers and subcontractors further specify our data protection and privacy obligations.
Risk management
Our Information Security Policy requires that every identified risk be assessed, and that a risk assessment and management plan be developed following the ISO 27005 guidelines.
Dedicated responsibility
The Management Board is responsible for the Information Security Policy. The Information Security Manager (CTO) is responsible for maintaining and coordinating the Information Security Management System (ISMS).
Certificates
Our servers are hosted in ISO 27001-certified data centres; the data centres' certification covers the physical and environmental security of the hosting facilities.
Data protection: organisational measures
Our people and processes are the foundation of our security. Below, we detail the organisational controls we have put in place to protect your data throughout its lifecycle.
Employee verification and confidentiality
New employees undergo background checks, including obtaining professional references. All employees sign employment contracts that include confidentiality clauses and confirmation that they have read the Information Security Policy. All staff are responsible for protecting information and reporting security incidents. Non-disclosure agreements (NDAs) are used with our partners.
Right to audit
Our data processing agreements include the right for the Controller (our client) to audit compliance, upon reasonable prior notice and at no additional cost, in accordance with the agreement.
Asset management and secure disposal
All information assets are registered and assigned owners. Secure disposal of media is performed in accordance with documented procedures to prevent data leakage from retired assets.
Incident management
Our Information Security Policy details incident management, including reporting channels, investigation and communication with stakeholders. Our data processing agreements require Salesupply to notify the Controller without undue delay after becoming aware of a personal data breach.
Due diligence of suppliers
Our data processing agreements emphasise the requirement for Salesupply to ensure that subcontractors comply with data protection regulations and to inform the controller of any intended changes regarding subcontractors. The Information Security Policy states that ‘suppliers who process Salesupply’s or its customers’ information assets must comply with the requirements of this policy.’
Business continuity
A business continuity plan (BCP) has been implemented to minimise disruption to service delivery in the event of unexpected events, ensuring the resilience and availability of our services.
Robust technical security measures
We use a multi-layered technical approach to protect our systems and your data from threats. Below are the key technical controls we have implemented.
Endpoint security
Full disk encryption (BitLocker with AES-256) is enabled on all laptops. The use of removable media is blocked. The use of personal mobile devices for business purposes is not permitted. Regular users do not have local administrator rights on their computers.
Physical security
Salesupply offices have security systems, alarm systems, video surveillance and access control using access cards. Our ISO 27001-certified data centres have physical access controls, surveillance and alarms.
Network security
Firewalls control network traffic and block unauthorised access. Development, testing and production environments are separated from one another. Wireless networks are secured with WPA2-Enterprise and network access control (NAC).
Malware protection
Advanced malware protection (antivirus, antispyware) is installed on all servers and endpoints and is continuously updated.
Secure communication
Remote access is provided over a VPN and requires multi-factor authentication (MFA). Access to administrative interfaces is restricted and monitored. All data exchange uses encrypted transfer methods (VPN, TLS, SFTP).
Intrusion detection
Intrusion detection and prevention systems (IDS/IPS) are implemented to monitor network traffic for malicious activity and policy violations.
System hardening
Systems are configured in accordance with industry hardening baselines (e.g., CIS Benchmarks, NIST guidance) to reduce their attack surface.
Logging and monitoring
System logs and audit trails are maintained for critical systems. Logging of personal data is minimised. Logs are reviewed regularly to detect security incidents and unusual activity.
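As an illustration of what a regular log review can look like in practice, the following is an added example and not Salesupply's own tooling. It reads constructed, syslog-style SSH authentication lines, flags a burst of failed logins from one source, a success immediately after such a burst, and an administrative login outside business hours, and it reports users as keyed-hash pseudonyms rather than usernames so that the review output itself carries as little personal data as possible. The thresholds, the business-hours window, the list of administrative accounts and the HMAC key are assumptions chosen for the example.

```python
"""Added example: review SSH authentication log lines for suspicious activity
and pseudonymise user identifiers in the findings (not Salesupply's own code)."""
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-03-04T02:10:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2024-03-04T02:10:03Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2024-03-04T02:10:05Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2024-03-04T02:10:07Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-03-04T02:10:09Z sshd[1201]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2024-03-04T02:10:11Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
2024-03-04T09:15:44Z sshd[1340]: Accepted publickey for j.doe from 198.51.100.20 port 40100 ssh2
2024-03-04T13:02:10Z sshd[1388]: Failed password for j.doe from 198.51.100.20 port 40233 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed review parameters (hypothetical values chosen for this example).
FAILED_THRESHOLD = 5              # failed logins from one (ip, user) pair ...
WINDOW = timedelta(minutes=5)     # ... within this sliding window
BUSINESS_HOURS = range(7, 20)     # 07:00-19:59 UTC counts as business hours
ADMIN_ACCOUNTS = {"admin", "root"}

# Keyed hash so the report carries a stable pseudonym instead of the username.
# A real deployment would load this key from a secret store; this is a constructed value.
PSEUDONYM_KEY = b"example-review-key-not-for-production"


def pseudonymise(user: str) -> str:
    """Return a short HMAC-SHA256 pseudonym for a username (data minimisation)."""
    return hmac.new(PSEUDONYM_KEY, user.encode(), hashlib.sha256).hexdigest()[:12]


def parse(log_text: str) -> list:
    """Parse recognised sshd lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let one odd line abort the whole review
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def review(log_text: str) -> list:
    """Return findings as (rule, pseudonymised_user, source_ip) tuples, in log order.

    The source IP is kept because the incident response needs it; the username is
    replaced by its pseudonym so the report itself exposes less personal data."""
    findings = []
    failures = defaultdict(list)  # (ip, user) -> timestamps of recent failed logins
    for ev in parse(log_text):
        key = (ev["ip"], ev["user"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            # Sliding window: drop failures older than WINDOW relative to this one.
            failures[key] = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
            if len(failures[key]) == FAILED_THRESHOLD:  # fire once on reaching the threshold
                findings.append(("brute_force", pseudonymise(ev["user"]), ev["ip"]))
        else:
            if len(failures[key]) >= FAILED_THRESHOLD:
                findings.append(("success_after_failures", pseudonymise(ev["user"]), ev["ip"]))
            if ev["user"] in ADMIN_ACCOUNTS and ev["ts"].hour not in BUSINESS_HOURS:
                findings.append(("off_hours_admin_login", pseudonymise(ev["user"]), ev["ip"]))
    return findings


if __name__ == "__main__":
    for rule, user_pseudonym, ip in review(SAMPLE_LOG):
        print(f"{rule:24} user={user_pseudonym} src={ip}")
```

On the constructed sample this yields three findings, all for the pseudonymised `admin` account from 203.0.113.7: a brute-force burst, a successful login right after it, and an administrative login at 02:10 UTC. The single failure for `j.doe` stays below the threshold and produces nothing, which is the intended behaviour for a rule that is supposed to surface unusual activity rather than every failed password.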
Data backup and availability
Regular backups of critical data are performed and their integrity is tested. Redundancy has been implemented for critical systems to ensure high availability.