2024-09-15
Information Security Policy
1. Introduction
This policy outlines the measures that Tagd AB has implemented to protect the security and confidentiality of contract information, including financial terms, proprietary information, and personal data, stored in our contract management system. This policy applies to all employees, contractors, and third parties with access to the system. It is the responsibility of every individual granted access to adhere to this policy and take appropriate measures to protect contract information.
2. Information Classification
All information in the contract management system is classified into categories: Public, Internal and Confidential. All customer data shall be managed as Confidential data. This classification determines the handling, access, and distribution requirements. Only authorized personnel with a legitimate business need may access Confidential information, and it should not be shared with unauthorized individuals. All confidential information must be marked accordingly.
3. Access Controls
Access is granted on a need-to-know basis, and permissions are reviewed quarterly to ensure relevance. Each individual is responsible for maintaining the confidentiality of their unique login credentials. If access is no longer required, it will be promptly revoked following an access review or role change.
4. Data Encryption
All data transmitted to and from the contract management system is encrypted using industry-standard protocols.”
Secure key management practices, including regular key rotation and secure storage, are implemented to maintain data integrity and confidentiality.
5. Physical Security
The contract management system is hosted in a secure data center, protected by 24/7 surveillance, and advanced access controls, and fire suppression systems. Only authorized personnel may access the data center, with all access logged and monitored. Remote work locations must adhere to equivalent security measures, including secure storage of devices and restricted access to physical documents.
6. Disaster Recovery
A disaster recovery plan is in place to ensure continuity, with Recovery Time Objectives and Recovery Point Objectives (RPO) for all critical data. Data backups occur daily.
7. Incident Response
In the event of a security incident, the incident response plan will be activated. All employees, contractors, and third parties must report incidents immediately to Tagd Head Quarters. The response steps include containment, eradication, recovery, and a post-incident review. Corrective actions will be documented to prevent future occurrences.”
8. Training and Awareness
All personnel with access to the contract management system must complete annual security awareness training. The training covers password management, data handling, incident response procedures, and simulated phishing exercises to reinforce awareness. Additional training may be required following policy updates or identified security incidents.”
9. Compliance
We comply with the EU’s General Data Protection Regulation (GDPR) and relevant information security laws. Periodic internal audits are conducted to verify compliance, and any identified deficiencies are addressed promptly. Third parties with access to the contract management system are required to adhere to these information security laws.
10. Review and Updates
This policy will be reviewed annually and updated as necessary to ensure its effectiveness in protecting contract information. All changes will be documented, version-controlled, and communicated to all relevant parties.