Privacy Policy
Data Security Rules processed by Datapolis sp. z o. o.
Chapter 1. Definitions and General Provisions

- This document defines the standard rules applied by Datapolis sp. z o. o. in relation to the Client in the area of security protection, including:
  - the Client's information,
  - protection of the Client's Information System (CIS),
  - access to buildings and premises of the Client or Datapolis.
- Definitions:
  - security incident - an event or series of undesired or unexpected security events concerning the Parties which result, or may result, in disruption of the Parties' business activities as regards the proper implementation of the Agreement. This group of incidents includes in particular:
    - unauthorized actions of the Parties' employees,
    - external fraud to the detriment of the Parties,
    - loss, disclosure or suspected loss or disclosure of protected information (e.g. personal data),
    - theft of equipment,
    - a state of equipment, of the content of a set of protected information, of disclosed working methods, of the manner of software operation or of the quality of communication in the IT network which may indicate a breach of information security,
    - loss of an access card used in the access control system,
    - breach of cryptographic key security,
    - situations threatening the health or life of employees, guests or clients of the Parties,
    - actions aimed against the image and reputation of the Parties.
  - cybersecurity incident - an incident of violation of the security of the IT environment of Datapolis and/or the Client: a single undesired or unexpected security event of the IT environment (i.e. the occurrence of a state of an IT environment component indicating a potential violation of its security, an error of a control mechanism, or a previously unknown situation that may be important from a security perspective) or a series of such events, for which there is a significant probability of disruption of activities or violation of information security (based on ISO/IEC 27000:2009),
  - access right - authorization (physical or logical), granted by the Client for the purpose of implementing the Agreement, to access a specific CIS resource or a specific building and room of the Client (excluding generally accessible premises or parts thereof),
  - CIS (Client's Information System) - the set of all IT solutions (technical and functional) designed to comprehensively support the Client's activities,
  - security tests - any testing procedures relating to IT solutions or services provided under the Agreement,
  - CIS resource - a logically linked set of CIS components implementing a specific business functionality, i.e. applications, application modules, software (system, tool, utility and database), data processing technology in CIS, ICT equipment and the ICT network, data and information processed and stored in CIS, links between CIS resources (interfaces), and ICT services, in particular the Internet and electronic mail.

Chapter 2. Protection of Client's Information

- Client's information means any information that Datapolis obtains from the Client under the Agreement, concerning in particular:
  - technologies and technological processes used by the Client,
  - internal regulations, business processes and procedures of the Client,
  - business and financial information of the Client,
  - personal and financial data of the Client's clients and suppliers, of their employees, and of the Client's employees,
  - security procedures and other information, including information about rooms and protected areas at the Client's headquarters,
  - technical security systems used by the Client.
- Client's information may take various forms, in particular:
  - documents,
  - shared or transferred software and data carriers,
  - any data sent to Datapolis for processing, where processing means any operations (automatic or manual) performed on data, in particular: production, collection, recording, storage, development, modification, sharing, expedition, archiving, deletion and destruction,
  - oral information obtained from the Client's employees.
- The scope and manner of obtaining Client's information by Datapolis must be agreed with the Client and must be limited to the scope necessary for the implementation of the provisions of the Agreement. In particular, no IT infrastructure device of Datapolis may collect, store or archive identifiers, passwords, PIN codes or other identification codes of CIS users for CIS or CIS resources, unless the Agreement provides otherwise.
- Datapolis undertakes to maintain the confidentiality of all Client's information, unless this information is public or has already been publicly disclosed by the Client or by a person or entity unrelated to Datapolis.
- Datapolis is obliged, taking into account generally applicable law, to inform the Client about each case of receiving a request from authorized State bodies for the transfer of Client's information. Datapolis is obliged to provide support to the Client aimed at preventing the disclosure of Client's information.
- Datapolis is obliged to destroy all media containing Client's information when they are no longer necessary for the implementation of the Agreement. At the Client's request, Datapolis is obliged to provide appropriate evidence or a declaration of information (data) destruction, in accordance with the Client's guidelines in this regard. Additionally, Datapolis is obliged to return all data carriers provided by the Client, unless the Agreement provides otherwise.

Chapter 3. Protection of the Client's Information System

- Under the Agreement, Datapolis is obliged to:
  - ensure the level of security required by this Document, understood as maintaining the confidentiality, integrity and availability for the Client of the information and CIS resources processed under this Agreement,
  - submit to verification by the Client of compliance with the minimum security requirements, such verification occurring no more frequently than once every 12 months and only after the Client has notified the Datapolis Project Manager of the planned verification in writing or via e-mail with at least 3 business days' notice. Verification will be carried out at the Client's expense by the Client's representatives indicated by the Client. The rules for possible access of the Client's representatives to Datapolis IT Systems must be separately agreed between the Project Managers of the Parties. This does not limit the Client's right to demand immediate access to ICT equipment used by Datapolis in the network and/or on the premises of the Client's headquarters in the event of an occurrence or suspected occurrence of a security incident.
- All actions of Datapolis on CIS Resources may be performed exclusively to the extent and in the manner specified by the Client.
- Datapolis, before commencing the work resulting from the Agreement, will provide the Client (in the manner provided for in the Agreement) with a list of Datapolis employees and persons acting on behalf of Datapolis involved in the performance of the Agreement, along with (if applicable) the documents required by the Agreement. According to the above-mentioned list, Datapolis employees may be granted the Right of access to CIS. The Client will not refuse the Right of access necessary to perform the Agreement without a valid reason.
- Any changes relating to the list referred to in the paragraph above will be made available to the Client by Datapolis immediately (in the manner specified in the Agreement) in order to, respectively, grant, modify or revoke the Right of access.
- Employees and all persons acting on behalf of Datapolis during the provision of services to the Client may not:
  - use devices other than the Client's equipment within the CIS without prior authorization (consent) of the Cybersecurity Department, unless the Agreement provides otherwise,
  - use software and applications not authorized by the Client when using the Client's equipment, unless the Agreement provides otherwise; the Cybersecurity Department may accept, in a special case and to a limited extent, the use of software not authorized by the Client if it is necessary for the implementation of the subject of the Agreement.
- Datapolis declares that it does not undertake the following activities:
  - placing illegal content, or content not authorized by the Client, in CIS,
  - copying data from CIS outside the Client's IT infrastructure, i.e. outside the Client's servers or the Client's encrypted memory media (except in cases specified in the Agreement). This applies unless the Agreement or Order provides otherwise, in particular where the Agreement or Order provides for the provision of Services using Datapolis computers; in such a case the use of Datapolis computers requires prior authorization from the Client, and in any case the copying of personal data, business secrets, insurance secrets and confidential information within the meaning of the Act on Trading in Financial Instruments is prohibited,
  - taking memory media belonging to the Client or containing confidential data outside the Client's headquarters,
  - connecting to CIS any devices without the Client's authorization, including, but not limited to, information processing means such as laptops, mobile communication devices or memory media,
  - disclosing or making available CIS passwords to third parties, or leaving passwords in a place allowing their discovery or takeover,
  - testing and attempting to learn and break CIS security,
  - disclosing information relating to the functioning of CIS, in particular regarding identified vulnerabilities, failures or security incidents,
  - using files obtained from external networks (i.e. from outside the Client's computer network) before these files are checked by anti-virus software; in the case of providing Services using the Client's computers, it is assumed that the workstation made available to Datapolis is always configured so that all documents are automatically scanned for viruses,
  - unauthorized access to CIS, i.e. access not resulting from the Agreement,
  - enabling access to CIS to unauthorized persons,
  - using accounts of other CIS users,
  - unauthorized destruction of data collected or processed in CIS, in particular destruction aimed at harming the Client (e.g. intention to hide evidence, malicious action) or resulting from failure to exercise due diligence (e.g. failure to ensure that the data being destroyed are unnecessary),
  - introducing incorrect data to CIS production environments.

Chapter 4. Protection of access to the Client's buildings and premises

- Datapolis employees and persons acting on behalf of Datapolis involved in the performance of the Agreement, while using access to the Client's premises excluded from public access, should carry a personal identifier or identity document allowing for their identification.
- Datapolis, before commencing the work resulting from the Agreement, will provide the Client (in the manner provided for in the Agreement) with a list of Datapolis employees and persons acting on behalf of Datapolis involved in the performance of the Agreement, along with (if applicable) the documents required by the Agreement. According to the above-mentioned list, Datapolis employees may be granted the Right of access to the building and premises in the form of a card used in the access control system, with permissions corresponding to the assigned scope of tasks. In order to carry out tasks performed in areas subject to special protection (server rooms, telecommunications nodes, etc.), the Right of access is granted separately after Datapolis reports the person performing the work in such an area. The Client will not refuse the Right of access necessary to perform the Agreement without a valid reason.
- Any changes relating to the list referred to in the paragraph above will be made available to the Client by Datapolis immediately (in the manner specified in the Agreement) in order to, respectively, grant, modify or revoke the Right of access.
- In order to carry out tasks resulting from the Agreement in areas subject to special protection (server rooms, telecommunications nodes, etc.), access is granted separately after Datapolis reports the person performing the work in such an area.

Chapter 5. Handling of security incidents

- In the event of a security incident concerning the Client, a cybersecurity incident, or an atypical situation not described in the Agreement or in documents defining the scope of cooperation between Datapolis and the Client which potentially threatens the implementation of the security requirements specified in this Appendix, Datapolis undertakes to:
  - immediately inform the Client's employee supervising the implementation of the Agreement, and in urgent cases (when there is a threat to the life or health of employees and clients of the Client) and in cases of the commission or suspected commission of a crime against the Client's property, also immediately notify the Client,
  - immediately remove the causes and effects of the security incident and the cybersecurity incident in the area of Datapolis operation, after prior agreement with the Client (the Client's employee supervising the implementation of the Agreement) on the method of carrying out these activities, and in particular after determining the remuneration due to Datapolis for removing the causes or effects of a security incident or cybersecurity incident that was not caused by Datapolis's actions or omissions. Where immediate action is needed to prevent danger to the life or health of natural persons or significant destruction of property, Datapolis will act immediately, even before consulting the Client.
- The security incident and the cybersecurity incident referred to in paragraph 1 shall be understood as any single undesired or unexpected event (or a series of such events) creating a significant probability of disruption to the Client's business operations and threatening the security of CIS, and in particular:
  - incidents related to CIS security (cybersecurity incidents), according to point 2.2), e.g.:
    - theft of CIS equipment,
    - breach of CIS security,
    - a state of a CIS device, of the content of a set of protected information, of disclosed working methods, of the manner of software operation or of the quality of communication in the IT network which may indicate a breach of information security,
    - breach of cryptographic key security,
    - unauthorized actions of Datapolis employees, or unauthorized actions of the Client's personnel known to Datapolis,
    - external fraud to the detriment of the Parties (e.g. loss of data as a result of a system breach or malware operation),
    - loss, disclosure or suspected loss or disclosure of protected information (e.g. personal data),
    - breach of security of Datapolis infrastructure or systems, if they were used to provide Services under the Agreement,
    - loss of an access card used in the access control system,
  - incidents not related to CIS security (security incidents), e.g.:
    - theft, excluding theft of CIS equipment,
    - breach of Access Rights due to loss or lending of a personal identifier or of an access card used in the access control system to the building and to the room,
    - entry to non-publicly accessible premises of the Client without the Client's authorization (whereby possession of an access card means authorization),
    - loss, disclosure or suspected loss or disclosure of the Client's protected information (e.g. personal data),
    - situations threatening the health or life of employees, guests or clients of the Client.
- Each Party is obliged to collect and immediately provide the other Party with data regarding security incidents. The scope of registered and transferred data regarding security incidents and cybersecurity incidents should include at least:
  - date of occurrence of the security incident / cybersecurity incident,
  - date of identification of the security incident / cybersecurity incident,
  - cause of the security incident / cybersecurity incident,
  - description of the course of the security incident / cybersecurity incident,
  - effects of the cybersecurity incident in terms of confidentiality, integrity and availability,
  - corrective actions taken.
- In the content of the security incident / cybersecurity incident notification, Datapolis includes information about the incident category according to the following classification: low, medium, high, critical.
- The Client, after receiving information about the incident, verifies whether it constitutes a security incident / cybersecurity incident within the meaning of the Agreement. In the case of a positive verification, each Party immediately initiates the procedure for handling the reported security incident / cybersecurity incident. In the case of a negative verification, the Party immediately informs the other Party about it. In such a case, the Parties undertake to immediately develop a common position on further proceedings in the matter of the notification.
- Datapolis undertakes to respond to a security incident / cybersecurity incident with a response time appropriate to the incident classification indicated by the Client, according to the following principle:
  - LOW - no later than one month from the reporting of the security incident / cybersecurity incident,
  - MEDIUM - no later than one week from the reporting of the security incident / cybersecurity incident,
  - HIGH - no later than 3 business days from the reporting of the security incident / cybersecurity incident,
  - CRITICAL - no later than 4 business hours from the reporting of the security incident, and to provide a fix without undue delay, provided that providing such a fix is within the competence of Datapolis and subject to the provisions of point 19.2).

Chapter 6. Ensuring compliance with security requirements

- As a result of a security incident or a cybersecurity incident, or in the case of a justified suspicion that the manner in which Datapolis implements the subject of the Agreement is not consistent with the Client's security requirements specified in this document, the Client may conduct an additional verification of the manner of their implementation, including security tests of the IT solutions and security procedures of the services provided under the Agreement. Such verification may take place on a date agreed by the Project Managers on the side of the Client and Datapolis. Verification will be carried out at the Client's expense by the Client's representatives indicated by the Client. The rules for possible access of the Client's representatives to Datapolis IT Systems must be separately agreed between the Project Managers of the Parties.
- Regardless of the Client's tests referred to in paragraph 1, the Client may, under the Agreement, require Datapolis to conduct security tests. If conducting such security tests was not provided for in the Agreement / Order, Datapolis will receive remuneration for performing them which, in the absence of different arrangements between the Parties, will be calculated based on the number of Person-days and the appropriate Rates per Person-day.
- Datapolis, during the implementation of the work, will use the OWASP ASVS security standard in version 3.01 or higher as a reference for best practices, which means that within the scope of work of individual Orders, Datapolis will apply the existing (within the parameterization) cybersecurity solutions in the integrated components.
- Security-related errors (hereinafter "Security Errors") are defined in accordance with the OWASP Risk Rating Methodology (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology). Security Errors will have their levels defined in accordance with that methodology. Cases in which existing security functionalities of the components described in point 3 have not been used by Datapolis are qualified as Security Defects.
- Security-related errors of the CRITICAL and HIGH categories, reported during the period of validity of the Agreement, will be removed by Datapolis free of charge.
- The maximum time limits for the removal of Security Defects, depending on their category, are defined as follows:
  - LOW - The found vulnerability has little impact on the system security and does not pose a threat by itself. Such a vulnerability can only facilitate the use of other vulnerabilities or increase their effects. To be removed no later than 12 months from the date of reporting.
  - MEDIUM - The found vulnerability has a significant impact on the system security, but the way it is used is not simple or requires actions from another user or victim. To be removed no later than 6 months from the date of reporting.
  - HIGH - The found vulnerability has a significant impact on the system security, and its method of use is not complicated: there are ready-made tools to help exploit the vulnerability, or the vulnerability results from everyday work in the system. To be removed no later than 2 weeks from the date of reporting.
  - CRITICAL - The found vulnerability has a very significant impact on the system security, and its method of use is simple: there are publicly available exploits or ready-made tools to help exploit it, or it results from the normal work of users in the system. Work should be undertaken immediately, and a fix provided without undue delay.
- The Software provided by Datapolis will meet the accountability requirement.
- Accountability is understood as the following features:
  - the ability to determine: WHO? WHAT? WHEN? WHERE? HOW? LEVEL?,
  - accountability logs must allow searching using regular expressions,
  - logging must be implemented as a single module on the server side,
  - logs must not contain sensitive data (e.g. user passwords, cryptographic keys, or other protected data defined in personal data protection laws),
  - logs must be protected against unauthorized access and modification.

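The accountability features listed above read as a specification for a logging module. The following is an added example that is not part of the Datapolis document and not Datapolis's own code; the field names, the sensitive-key deny-list, the integrity key and the sample events are all assumptions chosen for illustration. It shows one server-side module through which every entry passes, recording WHO / WHAT / WHEN / WHERE / HOW / LEVEL, redacting sensitive keys and credential-like values before anything is written, storing entries as JSON lines so they can be searched with regular expressions, and chaining an HMAC over the entries so that modification or deletion of a past entry is detectable. The HMAC chain is one way to address "protected against modification"; access control on the log store itself is outside the example.

```python
"""Accountability log example (added illustration, not Datapolis code).

Each record answers WHO / WHAT / WHEN / WHERE / HOW / LEVEL, sensitive data is
redacted before writing, entries are JSON lines searchable by regular
expression, and an HMAC chain makes tampering or deletion detectable.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

# Assumption: a simple deny-list of keys whose values must never be logged.
SENSITIVE_KEYS = {"password", "passwd", "pin", "secret", "token", "private_key", "api_key"}
# Value patterns that look like credentials even when the key name is innocent.
SENSITIVE_VALUE_PATTERNS = [
    re.compile(r"^Bearer\s+\S+$", re.IGNORECASE),      # HTTP bearer tokens
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private keys
]
REDACTED = "[REDACTED]"
LEVELS = ("INFO", "WARN", "ERROR", "SECURITY")
CHAIN_ANCHOR = "0" * 64  # "previous MAC" of the very first entry


def redact(details):
    """Return a copy of ``details`` with sensitive keys and values replaced."""
    clean = {}
    for key, value in details.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = REDACTED
        elif isinstance(value, str) and any(p.search(value) for p in SENSITIVE_VALUE_PATTERNS):
            clean[key] = REDACTED
        elif isinstance(value, dict):
            clean[key] = redact(value)  # nested structures are redacted too
        else:
            clean[key] = value
    return clean


def _canonical(entry):
    """Deterministic serialization so the MAC can be recomputed on read."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":"))


class AccountabilityLog:
    """The single server-side logging module: all entries go through ``record``."""

    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # in practice loaded from a secret store
        self._entries = []          # JSON lines, in order of writing
        self._prev_mac = CHAIN_ANCHOR

    def record(self, who, what, where, how, level, details=None, when=None):
        """Write one entry; returns its MAC. Sensitive data never reaches the line."""
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        entry = {
            "who": who, "what": what,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "where": where, "how": how, "level": level,
            "details": redact(details or {}),
            "prev": self._prev_mac,  # links this entry to the previous one
        }
        mac = hmac.new(self._key, _canonical(entry).encode(), hashlib.sha256).hexdigest()
        entry["mac"] = mac
        self._entries.append(_canonical(entry))
        self._prev_mac = mac
        return mac

    def lines(self):
        """Copy of the stored JSON lines (what an auditor would receive)."""
        return list(self._entries)

    def search(self, pattern):
        """Entries whose JSON line matches the regular expression ``pattern``."""
        rx = re.compile(pattern)
        return [json.loads(line) for line in self._entries if rx.search(line)]

    def verify(self, lines=None):
        """Recompute the HMAC chain; return the index of the first bad entry, or -1."""
        prev = CHAIN_ANCHOR
        for i, line in enumerate(self._entries if lines is None else lines):
            entry = json.loads(line)
            mac = entry.pop("mac", "")
            expected = hmac.new(self._key, _canonical(entry).encode(), hashlib.sha256).hexdigest()
            if entry.get("prev") != prev or not hmac.compare_digest(mac, expected):
                return i
            prev = mac
        return -1


def demo():
    """Constructed sample events; the key and all values are made up."""
    log = AccountabilityLog(integrity_key=b"example-key-from-a-secret-store")
    log.record("alice", "login", "10.0.0.5", "POST /login", "INFO",
               {"username": "alice", "password": "hunter2"})
    log.record("svc-batch", "export_report", "app-01", "cron", "INFO",
               {"rows": 120, "auth": "Bearer eyJhbGciOi..."})
    log.record("bob", "delete_user", "10.0.0.9", "DELETE /users/7", "SECURITY",
               {"target": 7})
    return log
```

Running `demo()` and then `log.search(r'"level":"SECURITY"')` returns the one administrative deletion; `log.verify()` returns -1 on the untouched log and the index of the first altered or missing entry otherwise, which is what an incident responder needs when the log itself is in question.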
- In the event that the security mechanisms used by Datapolis are assessed during security tests as not fully compliant with generally applicable law or as not meeting the Client's requirements, Datapolis undertakes to:
  - inform the Client about the degree of non-compliance,
  - implement control, corrective or mitigating mechanisms agreed with the Client.
- The obligation specified above applies after prior determination of Datapolis's remuneration for removing irregularities resulting from the Client's failure to adapt the required security mechanisms to legal requirements, which remuneration, in the absence of different arrangements between the Parties, will be calculated based on the number of Person-days and the appropriate Rates per Person-day.
- Each case of occurrence of an event referred to in paragraph 3 should be analyzed by the Parties and may cause, in justified cases, a change in the documentation (Agreement) describing the cooperation between Datapolis and the Client. In the event of the need to implement additional security measures or security procedures, Datapolis and the Client will determine which Party is responsible for covering the necessary expenditures.

Chapter 7. Security Audit

- After prior agreement between the Parties on the date of such activities, Datapolis and/or the Client reserve the right to use the services of a third party, including entities professionally providing business consulting services, to control the quality of Products and the manner of implementation of the Agreement, provided that Datapolis and/or the Client may not engage entities competing with the other Party to perform such an audit. Entrusting the quality control referred to in paragraph 1 to third parties requires the prior signing of a trilateral confidentiality agreement between Datapolis, the Client and the indicated third party.
- An audit (including a security audit) may only be conducted in such a way that it does not prevent the timely implementation of project work by Datapolis.
- The costs associated with the above services are borne by the Client.
- Datapolis will be obliged to provide an auditor holding written authorization from the Client with all information, data and explanations in the requested scope regarding the Project, to make available and present the results of the work carried out, and to ensure the possibility of controlling them on terms agreed between Datapolis and the Client.
- Before obtaining access to the Products of Datapolis works which have not yet been accepted by the Client, such persons will be obliged to submit appropriate declarations of confidentiality of information, to the extent corresponding to the provisions of the Agreement.
- Datapolis will not be liable for the negative impact of the control process on the Schedule.
- In the event of post-audit recommendations, Datapolis will make efforts to implement these recommendations within the remuneration specified in §7 paragraph 3 or in a given Order.

Warsaw, December 14, 2020.
President of the Management Board of Datapolis,
Paweł Bujak