Information Security Policy
Introduction
apadua has established an extensive ISMS (Information Security Management System) based on the ISO 27001:2022 standard (certification pending) covering all of its business operations. As part of this, we publish our latest Information Security Policy (POL-01) through our website. If you have any questions, please reach out to your contact at apadua or to our designated CISO through support@apadua.com.
Version: 1.1 - May 5th 2025
Purpose
The purpose of this Information Security Policy is to establish a framework for protecting the confidentiality, integrity, and availability of the organization's information assets in accordance with ISO 27001 standards. This policy ensures that security risks are identified, assessed, and mitigated through appropriate controls, fostering a culture of continuous improvement and compliance with legal, regulatory, and contractual obligations. By implementing this policy, the organization aims to safeguard sensitive data, maintain business continuity, and build trust with stakeholders, customers, and employees.
Scope
This Information Security Policy applies to all information assets, systems, processes, and personnel within the organization that handle, process, store, or transmit data. It covers employees, contractors, third-party service providers, and any other stakeholders with access to the organization's information resources. The policy encompasses all physical, digital, and cloud-based environments, ensuring compliance with ISO 27001 requirements and relevant legal, regulatory, and contractual obligations. This document serves as a foundation for implementing security controls, risk management practices, and continuous improvement efforts to protect the organization's information security posture.
The ISMS
What is an ISMS?
An Information Security Management System (ISMS) is a structured framework of policies, processes, and controls designed to protect the confidentiality, integrity, and availability of an organization’s information. It helps systematically manage and reduce the risks related to information security, ensuring that sensitive data—such as customer details, financial records, and intellectual property—is adequately protected.
Why do we need an ISMS?
Information is one of the organization's most valuable assets. With increasing cyber threats, regulatory demands, and the need to protect customer trust, safeguarding information has never been more critical. An ISMS provides a proactive approach to protecting data, ensuring the organization can:
- Comply with legal, regulatory, and contractual requirements.
- Protect against data breaches, cyber-attacks, and accidental loss of information.
- Ensure business continuity in the event of a disruption or security incident.
- Build and maintain trust with customers, partners, and stakeholders.
How does it work?
- Plan: Identify risks and set objectives for addressing them.
- Do: Implement the necessary security measures and controls.
- Check: Regularly monitor and evaluate the effectiveness of the security measures.
- Act: Make improvements based on assessments and emerging risks.
The ISMS is not a one-time implementation but an ongoing process that adapts to changes in the business, technology, and external threats.
Alignment with ISO/IEC 27001
The ISMS is aligned with the internationally recognized ISO/IEC 27001:2022 standard. This standard provides a best-practice framework for managing information security. By adhering to ISO/IEC 27001, the organization demonstrates its commitment to:
- Global best practices in information security management.
- Ensuring compliance with applicable laws, regulations, and industry standards.
- Continuous improvement in managing information security risks and safeguarding critical information assets.
ISO/IEC 27001 requires organizations to take a systematic approach to managing sensitive information and ensuring that security measures are continually reviewed, improved, and updated. Our ISMS helps us meet these requirements by integrating security into every part of the business, from IT infrastructure to human resources and operations.
Resources
The organization's InfoSec Team will receive comprehensive resources such as experienced employees, tools, additional training and best practices tailored to different roles and responsibilities to uphold the standards of security excellence. The goal is to ensure that every member of the organization is equipped with the necessary resources to effectively safeguard sensitive data, mitigate risks and contribute to a culture of security awareness.
Management Commitment
Information security is a management responsibility, and decision-making for information security is not delegated. While specialists and advisors play an important role in helping to make sure that controls are designed properly, functioning properly and adhered to consistently, it is the manager in charge of the business area involved who is primarily responsible for information security.
Primary Departments Working on Information Security
Guidance, direction and authority for information security activities are centralized for all organizational units in the Information Security Program and summarized in this document. Management is responsible for establishing and maintaining organization-wide information security policies, standards, guidelines and procedures.
Compliance checking to ensure that organizational units are operating in a manner consistent with these requirements is the responsibility of department managers. Investigations of system intrusions and other information security incidents are the responsibility of the InfoSec Team. Disciplinary matters resulting from violations of information security requirements are handled by the CISO working in conjunction with the HR department.
ISMS Activities
The scope defines the core processes, technology aspects, people and exclusions of the ISMS. It results in a governance framework which takes internal & external factors, interested parties, business objectives, legal requirements and interfaces & dependencies into consideration.
Based on these factors, the Information Security Objectives were identified and described. They provide the higher-level direction for the ISMS operations. See also Annex: ISMS Process Diagram.
Information Security Objectives
The organization has defined the following information security objectives to protect information assets, reduce risks and increase awareness.
- Confidentiality - Ensure that sensitive data is accessible only to authorized individuals or systems.
- Availability - Secure the availability of provided services and data through business continuity measures.
- Risk Reduction - Minimize security risks and protect business continuity.
- Compliance - Ensure adherence to industry standards and regulations.
- Integrity - Ensure the accuracy and reliability of data throughout its lifecycle.
- Continuous Improvement - Ensure the ISMS evolves to respond to new threats, incidents, and opportunities for enhancement.
- Process Standardization - Improve processes by reducing manual effort and creating standardized procedures.
- Increased Awareness - Conduct frequent information security awareness training.
Review and Maintenance
This Information Security Policy will be reviewed at least annually, or when significant changes occur in the organization’s business environment, regulatory landscape, or operational structure. The CISO, along with top management, will be responsible for ensuring the policy remains current and aligned with business goals and evolving security threats. Revisions and updates will be documented in the version and approval history.
Policy Statements
Risk Management
The organization will identify, assess, and manage risks to its information assets through a formal risk management process. This process includes:
- Regular risk assessments to evaluate and categorize risks based on their likelihood and impact.
- Risk treatment plans that outline mitigation strategies, including risk acceptance, reduction, avoidance, and transfer, in accordance with the risk management policy.
- Continuous monitoring of the risk environment to address emerging threats.
Compliance
The organization will comply with all relevant legal, regulatory, and contractual requirements. The ISMS will be monitored through regular internal & external audits, management reviews, and assessments to ensure its continued effectiveness and compliance with this policy. Weaknesses identified through these processes will be addressed through corrective actions and continuous improvement initiatives.
Asset Management
The organization will identify, document, and classify all information assets based on their sensitivity and importance to the business. Appropriate controls will be applied throughout the asset lifecycle (e.g., from creation to disposal) to ensure data protection.
Access Management
Access to the organization’s information systems and data will be based on the principle of least privilege. Access rights and privileges will be reviewed regularly to ensure that users have only the permissions necessary to perform their job functions. Multi-factor authentication (MFA) and other access control measures will be implemented where applicable.
Incident Management
The organization will maintain an incident management process for the identification, reporting, and resolution of information security incidents. Employees and third parties are required to report security incidents immediately to the CISO. The organization will conduct root cause analysis and lessons-learned exercises to improve its incident response capability.
Business Continuity
The organization will develop and maintain a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure that critical business functions can continue in the event of a security incident or major disruption. These plans will be tested regularly, and results will be used to improve the effectiveness of the continuity strategy.
Backup Management
The organization implements regular and secure backups of critical data, systems, and configurations to ensure business continuity and data integrity. Backups must be encrypted, stored securely, and tested periodically for reliability. Retention periods and recovery procedures shall be defined based on business, legal, and regulatory requirements. Unauthorized access to, modification of, or deletion of backups is strictly prohibited.
Logging and Monitoring
The organization implements comprehensive logging and monitoring activities to detect and analyze security events. All critical systems must generate and retain protected security logs. Automated monitoring will identify anomalies and suspicious activities. Logs must be regularly reviewed and analyzed. Retention periods will be defined based on business, legal, and regulatory requirements. Incident response procedures will be in place, and responsibilities will be clearly defined.
Vulnerability Management
The organization implements a comprehensive vulnerability management process to safeguard its systems against potential risks. Vulnerabilities in critical systems, networks, and applications are identified through regular vulnerability scans. Automated tools are utilized for continuous monitoring to detect emerging threats in real-time. Once vulnerabilities are identified, they are promptly addressed through an established patch management process. All findings, actions, and outcomes are thoroughly documented for tracking and future audits, ensuring transparency and compliance.
Personnel Security
The organization implements a standardized recruiting, onboarding and offboarding process to ensure that all employees and contractors understand their responsibilities in maintaining information security. This includes comprehensive screening activities, standardized contracts and confidentiality agreements, as well as remote access requirements. Annual security awareness training is also mandatory for all employees to foster the organization’s security culture. All violations and security breaches will be handled according to the defined disciplinary actions.
Vendor Management
Vendors and third-party partners are integral to the organization’s operations, and their security practices directly impact the organization’s risk profile. During the onboarding process, each vendor undergoes a thorough assessment to evaluate their security measures and compliance with organizational standards. Contracts include explicit security requirements, such as data protection obligations and incident management methodologies. Regular risk evaluations are conducted to ensure vendors maintain compliance over time, and vendors are required to report any security incidents promptly. The organization collaborates with its partners to mitigate risks effectively and uphold a secure operational environment. Offboarding processes for vendors are standardized and documented according to ISMS requirements.
Physical Security
To ensure the safety of the organization’s physical assets, strict security measures are enforced. Access to facilities is controlled through the use of electronic key cards and biometric authentication systems for restricted areas. Visitor access is managed through a detailed logging process, and all entries and exits are monitored. A clean desk policy mandates that sensitive information must not be left unsecured, reducing the risk of unauthorized access. High-risk areas are equipped with CCTV systems to deter unauthorized activities and document incidents. Additionally, environmental controls, such as fire suppression systems and climate control, are implemented to protect critical infrastructure.
Secure Software Development
The organization integrates security best practices throughout the software development lifecycle (SDLC) to ensure the confidentiality, integrity, and availability of applications. Security requirements must be defined, implemented, and tested at each stage of the process. The development lifecycle is carried out across separate development, test and production environments. Code reviews and automated tests are mandatory. Developers must follow secure coding guidelines and receive ongoing security training. Any identified security vulnerabilities must be remediated promptly before deployment.
Violations & Enforcement
Compliance with this policy is mandatory and is a fundamental requirement for the secure and compliant handling of the organization's information. Violations of this policy may result in disciplinary action according to the Information Security Policy, depending on the severity of the offense.
Our goal is to create a safe and trustworthy work environment. If there are any challenges in implementing this policy or suggestions for improvement, please contact the Chief Information Security Officer (CISO) or the InfoSec Team.
Privacy Policy
Data Protection Regulations
Version: August 01, 2024
As the operator of apadua.com, we attach great importance to the security and confidentiality of your data. In this privacy policy, we explain how we handle personal and company-related data and ensure its security. We make every effort to keep this policy up to date and will therefore amend it from time to time. In the event of significant changes, we will inform you via the e-mail address you have provided. If you continue to use our services after receiving the change information, you declare that you agree to these changes. In the event of an objection, you can block your account at any time and have your personal and project-related data deleted. By registering on our platform, you agree to these data protection provisions.
Protection of your data
Company and project-related data that you have stored on our platform will only be made available to the groups of persons or legal entities that you have personally selected. This also applies to data provided by you that is considered "confidential" within your company. You provide data of this type at your own risk. Data in your user profile will be checked and confirmed by our employees as part of a verification process. This does not apply to your selected passwords or information that you have stored in the system as a result of a project tender. In addition, we have taken industry-standard technical security precautions to protect your data from unauthorized external access.
Forwarding your data to third parties
apadua.com only forwards your data to selected users of our services if (1) you give the order to do so by starting a request for proposal (RfP) via our web service; (2) if the potential recipients have been personally checked and approved by our employees; (3) if you personally request us to view your data and have it processed by one of our employees; (4) if it has become necessary to hand over the data to government agencies due to legal violations.
Handling of your user profile data
In order to register with apadua.com, you must provide a minimum amount of information that allows us to verify and confirm its authenticity. We always endeavor to check the originators of the external data provided on apadua.com in order to ensure maximum reliability. Therefore, the user profile data provided by you should always correspond to the truth and enable the identification of your person and the business organization you represent.
Furthermore, by registering, you consent to your profile data being made available to participants in the course of tenders initiated by you. This also applies to company and project-related information that you have entered.
Optimization of our offer
As soon as you use our services, our system automatically records and stores your usage data within the functions of our web services. This data is collected anonymously for research and optimization of user-friendliness and evaluated internally. In addition, we use the data to constantly optimize the scope of our offer so that it meets the needs and requirements of our users. If you have any reservations regarding the handling of your usage data, you can delete your account at any time.
Notifications from apadua
We will contact you via the e-mail address you have provided to us for information relevant to usage or legal matters. Therefore, please ensure that you always have an active e-mail address in your user profile. We also recommend that after receiving the first e-mail from us, you classify the sender @apadua.com as secure in order to rule out possible classification as spam.
Data security
Our website uses the latest HTTPS encryption technologies to ensure the security of your data during use and storage. Nevertheless, we ask you to be careful when using web-based services due to various potential risks and to always use secure passwords and change them regularly.