Information Security Protocol
Handling client assets
Client assets are handled by dedicated project managers and translated by a fixed team of translators, who are obliged to sign non-disclosure agreements. Every project is subject to standard security procedures.
Data categories
Group | Obtained via | Legal basis for processing | Types of data | Storage | Format | Access by | Transfer |
Customers | |||||||
Corporate clients and institutions (contact persons) | E-mail from client | Performance of a contract, Article 6(1)(b), and legitimate interest, Article 6(1)(f): to update the client or make inquiries regarding the ongoing project, payment and satisfaction | Full name, e-mail, phone number, Skype ID | Mail: Microsoft365; BMS: SpaceTMS | Database | Employees | SpaceTMS, Microsoft365 |
Individual clients | E-mail from client, phone conversation, personal visit to the office | Performance of a contract, Article 6(1)(b), and legitimate interest, Article 6(1)(f): to update the client or make inquiries regarding the ongoing project, payment and satisfaction | Full name, address, phone number, e-mail, Skype ID, business name, NIP, REGON | Mail: Microsoft365; BMS: SpaceTMS; invoicing: Saldeo; financial system; local file server | Database and electronic documents (invoices) | Employees | SpaceTMS, Microsoft365, Saldeo |
Prospective clients | Contact form on www.diuna.biz | Consent, Article 6(1)(a) | Full name, e-mail, phone number | WordPress, Microsoft365 mail, CRM: Bitrix24 | Database | Employees | Microsoft365 |
Suppliers | |||||||
Vendors | Recruitment process (application) | Performance of a contract, Article 6(1)(b) | Full name, address, business name and address, phone numbers, e-mail address, NIP, REGON, bank account details, other payment details | Microsoft365 mail, SpaceTMS (vendor-owned account), Autenti, Saldeo, local file server | Database, documents (contracts) | Employees | Microsoft365, SpaceTMS, Autenti, Saldeo |
Employees | |||||||
Employees | Job application | Performance of a contract, Article 6(1)(b), and statutory obligation, Article 6(1)(c) | Full name, address, mailing address, parents' names, date of birth, tax office, NIP, PESEL, bank account | Microsoft365; payroll system: Asseco; Bitrix24 (name and contact information only) | Documents, contracts | General Manager, Office Manager, HR Manager | Mail, file server |
Apprentices and trainees | Apprenticeship application | Performance of a contract, Article 6(1)(b), and statutory obligation, Article 6(1)(c) | Full name, address, mailing address, parents' names, date of birth, tax office, NIP, PESEL, bank account | Microsoft365 mail, Bitrix24 (name and contact information only) | Documents | Office Manager, Vendor Manager | |
Translated content | |||||||
Personal data in translated content | Shared by clients via e-mail or otherwise (e.g. FTP) | Data processing agreement | As per delivered content | Microsoft365 mail, SpaceTMS, translation memories | Database, file | Employees; shared with vendors engaged for specific tasks | Microsoft365 mail, SpaceTMS |
Data processing
Type | Provider | EEA only | Backup | Access | Scope of data |
Mail 1 | Microsoft365 (cloud) | Yes | Provider, 30 days | Personal account, two-factor authentication | Client data (including personal data), client content, vendor data (including personal data) |
Mail 2 | Home.pl (cloud) | Yes | Provider, 3 days | Personal account, two-factor authentication | Client data (including personal data), client content, vendor data (including personal data) |
File server | Local, on-site | Yes | DIUNA | According to user rights | Client content in TM, vendor data (contracts and invoices) |
PC | Local, on-site / with user | Yes | No | Personal account, password | No permanent storage, only for the time of processing; type of data depends on the role in DIUNA |
Project management system | SpaceTMS.com (cloud) | Yes | Provider, weekly backups | Personal account, password | Client data (including personal data), client content, vendors (on accounts owned by vendors) |
Translation management system (TM) | Trados: local file server; Memsource: cloud | Yes | DIUNA, provider | According to user rights | Client content |
Machine translation (MT) | Tilde (cloud) | Yes | | Through the translation management system | Client content |
Invoicing | Saldeo (cloud), outsourced accountant | Yes | Provider | Authorised users | Vendors' personal data |
CRM, internal communication | Bitrix24 (cloud) | Yes | Provider | Authorised users | Employees, trainees, apprentices: names, e-mails, phone numbers |
Document editors | Microsoft365 OneDrive | Yes | Provider | Individual users | Client content (only at the client's explicit request) |
Purpose of processing
Group | Purpose of processing |
Customers | |
Corporate, institutions and individual clients | To send a quote; to perform a contract; to deliver services; to process payment; to inquire about client satisfaction; to improve client experience; to improve quality of services; to offer additional or new products and services; to update our database |
Prospective clients | To send a quote; to offer additional or new products and services; to improve services and client experience |
Suppliers | |
Vendors | To offer tasks; to negotiate rates; to inform about procedures and requirements; to process payments |
Employees | |
Employees | To perform the employment contract; to comply with employment regulations |
Apprentices and trainees | To perform the contract; to give tasks and feedback |
Anti-virus software
Our IT resources are protected by anti-virus software with the following functions:
a) protecting IT resources against malware with a resident module that scans the entire computer system;
b) updating the virus signature database on an ongoing basis;
c) automated response when new or unknown malware is detected, e.g. blocking all network communication with the infected computer.
The software currently in use is ESET and Windows Defender.
Handling of confidential information
Desktop workstations are secured with a password that is changed every few months. Passwords consist of at least 9 characters, including at least one special character, and are never trivial. Unlocked workstations are never left unattended. Daily work is done on an account without administrator privileges.
Access to the network drive requires a password; remote access to it via VPN requires an additional password and certificates.
Desktop workstations are protected with a firewall and anti-virus software.
- Clean desk policy.
- Every employee is responsible for maintaining the confidentiality of the data they are entrusted with.
- The company provides regular information security training for personnel.
- Every employee is obliged to protect their credentials for IT systems.
- Unsecured confidential information may not be taken outside the company premises. It is expressly forbidden to take confidential information outside the company premises on digital media (flash drives, CDs etc.).
- Every new employee and service provider is obliged to sign a non-disclosure agreement.
Protection of premises
- Secure electronic lock with authorised use only
- Barred windows
- Fence with a gate locked with a padlock
Chain of custody
- Collection of evidence: identification and recording of information about the security incident
- Examination and analysis of the collected information
- Documentation of the above steps
Breach protocol
- Every employee who notices or suspects a personal data breach is obliged to report it to their immediate superior without delay. The superior then notifies the data controller.
- Once a data breach is confirmed, no action may be taken that could impede the analysis of the circumstances or the documentation of the breach. The place of the incident must not be left unattended without justification until the data protection officer or another person authorised by the data controller arrives.
- The data controller analyses the situation and decides on further steps, taking into account the risks to the proper and continued operation of the company.
- The data controller receives a detailed report on the personal data breach from the person who reported the incident and from any other person who may have relevant information.
- The data controller engages external specialists if needed.
- Pursuant to Article 33 of the GDPR, a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- Pursuant to Article 34 of the GDPR, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller communicates the breach to the data subjects without undue delay.
Rights of the data subject
Under the GDPR (General Data Protection Regulation), data subjects whose personal data is processed have a number of rights. Here are some of the key rights of data subjects in relation to data protection:
- Right to information: The data subject has the right to receive clear, comprehensible and exhaustive information about the processing of their personal data, such as the purpose of the processing, the categories of data, the storage period, and information about the controller.
- Right of access: The data subject has the right to obtain confirmation as to whether or not personal data is being processed and access to such data and information relating to it.
- Right to rectification of data: The data subject has the right to request the rectification or completion of their inaccurate or incomplete personal data.
- Right to erasure (the so-called "right to be forgotten"): The data subject may request the erasure of their personal data if there is a legitimate reason, e.g. when the data is no longer needed for the purposes for which it was collected.
- Right to restriction of processing: The data subject has the right to request the restriction of the processing of their personal data in certain situations, for example while the accuracy of the data is being verified or after objecting to the processing.
- Right to data portability: In some cases, the data subject has the right to receive their personal data in a structured format that is commonly used and machine-readable and to transmit this data to another controller.
- Right to object: The data subject has the right to object to the processing of their personal data on grounds relating to their particular situation, unless the controller demonstrates the existence of compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.
For matters relating to the exercise of these rights, please contact: GDPR@diuna.biz
Last update July 2024