Information Security Protocol

Handling client assets

Client assets are handled by dedicated project managers and translated by a fixed team of translators, who are obliged to sign non-disclosure agreements. Every project is subject to standard security procedures.

Data categories

Each record below lists, for one group of data subjects: how the data is obtained, the basis for processing, the types of data, where it is stored, the storage format, who has access, and where it is transferred.

Customers

  Corporate, institutions (contact persons)
    Obtaining: e-mail from client
    Basis for processing: performance of contract, Article 6(1)(b), and legitimate interest, Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction
    Types of data: full name, e-mail, phone number, Skype ID
    Storage: mail – Microsoft365, BMS – SpaceTMS
    Format: database
    Access by: employees
    Transfer: SpaceTMS, Microsoft365

  Individual clients
    Obtaining: e-mail from client, phone conversation, personal visit to the office
    Basis for processing: performance of contract, Article 6(1)(b), and legitimate interest, Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction
    Types of data: full name, address, phone number, e-mail, Skype ID, business name, NIP, REGON
    Storage: mail – Microsoft365, BMS – SpaceTMS, invoicing – Saldeo, financial system, local file server
    Format: database and electronic documents (invoices)
    Access by: employees
    Transfer: SpaceTMS, Microsoft365, Saldeo

  Prospective clients
    Obtaining: contact form on www.diuna.biz
    Basis for processing: consent
    Types of data: full name, e-mail, phone number
    Storage: WordPress, Microsoft365 mail, CRM – Bitrix24
    Format: database
    Access by: employees
    Transfer: Microsoft365

Suppliers

  Vendors
    Obtaining: recruitment process – application
    Basis for processing: performance of contract, Article 6(1)(b)
    Types of data: full name, address, business name and address, phone numbers, e-mail address, NIP, REGON, bank account details, other payment details
    Storage: Microsoft365 mail, SpaceTMS (vendor-owned account), Autenti, Saldeo, local file server
    Format: database, documents (contracts)
    Access by: employees
    Transfer: Microsoft365, SpaceTMS, Autenti, Saldeo

Employees

  Employees
    Obtaining: job application
    Basis for processing: performance of contract, Article 6(1)(b), and statutory obligation, Article 6(1)(c)
    Types of data: full name, address, mailing address, parents’ names, date of birth, tax office, NIP, PESEL, bank account
    Storage: Microsoft365, payroll system – Asseco, Bitrix24 (only name and contact information)
    Format: documents, contracts
    Access by: General Manager, Office Manager, HR Manager
    Transfer: mail, file server

  Apprentices and trainees
    Obtaining: apprenticeship application
    Basis for processing: performance of contract, Article 6(1)(b), and statutory obligation, Article 6(1)(c)
    Types of data: full name, address, mailing address, parents’ names, date of birth, tax office, NIP, PESEL, bank account
    Storage: Microsoft365 mail, Bitrix24 (only name and contact information)
    Format: documents
    Access by: Office Manager, Vendor Manager
    Transfer: mail

Translated content

  Personal data in translated content
    Obtaining: shared by clients via e-mail or otherwise (FTP)
    Basis for processing: data processing agreement
    Types of data: as per delivered content
    Storage: Microsoft365 mail, SpaceTMS, translation memories
    Format: database, file
    Access by: employees; shared with vendors employed to do specific tasks
    Transfer: Microsoft365 mail, SpaceTMS

Data processing

Each record below lists, for one type of system: the provider, whether data stays within the EEA only, who performs backups and for how long, how access is controlled, and the scope of data held.

  Mail
    Provider: Microsoft365 – cloud
    EEA only: yes
    Backup: provider, 30 days
    Access: personal, two-way authentication
    Scope of data: client data (including personal), client content, vendor data (including personal)

  Mail 2
    Provider: Home.pl – cloud
    EEA only: yes
    Backup: provider, 3 days
    Access: personal, two-way authentication
    Scope of data: client data (including personal), client content, vendor data (including personal)

  File server
    Provider: local, on site
    EEA only: yes
    Backup: DIUNA
    Access: according to user rights
    Scope of data: client content in TM, vendor data (contracts and invoices)

  PC
    Provider: local, on site / with user
    EEA only: yes
    Backup: no
    Access: personal / password
    Scope of data: no permanent storage, only for the time of processing; type of data depends on the role in DIUNA

  Project management system
    Provider: SpaceTMS.com – cloud
    EEA only: yes
    Backup: provider, weekly backups
    Access: personal / password
    Scope of data: client data (including personal data), client content, vendors (on accounts owned by vendors)

  Translation management system TM
    Provider: Trados – local file server; Memsource – cloud
    EEA only: yes
    Backup: DIUNA, provider
    Access: according to user rights
    Scope of data: client content

  Machine translation TM
    Provider: Tilde – cloud
    EEA only: yes
    Backup: (not stated)
    Access: through translation management system
    Scope of data: client content

  Invoicing
    Provider: Saldeo – cloud, outsourced accountant
    EEA only: yes
    Backup: provider
    Access: authorised users
    Scope of data: vendors’ personal data

  CRM, internal communication
    Provider: Bitrix24 – cloud
    EEA only: yes
    Backup: provider
    Access: authorised users
    Scope of data: employees, trainees, apprentices – names, e-mails, phone numbers

  Document editors
    Provider: Microsoft365 – OneDrive
    EEA only: yes
    Backup: provider
    Access: individual users
    Scope of data: client content (only on client’s explicit request)

Purpose of processing

Customers

  Corporate, institutions and individual clients
    • to send a quote
    • to perform a contract
    • to deliver services
    • to process payment
    • to inquire about client satisfaction
    • to improve client experience
    • to improve quality of services
    • to offer additional or new products and services
    • to update our database

  Prospective clients
    • to send a quote
    • to offer additional or new products and services
    • to improve services and client experience

Suppliers

  Vendors
    • to offer tasks
    • to negotiate rates
    • to inform about procedures and requirements
    • to process payments

Employees

  Employees
    • to perform the employment contract
    • to comply with employment regulations

  Apprentices and trainees
    • to perform the contract
    • to give tasks and feedback

Anti-virus software

Our IT resources are secured by anti-virus software with the following functions:

a) securing the IT resources against malware with a resident module that scans the entire computer system;

b) updating the virus signature database on an ongoing basis;

c) automated reaction in case new and unknown malware is detected, e.g. blocking all communications with the infected computer.

The software we are currently using is ESET together with Windows Defender.

Handling of confidential information

Desktop workstations are secured with a password that is changed every few months. Passwords consist of 9 characters or more, include at least one special character, and are never trivial. Unlocked workstations are never left unsupervised. Daily work is done on an account without administrator privileges.

Access to the network drive is password-protected; remote access to it over a VPN requires an additional password and certificates.

Desktop workstations are protected with a firewall and anti-virus software.

  • Clean desk policy
  • Every employee is responsible for maintaining the confidentiality of the data they are entrusted with access to.
  • The company provides regular information security training for the personnel.
  • Every employee is obliged to protect their access credentials to IT systems.
  • Unsecured confidential information may not be taken outside of the company premises. It is emphatically forbidden to take confidential information on digital media (flash drives, CDs etc.) outside of company premises.
  • Every new employee and service provider is obligated to sign a non-disclosure agreement.

Protection of premises

  • Secure electronic lock with authorised use only
  • Barred windows
  • Fence with a gate locked with a padlock

Chain of custody

  1. Collection of evidence – identification and recording of information about the security incident
  2. Examination and analysis of the aforementioned information
  3. Documentation of the above steps

Breach protocol

  • Every employee who notices or suspects a personal data breach is obligated to report it to their immediate superior without delay. The superior then notifies the data controller of that fact.
  • In case a data breach is confirmed, no actions may be taken that can impede the analysis of the circumstances and the documentation of the breach. The place of the incident must also not be left unattended without justification until the data protection officer or another person authorised by the data controller arrives.
  • The data controller analyses the situation and decides on further steps, taking into consideration the risks to proper and continued operation of the company.
  • The data controller receives a detailed report on the personal data breach from the person notifying of the incident and from any other person who may know something related to it.
  • The data controller contacts external specialists, if needed.
  • Pursuant to the GDPR, any breach of personal data must be reported to the data protection authority within 72 hours following the breach.
  • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Data processor

  • Data controller: Diuna Group Sp. z o.o. with the seat in Warsaw, Poland
  • e-mail: GDPR@diuna.biz
  • Data subject’s rights:
    • The Right to Information
    • The Right of Access
    • The Right to Rectification
    • The Right to Erasure
    • The Right to Restriction of Processing
    • The Right to Data Portability
    • The Right to Object
    • The Right to Avoid Automated Decision-Making

Last update June 2023
