Information Security Protocol

Handling client assets

Client assets are handled by dedicated project managers and translated by a fixed team of translators, who are obliged to sign non-disclosure agreements. Every project is subject to standard security procedures.

Data categories

Group Obtaining Basis for processing Types of data Storage Format Access by Transfer
Corporate, institutions (contact persons) E-mail from client performance of contract Article 6(1)(b) and legal interest Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction Full name, e-mail, phone number, Skype ID Mail – Microsoft365, BMS – SpaceTMS database employees SpaceTMS, Microsoft365
Individual clients E-mail from client, phone conversation, personal visit to the office performance of contract Article 6(1)(b) and legal interest Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction Full name, address, phone number, e-mail, Skype ID, business name, NIP, Regon

Mail – Microsoft365, BMS – SpaceTMS, Invoicing – Saldeo, Financial system, local file server database and electronic documents (invoices) employees SpaceTMS, Microsoft365, Saldeo
Prospective clients contact form on consent Full name, e-mail, phone number WordPress, Microsoft365 mail, CRM-Bitrix24 database employees Microsoft365
Vendors recruitment process – application performance of contract Article 6(1)(b) Full name, address, business name and address, phone numbers, e-mail address, NIP, REGON, bank account details, other payment details Microsoft365 mail, SpaceTMS (vendor owned account), Autenti, Saldeo, local file server database, documents (contracts) employees Microsoft365, SpaceTMS, Autenti, Saldeo
Employees aplikacja
Employees job application performance of contract Article 6(1)(b) and statutory obligation Article 6(1)(c) Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank account Microsoft365, payroll system – Asseco, Bitrix24 (only name and contact information) documents, contracts General Manager, Office Manager, HR Manager mail, file server
Apprentices and trainees apprenticeship application performance of contract Article 6(1)(b) and statutory obligation Article 6(1)(c) Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank account Microsoft365 mail, Bitrix24 (only name and contact information) documents Office Manager, Vendor Manager mail
Translated content
personal data in translated content shared by clients via email or otherwise (ftp) data processing agreement as per delivered content Microsoft365 mail, SpaceTMS, translation memories database, file employees, shared with vendors employed to do specific tasks Microsoft365 mail, SpaceTMS

Data processing

Type Provider EEA only Backup Access Scope of data
Mail Microsoft365 – cloud No Provider 30 days Personal, Two way authentication Client data (including personal), client content, vendor data (including personal)
Mail 2 – cloud Yes Provider – 3 days Personal, 2 way auth. Client data (including personal), client content, vendor data (including personal)
File server Local onsite Yes DIUNA According to user rights Client content in TM, vendor data (contracts and invoices)
PC Local onsite / with user Yes NO Personal/ password No permanent storage, only for the time of processing, type of data depends on the role in DIUNA
Project management system – cloud Yes Provider, weekly backups Personal/ password Client data (including personal data), client content, vendors (on accounts owned by vendors)
Translation management system ™ Trados – local file serverMemsource – cloud Yes DIUNA, Provider According to user rights Client content
Machine translation TM Tilde – cloud Yes Through translation management system Client content
Invoicing Saldeo – cloud, outsourced accountant Yes Provider Authorised users Vendors’ personal data
CRM, internal communication Bitrix24 – cloud Yes Provider Authorised users Employees, trainees, apprentices – names, emails, phone numbers
Document editors Microsoft365 – Onedrive Yes Provider Individual users Client content (only on client’s explicit request)

Purpose of processing

Group Purpose of processing
Corporate, institutions and individual clients To send a quoteto perform a contractto deliver servicesto process paymentto inquire about client satisfactionto improve client experienceto improve quality of servicesto offer additional or new product and servicesto update our database
Prospective clients To send a quoteto offer additional or new product and servicesto improve services and client experience
Vendors to offer tasksto negotiate ratesto inform about procedures and requirementsto process payments
Employees to perform employment contractto comply with employment regulations
Apprentices and trainees to perform contractto give tasks and feedback

Anti-virus software

Our IT resources are secured by anti-virus software with the following functions:

a) securing the IT resources against malware with a residential module that scans the entire computer system; 

b) updating the virus signature database on an ongoing basis; 

c) automated reaction in case new and unknown malware is detected, e.g. blocking all communications with the infected computer.

The software we are currently using is ESET and Windows Defender.

Handling of confidential information

Desktop workstations are secured with a password that is changed every few months. Passwords are comprised of 9 characters or more, including at least one special character, and are never simple. Unlocked workstations are never left unsupervised. Daily work is done on an account without administrator privileges.

Access to the network drive is secured with a password, and access to it via a VPN, with an additional password and certificates.

Desktop workstations are protected with a firewall and anti-virus software.

  • Clean desk policy
  • Every employee is responsible for maintaining the confidentiality of the data they are entrusted with access to.
  • The company provides regular information security trainings for the personnel.
  • Every employee is obliged to protect their access information to IT systems.
  • Unsecured confidential information may not be taken outside of the company premises.
    It is emphatically forbidden to take confidential information on digital media (flash drives, CDs etc.) outside of company premises.
  • Every new employee and service provider is obligated to agree to a non-disclosure agreement.

Protection of premises

  •  Secure electronic lock with authorised use only
  • Barred windows
  • Fence with a gate locked with a padlock

 Chain of custody

  1. Collection of evidence – identification and recording of information about the security incident
  2. Examination and analysis of the aforementioned information
  3. Documentation of the above steps

Breach protocol

  • Every employee who notices or suspects a personal data breach is obligated to report it to their immediate superior without delay. The superior then notifies the data controller of that fact.
  • In case a data breach is confirmed, no actions may be taken that can impede the analysis of the circumstances and the documentation of the breach. The place of the incident must also not be left unattended without justification until the data protection officer or another person authorised by the data controller arrives.
  • The data controller analyses the situation and decides on further steps, taking into consideration the risks to proper and continued operation of the company. 
  • The data controller receives a detailed report on the personal data breach from the person notifying of the incident and from any other person who may know something related to it. 
  • The data controller contacts external specialists, if needed.
  • Pursuant to the GDPR, any breach of personal data must be reported to the data protection authority within 72 hours following the breach.
  • When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Data processor

  • Data controller: Diuna Group Sp. z o.o. with the seat in Warsaw, Poland
  • e-mail:
  • Data subject’s rights:

  • The Right to Information
  • The Right of Access
  • The Right to Rectification
  • The Right to Erasure
  • The Right to Restriction of Processing
  • The Right to Data Portability
  • The Right to Object
  • The Right to Avoid Automated Decision-Making

Last update June 2023


Zadaj nam dowolne pytanie – nasz konsultant skontaktuje się z Tobą szybciej niż możesz się tego spodziewać.

Szybki kontakt