Information Security Protocol

Handling client assets

Client assets are handled by dedicated project managers and translated by a fixed team of translators, who are obliged to sign non-disclosure agreements. Every project is subject to standard security procedures.

Data categories

Group	Obtaining	Basis for processing	Types of data	Storage	Format	Access by	Transfer
Customers
Corporate, institutions (contact persons)	E-mail from client	performance of contract Article 6(1)(b) and legal interest Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction	Full name, e-mail, phone number, Skype ID	Mail – Microsoft365, BMS – SpaceTMS	database	employees	SpaceTMS, Microsoft365
Individual clients	E-mail from client, phone conversation, personal visit to the office	performance of contract Article 6(1)(b) and legal interest Article 6(1)(f) – in order to update the client or make inquiries regarding the ongoing project, payment, satisfaction	Full name, address, phone number, e-mail, Skype ID, business name, NIP, Regon	Mail – Microsoft365, BMS – SpaceTMS, Invoicing – Saldeo, Financial system, local file server	database and electronic documents (invoices)	employees	SpaceTMS, Microsoft365, Saldeo
Prospective clients	contact form on www.diuna.biz	consent	Full name, e-mail, phone number	WordPress, Microsoft365 mail, CRM-Bitrix24	database	employees	Microsoft365
Suppliers
Vendors	recruitment process – application	performance of contract Article 6(1)(b)	Full name, address, business name and address, phone numbers, e-mail address, NIP, REGON, bank account details, other payment details	Microsoft365 mail, SpaceTMS (vendor owned account), Autenti, Saldeo, local file server	database, documents (contracts)	employees	Microsoft365, SpaceTMS, Autenti, Saldeo
Employees	aplikacja
Employees	job application	performance of contract Article 6(1)(b) and statutory obligation Article 6(1)(c)	Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank account	Microsoft365, payroll system – Asseco, Bitrix24 (only name and contact information)	documents, contracts	General Manager, Office Manager, HR Manager	mail, file server
Apprentices and trainees	apprenticeship application	performance of contract Article 6(1)(b) and statutory obligation Article 6(1)(c)	Full name, address, mailing address, parents’ names, date of birth, tax office, NIP, Pesel, bank account	Microsoft365 mail, Bitrix24 (only name and contact information)	documents	Office Manager, Vendor Manager	mail
Translated content
personal data in translated content	shared by clients via email or otherwise (ftp)	data processing agreement	as per delivered content	Microsoft365 mail, SpaceTMS, translation memories	database, file	employees, shared with vendors employed to do specific tasks	Microsoft365 mail, SpaceTMS

Data processing

Type	Provider	EEA only	Backup	Access	Scope of data
Mail	Microsoft365 – cloud	No	Provider 30 days	Personal, Two way authentication	Client data (including personal), client content, vendor data (including personal)
Mail 2	Home.pl – cloud	Yes	Provider – 3 days	Personal, 2 way auth.	Client data (including personal), client content, vendor data (including personal)
File server	Local onsite	Yes	DIUNA	According to user rights	Client content in TM, vendor data (contracts and invoices)
PC	Local onsite / with user	Yes	NO	Personal/ password	No permanent storage, only for the time of processing, type of data depends on the role in DIUNA
Project management system	SpaceTMS.com – cloud	Yes	Provider, weekly backups	Personal/ password	Client data (including personal data), client content, vendors (on accounts owned by vendors)
Translation management system ™	Trados – local file serverMemsource – cloud	Yes	DIUNA, Provider	According to user rights	Client content
Machine translation TM	Tilde – cloud	Yes		Through translation management system	Client content
Invoicing	Saldeo – cloud, outsourced accountant	Yes	Provider	Authorised users	Vendors’ personal data
CRM, internal communication	Bitrix24 – cloud	Yes	Provider	Authorised users	Employees, trainees, apprentices – names, emails, phone numbers
Document editors	Microsoft365 – Onedrive	Yes	Provider	Individual users	Client content (only on client’s explicit request)

Purpose of processing

Group	Purpose of processing
Customers
Corporate, institutions and individual clients	To send a quoteto perform a contractto deliver servicesto process paymentto inquire about client satisfactionto improve client experienceto improve quality of servicesto offer additional or new product and servicesto update our database
Prospective clients	To send a quoteto offer additional or new product and servicesto improve services and client experience
Suppliers
Vendors	to offer tasksto negotiate ratesto inform about procedures and requirementsto process payments
Employees
Employees	to perform employment contractto comply with employment regulations
Apprentices and trainees	to perform contractto give tasks and feedback

Anti-virus software

Our IT resources are secured by anti-virus software with the following functions:

a) securing the IT resources against malware with a residential module that scans the entire computer system; 

b) updating the virus signature database on an ongoing basis; 

c) automated reaction in case new and unknown malware is detected, e.g. blocking all communications with the infected computer.

The software we are currently using is ESET and Windows Defender.

Handling of confidential information

Desktop workstations are secured with a password that is changed every few months. Passwords are comprised of 9 characters or more, including at least one special character, and are never simple. Unlocked workstations are never left unsupervised. Daily work is done on an account without administrator privileges.

Access to the network drive is secured with a password, and access to it via a VPN, with an additional password and certificates.

Desktop workstations are protected with a firewall and anti-virus software.

• Clean desk policy
• Every employee is responsible for maintaining the confidentiality of the data they are entrusted with access to.
• The company provides regular information security trainings for the personnel.
• Every employee is obliged to protect their access information to IT systems.
• Unsecured confidential information may not be taken outside of the company premises.
  It is emphatically forbidden to take confidential information on digital media (flash drives, CDs etc.) outside of company premises.
• Every new employee and service provider is obligated to agree to a non-disclosure agreement.

Protection of premises

•  Secure electronic lock with authorised use only
• Barred windows
• Fence with a gate locked with a padlock

 Chain of custody

1. Collection of evidence – identification and recording of information about the security incident
2. Examination and analysis of the aforementioned information
3. Documentation of the above steps

Breach protocol

• Every employee who notices or suspects a personal data breach is obligated to report it to their immediate superior without delay. The superior then notifies the data controller of that fact.
• In case a data breach is confirmed, no actions may be taken that can impede the analysis of the circumstances and the documentation of the breach. The place of the incident must also not be left unattended without justification until the data protection officer or another person authorised by the data controller arrives.
• The data controller analyses the situation and decides on further steps, taking into consideration the risks to proper and continued operation of the company. 
• The data controller receives a detailed report on the personal data breach from the person notifying of the incident and from any other person who may know something related to it. 
• The data controller contacts external specialists, if needed.
• Pursuant to the GDPR, any breach of personal data must be reported to the data protection authority within 72 hours following the breach.
• When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

Data processor

• Data controller: Diuna Group Sp. z o.o. with the seat in Warsaw, Poland
• e-mail: GDPR@diuna.biz
• Data subject’s rights:

• The Right to Information
• The Right of Access
• The Right to Rectification
• The Right to Erasure
• The Right to Restriction of Processing
• The Right to Data Portability
• The Right to Object
• The Right to Avoid Automated Decision-Making

Last update June 2023