Information Security Policy
Last updated: January 31, 2025
Introduction and Purpose
This Information Security Policy (the “Policy”) outlines the measures and controls implemented by VeroMotion to protect the confidentiality, integrity, and availability of information assets, particularly Customer Personal Data, processed through its Quallie SaaS platform (the “Services”). This Policy demonstrates VeroMotion’s commitment to maintaining a robust security posture in compliance with applicable data protection laws, including GDPR and UK GDPR, and industry best practices.
VeroMotion acknowledges its role as a data processor and its responsibility to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Customer Personal Data on behalf of its customers (data controllers).
Scope
This Policy applies to all VeroMotion employees, contractors, and third parties who have access to or process information related to the Quallie Services, including all systems, networks, applications, and physical facilities involved in the provision of Quallie SaaS.
General Principles
- Confidentiality: Protecting personal data from unauthorized disclosure.
- Integrity: Ensuring the accuracy and completeness of personal data throughout its lifecycle.
- Availability: Ensuring that personal data is accessible and usable when required by authorized individuals.
- Risk Management: Identifying, assessing, and mitigating information security risks.
- Continuous Improvement: Regularly reviewing and enhancing security measures.
Information Security Governance
- Information Security Management: A dedicated team or individual is responsible for overseeing information security, including policy development, risk assessment, and compliance monitoring.
- Policy Framework: This Policy is supported by more detailed internal standards, procedures, and guidelines that dictate specific security controls and practices.
- Regular Reviews: The Security Policy and its effectiveness are reviewed at least annually, or more frequently in response to significant changes in risk, technology, or regulatory requirements.
Access Management
Logical Access Controls:
- Role-Based Access Control (RBAC): Access to Quallie systems and customer data is granted based on the principle of least privilege, meaning users only have access to what is strictly necessary for their job function.
- Unique User IDs: All users are assigned unique identifiers.
- Strong Authentication: Multi-factor authentication (MFA) is enforced for access to all internal and production systems containing or processing personal data. Password policies require complexity, regular changes, and protection against common attacks.
- Access Reviews: User access rights are reviewed periodically (e.g., quarterly or bi-annually) and revoked promptly upon role change or termination.
- Segregation of Duties: Critical functions are segregated to prevent a single individual from performing a complete sensitive process.
Physical Access Controls:
- Data Center Security: VeroMotion relies on the robust physical security measures implemented by its chosen cloud infrastructure providers and server hosting providers. This includes biometric controls, video surveillance, 24/7 security personnel, and strict access logging. VeroMotion does not maintain its own physical data centers for customer data storage.
Data Security
Encryption
- Encryption in Transit: All data transmitted between Customer devices and Quallie Services, and between VeroMotion’s internal systems and sub-processors, is encrypted using industry-standard protocols (e.g., TLS 1.2 or higher).
- Encryption at Rest: Customer Personal Data stored within Quallie’s databases and storage systems (e.g., cloud storage, backups) is encrypted using industry-standard encryption algorithms (e.g., AES-256).
- Pseudonymisation and Anonymisation: Where appropriate and feasible, personal data is pseudonymised or anonymised to reduce risk, particularly for analytical or testing purposes.
- Secure Data Transfer: Secure methods are used for any internal or external transfer of personal data.
Network and System Security
- Firewalls and network segmentation: Network access to and within Quallie’s infrastructure is controlled by firewalls and network segmentation to restrict unauthorized traffic and isolate critical systems.
- Vulnerability management: Regular vulnerability scanning and penetration testing are performed on Quallie applications and infrastructure to identify and address security weaknesses. Remediation efforts are prioritized based on risk severity.
- Patch management: Operating systems, applications, and infrastructure components are regularly patched and updated to protect against known vulnerabilities.
- Security configuration baselines: Systems are configured according to secure baseline configurations.
Incident Management
- Incident response plan: A documented incident response plan is in place to detect, contain, investigate, and recover from security incidents, including personal data breaches.
- Incident reporting: All security incidents and suspected personal data breaches are promptly reported and escalated internally.
- Notification procedures: In the event of a personal data breach affecting Customer Personal Data, VeroMotion will notify the affected Customer without undue delay, in accordance with the terms of the Data Processing Addendum.
Business Continuity & Disaster Recovery
- Backups: Customer Personal Data is regularly backed up with appropriate frequency and retention periods to ensure recoverability in case of data loss or system failure. Backups are encrypted and stored securely.
- Disaster Recovery Plan: A comprehensive disaster recovery plan is maintained and regularly tested to ensure the ability to restore Services and access to data following a major disruption.
- Redundancy and Resilience: Quallie infrastructure is designed with redundancy and resilience to minimize single points of failure and ensure high availability.
Personnel Security
- Confidentiality Agreements: All VeroMotion employees and relevant contractors are required to sign confidentiality agreements.
- Security Training: Mandatory security awareness training is provided to all personnel upon hiring and on an annual basis thereafter. Training covers data protection principles, security policies, and incident reporting procedures.
- Background Checks: Background checks are conducted for all new hires in accordance with applicable law and industry standards.
Vendor/Sub-processor Management
- Due Diligence: A due diligence process is followed to evaluate the security and data protection practices of all third-party vendors and sub-processors who may access or process Customer Personal Data.
- Contractual Obligations: Sub-processors are engaged under written agreements that impose data protection obligations equivalent to those contained in VeroMotion’s Data Processing Addendum with its customers.
- Monitoring: VeroMotion periodically monitors the compliance of its sub-processors.
Audit and Assurance
- Internal audits: Regular internal security audits are conducted to assess compliance with this Policy and relevant security standards.
- External audits: VeroMotion undergoes independent third-party security audits to provide assurance regarding its security controls.
Physical and Environmental Security
- Server hosting and cloud provider reliance: As Quallie operates entirely within secure server hosting and cloud infrastructure environments, VeroMotion relies on the comprehensive physical and environmental security controls provided by these providers for their data centers. This includes environmental controls (temperature, humidity), fire suppression, power redundancy, and continuous monitoring of facilities.
Policy Review
This Policy will be reviewed periodically (at least annually) and updated as necessary to reflect changes in legal requirements, industry best practices, or VeroMotion’s data processing activities. The current version will always be available at the URL specified in the Data Processing Addendum.