Skip to main content

Information Security Policy

ISP

Written by Morten Borum

1. Scope and Purpose

  • This policy applies to all BitaBIZ personnel, systems, and services that process company and customer data.

  • The goal is to ensure a risk-based, compliant approach to information security in line with GDPR (EU, UK), Swiss FADP, and ISAE 3000 standards.

  • The policy supports our contractual obligations as a data processor under Article 28 of the GDPR.

2. Governance and Roles

  • The Executive Management Team is responsible for implementing and overseeing information security.

  • The CEO leads the day-to-day execution of technical and organizational controls.

  • Managers make sure all staff understand and follow information security responsibilities.

  • All employees, including contractors, must complete security training every year.

3. Platform and Infrastructure Security

  • BitaBIZ provides its SaaS platform through Microsoft Azure (West Europe), using Azure App Services, Functions, SQL, and Virtual Machines.

  • Microsoft Defender antivirus and antimalware are active on all infrastructure components.

  • All access to production systems is secured with the Microsoft Entra Identification suite and Just-in-Time (JIT) access, with audit logging of all activities.

  • Privileged roles are only granted after approved elevation requests via Azure Privileged Identity Management (PIM), ensuring controlled and accountable access.

  • The infrastructure is monitored 24/7 using Azure Application Insights and Log Analytics.

  • Cloudflare WAF and Microsoft Backbone provide protection at both the application and network layers.

4. Authentication & Access Controls (For customers’ use of the SaaS Platform)

  • HTTPS is enforced with HSTS across all services.

  • Authentication methods include:

    • SSO (SAML 2.0) for enterprise identity integration.

    • SCIM for automated user provisioning.

    • Manual login with a minimum 8-character password encrypted using SHA256 or newer.

  • Session timeout is set to 335 hours (14 days) based on customer requests.

  • Accounts are locked after 5 failed login attempts and remain locked for 5 minutes.

  • MFA is available when SSO is set up by the customer.

  • BitaBIZ is not accessible from Russia and Belarus.

5. Logging and Monitoring

  • Azure Application Insights and Azure Log Analytics are used to collect and analyze logs.

  • Logs from Azure SQL, App Services, Functions, and Logic Apps are kept for 30 days.

  • Azure VM logs are kept indefinitely.

  • Cloudflare and Azure Defender provide IPS and real-time threat detection.

6. Data Security and Processing Controls

  • Data encryption:

    • At rest, using Azure Transparent Data Encryption (TDE) & SSE (Server-Side Encryption)

    • In transit, using SSL and TLS, enforced by default.

  • Backup strategy:

    • PITR (Point in time restore) backup every hour.

    • Point-in-time backups are kept for 1 month.

    • Weekly backups are kept for 2 months on ZRS across 3 Azure zones.

  • Only test users, test accounts, and pseudonymized customer data are used in non-production environments.

  • Access to encryption keys is limited to authorized administrators.

7. Vulnerability Management and Testing

  • Continuous vulnerability scanning is performed by Azure Defender.

  • An annual penetration test is conducted by an independent third party using Burp Suite Professional.

  • Testing follows the OWASP Top 10 and CWE/SANS 25 methodologies.

  • A Microsoft Security Assessment is also completed each year.

  • Patch management is automated through Azure Update Manager.

8. Privacy by Design and Default

  • Privacy Impact Assessments (PIAs) are done before launching new services.

  • Data minimization and access control are built into system design.

  • Default settings prioritize privacy, and user roles are enforced across all features.

9. Device and Endpoint Management

  • All company devices are managed and controlled using Microsoft Intune.

  • Devices must have Defender antivirus and antimalware, firewalls, and compliance monitoring in Microsoft Intune.

  • Only company-managed SharePoint and OneDrive are approved for storing customer or personal data for authorized BitaBIZ users, and only for the contractual relationship between BitaBIZ and its customers or prospects.

10. Risk Management

  • All risks are assigned to owners and documented in the BitaBIZ Openli compliance system.

  • Risk assessments are performed annually using Azure Risk Detection, and whenever there are operational changes or questions about the assessments.

  • The risk management framework includes impact scoring, control tracking, and audit readiness.

11. Incident Response and Breach Notification

  • BitaBIZ follows GDPR Article 33 for notifying customers (controllers) of breaches.

  • Notifications are sent within 48 hours of a confirmed breach.

  • The Personal Data Breach Procedure is used to assess risk and severity.

  • All incidents are logged, investigated, and resolved, with formal reviews of lessons learned.

12. Review and Maintenance

  • This policy is reviewed and updated annually as part of the ISAE 3000 GDPR audit by EY.

  • Any changes to this policy must be approved by the Executive Board.

Download PDF

Did this answer your question?