Information Security Policy

ISP

Written by Morten Borum
Updated over 3 weeks ago

1. Scope and Purpose

  • This policy applies to all BitaBIZ personnel, systems and services that handle company and customer data.

  • The aim is to ensure a risk-based, compliant approach to information security based on GDPR (EU, UK), Swiss FADP, and ISAE 3000 standards.

  • The policy supports our contractual obligations as a data processor under Article 28 of the GDPR.

2. Governance and Roles

  • The Executive Management Team is accountable for the implementation and oversight of information security.

  • The CEO leads operational execution of technical and organizational controls.

  • Managers ensure that all staff understand and comply with information security responsibilities.

  • All employees, including contractors, must complete security training annually.

3. Platform and Infrastructure Security

  • BitaBIZ delivers its SaaS platform via Microsoft Azure (West Europe), leveraging Azure App Services, Functions, SQL, and Virtual Machines.

  • Microsoft Defender antivirus and anti-malware protection is active on all infrastructure components.

  • All access to production systems is secured using the Microsoft Entra identity suite and Just-in-Time (JIT) access, with audit logging of all activities.

  • Privileged roles are granted only upon approved elevation requests via Azure Privileged Identity Management (PIM), ensuring a controlled and accountable access workflow.

  • The infrastructure is monitored 24/7 using Azure Application Insights and Log Analytics.

  • Cloudflare WAF and Microsoft Backbone provide application layer and network layer protection.

4. Authentication & Access Controls (For customers’ use of the SaaS Platform)

  • HTTPS is enforced using HSTS across all services.

  • Authentication methods include:

    • SSO (SAML 2.0) for enterprise identity integration.

    • SCIM for automated user provisioning.

    • Manual login with passwords of at least 8 characters, stored as hashes using SHA256 or newer.

  • Session timeout is set to 335 hours (14 days) based on customer requests.

  • Account lockout is triggered after 5 failed login attempts; accounts are locked for 5 minutes.

  • MFA is available when SSO is implemented by the customer.

  • BitaBIZ is not accessible from Russia or Belarus.

5. Logging and Monitoring

  • Azure Application Insights and Azure Log Analytics are used to collect and analyze logs.

  • Azure SQL, App Services, Functions, and Logic Apps logs are retained for 30 days.

  • Azure VM logs are retained indefinitely.

  • Cloudflare and Azure Defender provide intrusion prevention (IPS) and real-time threat detection.

6. Data Security and Processing Controls

  • Data encryption:

    • At rest, using Azure Transparent Data Encryption (TDE) and Server-Side Encryption (SSE).

    • In transit, using SSL and TLS, enforced by default.

  • Backup strategy:

    • Point-in-time restore (PITR) backups are taken every hour.

    • Point-in-time backups are retained for 1 month.

    • Weekly backups are retained for 2 months on zone-redundant storage (ZRS) across 3 Azure zones.

  • Only test users, test accounts and pseudonymized customer data are used in non-production environments.

  • Access to encryption keys is restricted to authorized administrators.

7. Vulnerability Management and Testing

  • Continuous vulnerability scanning is performed by Azure Defender.

  • The annual penetration test is conducted by an independent third party using Burp Suite Professional.

  • Testing methodology includes the OWASP Top 10 and CWE/SANS 25.

  • A Microsoft Security Assessment is also completed yearly.

  • Patch management is automated through Azure Update Manager.

8. Privacy by Design and Default

  • Privacy Impact Assessments (PIAs) are conducted before launching new services.

  • Data minimization and access control are integrated into system design.

  • Default configurations prioritize privacy, and user roles are enforced across all features.

9. Device and Endpoint Management

  • All company devices are controlled and managed using Microsoft Intune.

  • Devices must run Defender antivirus and anti-malware protection, have firewalls enabled, and be enrolled in compliance monitoring in Microsoft Intune.

  • Only company-managed SharePoint and OneDrive are approved for storing customer or personal data. Such storage is limited to approved BitaBIZ users and to the contractual relationship between BitaBIZ and its customers/prospects.

10. Risk Management

  • All risks are assigned to owners and documented in the BitaBIZ Openli compliance system.

  • Risk assessments are carried out annually using Azure Risk Detection, and additionally in response to operational changes or questions regarding the assessments.

  • The risk management framework includes impact scoring, control tracking, and audit readiness.

11. Incident Response and Breach Notification

  • BitaBIZ follows GDPR Article 33 for breach notification to customers (controllers).

  • Notifications are issued within 48 hours of a confirmed breach.

  • The Personal Data Breach Procedure is used to assess risk and severity.

  • All incidents are logged, investigated, and remediated with formal lessons-learned reviews.

12. Review and Maintenance

  • This policy is reviewed and updated annually in conjunction with the ISAE 3000 GDPR audit by EY.

  • Changes to this policy require approval by the Executive Board.