1. Scope and Purpose
This policy applies to all BitaBIZ personnel, systems and services that handle company and customer data.
The aim is to ensure a risk-based, compliant approach to information security aligned with the GDPR (EU and UK), the Swiss FADP, and the ISAE 3000 assurance standard.
The policy supports our contractual obligations as a data processor under Article 28 of the GDPR.
2. Governance and Roles
The Executive Management Team is accountable for the implementation and oversight of information security.
The CEO leads operational execution of technical and organizational controls.
Managers ensure that all staff understand and comply with information security responsibilities.
All employees, including contractors, must complete security training annually.
3. Platform and Infrastructure Security
BitaBIZ delivers its SaaS platform via Microsoft Azure (West Europe), leveraging Azure App Services, Functions, SQL, and Virtual Machines.
Microsoft Defender antivirus and antimalware protection is active on all infrastructure components.
All access to production systems is secured using Microsoft Entra ID and Just-in-Time (JIT) access, with audit logging of all activities.
Privileged roles are granted only upon approved elevation requests via Azure Privileged Identity Management (PIM), ensuring a controlled and accountable access workflow.
The infrastructure is monitored 24/7 using Azure Application Insights and Log Analytics.
Cloudflare WAF provides application-layer protection and the Microsoft global network backbone provides network-layer protection.
4. Authentication & Access Controls (For customers’ use of the SaaS Platform)
HTTPS is enforced using HSTS across all services.
Authentication methods include:
SSO (SAML 2.0) for enterprise identity integration.
SCIM for automated user provisioning.
Manual (username/password) login with passwords of at least 8 characters, stored as SHA-256 (or stronger) hashes rather than in plaintext.
Session timeout is set to 14 days (336 hours), based on customer requests.
Account lockout is triggered after 5 failed login attempts; accounts are locked for 5 minutes.
MFA is available when SSO is implemented by the customer.
BitaBIZ is not accessible from Russia or Belarus.
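The lockout rule above (5 failed attempts, 5-minute lock) is easy to state and easy to get subtly wrong: the counter must survive across requests, a correct password must not bypass an active lock, and an expired lock must reset the counter rather than leave the account one failure away from locking again. The following is an added reference implementation written for this page; it is not BitaBIZ code, and the in-memory store, the case-insensitive username handling and the injectable clock are assumptions made for illustration.

```python
# Added example: reference implementation of the account lockout rule stated in
# the policy (5 failed attempts -> account locked for 5 minutes). Not BitaBIZ
# code; the in-memory store and injectable clock are assumptions for illustration.
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # from the policy
LOCKOUT_SECONDS = 5 * 60     # from the policy: 5 minutes


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LockoutPolicy:
    """Tracks failed logins per account and enforces a temporary lockout.

    `clock` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._accounts: dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        # Assumed: usernames are case-insensitive, so "Alice" and "alice"
        # share one counter instead of giving an attacker 2x the budget.
        return self._accounts.setdefault(username.lower(), AccountState())

    def is_locked(self, username: str) -> bool:
        state = self._state(username)
        if state.locked_until and self.clock() < state.locked_until:
            return True
        if state.locked_until:
            # Lock has expired: clear it and start a fresh attempt window.
            state.locked_until = 0.0
            state.failed_attempts = 0
        return False

    def record_attempt(self, username: str, password_ok: bool) -> str:
        """Apply one login attempt and return 'ok', 'failed' or 'locked'.

        While locked, the attempt is rejected *before* credentials matter, so
        a correct password does not unlock the account early.
        """
        if self.is_locked(username):
            return "locked"
        state = self._state(username)
        if password_ok:
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= self.max_attempts:
            state.locked_until = self.clock() + self.lockout_seconds
            return "locked"
        return "failed"

    def seconds_until_unlock(self, username: str) -> int:
        state = self._state(username)
        if not state.locked_until:
            return 0
        return max(0, int(round(state.locked_until - self.clock())))


def demo() -> list[str]:
    """Drive the policy with a fake clock; returns the sequence of outcomes."""
    now = [1_000_000.0]
    policy = LockoutPolicy(clock=lambda: now[0])
    results = [policy.record_attempt("alice", False) for _ in range(5)]  # 4x failed, then locked
    results.append(policy.record_attempt("Alice", True))                 # right password, still locked
    now[0] += LOCKOUT_SECONDS + 1                                         # wait out the 5 minutes
    results.append(policy.record_attempt("alice", True))                 # ok again
    return results


if __name__ == "__main__":
    print(demo())  # ['failed', 'failed', 'failed', 'failed', 'locked', 'locked', 'ok']
```

Two design points worth noting: the lock is checked before the password, so the credential check cannot be used to probe for the correct password during the lock window; and the short 5-minute lock limits how long an attacker who deliberately enters wrong passwords can deny a victim access to their own account.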
5. Logging and Monitoring
Azure Application Insights and Azure Log Analytics are used to collect and analyze logs.
Azure SQL, App Services, Functions, and Logic Apps logs are retained for 30 days.
Azure VM logs are retained indefinitely.
Cloudflare and Azure Defender provide IPS and real-time threat detection.
6. Data Security and Processing Controls
Data encryption:
At rest, using Azure Transparent Data Encryption (TDE) & SSE (Server-Side Encryption)
In transit, using TLS, enforced by default.
Backup strategy:
Point-in-time restore (PITR) backups are taken every hour.
Point-in-time backups are retained for 1 month.
Weekly backups are retained for 2 months on zone-redundant storage (ZRS) across 3 Azure availability zones.
Only test users and test accounts, and pseudonymized customer data are used in non-production environments.
Access to encryption keys is restricted to authorized administrators.
7. Vulnerability Management and Testing
Continuous vulnerability scanning is performed by Azure Defender.
The annual penetration test is conducted by an independent third-party using Burp Suite Professional.
Testing methodology covers the OWASP Top 10 and the CWE/SANS Top 25.
A Microsoft Security Assessment is also completed yearly.
Patch management is automated through Azure Update Manager.
8. Privacy by Design and Default
Privacy Impact Assessments (PIAs) are conducted before launching new services.
Data minimization and access control are integrated into system design.
Default configurations prioritize privacy, and user roles are enforced across all features.
9. Device and Endpoint Management
All company devices are controlled and managed using Microsoft Intune.
Devices must have Defender antivirus and antimalware, firewalls and compliance monitoring in Microsoft Intune.
Only company-managed SharePoint and OneDrive are approved for storing customer or personal data. Such storage is limited to approved BitaBIZ users and to data required for the contractual relationship between BitaBIZ and its customers/prospects.
10. Risk Management
All risks are assigned to owners and documented in the BitaBIZ Openli compliance system.
Risk assessments are carried out annually using Azure Risk Detection, and additionally in response to operational changes or questions regarding earlier assessments.
The risk management framework includes impact scoring, control tracking, and audit readiness.
11. Incident Response and Breach Notification
As a data processor, BitaBIZ notifies affected customers (controllers) of personal data breaches in accordance with GDPR Article 33.
Notifications are issued within 48 hours of a confirmed breach.
The Personal Data Breach Procedure is used to assess risk and severity.
All incidents are logged, investigated, and remediated with formal lessons-learned reviews.
12. Review and Maintenance
This policy is reviewed and updated annually in conjunction with the ISAE 3000 GDPR audit by EY.
Changes to this policy require approval by the Executive Board.