Valtech standard technical, organisational and security measures
Last review: February 2023
The following technical, organisational and security measures are implemented in the Valtech Group:
Privacy & Security Governance
Valtech has established a Security Governance by the appointment of Security Officers (ISO) within each Valtech affiliate. Valtech has established a Privacy Governance by the appointment of a Data Protection Officer (DPO) at Group level and Data Protection Managers (DPM) within each Valtech affiliate.
Privacy and Security Policies and documentation
Privacy and Security training programs
Valtech has an annual mandatory training program for Security and Privacy Awareness for all employees and external consultants.
All communication of sensitive data is done over encrypted lines using industry-standard algorithms and certificates, currently with a minimum level of AES-256.
Valtech stores any sensitive information according to its ISMS, following industry-standard practices for security, currently with a minimum level of AES-256. Stored sensitive data is encrypted and/or pseudonymised at rest.
Valtech hosts most of its services on Microsoft Azure, AWS, Google Cloud and Atlassian Cloud and relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors according to applicable laws.
Physical and environmental security
All of Valtech’s offices are governed by Valtech’s ISMS policies which are audited for ISO 27001 compliance annually, among other certifications.
Access to any client data within Valtech’s environment relies on Valtech’s uniform password policy and two-factor authentication control. Valtech’s baseline password policy requires using a complex password and yearly updates.
The authorization model used relies on generally accepted industry practices and is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Access is granted based upon the need-to-know/need-to-use principle, following the Request for Access process. When access is no longer needed, it will be revoked.
Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between Valtech cloud providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention
For client applications or websites hosted in Valtech’s environment, intrusion detection and prevention controls safeguard these assets.
Valtech ensures that vulnerability scans are performed on code and servers, and that network security scans are completed at least annually, in each case using an industry-standard vulnerability scanner tool.
Valtech also maintains relationships with third-party vendors that can provide additional independent tests under specific circumstances.
IT Code of Conduct
Valtech employees shall comply with Valtech’s IT Code of Conduct, as well as with company guidelines, security policies, non-disclosure requirements, and ethical standards.
Valtech infrastructure is designed and implemented to log information about system behavior, traffic received, system authentication, and other application requests. Logged data alerts appropriate employees of abnormal activities.
Valtech maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incident, Valtech takes appropriate steps to minimize client impact or unauthorized disclosure. Notification to the Client will be in accordance with the terms of the respective agreement.
Infrastructure availability controls are put in place to meet the availability requirements for the services used by Valtech.
All storage devices, data retention and deletion procedures are governed by Valtech’s ISMS policies.
Any Valtech employee, vendor or client has a duty to ensure that country-appropriate privacy laws and regulations are met. Any potential privacy violation, such as an inappropriate use of personal information or a breach of personal data, should be reported to Valtech’s DPO or, for vendors, to their Valtech primary contact, and to clients depending on the terms of the respective agreements.
Valtech security measures listed above may be supplemented according to the specific needs of each project and the instructions provided by Valtech's client.