Last review: February 2026
Security and compliance
1. Overview
Valtech is ISO27001, ISO27701 and ISO22301 certified. Valtech’s Integrated Management System (IMS) describes the minimum level of operation each entity must adhere to in accordance with its information security, data privacy and business continuity standards. Valtech also holds several further certifications and reports across its entities in multiple countries, including ISO9001, Cyber Essentials, TISAX and ISAE3000/SOC2. The sections below describe Valtech’s information security program.
2. Organizational security
2.1. Governance structure
Valtech has a named Chief Information Security Officer (CISO), Operational CISO, and Data Protection Officer (DPO) at a Global level, with named Regional and Local Information Security Officers (ISOs) and Data Protection Managers (DPMs) covering each entity of our organization.
2.2. Policies
Valtech has an Information Security Policy which describes our ISMS and is available to all employees. The policy is reviewed and approved annually by the Global Security Leadership Team. Underpinning this policy are policies addressing topics such as access control, AI, backups, business continuity, information classification, mobile device management, secure development, incident management and more.
There can’t be security without privacy, so a cornerstone of Valtech’s ISMS is GDPR compliance. Valtech has four key privacy policies addressing privacy for website visitors, job candidates, employees, and clients. These documents are reviewed and approved annually by the Group CEO.
2.3. Risk methodology and treatment plan
Risk management is a process that is integrated into all security and privacy controls at Valtech. The risk addressed by each control is assessed and, where applicable, measures are taken to treat the risk by mitigating the exposure. At least yearly, all risks are re-evaluated by the Regional and Local ISOs together with the appropriate specialists. The risk treatment plan is approved by each Global and Local Security Management Team and audited by an external auditor.
2.4. Information classification and handling
Valtech classifies information into several categories and types. Valtech works together with the client to determine the types of data to be processed and the protection measures to be put in place, in accordance with the handling rules and guidelines set out in Valtech's Information Classification Policy. This includes how to handle confidential information and corresponding retention periods.
2.5. Authentication
Access to any internal data and client data within Valtech’s environment relies on Valtech’s Access Control and Password Policies. Account management for all important and base applications is centrally managed through Valtech's Active Directory (AD), which enforces complex passwords and Multi-Factor Authentication (MFA). Valtech also makes use of a password management tool to store and protect work-related passwords.
2.6. Authorization
The authorization model used by Valtech relies on generally accepted industry practices and is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Access is granted based upon the need-to-know/need-to-use principle, following the Access Change Management Process. Segregation of duties and responsibilities is also enforced to ensure that no one has the ability to abuse their rights.
The role of administrator is separated from the regular roles for all systems holding confidential information, or any system identified as a corporate system. Access reviews for both standard and privileged accounts are performed at regular intervals. Dormant or expired accounts are also checked and cleaned up frequently.
2.7. Third party management
Valtech works with a variety of third parties, some of which may process confidential or personal data. For these third parties, a series of due diligence activities is performed, including putting in place the necessary agreements covering confidentiality, security and privacy requirements. After the evaluation and selection phase, Supplier Onboarding is coordinated by the applicable team(s) for cases where the third party requires access to a Valtech office or any Valtech IT system. When the third-party service is discontinued, all access rights are revoked and any Valtech property that may have been in use is returned and tracked through the Supplier Offboarding Process.
2.8. Artificial intelligence
Valtech is committed to delivering trustworthy content and code as part of its services. To achieve this, Valtech carefully considers the use of AI within delivery, as well as in other business operations, using the AI Governance Framework. AI systems, like any other tooling, must be approved for use by the AI Steering Committee, with consideration of the security and privacy implications of the tool.
2.9. Internal and external audits
Annually an internal audit program is coordinated by the Regional and Local ISOs. Non-conformances and improvements are recorded and discussed with management for remediation. This program is conducted in preparation for the ISO27001, ISO27701 and ISO22301 external surveillance audits and recertification process which occurs yearly.
2.10. Incident management
Valtech maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed incidents, Valtech has a dedicated Incident Response Team who will analyze, support and take the appropriate steps to minimize client impact and unauthorized disclosure. Notification to the client will be in accordance with the terms of the respective agreement. If the incident involves personal data, authorities and data subjects will be informed where required.
2.11. Business resilience
Valtech’s approach to business continuity involves leveraging cloud-based systems or services and the ability to execute full remote working, to ensure that Valtech’s resources and client environments remain available after a disaster strikes. To ensure that activities are prioritized, business impact analyses are included in Valtech’s business continuity planning, with the output of these formulated into business continuity plans.
Backups are performed of all Valtech environments. Backups are encrypted, tested, and retained in accordance with Valtech’s ISMS controls. Backups of client environments are managed through the respective agreements and in accordance with the policies or guidelines set out by the client.
3. People security
3.1. Onboarding
To pre-empt any external threats which may be introduced into the Valtech environment and to get new employees and contractors familiar with Valtech’s expectations on safe digital behaviour, Valtech’s Onboarding Process is carried out by HR, IT, Office Management, amongst other teams.
3.1.1. Background checks
Valtech carries out background verification checks for all candidates for employment. Valtech does this in accordance with relevant laws, regulations and ethics, and in proportion to the classification of the information to be accessed.
3.1.2. Confidentiality obligations
Upon joining the company, all Valtech employees and contractors sign a non-disclosure clause in their contract. This remains valid after termination of the contract.
3.1.3. Security responsibilities
Security obligations are defined in Valtech’s IT Code of Conduct which is required to be read and acknowledged by all employees and contractors when first joining Valtech.
3.1.4. Training and awareness program
Valtech has an annual mandatory training program for security and privacy awareness for all new and existing employees and contractors. In addition, quarterly campaigns reflecting emerging trends are published and all employees are audited for phishing resilience. Our development teams are also educated in, and familiar with, the OWASP Top 10 and associated secure development practices.
3.2. Offboarding
When Valtech’s relationship with an employee or contractor has come to an end, Valtech’s Offboarding Process is initiated. Tasks are coordinated with IT and the project lead (if applicable) to remove all Valtech and client accounts and revoke access rights. The device entry for the employee’s asset is updated in the asset management system and the device is wiped. In cases where the asset is no longer needed, Valtech securely and safely disposes of it, in accordance with our Data Deletion, Wiping and Media Destruction Policy.
4. Physical security
The goal of Valtech’s information security program is to minimize the impact of a compromised location, whether employees work remotely or at the office. All Valtech offices adhere to the controls set out in Valtech’s ISMS. Access to Valtech offices is limited to holders of electronic keys. All visitors are required to identify themselves at reception and are to be accompanied by an employee. Offices are also secured with an alarm system and/or CCTV cameras. Each office location has confidential bins or shredders, which are emptied by a certified supplier.
5. Technological security
5.1. Cloud hosting
Valtech hosts most of its services on Microsoft Azure, AWS, Google Cloud and Atlassian Cloud and relies on contractual agreements, privacy policies and vendor compliance programs to protect data processed or stored by these vendors according to applicable laws.
Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between Valtech cloud providers and include Virtual Private Cloud (VPC) implementations, security group assignments, and traditional firewall rules.
For client applications or websites hosted in a Valtech environment, intrusion detection and prevention controls, amongst others, are used to safeguard these assets.
5.2. Device management
All provisioned Valtech assets are registered in an asset management system. Before assets can access the network or store classified data, they must meet the specified minimum requirements set out in Valtech's Mobile Device Policy. Only equipment with proper protection (anti-malware software, MDM, encryption, strong passwords etc.) is allowed to connect to the Valtech network or services.
5.3. Encryption
All transport and storage of non-public data is encrypted using industry-standard algorithms and certificates. Restricted information such as personal or financial data is protected in transit by at least TLS 1.2 and at rest by at least AES-256. Boot-disk encryption is used on all mobile devices holding valuable data.
5.4. Logging and monitoring
Valtech’s infrastructure is designed and implemented to log relevant security information, including but not limited to system behavior, traffic received, system authentication, authorization and other application requests. Abnormal (suspicious) activities trigger alerts, and corrective actions are taken where required.
Valtech has implemented a SIEM system and has a SOC team that monitors relevant events for irregularities and potentially suspicious activity. For confirmed incidents, the Security Incident Management Process is initiated for subsequent analysis, containment, eradication and threat mitigation.
5.5. Secure software development program
Valtech uses separate development, testing, acceptance and production environments, each set up as a self-contained unit so that it cannot interact with or interfere with the other environments. Configuration and deployment of the environments are automated as much as possible using the CI/CD process and infrastructure as code.
All changes are controlled through the Change Management Process to ensure proper planning, testing and evaluation of the change. Developers have, by default, no permissions to manually deploy to production systems; only the Technical Lead is allowed to start the automated deployment process.
Automated security testing is incorporated into the CI/CD pipeline for continuous analysis. Testing is executed as agreed together with the client. Test data is produced by creating well-constructed fake data or anonymizing the data from production.
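As an added illustration of the test-data approach described above (example code, not Valtech's own tooling), the following script takes a constructed, production-shaped customer export and produces an anonymized copy for a test environment. It pseudonymizes link keys with a keyed HMAC-SHA256 so that records for the same customer stay joinable without being reversible, drops direct identifiers and free text, and generalizes quasi-identifiers such as birth date and postcode. The record layout, field classification and sample values are assumptions made for the example.

```python
"""Anonymize a production-shaped export for use as test data.

Added example, not Valtech's code. Field names, the classification of
fields and the sample records below are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample "production" export; no real persons.
PRODUCTION_EXPORT = [
    {"customer_id": "C-1001", "email": "anna.lind@example.com",
     "birth_date": "1987-04-12", "postcode": "SE-11428",
     "notes": "Called re: invoice 4411", "amount_eur": 129.90},
    {"customer_id": "C-1002", "email": "ola.b@example.org",
     "birth_date": "1991-11-30", "postcode": "NL-1012AB",
     "notes": "VIP, phone +31 6 1234 5678", "amount_eur": 48.00},
    {"customer_id": "C-1001", "email": "anna.lind@example.com",
     "birth_date": "1987-04-12", "postcode": "SE-11428",
     "notes": "", "amount_eur": 12.50},
]

# Assumed classification of the fields above.
DIRECT_IDENTIFIERS = {"email", "notes"}   # identify a person on their own
QUASI_IDENTIFIERS = {"birth_date", "postcode"}  # risky in combination
LINK_KEYS = {"customer_id"}               # must stay consistent across rows


def pseudonymise(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: same input and key -> same output.
    A plain hash of a guessable id (C-1001, C-1002, ...) could be brute-forced;
    the secret key prevents that, so the key must never ship with the data."""
    return "P-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalise(field: str, value: str) -> str:
    """Reduce precision of quasi-identifiers instead of deleting them."""
    if field == "birth_date":
        return value[:4]               # keep the year only
    if field == "postcode":
        return value.split("-")[0]     # keep the country prefix only
    return value


def anonymise_record(rec: dict, key: bytes) -> dict:
    out = {}
    for field, value in rec.items():
        if field in LINK_KEYS:
            out[field] = pseudonymise(str(value), key)
        elif field == "email":
            # keep a syntactically valid address that cannot deliver mail
            out[field] = f"{pseudonymise(value, key)}@test.invalid"
        elif field in DIRECT_IDENTIFIERS:
            out[field] = None          # free text may hold anything; drop it
        elif field in QUASI_IDENTIFIERS:
            out[field] = generalise(field, str(value))
        else:
            out[field] = value         # business values stay usable for tests
    return out


def anonymise_export(records: list, key: bytes) -> list:
    return [anonymise_record(r, key) for r in records]


def leaks_original_identifiers(anonymised: list, original: list) -> bool:
    """Guard: does any original identifier string survive in the output?"""
    blob = json.dumps(anonymised)
    for rec in original:
        for field in DIRECT_IDENTIFIERS | LINK_KEYS:
            if rec[field] and str(rec[field]) in blob:
                return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # fresh per export; not stored with the data
    result = anonymise_export(PRODUCTION_EXPORT, key)
    print(json.dumps(result, indent=2))
    print("identifier leak:", leaks_original_identifiers(result, PRODUCTION_EXPORT))
```

The leak check is the part worth keeping in a pipeline: it is a cheap gate that fails the job if a new column is added to the production export without being classified, which is the usual way identifiable data ends up in a test environment.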
5.6. Vulnerability management and penetration testing
Valtech uses industry-recognized tools to perform regular vulnerability scans on code, servers and the network, to keep a pulse on its security posture and make appropriate adjustments to reflect industry changes, threat levels, client needs and so on.
Vulnerability scans are initiated by several events: (a) in accordance with the vulnerability scanning schedule; (b) as required for services or products, prior to production; or (c) security events (security advisories, released patches, incidents, attacks, zero-day vulnerabilities, etc.). Based on the criticality of the vulnerability, the Cyber Security Team analyzes the results and assists the system/application/asset owner in prioritizing and resolving the findings.
Penetration tests are performed by Valtech's Cyber Security Team based on a yearly test schedule. Valtech also maintains relationships with third-party vendors that can provide additional independent tests under specific circumstances.
6. Certifications and reports
The following variants of certifications and reports are found across Valtech's entities.
- ISO27001:2023
- ISO27701:2025
- ISO22301:2019
- ISO9001:2015
- ISAE 3000 / SOC 2
- TISAX
- Cyber Essentials Plus