Valtech standard technical, organizational and security measures

Last review: March 2024

The following technical, organizational and security measures are implemented in the Valtech Group:

Organisational measures

• Privacy & Security Governance

Valtech has established a Security Governance by the appointment of Security Officers at the Group and Regional level and in each of Valtech’s affiliates. Valtech has established a Privacy Governance by the appointment of a Data Protection Officer (DPO) at the Group level and Data Protection Managers (DPM) within each of Valtech's affiliates.

• Privacy and Security Policies and documentation

Valtech has implemented an IT Code of Conduct, an Employee Privacy Policy, a Valtech Privacy Statement, Valtech’s Information Security Management System (ISMS) and other system security policies, information notices, dedicated intranet and extranet pages, Data Processing Agreement templates, Data Request process, Data breach process, etc.; and the Valtech Group is ISO 27001 certified. This documentation is reviewed and audited by internal and external auditors annually.

• Privacy and Security training programs

Valtech has an annual mandatory training program for Security and Privacy Awareness for all employees and external consultants. In addition, all employees are trained and audited for phishing resilience.

Transmission Controls

• In transit

All communication of sensitive data is done over encrypted lines using industry-standard algorithms and certificates, currently with a minimum level of AES-256.

• At rest

Valtech stores any sensitive information according to its ISMS following industry standard practices for security, currently with a minimum level of AES-256. Stored sensitive data is encrypted and/or pseudonymized at rest.

Access Controls

• Cloud hosting

Valtech hosts most of its services on Microsoft Azure, AWS, Google Cloud and Atlassian Cloud and rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors according to applicable laws.

• Physical and environmental security

All of Valtech’s offices are governed by Valtech’s ISMS policies which are audited for ISO 27001 compliance annually, among other certifications.

• Authentication

Accesses to any client data within Valtech’s environment rely on Valtech’s uniform password policy and multifactor authentication (MFA) control. Valtech’s Password policy requires using a complex password and yearly updates.

• Authorization

The authorization model used relies on generally accepted industry practices and is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Access is granted based upon the need-to-know/need-to-use principle, following the Request for Access process. When access is no longer needed, it will be revoked.

• Access controls

Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between Valtech cloud providers and include Virtual Private Cloud (VPC) implementations, security group assignments, and traditional firewall rules.

• Intrusion detection and prevention

For client applications or websites hosted in a Valtech environment, intrusion detection and prevention controls will safeguard these assets.

• Security testing

Valtech ensures that vulnerability scans are performed on code, servers and network security scans are completed at a minimum annually. In each case, they are using an industry-standard vulnerability scanner tool.

Valtech also maintains relationships with third-party vendors that can provide additional independent tests under specific circumstances.

• IT Code of Conduct

Valtech employees shall comply with Valtech’s IT Code of Conduct, as well as with company guidelines, security policies, non-disclosure requirements, and ethical standards.

Input Controls

• Detection

Valtech’s infrastructure is designed and implemented to log information about system behavior, traffic received, system authentication, and other application requests. Logged data alerts appropriate employees of abnormal activities.

• Record tracking

Valtech maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Valtech takes appropriate steps to minimize client impact or unauthorized disclosure. Notification to the Client will be in accordance with the terms of the respective agreement.

Availability Controls

• Infrastructure availability

Infrastructure availability controls are put in place to meet the availability requirements for the services used by Valtech.

• Storage

All storage devices, data retention and deletion procedures are governed by Valtech’s ISMS policies.

Reporting Non-Compliance

Any Valtech employee, vendor or client has a duty to ensure that country-appropriate privacy laws and regulations are met. Any potential privacy violations, such as an inappropriate use of personal information or breach of personal data, should be reported to Valtech DPO or, for vendors, to Valtech primary contact and to clients depending on the terms of the respective agreements.

Valtech security measures listed above may be supplemented according to the specific needs of each project and the instructions provided by Valtech's client.