Information Security Policy: Data Protection and Security Regime

1. Data Storage

All data is stored on servers located in a secured room with controlled access in the company’s server premises.

2. Network Protection

The network is protected by a UTM firewall device.

3. Access to Data

Vendors and Clients

Main platform for file and data exchange is the Vocalegal website:

• Access via HTTPS secured using SSL.
• All data is stored in our Virtual Data Room (VDR) platform with 256 AES encryption and ISO 27001 certified.

• File exchange using secure VDR and e-mail:

  1. The company uses email encryption upon the request of customers or vendors.
  2. All files containing personal data are sent to vendors or clients through our VDR protected by a password.
  3. The password required to access the file is sent separately.

• Vendor Interface:

  1. Vendors use our proprietary CAT tool as their main tool for translation.
  2. Vendors can access only the content of the file in our CAT tool to translate, not the file itself.

b. Employees:

• Access Rights:

  1. Access rights are controlled by Microsoft Group Policy Management.
  2. Employees are grouped based on the necessity to access certain data relevant to the responsibilities described in the job description.

• Data Storage:

  1. Vocalegal project management portal:

     • Access via HTTPS secured using SHA-256 with RSA encryption.

  2. Remote drives:

     • Access from the local network secured by UTM firewall device, only by authorized personnel based on Microsoft Group Policy Management policies with differentiated access levels depending on access rights relevant to the position.

• Access to the Company Network:

  1. Only company devices have access to the company network.
  2. Guests and private devices of employees can only connect to a network separated from the company’s network with no access to data in the company network.

• Portable Devices:

  1. All company devices leaving company premises (laptops, mobile phones, tablets, etc.) are encrypted.
  2. All private devices of employees that expressed consent to use their private devices for work purposes (i.e. remote work) are encrypted.

4. Data Backup

• On-site Backup Device:

  1. Data is retained for 6 years.
  2. After 6 years, data is securely deleted.

• Off-site, EU based data center:

  1. Deleted files are retained for 12 months in the backup from the date of deletion.
  2. Data is retained for 6 years.
  3. After 6 years, data is securely deleted.

• Data is archived to the on-site backup device after 12 months:

  1. Archived data is retained for 6 years.
  2. After 6 years, data is securely deleted.

• Email Backup:

  1. We are using Postfix/dovecot as our email platform, and all emails are stored and archived on our servers with Hetzner (ISO 27001 certified).
  2. All emails are retained for 6 years.
  3. After 6 years, emails are deleted securely by overwriting.

5. Secure Data Deletion

Data qualified for secure deletion (either after a 6-year period of retention or in case there is no longer a legitimate reason for keeping data) is overwritten with not less than 24 overwriting cycles using Recuva software.