Keeping our customers’ information secure is the highest priority at CyberVadis. Our security-first approach is fundamental to our business.
Our board is committed to providing and maintaining the level of Quality and Information Security that meets all of our stakeholders’ needs. Our purposes are to:
– promote a culture that enables each employee to do their job right, the first time and every time, in a safe and stimulating work environment;
– ensure transparency on our realization of the business activities;
– preserve the availability, integrity, confidentiality and traceability of our information assets and maintain our legal and contractual compliance;
– systematically examine the organisation's information security risks and implement security controls to address the risks deemed unacceptable;
– set clear and mutually beneficial relationships with relevant interested parties and try to exceed their expectations where possible.
We incorporate security practices at all the levels described in this document.
For this reason, CyberVadis has established an Information Security Management System (ISMS), certified against ISO 27001, which enables us to systematically operate and maintain information security in our business processes and services and to determine and apply the necessary security measures based on our risk assessment. We have a security incident management process in place in order to detect and remediate security incidents. Penetration tests are performed on a regular basis in order to evaluate our IT infrastructure and identify vulnerabilities and improvement areas.
The ISMS allows us to ensure the availability, integrity, confidentiality, and traceability of information.
Policies and Processes include:
The terms and conditions of the CyberVadis assessment platform have been designed to guarantee the confidentiality of your data. The information you provide is kept confidential and cannot be shared without your approval. Learn more in our terms and conditions.
One major pillar for the success of the ISMS is the security awareness of all CyberVadis employees. CyberVadis employees are regularly trained on information security to keep them updated about current issues and best practices: they attend a yearly refresher training and take a test on our practices and policies.
All newly hired employees have to participate in mandatory information security training as part of the induction training. CyberVadis employees must follow the set of information security policies that are regularly reviewed. Employees also go through a regular phishing test to raise cyber awareness.
CyberVadis believes that the GDPR is an important step to strengthen and harmonize the protection of EU citizens’ personal data. As a data controller, CyberVadis is committed to complying with regulations and to putting best practices in place.
CyberVadis uses the ISO 27001 standard, for which we are certified, as a framework and integrates personal data protection aspects in its management system.
We use the ISO 27701 framework to meet GDPR requirements; our data protection practices and compliance are confirmed by a third-party audit.
For data processing performed outside of the EU, we have Standard Contractual Clauses (SCCs) in place with our subsidiaries. We always carefully select our providers (processors): before a processor can work for us, we require a Data Protection Agreement and, in case of processing outside of the EEA region, Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCR). We always aim to choose subscriptions with providers that host data on servers based in Europe. We use the following major processors:
We are awaiting recommendations on additional measures to be issued by the French data protection authority (CNIL) concerning the possibilities of transferring data to the United States based on SCCs (or BCR). Depending on their opinion, we will take further action.
CyberVadis employees are required to sign a code of conduct and a confidentiality clause as part of their employment contract prior to access to our platform. The clause prohibits any disclosures of confidential information concerning the business of CyberVadis and its customers. The obligations and duties remain valid even after termination.
CyberVadis’ online collaborative platform enables companies to assess and monitor the information security performance of their supply chain. The information security management system governing the platform's development and operations is certified against ISO/IEC 27001:2013, one of the world’s most widely recognized information security standards.
Our compliance is certified by PwC Certification B.V., an independent and accredited certification body.
View the Statement of Applicability
Customers upload data for storage and processing within applications that are hosted on our cloud platforms.
We ensure the confidentiality and integrity of customer data with industry best practices.
CyberVadis’ services are hosted at ISO/IEC 27001, ISO/IEC 27018, SOC 1 and SOC 2 certified Microsoft Azure data centers located within the EU.
Microsoft Azure’s data centers are certified to comply with the most comprehensive portfolio of internationally recognized standards and certifications of any cloud service provider. Microsoft takes a layered approach to physical security. Data centers managed by Microsoft have extensive layers of protection: access approval, at the facility’s perimeter, at the building’s perimeter, inside the building, and on the data center floor.
This layered approach reduces the risk of unauthorized users gaining physical access to data and the data center resources.
We take steps to develop and test against security threats to ensure the information security of our customer data.