- Information Security
The Platform Provider of Nordic Defender is committed to maintaining a high level of security for User data and for its own internal data. A structured process is in place to achieve this, and its performance is evaluated regularly so that data security is continuously improved.
This Security Appendix explains how the Platform Provider works to achieve a high level of security for User data processed in Nordic Defender.
The Appendix also contains a chapter on the requirements that the Platform Provider places on its user companies, and on the opportunities and obligations user companies have to help ensure that security procedures and practices are upheld.
2. Regulatory documents
The Platform Provider maintains its own set of regulatory documents covering system development, incident management and related areas, to ensure that operational security is maintained in the operation and administration of Nordic Defender.
3.1. Security function
An in-house security function works in an integrated way with the business operations and provides the organization with expertise, evaluations and guidelines for data and IT security. The security function deals with a range of issues covering IT security, physical security and personnel security.
3.2. SOC (Security Operations Center)
The company has a team to manage cyber-attacks, with specialist expertise in communications security, client protection, data centers, and other infrastructures. Other specialist expertise can be drawn upon if necessary.
4. Personnel security
All personnel, both our own staff and consultants, sign a confidentiality and non-disclosure agreement before they are given access to IT systems. Employees who work with Nordic Defender receive training in how Nordic Defender is used and what restrictions apply. We hold regular meetings with our own staff to detect and prevent improper conduct.
5. Asset management
The personal data processed in Nordic Defender is classified as confidential. The Platform Provider therefore assigns access rights through roles, and grants access rights to personnel only to the extent necessary for them to perform their duties.
6. Access control
Only a few people in the Platform Provider's Operations Department have full access rights to the databases. The team in the Platform Provider's Systems Development Department, which is responsible for developing Nordic Defender, has limited read-only access to the database. All logins to Nordic Defender are made via personal accounts and are recorded in the central log management system.
The Platform Provider's Nordic Defender support staff can connect to a user profile and thereby gain access to the user company's data. Written permission must first be obtained from the user. Every read of data in Nordic Defender is logged for each individual case, and these logs can be accessed in Nordic Defender by authorized staff at the user company.
The system uses TLS encryption with publicly signed certificates. Documented procedures are in place for managing and rotating cryptographic material such as certificate private keys.
8. Physical and environmental security
All our data centers are subject to strict physical and environmental security, with access controls, alarms, fire protection, protection systems and surveillance. A power protection system is installed to cover power outages. Physical access to the data centers is permission-based and restricted to authorized personnel.
The secure disposal of digital media requires all data on the media to be deleted and the digital media then to be destroyed. This is carried out at a secure facility by approved personnel.
10. Operational reliability
The data centers' backbone network is connected to multiple Internet service providers. All traffic to and from the application passes through a firewall and a threat detection service that continuously monitors for malicious activity and unauthorized behavior. Only specific endpoints are exposed to the Internet; the remaining components are deployed in private, non-routable networks.
10.2. Traceability and monitoring
Centralized log management is used for Nordic Defender and for related network communications. Designated personnel actively work to detect high-risk activities via rule-based alarms and tools for analyzing non-conformities. Where necessary, relevant parts of the logs can be made available to user companies.
Data is protected by access rights, which are enforced at all levels of Nordic Defender, and by multi-factor authentication where applicable. Data processing, reads, edits and logins are all logged, as are failed login attempts.
Timestamps in Nordic Defender are taken from the system's servers. Logged times are displayed in the time zone of the user's browser, in the format given by the user's language settings.
Logs cannot be manipulated from inside Nordic Defender. They are retained unchanged unless the case is removed or the user is deleted or inactivated. The system logs all changes to and reads of event data, both successful and unsuccessful logins, and all changes to access rights. Access to the logs depends on the access rights of the user's role.
Databases and transaction logs are routinely backed up, and recovery from backups is tested regularly. The recovery point objective (RPO, the maximum period of data loss) is 4 hours and the recovery time objective (RTO) is 8 hours. Backups of servers in both data centers are stored separately from the originals.
10.4. Malware protection
Nordic Defender is separated from the Platform Provider's other IT systems by firewalls. All servers in the environment are protected from malware by application whitelisting, so that only approved software can execute. Clients used to connect to the servers have anti-virus software enabled. Both servers and clients are hardened prior to deployment. In addition, all files uploaded by users are scanned by antivirus software.
10.5. Vulnerability management
A team of dedicated staff monitors information from suppliers about security deficiencies in products and components and about available updates. A risk analysis is performed, after which serious security deficiencies and important updates are addressed immediately. Other issues are addressed in line with documented procedures for routine version management. All changes to the software used in Nordic Defender, including its third-party components, are documented.
11. Communications security
The solution is protected by a firewall so that only pre-defined traffic is allowed network access to it.
All traffic that passes the firewall is logged. Firewall logs are retained for 12 months, and all other log entries are retained for the same period.
12. Acquisition, development and maintenance of systems
12.1. Testing and development
Systems are developed using an agile approach based on proactive quality assurance, with continuous testing and performance feedback. The agile approach includes a requirements process and testing. The development team is responsible for all activities needed to assure the quality of each product backlog item (PBI) in each sprint.
The team is also responsible for assuring the quality of Nordic Defender over the long term.
Separate IT environments are used for production and for testing and developing Nordic Defender. To ensure the quality of the software we deliver, we use a continuous integration (CI) process that automates code integration, builds the application and executes the tests.
12.2. Penetration testing
Internal and external parties conduct thorough penetration tests at least once a year to evaluate the system's security. User companies may not conduct security audits or penetration tests against Nordic Defender without the prior permission of the Platform Provider. Contact the Platform Provider's support for further information.
13. Managing data security incidents
The Application Manager is responsible for the operational management of serious IT incidents, including communication, investigation and reporting. The Application Manager analyses IT incidents to ensure that adequate action has been taken to manage the incident and that the experience gained feeds into the organization's operational risk management processes.
A solutions team is appointed to resolve the incident and assist the Application Manager with the investigation. In the event of a cyber-attack, the SOC is engaged. The Platform Provider's Crisis Management Team can be activated if warranted by the seriousness of the incident.
Incidents relating to personal data are managed in accordance with the Data Processing Agreement.
14. Business continuity management
Nordic Defender is mirrored in two separate data centers in the EU. Each data center has the capacity to maintain system availability on its own should the other data center go down.
Nordic Defender is ISO 27001 (ISMS) certified. The Platform Provider's Internal Audit function operates to an annual audit plan and reports to the Board of Directors and the CEO. The audit plan is prepared through an objective and independent assessment of materiality and risk, in order to provide an overall opinion on the adequacy of internal governance and control.