Controls

Organizational controls

Control Status

Policies for information security enforced

The company has an information security policy in place to help ensure that security is a top priority in our company.

Risks assessments performed

The company's risk assessments are performed 4 times a year. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed.

Risk management program established

The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

Security and risk management in projects enforced

Information security risks related to projects are effectively addressed in project management throughout the project life cycle.

MFA to critical systems enforced

The company's production systems can only be accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

Access control procedures established

The company's access control policy documents the requirements for the following access control functions: adding new users, modifying users, and/or removing existing users' access.

Anti-malware technology utilized

The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

Password policy enforced

The company requires passwords for production systems to be configured according to the company's policy.

Support system available

The company has an external-facing support system in place (https://help.doccle.be) that allows users to report system information on failures, incidents, concerns and other complaints.

Access reviews conducted

The company conducts access reviews at least twice a year for the in-scope system components to help ensure that access is restricted appropriately.

Incident response policies established

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Incident management procedures followed

The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

Third-party agreements established

The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.

Vendor management program established

The company has a vendor management program in place. Components of this program include: critical third-party vendor inventory; vendor's security and privacy requirements; and review of critical third-party vendors at least annually.

People controls


Confidentiality Agreement acknowledged by employees

The company requires employees to sign a confidentiality agreement during onboarding.

Confidentiality Agreement acknowledged by contractors

The company requires contractors to sign a confidentiality agreement at the time of engagement.

Performance evaluations conducted

The company managers are required to complete performance evaluations for direct reports at least annually.

Security awareness training implemented

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

Employee background checks performed

The company performs background checks on new employees.

Physical controls


Physical access processes established

The company has processes in place for granting, changing, and terminating physical access to the company office.

Clear screen and clean desk enforced

The company has imposed a clear screen and clean desk policy to prevent data from being leaked.

Standards for remote working established

Standards are set to ensure the security of information when personnel are working remotely.

Asset disposal procedures utilized

The company has electronic media containing confidential information purged or destroyed in accordance with best practices.

Technological controls


Encryption key access restricted

The company restricts privileged access to encryption keys to authorized users with a business need.

Log management utilized

The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.

Intrusion detection system utilized

The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

Service infrastructure maintained

The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.

Unique account authentication enforced

The company requires authentication to systems and applications to use a unique username and password.

Network firewalls utilized

The company uses firewalls and configures them to prevent unauthorized access.

Firewall access restricted

The company restricts privileged access to the firewall to authorized users with a business need.

Network firewalls reviewed

The company reviews its firewall rulesets regularly. Required changes are tracked to completion.

Infrastructure performance monitored

An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.

Network segmentation implemented

The company's network is segmented to prevent unauthorized access to customer data.

Changes to production systems controlled

All changes to the production systems go through a strict process maximizing the availability of our products.

Penetration testing performed

The company's penetration testing is performed continuously via Intigriti.com. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

Data transmission encrypted

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

Secure software development lifecycle implemented

The company has implemented a secure software development lifecycle to help ensure that security is addressed throughout the software development process.

Code scanning enforced

All software code can only be released when no vulnerabilities are present.

Data protection controls


Data Protection Framework

Doccle has created and implemented a Data Protection Governance Structure, including an independent, external Data Protection Officer (DPO) and a Data Protection Management System (Responsum) documenting our Register of Processing Activities, DPIAs, etc., to demonstrate our accountability and compliance.

Data Protection Principles Controls

Doccle guarantees it will only process personal data in compliance with the principles established in the GDPR. The processing of personal data will always be based on a documented, lawful basis, as well as on specified, documented and legitimate purposes. Doccle is committed to processing only the personal data that is strictly necessary, and to keeping it accurate at all times.

Transparency Controls

Our Transparency Control ensures that all data subjects are fully informed about how their personal data is being processed. We provide clear and accessible information about the types of data we collect, the purposes of processing and much more. This transparency allows users to make informed decisions about their data. This trust center is also an excellent example of such transparency control.

Third-Party and International Transfer Controls

Doccle carefully selects and monitors its (sub-)processors, establishes robust data protection agreements, and facilitates secure international data transfers. We implement strict procedures to ensure they meet our data protection standards. Additionally, we utilize appropriate data transfer mechanisms and ensure that any joint controller arrangements are clearly defined where necessary. Audits are conducted to verify compliance, safeguarding data privacy throughout the entire processing chain.

Data Security Controls (Confidentiality, Integrity and Availability)

Our Data Security Controls are designed to uphold the highest standards of integrity and confidentiality, with certifications ensuring compliance with global security and data protection best practices. We are ISO 27000 certified for information security and ISO 9000 certified for quality management. We also comply with the ISO 27701 standard regarding data protection. All databases, documents, and data are encrypted to safeguard against unauthorized access and ensure the privacy and integrity of personal information. These measures provide a comprehensive, secure environment for data at every stage of processing.

Data subject Rights Controls

We have documented procedures to manage and handle all incoming Data Subject Rights Requests. This means our end-users are in complete control of their personal data.

Incident Management and Response Controls

We have many controls in place to mitigate the likelihood and impact of incidents in our organization. Should an incident nevertheless occur, Doccle is prepared. Structured procedures are in place to ensure a quick response to any type of incident, including data breaches.

Reporting and Communication Controls

Our robust reporting and communication framework ensures transparency and accountability in compliance with GDPR. This includes proactive engagement with Supervisory Authorities as per Article 31, alongside annual compliance reporting to demonstrate our commitment to data protection and privacy.

Set of State of the Art Technical and Organizational Measures

We implement state-of-the-art measures to ensure data protection, including a Data Protection Policy, Audit Procedures, ongoing Monitoring & Review procedures and Training and Awareness programs to foster a culture of compliance and security. Together with our Information Security Certificate (ISO 27001:2013) we can guarantee the safety of your personal data.