Entrustment and Further Entrustment of Personal Data Processing

How many subcontractors does the processor use and to what extent?

Depending on the service provided, the list of processors may vary. Details are regulated by the personal data processing agreement.

The list is available in the Personal Data Processing section.

What is the subject, nature, and purpose of processing personal data?

The processing is carried out to provide the Service to the Client based on the Main Agreement and to fulfill Vercom's obligations arising from this Data Processing Agreement, particularly concerning data security, including ensuring their integrity and availability.

What categories of individuals does the agreement cover?

The processed personal data concerns the following categories of individuals: End Users - individuals who are recipients of electronic communications sent by the Client based on the Main Agreement.

What types of special categories of personal data are covered by the agreement?

The processed special categories of personal data include the following categories: Not applicable.

Have all subcontractors used during the provision of services been checked to ensure an appropriate level of personal data protection?

Yes, subcontractors undergo an annual assessment.

Is there a record of suppliers to whom you entrust or further entrust the processing of personal data?

Yes, there is a detailed list of further processors used by Vercom S.A., last updated on 20_03_2023, as well as a Register of Processing Activities at VERCOM S.A.

Have internal regulations been prepared and implemented regarding the supervision and monitoring of personal data processing processes?

Yes. Periodic internal and external audits are conducted. Testing occurs at least once every 12 months or more frequently if necessary.

The most recent ISO 22301 audit took place in January 2025. Previous external audits for ISO 27001 and ISO 27018 were conducted in August 2024. These audits covered the entire organization, assessing compliance with all required standards and evaluating the effectiveness of security controls. Compliance with ISO 22301, ISO 27001, and ISO 27018 was verified, resulting in the issuance of a certification of conformity.

Additionally, in 2024, three internal audits were conducted, culminating in an audit report and a review of the Information Security Management System’s performance.

Where are the data entrusted for processing stored?

All operations performed on personal data take place within an IT system. Data entrusted for processing are not stored on employees' computers. Vercom does not process personal data in paper form as part of its services. All personal data entrusted to us for processing are stored in an external data center that meets the highest security standards and is protected by multi-layered security measures.

How does the entity ensure separation of data entrusted to it by the Controller from data of other entities, including its own data?

Vercom uses logical separation of data in its systems provided as part of the services rendered.

Is a Register of Processing Activities maintained?

Yes.

Is a Register of Categories of Processing Activities maintained?

Yes.

Is the storage and processing of data carried out only within the EEA?

The main server environment within VERCOM's CPaaS is located within the EEA. All further processors handling personal data provide services covered by regionalization within PL, EU, or EEA territories. We do not process data outside of the EEA.

Do we have procedures regarding backups of the data we process?

According to the documented and implemented policy, backups are created daily. Backup copies are stored for 2 years and are encrypted. Backups are maintained only within the EEA in external data centers with the highest security standards, subject to multi-layered security measures.
