Entrustment and Further Entrustment of Personal Data Processing

Depending on the service provided, the list of processors may vary. Details are regulated by the personal data processing agreement.

The list is available in the section.

The processing is carried out to provide the Service to the Client based on the Main Agreement and to fulfill Vercom's obligations arising from this Data Processing Agreement, particularly concerning data security, including ensuring their integrity and availability.

The processed personal data concerns the following categories of individuals: End Users - individuals who are recipients of electronic communications sent by the Client based on the Main Agreement.

The processed special categories of personal data include the following categories: Not applicable.

Yes, subcontractors undergo an annual assessment.

Yes, there is a detailed list of further processors used by Vercom S.A., last updated on 20_03_2023, as well as a Register of Processing Activities at VERCOM S.A.

Yes. Periodic internal and external audits are conducted. Testing occurs at least once every 12 months or more frequently if necessary.

The most recent ISO 22301 audit took place in January 2025. Previous external audits for ISO 27001 and ISO 27018 were conducted in August 2024. These audits covered the entire organization, assessing compliance with all required standards and evaluating the effectiveness of security controls. Compliance with ISO 22301, ISO 27001, and ISO 27018 was verified, resulting in the issuance of a certification of conformity.

Additionally, in 2024, three internal audits were conducted, culminating in an audit report and a review of the Information Security Management System’s performance.

All operations performed on personal data take place within an IT system. Data entrusted for processing are not stored on employees' computers. Vercom does not process personal data in paper form as part of its services. All personal data entrusted to us for processing are stored in an external data center that meets the highest security standards and undergoes multi-layered security measures.

Vercom uses logical separation of data in its systems provided as part of the services rendered.

Yes.

Yes.

The main server environment within VERCOM's CPaaS is located within the EEA. All further processors handling personal data provide services covered by regionalization within PL, EU, or EEA territories. We do not process data outside of the EEA.

According to the documented and implemented policy, backups are created daily. Backup copies are stored for 2 years and are encrypted. Backups are maintained only within the EEA in external data centers with the highest security standards, subject to multi-layered security measures.