Security Measures

Data Protection Measures

Room Security
  • Personal data is stored in a room secured with standard key-locked doors (non-reinforced, non-fire-resistant).

  • Personal data is stored in a room secured with doors of increased burglary resistance (class C doors).

  • The room where personal data is stored has windows secured with grilles, blinds, or anti-break-in film.

  • Rooms where the dataset is processed are equipped with an intruder alarm system.

  • Access to rooms where the dataset is processed is covered by an access control system.

  • Access to rooms where the dataset is processed is monitored by a surveillance system using industrial cameras.

  • Access to rooms where the dataset is processed is supervised by security personnel when the employees who work there are absent.

  • Access to rooms where the dataset is processed is under the 24/7 surveillance of security personnel.

  • Backup/archival copies of the dataset are stored in a closed non-metallic cabinet.

  • Backup/archival copies of the dataset are stored in a closed safe or armored cabinet.

  • The room where personal data sets are processed is protected against fire by a fire protection system and/or portable fire extinguishers.

  • Documents containing personal data are destroyed in document shredders once they are no longer needed.

Organizational Measures
  • Employees involved in data processing are familiar with the regulations regarding the protection of personal data.

  • Employees engaged in processing personal data have undergone training on the security measures of the information system.

  • Individuals employed in personal data processing are obligated to maintain confidentiality.

  • Computer monitors processing personal data are positioned to prevent unauthorized viewing by third parties.

  • Employees do not disclose personal data to third parties in the course of their duties (e.g., one client's invoicing data is not disclosed to another client).

  • Backup copies of the dataset are stored in a different room from the one housing the server on which personal data is processed in real time.

Hardware Measures in Information Technology and Telecommunication Infrastructure
  • The dataset of personal data is processed using a laptop computer.

  • The computer used for processing personal data is connected to the local computer network.

  • A UPS, a power generator, and/or a dedicated power circuit protect the information system processing personal data from the consequences of power failures.

  • Access to the computer's operating system where personal data is processed is secured through authentication processes using a username and password.

  • Measures are implemented to prevent unauthorized copying of personal data processed using information systems.

  • System mechanisms enforcing periodic password changes are in place.

  • Access to the system and to the personal data set is logged.

  • Cryptographic measures protect personal data transmitted over networks (teletransmission).

  • Access to teletransmission facilities is secured through authentication mechanisms.

  • Disk arrays are used to protect personal data from the consequences of disk failures.

  • Measures are implemented to protect against malicious software such as worms, viruses, trojan horses, and rootkits.

  • A firewall is used to protect access to the computer network.

Protection Measures within Software Tools and Databases
  • Measures are implemented to define access rights to specific data within the processed set of personal data.

  • Access to the dataset of personal data requires authentication using a username and password.

  • Screen savers have been installed on workstations where personal data is processed.


Technical and Organizational Measures

VERCOM S.A. implements policies, procedures, standards, and guidelines for information security within an Information Security Management System, as defined in the ISO/IEC 27001 and ISO/IEC 27018 standards.


Access

  • VERCOM S.A. conducts a risk analysis and implements appropriate controls in its systems to prevent unauthorized access to data. These controls combine legal, technical, physical, procedural, and human layers to prevent misuse and the unauthorized destruction, disclosure, or modification of data.

  • Rooms, facilities, and buildings containing information, information systems, or other network infrastructure are physically and permanently protected by risk-based security measures.

  • Formal procedures for granting access to data have been introduced.

  • Access to data is restricted to authorized employees only.

  • Access is granted on the principle of least privilege: only the access that is necessary, justified, and directly related to the employee's job responsibilities.

  • Access to data is granted only to identified individuals using individual user accounts; these activities are logged in audit records that are made available upon request. The use of privileged access rights and non-personal accounts is limited and controlled.

  • Data is made available on a "need-to-know" basis. Users or clients (external or internal) cannot have access to data that does not concern them.

  • Portable media is encrypted and appropriately labeled.

  • Multi-factor authentication is implemented for all authorized access.

  • A periodic access review is conducted at least once a year.


Responsibility

  • For each access to client data, there is an identifiable person or automated process responsible.

  • Formal processes govern the granting, removal, and modification of access to data. All such actions are recorded and made available to the client within 48 hours of the client's request.

  • Systems, hardware, and software used for data processing are maintained in accordance with these security requirements.


Security Incident Response

All detected security incidents and data breaches affecting client data or the services provided to the client are reported by VERCOM S.A. without undue delay and no later than 48 hours after detection.

A report of a personal data breach includes at least the following information:

  • Nature of the personal data affected.

  • Categories and number of individuals affected.

  • Number of personal data records affected.

  • Measures taken to remedy the data breach.

  • Potential consequences and negative impact of the data breach.

As applicable, personnel screening includes:

  1. Criminal background check (for teams handling banks and financial institutions).

  2. Creditworthiness check.


Encryption

All sensitive data, such as Personally Identifiable Information (PII), must be encrypted in transit and at rest.


Antivirus Protection

  • VERCOM S.A. raises user awareness and implements appropriate controls and policies for detecting and preventing malicious software (viruses and other malware) and for recovering data after an infection.

  • VERCOM S.A. conducts periodic training for employees in this area.


Full compliance with GDPR and other applicable laws, regulations, and contractual obligations is required.


Security Training

All employees with access to data or information must undergo appropriate security training. VERCOM S.A. assesses employees' knowledge after training.


Asset Ownership

  • All informational assets (data, systems, processes, etc.) must have a designated responsible owner within VERCOM S.A.

  • Upon completion of the assigned tasks, or when the data is no longer needed for processing, client data is returned to the client and VERCOM's copies are securely destroyed.


Non-Repudiation

Controls must be implemented to ensure that actions and events have legal effect and cannot later be challenged or repudiated by VERCOM S.A. Such actions must satisfy the requirements set by authorized individuals within VERCOM S.A., including the Data Protection Officer (DPO) and the authorized representative.


Periodic Review

VERCOM S.A. conducts a periodic review of access, security controls, and risks at least once a year to ensure that the security of assets is not compromised.


Right to Audit

During the term of the agreement with VERCOM S.A., the client and its associated entities have the right to conduct a security assessment at a mutually agreed time to confirm an adequate level of data protection. The assessment covers technical, physical, procedural, and human controls.
