Information Security Policy.

Information Security Policy and Privacy Statement

 

Published: June 17th, 2026

Qualifyze’s  leadership  team  promotes  the  implementation,  maintenance  and  continuous improvement of its Information Security Management System based on the requirements of the reference standards UNE-ISO/IEC 27001 and ISO/IEC 27701. 

Qualifyze   is   committed   to   protecting   the confidentiality, integrity and availability   of information , as well as the privacy and protection of Personally Identifiable Information (PII) processed in the context of its business activities.

In  the  context  of  its  business  activities, Qualifyze may  act  as  a  Personally  Identifiable Information (PII) Controller, PII Processor, or both, depending on the nature of the service or processing activity, and may rely on third-party processors where applicable, ensuring that all such processing is subject to appropriate contractual, technical and organizational safeguards. 

Qualifyze’s leadership and management are committed to maintaining a secure and privacy respecting environment in which information and personal data are processed, ensuring compliance with applicable legal, regulatory, contractual and privacy obligations, and meeting the expectations of clients, partners, and other interested parties. 

Policy Principles and Commitments

The principles that serve as the foundation to achieve and guarantee the effectiveness of the Information Security and Privacy Management System are set out below:

  • A high level of commitment to customers, ensuring uninterrupted service delivery and the  rapid  and appropriate management of information  security  and  personal  data incidents, including personal data breaches affecting PII.
  • Identification,  assessment, and  compliance  with legal,  regulatory, and  contractual requirements related to information security and privacy, including data protection obligations applicable to the processing of PII.
  • Promotion of awareness and training on information security and privacy policies, principles, and  obligations,  including  data  protection  requirements  related  to  the processing of PII.
  • Delivery  of  specific  training  on  threats  such  as  phishing,  smishing,  vishing,  social engineering and other information security and privacy related risks.
  • Continuous     improvement using updated     technologies,     secure     solutions, and innovation to proactively address emerging risks.
  • Implementation of appropriate technical and organizational measures, including Secure  Software  Development  Life  Cycle  (SSDLC),  encryption,  backup policies, disaster recovery processes, and the application of privacy by design and privacy by default principles. 
  • Evaluation of proprietary and third-party software platforms prior to use, ensuring that information and personal data are not exposed to unnecessary or unacceptable risks. 
  • Secure management of business intelligence and development processes, embedding information security and privacy controls throughout the full lifecycle of systems and services. 
  • Identification, analysis, and treatment of risks to the confidentiality, integrity, and availability of information, as well as risks related to the processing of PII, including risks to the rights and freedoms of data subjects. 
  • Performance of risk assessments on a continual basis and implementation of appropriate risk treatment plans for nonacceptable risks. 
  • Active involvement of Qualifyze’s leadership team in reviewing the effectiveness of the ISMS/PIMS, ensuring availability of resources, and promoting responsible security and privacy behaviours among employees, suppliers, and contractors. 
  • Continuous evaluation and implementation of improvements as part of an ongoing Plan Do Check Act (PDCA) cycle. 

These certifications validate our ability to protect critical data and systems, reinforcing the trust of our clients and partners. 

  • Interpretation of Information Security and Privacy

 

When  the  term “information security” is  used  within  this  policy,  it  shall  be  understood  to include information   security   and   privacy,   specifically   the   protection   of Personally Identifiable Information (PII), in accordance with ISO/IEC 27701. 

This interpretation applies to all objectives, controls, processes, and continuous improvement activities defined within the management system.

 

  • Alignment with other Frameworks

 

SOC 2 Type II

Qualifyze aligns  its  information  security  and  privacy  controls,  where  applicable,  with  other recognized   frameworks,   including SOC   2   Type   II, to further   strengthen   assurance, transparency  and  trust  for  clients  and  partners. To  achieve  this,  we  have  implemented  a rigorous  set  of  controls  and  continuous  monitoring  processes,  ensuring  compliance  with the Trust Services Criteria (TSC) established by the AICPA.

ISO/IEC 42001 – Artificial Intelligence Management System

Qualifyze recognizes the relevance of responsible and controlled use of  Artificial Intelligence within its business activities and digital platforms.

In  this  context, Qualifyze aligns  its  Information  Security  and  Privacy  Management  System (ISMS/PIMS),  based  on  ISO/IEC 27001  and  ISO/IEC 27701,  with  the  principles  and requirements  of  ISO/IEC 42001  (Artificial  Intelligence  Management  System),  ensuring  a consistent and integrated governance approach.

This alignment supports the secure, transparent and responsible use of Artificial Intelligence, considering information security, privacy, risk management, human oversight and compliance with  applicable  legal  and  regulatory  requirements  throughout  the  life cycle  of  AI  systems, while maintaining detailed AI -specific policies and procedures in dedicated documentation.

 

  • Communication and non-compliance 

This policy is communicated to all Qualifyze employees and relevant external parties. All personnel and third parties acting on behalf of Qualifyze are required to comply with the information security and privacy requirements derived from this policy, as well as with all associated standards, procedures, and controls.

 

Published: August 29th, 2025 

At Qualifyze, we take the security of our systems and the protection of our clients’ data very seriously.

We strive to stay up to date in cybersecurity and work proactively to prevent, detect, and mitigate vulnerabilities.

For this reason, we conduct our own security analyses, penetration tests, and vulnerability scans on a regular basis, using qualified personnel and trusted providers.

 

What We Do Not Allow

  • Scans or vulnerability testing of our URLs, systems, or infrastructure without prior written authorization.
  • Security testing with the purpose of evaluating us as a service provider without prior contact.
  • Tests carried out with the intention of “helping” or to attempt to obtain financial or other types of rewards.
  • Activities involving access to, alteration, or deletion of data, or actions that may impact the availability of our services.

Any such activity may be considered malicious and will be reported to the competent authorities.

What We Do Accept

If you have identified a vulnerability legitimately (for example, during normal use of our services, without bypassing security measures or performing intrusive testing), we appreciate you reporting it through our official channel: security@qualifyze.com

Please include:

  1. A clear description of the finding.
  2. Non-intrusive evidence (screenshots, logs, etc.).
  3. Contact details so we can follow up with you.

Applicable Legislation

This policy is applied under the legal framework in force in the European Union and Germany, including:

  • Directive (EU) 2013/40 on attacks against information systems.
  • German Criminal Code (“Strafgesetzbuch”): §202a, §202c, §303a and §303b, relating to unauthorized access, computer damage, and use of tools for intrusion.
  • Regulation (EU) 2016/679 (GDPR) and the Federal Data Protection Act (“BDSG”)when the processing of personal data is involved.

Failure to comply with these provisions may result in criminal, civil, and/or administrative liability, and may be reported by us to the competent authorities if detected.

Quick Summary

  • We do not run bounty programs.
    We do not authorize unsolicited scans.
    We do appreciate legitimate and responsible reports.
    Always use our official channel: security@qualifyze.com