Information Security Policy.
Published: March 6th, 2025
- High commitment to the customer with the aim of guaranteeing an uninterrupted service, with rapid and appropriate management of Information Security incidents. A Business Continuity Plan and an Incident Response Plan are the pillars of the ISO, and both processes are in place at Qualifyze.
- Legal requirements of clients pertaining to information and data security are met and maintained. Our Information Security governance and legal team assesses such requirements and contributes to meeting them.
- Creating awareness of existing security and privacy policies through a dedicated platform, with special emphasis on training derived from the Information Security Management System implemented in the organization. Qualifyze staff actively participate in this training, which is conducted internally on a regular basis to establish and meet the objectives and goals related to Information Security.
- We conduct specific training for our teams and resources on phishing, smishing, vishing, social engineering and other aspects of information security.
- Providing added value to the client using updated technologies, creating solutions, ensuring continuous improvement in the existing processes and conducting steady research towards innovation to ensure we are always ahead of any security issues that may arise.
- The updated processes and technologies we use at Qualifyze include SSDLC, encryption, DRP, security dashboards and backup policies, among others.
- For quality and assurance, we have various controls for clients that have been tested from a functional and security perspective. Our software platforms, whether proprietary or third-party, are evaluated prior to use to ensure that we do not subject data to unnecessary risk.
- Our business intelligence processes follow clear guidelines on information security. Secure Software Development Life Cycle is at the core of this process.
- We have a Secure Software Development Life Cycle to build new software in an organised and robust manner. This process also ensures that we have controls in place to minimise the risk in the event of any data leakage.
- Managing the provision of services carried out by Qualifyze to clients in an effective and efficient manner within a life cycle that allows the continuous improvement of the processes implemented.
- Ensuring the confidentiality, integrity, and availability of the information by analysing our risks. We look at them from all three dimensions. They are always present in our processes, and we seek to ensure that all information handled by our company complies with all three dimensions.
- The Corporate Information Security Management System Policy constitutes the reference framework for establishing the goals of the ISMS in such a way as to ensure continuous improvement in performance.
- Out of its concern for Information Security, Qualifyze carries out a risk analysis that is constantly updated to maintain control over possible new risk situations and to establish the corresponding plan for the treatment of unaccepted risks. Based on the results obtained in the planning phase and on threat intelligence analysis, security controls are implemented, and the procedures of the management system are adapted to the requirements of the process.
- In addition, the Qualifyze leadership team reviews the system's progress, conducts data analysis and implements decision making by ensuring the availability of resources and intercommunication between all departments of the company’s organization chart. It also proactively and positively influences the behaviour of its stakeholders and key suppliers and contractors by promoting the adoption of responsible information security behaviours.
- Improvements are evaluated, and once their feasibility is assessed, they are implemented, operated and maintained. The entire Information Security Management System is based on a continuous improvement cycle that includes the planning of its activities, its implementation, operation, review and subsequent improvement.
- Improvements to this policy and the underlying management systems are established during the review and improvement phases, based on inputs received from internal and external stakeholders and personnel.
Vulnerability Disclosure Policy (VDP)
Published: August 29th, 2025
At Qualifyze, we take the security of our systems and the protection of our clients’ data very seriously.
We strive to stay up to date in cybersecurity and work proactively to prevent, detect, and mitigate vulnerabilities.
For this reason, we conduct our own security analyses, penetration tests, and vulnerability scans on a regular basis, using qualified personnel and trusted providers.
What We Do Not Allow
- Scans or vulnerability testing of our URLs, systems, or infrastructure without prior written authorization.
- Security testing with the purpose of evaluating us as a service provider without prior contact.
  - If you wish to conduct a supplier evaluation, you must first request authorization at: security@qualifyze.com
- Tests carried out with the intention of “helping” us or of obtaining financial or other types of rewards.
- Activities involving access to, alteration, or deletion of data, or actions that may impact the availability of our services.
Any such activity may be considered malicious and will be reported to the competent authorities.
What We Do Accept
If you have identified a vulnerability legitimately (for example, during normal use of our services, without bypassing security measures or performing intrusive testing), we appreciate you reporting it through our official channel: security@qualifyze.com
Please include:
- A clear description of the finding.
- Non-intrusive evidence (screenshots, logs, etc.).
- Contact details so we can follow up with you.
Applicable Legislation
This policy is applied under the legal framework in force in the European Union and Germany, including:
- Directive (EU) 2013/40 on attacks against information systems.
- German Criminal Code (“Strafgesetzbuch”): §202a, §202c, §303a and §303b, relating to unauthorized access, computer damage, and use of tools for intrusion.
- Regulation (EU) 2016/679 (GDPR) and the Federal Data Protection Act (“BDSG”) when the processing of personal data is involved.
Failure to comply with these provisions may result in criminal, civil, and/or administrative liability, and may be reported by us to the competent authorities if detected.
Quick Summary
- We do not run bounty programs.
- We do not authorize unsolicited scans.
- We do appreciate legitimate and responsible reports.
- Always use our official channel: security@qualifyze.com