Information Security Policy.
Information Security Policy and Privacy Statement
Published: June 17th, 2026
Qualifyze’s leadership team promotes the implementation, maintenance and continuous improvement of its Information Security Management System based on the requirements of the reference standards UNE-ISO/IEC 27001 and ISO/IEC 27701.
Qualifyze is committed to protecting the confidentiality, integrity and availability of information , as well as the privacy and protection of Personally Identifiable Information (PII) processed in the context of its business activities.
In the context of its business activities, Qualifyze may act as a Personally Identifiable Information (PII) Controller, PII Processor, or both, depending on the nature of the service or processing activity, and may rely on third-party processors where applicable, ensuring that all such processing is subject to appropriate contractual, technical and organizational safeguards.
Qualifyze’s leadership and management are committed to maintaining a secure and privacy respecting environment in which information and personal data are processed, ensuring compliance with applicable legal, regulatory, contractual and privacy obligations, and meeting the expectations of clients, partners, and other interested parties.
Policy Principles and Commitments
The principles that serve as the foundation to achieve and guarantee the effectiveness of the Information Security and Privacy Management System are set out below:
- A high level of commitment to customers, ensuring uninterrupted service delivery and the rapid and appropriate management of information security and personal data incidents, including personal data breaches affecting PII.
- Identification, assessment, and compliance with legal, regulatory, and contractual requirements related to information security and privacy, including data protection obligations applicable to the processing of PII.
- Promotion of awareness and training on information security and privacy policies, principles, and obligations, including data protection requirements related to the processing of PII.
- Delivery of specific training on threats such as phishing, smishing, vishing, social engineering and other information security and privacy related risks.
- Continuous improvement using updated technologies, secure solutions, and innovation to proactively address emerging risks.
- Implementation of appropriate technical and organizational measures, including Secure Software Development Life Cycle (SSDLC), encryption, backup policies, disaster recovery processes, and the application of privacy by design and privacy by default principles.
- Evaluation of proprietary and third-party software platforms prior to use, ensuring that information and personal data are not exposed to unnecessary or unacceptable risks.
- Secure management of business intelligence and development processes, embedding information security and privacy controls throughout the full lifecycle of systems and services.
- Identification, analysis, and treatment of risks to the confidentiality, integrity, and availability of information, as well as risks related to the processing of PII, including risks to the rights and freedoms of data subjects.
- Performance of risk assessments on a continual basis and implementation of appropriate risk treatment plans for nonacceptable risks.
- Active involvement of Qualifyze’s leadership team in reviewing the effectiveness of the ISMS/PIMS, ensuring availability of resources, and promoting responsible security and privacy behaviours among employees, suppliers, and contractors.
- Continuous evaluation and implementation of improvements as part of an ongoing Plan Do Check Act (PDCA) cycle.
These certifications validate our ability to protect critical data and systems, reinforcing the trust of our clients and partners.
- Interpretation of Information Security and Privacy
When the term “information security” is used within this policy, it shall be understood to include information security and privacy, specifically the protection of Personally Identifiable Information (PII), in accordance with ISO/IEC 27701.
This interpretation applies to all objectives, controls, processes, and continuous improvement activities defined within the management system.
- Alignment with other Frameworks
SOC 2 Type II
Qualifyze aligns its information security and privacy controls, where applicable, with other recognized frameworks, including SOC 2 Type II, to further strengthen assurance, transparency and trust for clients and partners. To achieve this, we have implemented a rigorous set of controls and continuous monitoring processes, ensuring compliance with the Trust Services Criteria (TSC) established by the AICPA.
ISO/IEC 42001 – Artificial Intelligence Management System
Qualifyze recognizes the relevance of responsible and controlled use of Artificial Intelligence within its business activities and digital platforms.
In this context, Qualifyze aligns its Information Security and Privacy Management System (ISMS/PIMS), based on ISO/IEC 27001 and ISO/IEC 27701, with the principles and requirements of ISO/IEC 42001 (Artificial Intelligence Management System), ensuring a consistent and integrated governance approach.
This alignment supports the secure, transparent and responsible use of Artificial Intelligence, considering information security, privacy, risk management, human oversight and compliance with applicable legal and regulatory requirements throughout the life cycle of AI systems, while maintaining detailed AI -specific policies and procedures in dedicated documentation.
- Communication and non-compliance
This policy is communicated to all Qualifyze employees and relevant external parties. All personnel and third parties acting on behalf of Qualifyze are required to comply with the information security and privacy requirements derived from this policy, as well as with all associated standards, procedures, and controls.
Vulnerability Disclosure Policy (VDP)
Published: August 29th, 2025
At Qualifyze, we take the security of our systems and the protection of our clients’ data very seriously.
We strive to stay up to date in cybersecurity and work proactively to prevent, detect, and mitigate vulnerabilities.
For this reason, we conduct our own security analyses, penetration tests, and vulnerability scans on a regular basis, using qualified personnel and trusted providers.
What We Do Not Allow
- Scans or vulnerability testing of our URLs, systems, or infrastructure without prior written authorization.
- Security testing with the purpose of evaluating us as a service provider without prior contact.
- If you wish to conduct a supplier evaluation, you must first request authorization at: security@qualifyze.com
- Tests carried out with the intention of “helping” or to attempt to obtain financial or other types of rewards.
- Activities involving access to, alteration, or deletion of data, or actions that may impact the availability of our services.
Any such activity may be considered malicious and will be reported to the competent authorities.
What We Do Accept
If you have identified a vulnerability legitimately (for example, during normal use of our services, without bypassing security measures or performing intrusive testing), we appreciate you reporting it through our official channel: security@qualifyze.com
Please include:
- A clear description of the finding.
- Non-intrusive evidence (screenshots, logs, etc.).
- Contact details so we can follow up with you.
Applicable Legislation
This policy is applied under the legal framework in force in the European Union and Germany, including:
- Directive (EU) 2013/40 on attacks against information systems.
- German Criminal Code (“Strafgesetzbuch”): §202a, §202c, §303a and §303b, relating to unauthorized access, computer damage, and use of tools for intrusion.
- Regulation (EU) 2016/679 (GDPR) and the Federal Data Protection Act (“BDSG”)when the processing of personal data is involved.
Failure to comply with these provisions may result in criminal, civil, and/or administrative liability, and may be reported by us to the competent authorities if detected.
Quick Summary
- We do not run bounty programs.
We do not authorize unsolicited scans.
We do appreciate legitimate and responsible reports.
Always use our official channel: security@qualifyze.com