Introduction

Privacy statement

This Privacy Policy tells how Creuna gather and use certain information about individuals.

1. Purpose of collecting personal data

Creuna process personal data only for purposes that are needed by Creuna’s services and to perform the processing according to privacy rights and regulations, including the need to protect personal integrity and private life and to ensure that personal data are of right quality.

Further it is the policy of Creuna to adhere to local data privacy legislation as well as corporate policies and procedures and applicable privacy directives, including General Data Protection Regulation (EU 2016/679). Processing may include collection, recording, alignment, storage, transfer and disclosure or a combination of this. Creuna may use resources from subcontractors outside EU-/EEA-area in a way that is considered as transfer of personal data for carrying out tasks (I a support services) based on EU standard contractual clauses. Creuna processes personal data both as a processor and as a controller.

2. Categories of Personal data

Personal data are related to employees, customers, and customers of the customers, vendors and visitors on Creuna’s webpages. Creuna processes:

1. Personal data on behalf of Creuna’s customers and
2. Personal data where Creuna is data controller

It is the policy of Creuna to limit these data only to include contact details, strictly professional information and information related to the activities Creuna has performed in relation to the persons concerned. Creuna may collect, store, use and transfer personal data for specifically expressed purposes when the user visits Creuna’s webpages. Such purposes are in general daily operation of the system and communication.

3. Principle rules

When processing personal data Creuna will fulfill obligations

1. towards the data subjects,
2. towards public authorities and
3. towards customers and other controllers than Creuna regarding how the processing is carried out.

The obligations are further detailed below.

3.1. In relation to the data subject there are provisions in the applicable personal data act stipulating conditions for authorizing the processing. Consent from the data subject is normally a sufficient authorization. Dependent upon the data being sensitive or not, other conditions may authorize the processing. Furthermore, Creuna has an obligation to provide information to the data subject and upon request to provide access to the data. To ensure that personal data are of right quality, inadequate personal data may be corrected.

3.2. In relation to the public authorities the applicable Personal Data Act contains an obligation to give notification.

3.3. When Creuna is providing services to customers that include processing of personal data, such processing can only take place when there is a contractual basis for such processing. The transfer of personal data to Creuna’s subcontractors in countries outside EU/EEA can only take place when the data subject or the customer has approved the transfer. A legal basis is required for such transfer, for example a specific EU model clause agreement.

3.4. Regarding the processing itself there are obligations with regard to data security and internal control. Organizational, physical and technical security measures shall be implemented to ensure adequate level of data security. The measures shall be in proportion to the probability and consequences of any breaches of security to prevent loss of life or health, economical loss or loss of reputation and personal integrity. The use of external resources to process personal data may be subject to specific provision of applicable Personal Data Act, as well as the transfer of data to other countries. Creuna will delete personal data when all purposes of the processing of the personal data are fulfilled. The retention time of each category of personal data is assessed considering practical, technical and other considerations.

4. Audit program

To verify that Creuna’s processing meets data protection and privacy requirements, Creuna will conduct audits according to standard audit regime.

5. Changes to the Privacy Statement

Creuna reserves the right to amend this Statement at any time.

6. Complaint Mechanisms

Complaints may be addressed to compliance@creuna.com

Creuna Information Security and Data Privacy statement

1. General

This document is an overview of the Creuna Information Security and Data Privacy Governance.

2. Risk Assessment and Treatment

Creuna has the organization and routines in place to continuously identify and mitigate risks regarding:
• Security in IT operations
• Business
• Legal

3. Security and Data Privacy Policies

Creuna has, through the Creuna Security Governance and in accordance with ISO 27001 and OWASP S-SDLC, implemented several security- and data privacy policies:

• DATA CLASSIFICATION POLICY
• DATA PROTECTION POLICY
  • PERSONAL DEVICES POLICY
• NETWORK POLICY
• ENCRYPTION POLICY
• IDENTITY AND ACCESS POLICY
• SOFTWARE AND SYSTEMS POLICY
• DATA CENTER POLICY
• TRAFFIC, DEVICE AND DATA MONITORING POLICY
• SOFTWARE DEVELOPMENT POLICY
• BREACH AND DATA LEAK DISCLOSURE POLICY
• TRAINING AND AWARENESS POLICY
• DATA SHARING AND COLLABORATION POLICY
• PII PROCESSING POLICY
• LOCAL POLICIES

4. Organization of Information Security

The Creuna SOC (Security Operations Center) is responsible for maintaining the high level of Security and Data Privacy stated in the Creuna Security Governance document. The Creuna SOC is not only responsible for the IT operations part of security and data privacy, but also has close collaboration with HR, Legal and Management. The Creuna SOC department reports to NMT (Nordic Management Team) which is the top-level operational management entity within the Creuna organization. The Head of SOC is responsible for identifying, reporting and mitigating any Security and Data Privacy risks and/or incidents. The Head of SOC is also available for consultation on specific customer, partner, sub-contractor and/or 3rd party requirements and questions.

5. Asset Management and Confidentiality Controls

As part of the Security Governance, Creuna has an implemented Data Classification policy. This policy aims to ensure that all data processed by Creuna is classified as either Forbidden, Highly Sensitive, Sensitive, Normal or Public, and handled accordingly. Creuna has systems and routines in place to monitor the compliance of the classified data, and act on violations.

6. Human Resources Security

The Creuna SOC works closely together with HR to make sure we maintain a high level of awareness and competence in regard to Information Security and Data Privacy among our employees and sub-contractors. Creuna incorporates training and awareness as part of our onboarding process, and continuously host training sessions. All Creuna employees and sub-contractors have a responsibly to keep up-to-date with the Security and Data Privacy policies and procedures.

7. Physical and Environment Security

The Creuna server facilities (Data Centers) has high levels of certification in regard to physical and environmental security. Creuna also has procedures and systems in place to security our premises and monitor access to facilities and equipment:

• Visitor system
• Key-card access
• Alarms
• Pin codes and screen locks on computers and devices

8. Communications and Operations Management

The Creuna Data Center is our common infrastructure in the organization. This allows us to approach Information Security and Data Privacy in an efficient and unified fashion. Some of the common tools implemented in this infrastructure are:

• anti-malware
• phishing protection
• services disruption protection
• intrusion prevention
• DLP
• cloud services assessment, monitoring and compliance
• identity and access management
• vulnerability scanning and patch management
• network encryption and segmentation
• monitoring and incident response

Creuna provides and maintains numerable systems (Sanctioned Systems) for collaboration and processing of data and documents covered by the infrastructure security and compliance tools listed above.

9. Access Control

Creuna control access and authentication centrally and can quickly deploy and demote access as needed.

10. Information Systems Acquisition, Development and Maintenance

The Creuna Systems & Security board are responsible for deciding on introduction of- and changes to- sanctioned systems. The board evaluates and decides requests on recurring meetings through a change management process. Decisions are made based on:

• Security
• Business risk
• Compliance
• Business needs
• Cost

The Creuna SOC is responsible for ensuring that our customer solutions are developed in a secure manner (Secure by design, Privacy by default), and that the solutions maintained by Creuna stay secure through continuous vulnerability monitoring

11. Information Security Incident Management

The Creuna SOC is responsible for monitoring our compliance and respond to incidents. This includes, but is not limited to, notifying authorities of breaches.

12. Business Continuity Management

Creuna has implemented several solutions and processes to secure our Business Continuity in case of disaster or emergency.

• perimeter security and access control
• education and awareness
• onboarding and offboarding procedures
• highly available and geo-resilient data center
• backup and D/R
• Personnel and knowledge retention
• Procedure documentation and procedure automation
• Continuous risk assessment and adaptation

13. Compliance

The Creuna SOC has the main responsibility for ensuring compliance. We also rely on external specialists and mechanisms to validate the work of the SOC and make sure we’re compliant. For example:

• Recurring Legal auditing
• Electronic whistle-blowing system
• External InfoSec specialists doing recurring auditing