Information security and privacy statement

Sound of Data supplies specialized Software as a Service (SAAS)-platforms to clients. This software enables clients to outsource to Sound of Data the interaction with – and the related data processing of – participants at an event or those involved in a business process. Sound of Data manages this process, the execution of which is mostly carried out by suppliers working together to safeguard delivery.

Clients naturally demand the highest standards with respect to the availability, integrity, and confidentiality of data processing. For this reason, the Sound of Data executive team has decided to offer its services in accordance with NEN-ISO/IEC 27001 and to be accredited for these services to ensure full compliance with customer requirements. Internal business processes at Sound of Data are also being benchmarked against the NEN-ISO/IEC 27001 provisions. The executive team is simultaneously taking measures to ensure it is in compliance with applicable personal data protection legislation, known as the General Data Protection Regulation (GDPR).

Scope

For Sound of Data, the certification scope is as follows:

Providing services in the field of customer service communication.

A set of measures related to the scope has been determined, known as the Statement of Applicability. These measures are taken to guarantee information security and privacy.

A copy of the valid certificate and the Statement of Applicability are available upon request.

Policy principles

The Sound of Data executive team states that:

  • Information security is one of the significant operational risks for Sound of Data. Following determination and implementation, risk analysis measures are examined periodically during internal and external audits to assess functioning and compliance.
  • They are in conformance with the NEN-ISO/IEC27002 directives and the applicable law related to the protection of personal information, the General Data Protection Regulation (GDPR).
  • In accordance with the ISO27001 standard, appropriate technical and organizational measures have been taken to guarantee the security of personal data and to prevent unauthorized, coincidental or wrongful amendment, loss, disclosure, access to and processing of personal data, notwithstanding the status of technology and the costs of its implementation or the nature of the personal data stored and the related risk profile, and irrespective of whether this results from human action or from material or natural circumstances.
  • Computer criminality is an undesirable social issue and the responsibility of taking appropriate measures to mitigate the damage as a consequence of criminal activity is addressed to the best of its ability.
  • Acquisition, installation, and maintenance of information and communication systems, as well as the incorporation of new technologies, are executed if necessary with supplementary measures so they do not detract from the security level.
  • The Human Resources policy is partially aimed at raising employee knowledge levels by offering training programs in privacy and security awareness.
  • Assignments to third parties to conduct work are so carefully wrapped in measures that no infringement of confidentiality, integrity and availability/continuity of the information flow can take place and no personal privacy violated. To this end, Sound of Data concludes processing and confidentiality agreements with the third parties concerned.
  • They remain in control thanks to their information security management processes (Plan-Do-Check-Act) and are hereby able to ensure that the risk of breaches of confidentiality, integrity, and availability of information is minimized.
  • They upload only the minimal amount of client information deemed necessary for the satisfactory execution of the service and to comply contractually with client requirements.

The measures are related to the following:

  • Drawing up a security policy that provides a framework to define, implement and control information security within Sound of Data.
  • Determine and safeguard the integrity of employees who have access to sensitive information.
  • Classification of information by appointing an owner and enshrining it in an Asset Management accounting process.
  • Acquisition, development, and maintenance of information systems, in accordance with the applicable security requirements. These include updates and strict separation of the testing and development environment, the acceptance test environment and the production environment.
  • Access control thanks to a formalized process on the basis of need-to-know and need-to-do principles.
  • Encryption (encoding), if necessary through the use of certificates.
  • Physical and environmental security to withhold access to unauthorized people, confront the bringing about of damage to or interference with information or information systems.
  • Supplier management, including other formulation of processing agreements, contracts and service level agreements.
  • Correction and prevention, including incident management and escalation.
  • Managing business continuity, including backup/recovery, redundancy, and fall-back contingency planning.
  • Compliance with applicable legislation.
  • Communication and operational management, including the Plan-Do-Check-Act cycle and awareness.

Safeguarding service

In order to establish optimal customer service and to guarantee the security of the information systems made available to it, Sound of Data has chosen to pursue a structured approach in line with ISO. For years, the company has been licensed for two standards and has been granted the most recent certification, namely:

  • ISO 9001:2015 quality management
  • ISO 27001:2017 information security

Whereas ISO 9001 maps the corporate processes and their underlying coherence as well as ensuring that they remain up-to-date, ISO 27001 ensures that all due care and attention is paid to secure use of client data and that the transmission and storage of this data – and access to it – is regulated and organized in a secure environment. To this end, attention is paid to the privacy provisions as set forth in legislation such as GDPR.

ISO 27001 requires information security to be governed through a system of information security management. A system of this nature consists of four phases that need ongoing execution to mitigate the risk of breaches of confidentiality or integrity and availability of information.

The phases are:

  • The PLAN phase – this phase is required for the fundamental organization of information security, to determine the objectives of information security as well as to undertake appropriate security checks and balances (the standard consists of a catalog of 133 potential control moments)
  • The DO phase – this phase consists of the execution of everything that was planned in the previous phase
  • The CHECK phase – the intention behind this phase is to monitor the way in which the information security management system (ISMS) functions with the help of various channels and to check if the results are in line with the set objectives
  • The ACT phase – the aim of this phase is to improve everything that was simply insufficient in the preceding phase.

These four phases are part of a never-ending cycle, and each of the activities requires the cyclical application to promote ISMS effectiveness.

Sound of Data attaches significant importance to the continuous improvement of its service and uses both ISO standards to enhance the quality of its operational processes on an ongoing basis. Similarly, security procedures are also improved continuously by monitoring and auditing these processes as appropriate.

In addition to this, accredited external accountants perform an annual audit to assess the level of compliance with ISO requirements.

Should deviations become apparent in the functioning and quality of the processes or if potentially unsafe situations develop with regard to information security breaches or those pertaining to information processing systems, Sound of Data shall take appropriate measures according to established procedures to resolve these deviations once and for all. These processes are then subject to tightened internal control until it can be certified that the process is back on track and/or that information security can be guaranteed. In the event of a data leak, Sound of Data will immediately inform its clients potentially impacted by the leak and in joint consultation notify the Dutch Data Protection Authority (the Dutch DPA).

With regard to the identified deviations, Sound of Data shall develop an Action Plan and fine-tune the ‘Design, Develop and Deliver’ process where necessary and place it under closer supervision. The communicative aspect and client approval procedures weigh particularly heavily in this respect.