Data security and customer privacy

With the large amounts of data about debtors and customers that we handle daily, data security and customer integrity is an important area of sustainability for us.

We have both a legal and ethical responsibility to handle sensitive information in a way that guarantees respect for personal integrity and that takes into account the human right to freedom from arbitrary interference with privacy.

Axactor respect the personal integrity of individuals. Different types of personal data are processed in different ways and situations, depending on whether a person is representative of a customer, vendor or public authority, debtor, employee, job applicant, visitor and so on. A robust data privacy framework is required when handling a huge amount of data including sensitive data related to individuals financial and, in many cases, vulnerable situations. As a listed company and with great respect for the trust given by partners and investors, Axactor focuses on safeguarding confidential information and trade secrets to which Axactor has access.

Data privacy and information security are more important than ever

One of our prioritized areas is activities related to secure data privacy and information security. Policies and procedures shall be adjusted to reflect the risk situation at all times. Data protection impact assessments shall be established for all relevant processing activities. Art. 30 registers, privacy declarations and cookie policies shall be updated. Retention periods shall be reviewed. We shall ensure that all data subjects receive correct information about our processing of their data. Data privacy agreements and our vendors processing of our data shall be reviewed.

Regardless of the situation, Axactor shall only process personal data in accordance with applicable data protection regulations. Appropriate technical and organizational measures shall be implemented in accordance with Regulation (EU) 2016/679 (GDPR) and local data protection laws.

Handling of personal data

Following the minimisation principle, only personal data necessary for the relevant processing shall be collected and only processed fairly and lawfully towards the data subject.

To ensure transparency and safeguard the rights of the data subject, information on Axactor’s data processing is provided at our web pages, in email and letters sent, in agreements, internal communication and external calls.

Personal data shall be deleted when we no longer have legal grounds for processing and the purpose is fulfilled. Anonymisation and pseudonymisation techniques shall be used to remove unnecessary personal data, e.g. during system testing activities. Axactor shall process requests from data subjects regarding their rights and informs of data breaches in a timely manner.

Internal focus on security

To build a solid security culture Axactor carries out awareness activities continuously. All employees receive regularly data privacy and information security awareness trainings including digital trainings covering both theoretical and technical aspects, more advanced trainings adjusted for respective job roles in combination with practical initiatives, e.g. phishing test campaigns to increase the employee’s awareness of potential threats and cybersecurity issues. Awareness activities must be adjusted to the risk situation.

The data privacy policy and IT and information security policy with detailed procedures applicable for all employees within the Group with clear roles and responsibilities are reviewed and approved annually by the Board. The Group CISO role, the security committees and the data protection officers (DPOs) at the group and country-level monitor risks and govern compliance and report to management regularly, and the Board’s audit committee at least quarterly. Data processing agreements are entered with all vendors processing data on Axactor’s behalf. The vendor responsible for most of the Group’s infrastructure confirms their compliance through independent third-party ISAE 34002 Type II and ISAE 3000 Type II audit reports. The main vendor for application operations and IT development is ISO 27001 certified.

Access management

Access management in Axactor is regulated by, among other things, a role-based access management system, CMDB (Configuration management database), common titles, single-sign-on as well as documented regular control activities. Practices and technology are adopted to preserve confidentiality, integrity and availability of data, through different forms of encryption, multi-factor authentication and vulnerability management. Automated internal security scans are performed regularly within the infrastructure area. A complementary external penetration test from an independent specialized company is conducted for an additional level of vulnerability identification.

Focus

Our focus is, among others, on repeatable and optimizing the information security processes, early detection and root-cause mitigation, automation of tools and workflows including improved incident reporting and continuous awareness.

For additional information, please contact

Vibeke Ly

Chief of Staff

+47 911 79 195

vibeke.ly@axactor.com