Information security and personal data protection

The business we have created is associated with the intensive use of personal data, so we recognize that data protection is paramount to business continuity and apply the highest standards to ensure it. We are committed to secure data management throughout its lifecycle.

Most of the information we create and use in our work is either for internal use only or will only be publicly disclosed at certain times and for a specific purpose. Confidential information can take many forms, including trade secrets, research and financial projections, and consumer data.

The trust of our customers and partners is critical to our business. Treating personal data with due care and respect is necessary to build trust, protect our company's reputation and achieve our strategic goals.

Cyber security

Our information security management system is a structure based on three pillars: people, processes and technology, in accordance with the ISO 27001 standard.

People

Attention from the company's top management and ongoing staff training allows the organization not only to comply with complex and changing data protection regulations, but also to help raise the awareness of internal and external stakeholders.

All employees of our company must:

• keep confidential commercial and industrial secrets, as well as other information that has become available as a result of an employment relationship, including in relation to family members or friends. This applies to information about commercial partners and customers that is not publicly available. The obligation to maintain trade secrets remains in effect after the termination of the employment relationship.
• protect company confidential information from inadvertent disclosure by never creating, accessing or using our confidential information in a public environment where it can be overheard or viewed.
• protect confidential information from theft by using only company-provided tools and software, and create and store passwords in accordance with our policies and standards.
• comply with our IT infrastructure and information security policies and standards as well as our policies regarding disclosure to social media or other channels.

Training and awareness campaigns for all employees ensure that a high level of personal data protection is maintained in all business processes.

A thorough background check of potential employees is an essential part of our company's recruitment process.

Processes

Any disclosure of confidential information outside the company and for some types of information even within the company is strictly controlled to best protect the interests of our company, partners, consumers and employees. It is imperative that information security best practices be followed to ensure that these interests are adequately protected. It is also crucial to remain vigilant against inadvertent disclosure of company confidential information, which can be as damaging to the company as intentional disclosure.

The processing of personal data in our company is automated, given the significant volumes of personal data that we process and the need for security, speed and reliability of their maintenance. In order to reduce the risk, customers' personal data is deleted after the processing of documents is completed.

We conduct regular IT audits to ensure the confidentiality, availability and integrity of information, as well as the compliance of the information security management system with laws, data protection standards and policy regarding the processing of personal data and identify weaknesses in information systems.

Technology

All the information we generate is stored digitally in our DMS system. Information security is the practice of protecting information by restricting any unauthorized or otherwise improperly obtained access to, disclosure, destruction, alteration or copying of such information.

We use advanced security practices to strengthen our protection against cyber attacks. Each of our branches has an encrypted VPN connection and is protected by firewalls. Personnel only have access to the applications for which they are responsible and also have limited access within the application. Each server is located in an ISO 27001 certified data center and has its own firewall and antivirus. All traffic in and out of our network is encrypted and constantly monitored, and if unusual behavior is detected, immediate action is taken.

To ensure information security, we have implemented and use a Defense in Depth (DiD) strategy, which includes a set of multi-layered and redundant procedures and means of physical and administrative control, as well as technical protection against various threats, such as:

Personal data protection

Our privacy management principles comply with the "gold standard" of the EU General Data Protection Regulation (GDPR). We consistently apply these principles around the world as a minimum standard for managing the information that our clients have entrusted to us, even if this is not required in specific countries.

Personal data is any information that directly or indirectly identifies and describes an individual. This personal information may relate to consumers, our work colleagues, our business partners or other third parties. Privacy is the right of individuals to know and influence how and why their personal information is collected and processed. In addition, almost everywhere we do business, there are privacy laws in place. Any failure to comply with these laws may result in fines, lawsuits or criminal prosecution against both the company and our individual employees.

Therefore, all employees must:

• process, disclose or otherwise use protected personal data only for authorized purposes and only within the scope of their job duties. The obligation to maintain the confidentiality of personal data remains even after leaving the company.
• ensure that personal information is not disclosed to unauthorized internal or external parties.
• when in doubt, ask your supervisor how to handle personal information.
• report any known or suspected unauthorized use or disclosure of personal data immediately.

All our employees understand their responsibilities and are accountable for ensuring that their activities comply with the principles and laws on the personal data protection .

Our privacy principles:

1. Transparency: We inform customers about how we plan to use their personal data.
2. Fair and lawful Use: We only use customer personal information in accordance with applicable law and only when we have a legitimate reason to do so.
3. Purpose limitation: We use customer information only for specific purposes and in no other way.
4. Data minimization: We do not retain any customer data for longer than is necessary to provide the requested service or to pursue our legitimate interests. No copies of applicants' data are made or stored, either digitally or physically.
5. Privacy by design: We make sure that our services and technologies are designed with the privacy of our customers in mind.
6. Data accuracy: We strive to maintain appropriate data quality standards.
7. People's rights: We respect people's right to privacy.
8. Data security: We maintain appropriate standards for protecting personal data and delete it as soon as it is no longer needed, in accordance with data protection laws.
9. Data transfer: If we need to transfer customer information to a third party, we make sure that such transfer is secure and in accordance with the law. For example, paper documents are sent only by reliable courier services.
10. Third parties: When we choose a third party service provider, we implement due diligence, monitoring, and security measures to ensure that our customers' information is adequately protected and legal requirements are met.

Measures to ensure the security of personal data:

• The online application form is stored in a secure, ISO 27001 certified data center, fully encrypted and has controlled access.
• Physical media is securely guarded for access control purposes, and any electronic data is encrypted.
• Data is transmitted securely only in encrypted form and only over encrypted transmission channels.
• All data is deleted at the end of the order processing period. We delete all data after the statutory deadlines.

Business continuity and disaster recovery for ensuring business resilience

Failures or business disruption due to a cyberattack can have devastating consequences for a company and may disrupt the entire supply chain, leading to financial and reputational losses. In today's digital-dependent world, every second counts. The longer the recovery time, the greater the negative impact on the business.

Each server is located in an ISO 27001 certified data center and has its own firewall.

As with online banking, your access is only through a secure, SSL-encrypted connection.

Our company complies with the EU General Data Protection Regulation (GDPR). GDPR regulation is the most stringent in the world.

Speak Up!

We encourage employees and partners to report possible misconduct and ethical breaches confidentiality and, if desired, anonymously.

In line with our principles, we provide support and protection to people who report issues. We do not condone or tolerate any acts of retaliation against those who speak out.

Contact by e-mail: compliance-hotline@schmidt-export.com