Self-Assessment Sheet
Evaluation of VERCOM S.A. as a personal data processor. This document has been prepared in response to the most frequently asked questions by Vercom S.A. clients regarding information security and the processing of entrusted personal data.
VAT ID: 7811765125
REGON: 300061423
KRS (National Court Register): 535618
LEI: 259400P9VT804CUH6G16
EUID: PLKRS.0000535618
Scope of Services
Vercom develops global cloud-based communication platforms (CPaaS) that enable companies to build and cultivate lasting relationships with their audiences across multiple communication channels, including SMS, EMAIL, PUSH, and OTT. Our solutions help our clients and partners overcome communication complexities, enabling them to automate and scale operations while maintaining high deliverability and efficiency. All of this is achieved in a fast, secure, and reliable manner.
Within the scope of the services provided, Vercom S.A. acts as a personal data processor. Vercom does not determine the purposes of personal data processing. To the necessary extent, Vercom supports Data Controllers in fulfilling their obligations arising from legal regulations.
FREQUENTLY ASKED QUESTIONS (FAQ)
Data Protection Officer (DPO)
Has the Processor appointed a Personal Data Protection Officer?
Yes, VERCOM S.A. has appointed a Data Protection Officer.
Please provide contact details for the Personal Data Protection Officer.
Marika Rybarczyk - [email protected]
Are the activities of the Data Protection Officer (the person responsible for the personal data protection area) documented?
Yes, the DPO's activities are documented.
Data Controller
Have procedures been implemented for the exercise of data subject rights (right to information, access to data and copies thereof, rectification or completion, erasure, restriction of processing, data portability, objection, and not being subject to automated profiling)?
Yes, to the extent that these obligations rest upon Vercom S.A. as the Data Controller.
Does the processing entity maintain a registry of requests from data subjects?
As a processor, we do not maintain a registry of requests from data subjects, as these matters are the responsibility of the Data Controller.
Are there designated persons responsible for maintaining contact with the Controller entrusting the processing?
Yes.
Entrustment and Sub-processing of Personal Data
How many sub-contractors does the processor use and to what extent?
The list of processors may vary depending on the service provided. Details are regulated by the concluded Data Processing Agreement (DPA).
What is the subject matter, nature, and purpose of the personal data processing?
Processing takes place for the purpose of providing the Service to the Client based on the Main Agreement and to fulfill Vercom's obligations under this Data Processing Agreement, particularly regarding data security, including ensuring its integrity and availability.
What is the duration of the processing?
The data processing period shall be the same as the period of Service provision under the Main Agreement, with the proviso that the Data Processing Agreement remains in force until the data is deleted in accordance with its provisions.
What categories of natural persons does the agreement cover?
The processed personal data concerns the following categories of natural persons:
End users – natural persons who are recipients of electronic communication sent by the Client under the Main Agreement.
What types of special categories of personal data are covered by the agreement?
The processed special categories of personal data include the following categories: Not Applicable.
Have all sub-contractors used during service provision been vetted to ensure an appropriate level of personal data protection?
Yes, sub-contractors are subject to annual assessment.
Is a record kept of suppliers to whom you entrust or sub-entrust personal data processing?
Yes, a detailed list of Vercom S.A. sub-processors is maintained (last update 12 August 2025), as well as a Record of Processing Activities at VERCOM S.A.
Have internal regulations been prepared and implemented regarding supervision and monitoring of personal data processing?
Yes. Periodic internal and external audits are conducted. Testing takes place at least once every 12 months, or more frequently if necessary.
Where is the entrusted data stored?
All operations performed on personal data take place within the IT system. Data entrusted for processing is not stored on employee computers. Vercom does not process personal data in paper form within the scope of the provided services. All personal data entrusted to us for processing is stored in an external server facility that meets the highest security standards and is protected there by multi-level security measures.
How does the entity ensure the separation of data entrusted by the Controller from data of other entities, including its own data?
Logical data separation is applied in the Vercom systems made available as part of the provided services.
Implementation of the Information Security Management System (ISMS)
Have an Information Security Policy and regulations regarding personal data processing and protection been implemented?
Yes.
Has an IT systems management instruction for personal data processing or other internal regulations regarding IT infrastructure management been implemented?
Yes.
Have the implemented Information Security Policy and regulations regarding personal data protection been approved by senior management?
Yes.
Do you ensure the ability to continuously ensure the confidentiality, integrity, availability, and resilience of processing systems and services?
Yes.
Are the Information Security Policy and regulations regarding personal data protection published and available to Personnel (employees/contractors)?
Yes.
Risk Assessment
Is there an implemented methodology for assessing the risk of infringing upon the rights or freedoms of natural persons?
Yes.
Is risk assessment performed periodically? Please provide the date of the last risk assessment.
Yes, 8 August 2025.
Business Continuity
Are mechanisms applied to monitor and detect activities that may impact information security and business continuity?
Yes, a range of solutions has been deployed to monitor system events and alert on detected anomalies. Additionally, the company maintains an in-house cybersecurity team that conducts regular tests of the implemented solutions.
Is regular testing and assessment of the effectiveness of implemented technical and organizational measures ensuring the security of processing applied?
Yes, as part of annual BCP testing.
Management of Security Incidents and Personal Data Breaches
Has the provider established procedures for handling personal data protection breaches (security incidents)?
Yes, a formal process for handling all personal data breaches and security incidents exists and has been implemented; all personal data breaches and security incidents are reported to senior management, registered, and handled by designated personnel.
What is the number of breaches reported to the Personal Data Protection Office (UODO) within the last 12 months?
None.
Has a breach of personal data protection by the provider ever been established by a final decision of a supervisory authority or a final court judgment?
No.
Information Classification
Is an information classification and categorization scheme based on sensitivity implemented in the organization?
Yes.
Do regulations regarding processed information cover: secure processing, storage, transmission, transport, destruction, and reclassification of information?
Yes.
Are employees informed about the classification methods and information processing procedures in force within the organization?
Yes.
Personnel
Have employees/collaborators been obligated to maintain the confidentiality of personal data?
Yes. Upon employment, every employee and collaborator signs a confidentiality statement (NDA).
Are authorizations issued for employees involved in the personal data processing process?
Yes. Access to data is granted only to duly authorized employees. Access is granted on a strict "need-to-know" basis – solely to the extent necessary to perform duties at a given position.
Do employees receive ID badges and are they required to wear them?
Every employee possesses an access control card and is required to carry it. Each badge is assigned to a specific user and serves to gain access to office premises. Every use of the badge is logged in the system.
Is training organized for newly hired employees before undertaking personal data processing activities?
Yes, the ISO Representative conducts basic training for the newly hired Employee regarding personal data processing in the company and workplace rules (Job Instruction), and familiarizes them with the Information Security Policy.
Does the organization ensure ongoing improvement of its employees'/collaborators' knowledge through cyclical training and other activities aimed at raising awareness regarding personal data protection?
At least once a year, the IMS Representative (Integrated Management System) organizes mandatory training for Employees regarding personal data processing in the Company and workplace rules. Employees participate in training in accordance with procedures PBI 04 Annex 1 "Access and Resource Management Instruction". Last training: 29 December 2025.
Is pre-employment screening conducted?
Yes. A system of employee verification procedures (background checks) has been implemented and is applied.
Does the company collect statements of no criminal record from employees?
Yes, employees sign relevant statements and are obliged to inform the employer in the event of any changes.
Access Control and Management
Does the company have a regulated password policy?
Yes, a consistent password policy has been implemented.
Is there an access and identity management procedure?
Yes, in accordance with PBI - 04 Annex 01 "Access Management Instruction at Vercom S.A."
Do you ensure accountability of persons using IT resources and data through digital identity management and logging of activities assigned to these identities?
Yes.
Does the procedure ensure securing, blocking, or deleting default accounts such as generic accounts (built-in accounts), non-personalized accounts, and guest accounts?
The system does not allow the creation of generic, non-personalized, or guest accounts.
Remote Access
Is remote access to organizational resources regulated by internal procedures?
Yes, in accordance with the documented and implemented Procedure: "Use of IT Resources by Users".
Is remote access authorized by senior management for each individual employee or group of employees?
Yes.
Are security requirements applicable within the organization taken into account for remote access?
Yes.
Are employees informed about the risks associated with work utilizing remote access?
Yes. Every newly hired employee and collaborator undergoes mandatory training in this area.
Portable and Mobile Devices
Are rules for the use of portable devices described, documented, and implemented?
Yes, in the Procedure: "Use of IT Resources by Users".
Is the use of private portable devices regulated in internal instructions?
Yes. The use of private portable devices is regulated, described, documented, and implemented in internal instructions: PBI - 04 "Use of IT Resources by Users".
Are portable devices protected by virus/malware detection software? Is this software and its updates centrally managed?
Yes, in accordance with implemented procedures regarding mobile devices used by employees. Mobile devices have access control configured; they are protected by anti-malware and anti-virus software. This software and its updates are centrally managed.
Are all portable devices used in the organization registered in a central registry?
Yes, a hardware register is maintained.
Are cryptographic techniques applied to mobile devices?
Yes, we have a documented and implemented Procedure for Security and Cryptographic Key Management, which also relates to the security of mobile device usage.
Are only administrator-authorized portable media allowed for use within the organization?
In accordance with our Procedure "Use of IT Resources by Users," there is a strict prohibition on the use of external information storage media. External drives may only be used by selected IT department employees and System Administrators, following the prior consent of the DPO and the IMS Representative. They are subject to detailed guidelines, their number is strictly limited, they are logged, encrypted, and subject to annual reviews. No personal data may be stored on them.
Are rules for the destruction of portable data media, as well as data stored on these media, regulated in internal instructions?
Yes. Everything is conducted in accordance with the documented and implemented Vercom Data Retention Procedure and the IT System Management Instruction, in a manner appropriate to the data category.
Document Destruction
Are printouts managed appropriately within the organization, and does a management procedure exist?
Yes. Handling of printouts is described in the implemented and documented procedure: DO - 02 "IT System Management Instruction". Unnecessary documents are destroyed in a manner that prevents their reading, e.g., using shredders with an appropriate security level (recommended for destroying documents containing personal data such as name, surname, email address, etc.) and by a specialized external company dedicated to document destruction.
Have employees been obligated to immediately collect printouts containing personal data or other confidential information from printers?
Yes. In accordance with the implemented and documented procedure: DO - 02 "IT System Management Instruction".
Server Security
Does the data center possess appropriate security measures?
The facility meets the requirements of the international Tier III standard. The data center is equipped with, among other things, an air conditioning system, an Uninterruptible Power Supply (UPS) system, and a fire suppression system. Redundant power supply systems (e.g., in servers) are utilized. Air conditioning and UPS systems are regularly tested.
Network Security
Do you provide measures for filtering/blocking inbound and outbound network traffic to protect data and resources against intentional or accidental breaches of confidentiality, integrity, or availability?
Yes.
What security measures are implemented at the interface with the public network?
The wireless network is separated from the internal LAN by firewall rules. Access to the local network and to remote networks (e.g., the Internet) is granted on the basis of a request from the employee's supervisor, or directly from the Department Head, submitted as an email ticket to the System Administrator requesting IT resource access and system privileges (login, password, email). URL filtering is applied: the organization defines which URLs are blocked and designates those that are permitted.
Physical Security
Are physical security measures implemented in the building (e.g., camera system, secure locks, ID badges, access control)?
Access to the building is granted exclusively to authorized personnel. Security measures include locks on all entrances operated via personalized keycards, CCTV monitoring, and security gates/turnstiles.
Based on risk analysis, have adequate organizational and technical measures been implemented to ensure an appropriate level of security for the confidentiality, integrity, availability, and resilience of systems and services?
Yes.
Is access to premises at the disposal of the Processor impossible for third parties after working hours, and is access for cleaning staff and security detailed and supervised?
Access is restricted to authorized persons only, with personalized keycard locks on all entrances. Personal data entrusted to us for processing is NOT stored in the office buildings where we work. All personal data entrusted to us for processing is stored in an external Data Center that meets the highest security standards and is protected there by multi-level security measures (SOC 2 certification). After working hours, cleaning staff may be present in the office building, and in emergency situations building security may also have access. This is foreseen in our procedures related to the implemented ISO 27001 standard. We have signed Non-Disclosure Agreements (NDAs) with every individual, including cleaning staff working after hours. However, the specific locations where data is stored are NOT accessible to third parties after working hours.
Cloud Computing
Will personal data entrusted for processing be processed in cloud computing?
Yes. Our service constitutes a specific form of public cloud computing, entirely created and managed by Vercom S.A. – we do not use a third-party cloud service provider; we are the provider ourselves. By cloud computing we mean not merely "resources" or "virtual space" in the commonly perceived sense, but also services, infrastructure, and application development platforms. Our service should therefore be defined as a hybrid solution, i.e., a combination of service, platform, and infrastructure. The term CPaaS (Communications Platform as a Service) has also become common, denoting a solution dedicated to communication between businesses and their customers via a dedicated platform that organizes this communication process.
Are external audits of provided cloud services conducted?
Yes. A security audit is conducted based on the OWASP TOP 10 (Open Web Application Security Project TOP 10 vulnerabilities) and the OWASP ASVS methodology. Additionally, an audit is conducted in connection with ISO 27001 and ISO 27018 certification.
Data Protection Measures
Please indicate the organizational measures for Personal Data protection.
Refer to the "Security Measures" section.
Last updated