Self-Assessment Sheet
Evaluation of VERCOM S.A. as a personal data processor. This document has been prepared in response to the most frequently asked questions by Vercom S.A. clients regarding information security and the processing of entrusted personal data.
VAT ID: 7811765125
REGON: 300061423
KRS (National Court Register): 535618
LEI: 259400P9VT804CUH6G16
EUID: PLKRS.0000535618
Scope of Services
Vercom develops global cloud-based communication platforms (CPaaS) that enable companies to build and cultivate lasting relationships with their audiences across multiple communication channels, including SMS, EMAIL, PUSH, and OTT. Our solutions help our clients and partners overcome communication complexities, enabling them to automate and scale operations while maintaining high deliverability and efficiency. All of this is achieved in a fast, secure, and reliable manner.
Within the scope of the services provided, Vercom S.A. acts as a personal data processor. Vercom does not determine the purposes of personal data processing. To the necessary extent, Vercom supports Data Controllers in fulfilling their obligations arising from legal regulations.
FREQUENTLY ASKED QUESTIONS (FAQ)
Data Protection Officer (DPO)
Has the Processor appointed a Personal Data Protection Officer?
Yes, VERCOM S.A. has appointed a Data Protection Officer.
Please provide contact details for the Personal Data Protection Officer.
Marika Rybarczyk - [email protected]
Are the activities of the Data Protection Officer (the person responsible for the personal data protection area) documented?
Yes, the DPO's activities are documented.
Data Controller
Have procedures been implemented for the exercise of data subject rights (right to information, access to data and copies thereof, rectification or completion, erasure, restriction of processing, data portability, objection, and not being subject to automated profiling)?
Yes, to the extent that these obligations rest upon Vercom S.A. as the Data Controller.
Notifications are forwarded to Data Controllers in accordance with procedure DO-01 Att. 10 Procedure for handling Complaints from Data Subjects.
Does the processing entity maintain a registry of requests from data subjects?
As a processor, we do not maintain a registry of requests from data subjects, as these matters are the responsibility of the Data Controller.
All requests received from Data Subjects are immediately forwarded to the Data Controllers in accordance with the Data Processing Agreement (DPA), and the reporting entity is informed that the data has been transferred to the Data Controller. The Processor supports the Data Controllers in fulfilling their obligation to respond to requests from data subjects.
Are there designated persons responsible for maintaining contact with the Controller entrusting the processing?
Yes.
The first line of support is the Business Account Manager and the Customer Service Office; every Data Controller also has the option to contact the DPO directly.
Entrustment and Sub-processing of Personal Data
How many sub-contractors does the processor use and to what extent?
The list of processors may vary depending on the service provided. Details are regulated by the concluded Data Processing Agreement (DPA).
List available in the "Scope and Purpose of Personal Data Processing" tab.
What is the subject matter, nature, and purpose of the personal data processing?
Processing takes place for the purpose of providing the Service to the Client based on the Main Agreement and to fulfill Vercom's obligations under this Data Processing Agreement, particularly regarding data security, including ensuring its integrity and availability.
What is the duration of the processing?
The data processing period shall be the same as the period of Service provision under the Main Agreement, with the proviso that the Data Processing Agreement remains in force until the data is deleted in accordance with its provisions.
What categories of natural persons does the agreement cover?
The processed personal data concerns the following categories of natural persons:
End users: natural persons who are recipients of electronic communication sent by the Client under the Main Agreement.
What types of special categories of personal data are covered by the agreement?
The processed special categories of personal data include the following categories: Not Applicable.
Are there established mechanisms for storage, deletion, and anonymization of personal data?
Yes.
PBI - 01 Att. 07 VERCOM Data Retention Procedure. These issues are additionally regulated in the Data Processing Agreement. Data is deleted within 3 business days of the termination or expiration of the Main Agreement. Personal Data is automatically deleted unless an obligation to retain it arises from applicable laws binding on Vercom. Backup data is deleted after two years.
Have all sub-contractors used during service provision been vetted to ensure an appropriate level of personal data protection?
Yes, sub-contractors are subject to annual assessment.
Is a record kept of suppliers to whom you entrust or sub-entrust personal data processing?
Yes, a detailed list of Vercom S.A. sub-processors is maintained (last update 12 August 2025), as well as a Record of Processing Activities at VERCOM S.A.
Have internal regulations been prepared and implemented regarding supervision and monitoring of personal data processing?
Yes. Periodic internal and external audits are conducted. Testing takes place at least once every 12 months, or more frequently if necessary.
January 2026: internal and external ISO 22301 audit.
September 2025: internal and external ISO 27001 and 27018 audit.
Internal audits concluded with the creation of an audit report and a review of the Information Security Management System's functioning.
Verification of compliance with ISO 22301, ISO 27001, and 27018 was performed.
External audits concluded with obtaining a certificate of compliance.
The audits covered the entire organization and all required standards, as well as the measurement of security safeguard effectiveness.
Where is the entrusted data stored?
All operations performed on personal data take place within the IT system. Data entrusted for processing is not stored on employee computers. Vercom does not process personal data in paper form within the scope of the provided services. All personal data entrusted to us for processing is stored in an external server facility that meets the highest security standards and is subject to multi-level security measures there.
How does the entity ensure the separation of data entrusted by the Controller from data of other entities, including its own data?
Logical data separation is applied in the Vercom systems made available as part of the provided services.
Does the Processor apply an approved code of conduct as referred to in Article 40 of the GDPR?
No.
We are not subject to the requirement of applying approved codes of conduct.
Does storage and processing of data take place only within the EEA?
Yes.
The main server environment within VERCOM CPaaS is located in the EEA. All subsequent sub-processors provide services regionalized within PL (Poland), the EU, or the EEA. We do not process data outside the EEA.
Do you have procedures regarding backups of the processed data?
Yes.
In accordance with the documented and implemented policy, backups are performed once a day; backup copies are stored for 2 years and are encrypted. Backups are kept only within the EEA in external server rooms with the highest security standards, subject to multi-level protection.
Implementation of the Information Security Management System (ISMS)
Have an Information Security Policy and regulations regarding personal data processing and protection been implemented?
Yes.
Implemented and confirmed by ISO 27001, ISO 22301, and ISO 27018 certificates.
PBI - 01 Information Security Process Book
DO-01 Personal Data Security Policy
Has an IT systems management instruction for personal data processing or other internal regulations regarding IT infrastructure management been implemented?
Yes.
Implemented and documented procedure DO-02 IT System Management Instruction
Have the implemented Information Security Policy and regulations regarding personal data protection been approved by senior management?
Yes.
Do you ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services?
Yes.
Are the Information Security Policy and regulations regarding personal data protection published and available to Personnel (employees/contractors)?
Yes.
Does the processor implement the principle of Data Protection by Design?
Yes.
We operate in accordance with the Privacy by Design and Privacy by Default principles.
Does the processor implement the principle of Data Protection by Default?
Yes.
We operate in accordance with the Privacy by Design and Privacy by Default principles.
Risk Assessment
Is there an implemented methodology for assessing the risk of infringing upon the rights or freedoms of natural persons?
Yes.
Implemented procedure DO-03 Personal Data Risk Assessment Methodology
Is there an implemented methodology for Data Protection Impact Assessment (DPIA)?
Yes.
Implemented procedure DO-03 Personal Data Risk Assessment Methodology
Is risk assessment performed periodically? Please provide the date of the last risk assessment.
Yes, 8 August 2025.
In accordance with the implemented and documented Risk Assessment procedure, a Risk Assessment Sheet is maintained in electronic form. Risk assessment is performed once a year, and additionally whenever necessary due to planned actions.
Business Continuity
Are mechanisms applied to monitor and detect activities that may impact information security and business continuity?
Yes, a range of solutions has been deployed to monitor system events and alert on detected anomalies. Additionally, the company maintains an in-house cybersecurity team that conducts regular tests of the implemented solutions.
Has a Business Continuity Plan (BCP) and/or Disaster Recovery Plan (DRP) been implemented?
Yes.
A Business Continuity Plan (BCP) has been developed and implemented and is regularly tested (at least once a year); see PBI - 01 Att. 03 Business Continuity Plan (BCP) scheme. Vercom also has a Disaster Recovery Plan (DRP).
Is regular testing and assessment of the effectiveness of implemented technical and organizational measures ensuring the security of processing applied?
Yes, as part of annual BCP testing.
Management of Security Incidents and Personal Data Breaches
Has the provider established procedures for handling personal data protection breaches (security incidents)?
Yes, a formal process for handling all personal data breaches and security incidents exists and has been implemented; all personal data breaches and security incidents are reported to senior management, registered, and handled by designated personnel.
We have a documented and implemented PBI - 03 Security Incident Management procedure; we possess full documentation, including supervisory documentation, within which PBI-03 Att. 1 Register of Personal Data Breaches and Incidents at VERCOM S.A. is maintained.
What is the number of breaches reported to the Personal Data Protection Office (UODO) within the last 12 months?
None.
Has a breach of personal data protection by the provider ever been established by a final decision of a supervisory authority or a final court judgment?
No.
Information Classification
Is an information classification and categorization scheme based on sensitivity implemented in the organization?
Yes.
Do regulations regarding processed information cover: secure processing, storage, transmission, transport, destruction, and reclassification of information?
Yes.
Are employees informed about the classification methods and information processing procedures in force within the organization?
Yes.
Personnel
Have employees/collaborators been obligated to maintain the confidentiality of personal data?
Yes. Upon employment, every employee and collaborator signs a confidentiality statement (NDA).
Are authorizations issued for employees involved in the personal data processing process?
Yes. Access to data is granted only to duly authorized employees. Access is granted on a strict "need-to-know" basis, solely to the extent necessary to perform duties at a given position.
A register of persons authorized to process personal data is maintained and updated on an ongoing basis.
Do employees receive ID badges and are they required to wear them?
Every employee possesses an access control card and is required to carry it. Each badge is assigned to a specific user and serves to gain access to office premises. Every use of the badge is logged in the system.
For security reasons, the badges bear no company or employee markings, so that a lost badge does not encourage a potential finder to use it.
Is training organized for newly hired employees before undertaking personal data processing activities?
Yes, the ISO Representative conducts basic training for the newly hired Employee regarding personal data processing in the company and workplace rules (Job Instruction), and familiarizes them with the Information Security Policy.
Does the organization ensure ongoing improvement of its employees'/collaborators' knowledge through cyclical training and other activities aimed at raising awareness regarding personal data protection?
At least once a year, the IMS Representative (Integrated Management System) organizes mandatory training for Employees regarding personal data processing in the Company and workplace rules. Employees participate in training in accordance with procedures PBI 04 Annex 1 "Access and Resource Management Instruction".
Last training: 29 December 2025.
In addition to annual mandatory training on both GDPR and ISO, employees and associates participate in additional cybersecurity training conducted by the CISO; as part of good practices, a "Cyber Tuesdays" training cycle operates within the organization. We also enable participation in additional training related to digital threats, and furthermore, every employee familiarizes themselves with the detailed Job Instruction immediately after employment. Specialized IT department training is also cyclical and mandatory, as are training cycles dedicated to Customer Service Office (BOK) employees. We regularly ensure continuous improvement and qualification enhancement of employees and associates by providing them with access to appropriate training dedicated to their department.
Is pre-employment screening conducted?
Yes. A system of employee verification procedures (background checks) has been implemented and is applied.
Verification includes, among others, reviewing employee references, analyzing qualifications, as well as the following aspects:
confirmation of identity based on an appropriate document (ID card or passport)
confirmation of holding appropriate academic qualifications (based on certificates/diplomas/completion certificates)
confirmation of declared professional experience (in the CV and references).
Does the company collect statements of no criminal record from employees?
Yes, employees sign relevant statements and are obliged to inform the employer in the event of any changes.
Access Control and Management
Does the company have a regulated password policy?
Yes, a consistent password policy has been implemented.
Strict rules are established for password creation, transmission, access, storage, rotation, and password history depending on the system and account type. Every employee and associate stores passwords in a password manager (KeePassXC).
Is there an access and identity management procedure?
Yes, in accordance with PBI - 04 Annex 01 "Access Management Instruction at Vercom S.A."
Access granting is based solely on management approval; employees must possess unique identifiers and are prohibited from sharing individual passwords with others. A procedure for user authentication in the IT system is implemented in the IT System Management Instruction. Every employee has an individual account, login, and password.
Do you ensure accountability of persons using IT resources and data through digital identity management and logging of activities assigned to these identities?
Yes.
Does the procedure ensure securing, blocking, or deleting default accounts such as generic accounts (built-in accounts), non-personalized accounts, and guest accounts?
The system does not allow the creation of generic, non-personalized, or guest accounts.
Remote Access
Is remote access to organizational resources regulated by internal procedures?
Yes, in accordance with the documented and implemented Procedure: "Use of IT Resources by Users".
Is remote access authorized by senior management for each individual employee or group of employees?
Yes.
Are security requirements applicable within the organization taken into account for remote access?
Yes.
Are employees informed about the risks associated with work utilizing remote access?
Yes. Every newly hired employee and collaborator undergoes mandatory training in this area.
Portable and Mobile Devices
Are rules for the use of portable devices described, documented, and implemented?
Yes, in the Procedure: "Use of IT Resources by Users".
Is the use of private portable devices regulated in internal instructions?
Yes. The use of private portable devices is regulated, described, documented, and implemented in internal instructions: PBI - 04 "Use of IT Resources by Users".
The use of private portable devices within the organization is strictly prohibited.
Are portable devices protected by virus/malware detection software? Is this software and its updates centrally managed?
Yes, in accordance with implemented procedures regarding mobile devices used by employees. Mobile devices have access control configured; they are protected by anti-malware and anti-virus software. This software and its updates are centrally managed.
Are all portable devices used in the organization registered in a central registry?
Yes, a hardware register is maintained.
Data entrusted for processing is processed exclusively within the IT system and is not transmitted outside of it.
Are cryptographic techniques applied to mobile devices?
Yes, we have a documented and implemented Procedure for Security and Cryptographic Key Management, which also relates to the security of mobile device usage.
Are only administrator-authorized portable media allowed for use within the organization?
In accordance with our Procedure "Use of IT Resources by Users," there is a strict prohibition on the use of external information storage media. External drives may only be used by selected IT department employees and System Administrators, following the prior consent of the DPO and the IMS Representative. They are subject to detailed guidelines, their number is strictly limited, they are logged, encrypted, and subject to annual reviews. No personal data may be stored on them.
Data entrusted for processing is processed exclusively within the IT system and is not transmitted outside of it.
Are rules for the destruction of portable data media, as well as data stored on these media, regulated in internal instructions?
Yes. Everything is conducted in accordance with the documented and implemented Vercom Data Retention Procedure and the IT System Management Instruction, in a manner appropriate to the data category.
Document Destruction
Are printouts managed appropriately within the organization, and does a management procedure exist?
Yes. Handling of printouts is described in the implemented and documented procedure: DO - 02 "IT System Management Instruction". Unnecessary documents are destroyed in a manner that prevents their reading, e.g., using shredders with an appropriate security level (recommended for destroying documents containing personal data such as name, surname, email address, etc.) and by a specialized external company dedicated to document destruction.
Data entrusted for processing is processed exclusively within the IT system. Vercom does not process Client data in paper form.
Have employees been obligated to immediately collect printouts containing personal data or other confidential information from printers?
Yes. In accordance with the implemented and documented procedure: DO - 02 "IT System Management Instruction".
Vercom does not process Client data in paper form.
Server Security
Does the data center possess appropriate security measures?
The facility meets the requirements of the international Tier III standard. The data center is equipped with, among other things, an air conditioning system, an Uninterruptible Power Supply (UPS) system, and a fire suppression system. Redundant power supply systems (e.g., in servers) are utilized. Air conditioning and UPS systems are regularly tested.
More information regarding the security of the main server room used is available directly at https://www.beyond.pl/centra-danych/beyond-pl-data-center-1/
Network Security
Is the internal network separated from the Internet by Firewall/IPS/IDS devices?
Yes.
PBI - 04 Use of IT Resources by Users 1.2; PBI - 05 Use of Resources - Administrators 1.2
Do you provide measures for filtering/blocking inbound and outbound network traffic to protect data and resources against intentional or accidental breaches of confidentiality, integrity, or availability?
Yes.
What security measures are implemented at the interface with the public network?
The wireless network is separated from the internal LAN via Firewall rules. Access to the local network and remote networks (e.g., the Internet) is granted based on a request from the employee's supervisor, submitted via an email ticket to the System Administrator requesting IT resource access and system privileges (login, password, email), or directly by the Department Head. URL Filtering: The organization defines which URLs are blocked and designates those that are permitted.
Logs
How are logs analyzed?
Network logs are analyzed automatically, and manually when a specific event needs to be investigated.
Data Security at Rest and in Transit
Do we have a procedure regulating data encryption at rest and in transit?
Yes, in accordance with the implemented policy PBI - 04 Att. 02 Cryptographic Key and Security Management Procedure.
Data in transit is encrypted using the SSL protocol. Long-term data storage in the form of backups is fully encrypted. Operational data is not encrypted, for optimization reasons.
Change Management and Software Development
Do we have implemented procedures and processes regarding infrastructure and software in terms of acquisition, testing, security, maintenance, retirement, and others, based on current best practices in information security and regulatory requirements?
Yes.
Is the software development and management cycle conducted in accordance with a documented procedure accepted by management, enforcing a predefined path for promoting systems and applications (through successive environments and phases during their development)?
Yes.
Does the development and testing of IT systems/applications take place exclusively outside the production environment?
Yes.
Is there a segregation/separation of the production environment from development, test, or acceptance environments?
Yes.
Are solutions such as automatic (static) code review/analysis, dynamic code analysis, vulnerability scanning, penetration testing, and peer code review used for software security testing?
Yes.
Is control ensured over source code developed by the Provider or for the Provider?
Yes.
Code is developed in-house.
Are source code and related elements kept out of the production environment?
Yes.
Source code is stored in an independent environment.
Do we regularly perform penetration tests? With what frequency?
Yes. Vercom performs penetration tests in accordance with the "Vercom Vulnerability Management Process" document; we conduct cyclical internal and external penetration tests of our applications according to an established schedule.
Physical Security
Are physical security measures implemented in the building (e.g., camera system, secure locks, ID badges, access control)?
Access to the building is granted exclusively to authorized personnel. Security measures include locks on all entrances operated via personalized keycards, CCTV monitoring, and security gates/turnstiles.
According to the "Security Measures" tab.
Based on risk analysis, have adequate organizational and technical measures been implemented to ensure an appropriate level of security for the confidentiality, integrity, availability, and resilience of systems and services?
Yes.
Is access to premises at the disposal of the Processor impossible for third parties after working hours, and is access for cleaning staff and security detailed and supervised?
Access is restricted to authorized persons only, with personalized keycard locks on all entrances. Personal data entrusted to us for processing is NOT stored in the office buildings where we work. All personal data entrusted to us for processing is stored in an external Data Center that meets the highest security standards and is subject to multi-level security measures there (SOC 2 certification). After working hours, cleaning staff may be present in the office building, or in emergency situations, building security may also have access. This is foreseen in our procedures related to the implemented ISO 27001 standard. We have signed Non-Disclosure Agreements (NDAs) with every individual, including cleaning staff working after hours. However, the specific locations where data is stored are NOT accessible to third parties after working hours.
Cloud Computing
Will personal data entrusted for processing be processed in cloud computing?
Yes. Our service constitutes a specific form of public cloud computing, entirely created and managed by Vercom S.A.; we do not utilize a third-party cloud service provider; we are the provider ourselves. This is understood in the sense that cloud computing is not merely commonly perceived "resources" or "virtual space," but also services, infrastructure, and application development platforms. It should be defined as a hybrid solution, i.e., a combination of service, platform, and infrastructure. The term CPaaS (Communications Platform as a Service) has also become common, denoting a solution dedicated to communication between businesses and their customers via a dedicated platform that organizes this communication process.
Are external audits of provided cloud services conducted?
Yes, a security audit based on OWASP TOP 10 (Open Web Application Security Project TOP 10 vulnerabilities) and the OWASP ASVS methodology. Additionally, an audit is conducted in connection with ISO 27001 and ISO 27018 certification.
Data Protection Measures
Please indicate the organizational measures for Personal Data protection.
Refer to the "Security Measures" section.