
POL Information security policy

Company Name: Indigo.ai
Effective date: 02/09/2025

Version history

Version: 1.0
Date: 02/09/2025
Description: -- N / D --
Author: Davide Sgro
Approved by: Gianluca Maruzzella

Purpose

The purpose of this policy is to declare and communicate Top Management's commitment to protecting the organization's information assets. This document defines the framework for establishing, implementing, maintaining, and continually improving the Information Security Management System (ISMS), with the aim of protecting the confidentiality, integrity, and availability of information and supporting the company's strategic objectives.

Table of Contents

- Field of Application
- Regulatory References
- Terms and Definitions
- Roles and Responsibilities
- Information Security Objectives
- Fundamental Information Security Principles
- Policy Governance and Review
- Acceptable Use of Information and Associated Resources
- Workplace and Asset Security
- Information Security Event Reporting
- Archiving and Updates
- Reference Documents

Field of Application

This policy establishes the framework for information security at Indigo.ai. It defines the core principles and objectives for managing and protecting the company's information assets. This document applies to all personnel, including employees and contractors, as well as all information, systems, and resources owned, managed, or used by Indigo.ai, in accordance with the requirements of the ISO/IEC 27001 standard.

Regulatory References

- ISO/IEC 27001
- General Data Protection Regulation (EU) 2016/679 (GDPR)

Terms and Definitions

- Availability: The property of being accessible and usable on demand by an authorized entity.
- Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
- Information Security Management System (ISMS): A set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.
- Integrity: The property of accuracy and completeness.
- Risk: The effect of uncertainty on objectives.

Roles and Responsibilities

- Top Management: Responsible for demonstrating leadership and commitment to the ISMS, providing necessary resources, defining security objectives, and approving this policy.
- CPO (ISMS Manager): Responsible for the development, maintenance, and review of this policy, monitoring progress toward information security objectives, and overseeing the management of information security incidents.

Information Security Objectives

Indigo.ai is committed to establishing, implementing, and continually improving an Information Security Management System (ISMS) in accordance with the requirements of ISO/IEC 27001. Top Management shall define and approve the information security objectives, ensuring they are aligned with the company's strategic direction. The CPO (ISMS Manager) shall be responsible for monitoring progress toward these objectives.

The primary objectives of information security at Indigo.ai are to:
- Protect Information Assets: Ensure the confidentiality, integrity, and availability of all corporate, customer, and personnel information.
- Meet Compliance Obligations: Comply with all applicable legal, statutory, regulatory, and contractual requirements related to information security.
- Manage Risks: Implement and maintain a systematic risk management process to identify, assess, and treat information security risks, as detailed in the "PRO Risk management procedure".
- Foster a Security Culture: Promote security awareness and shared responsibility among all personnel to make security an integral part of the company culture.
- Ensure Business Resilience: Maintain business continuity and the ability to recover from disruptions through effective planning and response, as governed by the "PRO Business continuity and disaster recovery procedure".
- Achieve and Maintain Certification: Obtain and maintain certification against internationally recognized standards such as ISO/IEC 27001 to demonstrate commitment to security best practices.

Fundamental Information Security Principles

Indigo.ai's approach to information security is founded on the following core principles:
- Shared Responsibility: Every employee and contractor has a personal responsibility to protect the information assets they handle and to comply with this policy and all related security procedures.
- Top Management Commitment: Top Management shall demonstrate leadership and commitment to the ISMS by providing necessary resources, defining security objectives, and promoting a culture of continuous improvement.
- Risk-Based Approach: Information security decisions and the selection of controls shall be based on the outcomes of a formal risk assessment process, ensuring that protective measures are proportionate to the identified risks.
- Principle of Least Privilege: Access to information, systems, and resources shall be granted based on the specific requirements of an individual's role. Access rights are managed and periodically reviewed as defined in the "PRO Logical access control management procedure".
- Secure by Design and Default: Security requirements shall be integrated into all phases of the development lifecycle for products and services, from design to deployment, as mandated by the "PRO Secure development procedure".
- Continuous Improvement: The ISMS shall be subject to regular monitoring, review, and enhancement to adapt to emerging threats, business changes, and opportunities for improvement.

Policy Governance and Review

This policy and the entire set of topic-specific policies form the foundation of the ISMS.

- Approval: This policy and any subsequent significant changes shall be formally approved by Top Management.
- Ownership and Maintenance: The CPO (ISMS Manager) is the designated owner of this policy and is responsible for its development, review, and maintenance, ensuring it remains relevant and effective.
- Publication and Communication: All information security policies shall be published and made accessible to all personnel via the company's designated internal platforms, such as Notion. Relevant policies may be communicated to external interested parties as required.
- Acknowledgement: All personnel are required to read, understand, and acknowledge their commitment to comply with the information security policies as part of their onboarding and upon significant updates.
- Review: This policy shall be reviewed by the CPO (ISMS Manager) at least annually or when significant changes occur within the organization, its legal or contractual obligations, or the threat landscape. The review shall be part of the formal process described in the "PRO Management Review Process".

Acceptable Use of Information and Associated Resources

All personnel must use Indigo.ai's information and associated resources, including hardware, software, and networks, in a responsible, ethical, and professional manner.
- Purpose of Use: Company resources shall be used for legitimate business purposes.
- Prohibited Activities: The use of company resources for illegal activities, to access or distribute inappropriate content, to introduce malicious code, or to carry out unauthorized activities is strictly prohibited.
- Information Handling: All information must be handled in accordance with its classification level as defined in the "POL Information classification and labelling policy".
- Detailed Rules: Specific rules governing the use of company assets are further detailed in the "POL Operational security policy" and the "Code of conduct".

Workplace and Asset Security

Indigo.ai requires all personnel to protect information and assets in both physical and remote work environments.
- Clear Screen: All user endpoints, including laptops and workstations, shall be configured to automatically lock after a maximum of 5 minutes of inactivity. Personnel shall manually lock their screens whenever they leave their workspace unattended.
- Clear Desk: Sensitive information in physical form, such as paper documents and removable storage media, must be stored in locked cabinets or drawers when not in use, particularly outside of working hours.
- Security of Off-site Assets: Personnel working remotely are responsible for safeguarding all company-provided equipment against loss, theft, damage, or unauthorized access. This is also stipulated in individual remote work agreements.
- Secure Remote Connections: When working off-site, connections to the internet must be established through secure, password-protected networks (e.g., WPA2 or stronger). The use of unsecured public Wi-Fi for accessing company systems is forbidden unless a company-approved VPN is active.

Information Security Event Reporting

Timely reporting of security events is critical to protecting Indigo.ai's information and systems.
- Duty to Report: All personnel shall promptly report any observed or suspected information security events, incidents, weaknesses, or threats.
- Reporting Channels: Events must be reported through the official channels defined in the "PRO Information security incident management procedure".
- Incident Management: The CPO (ISMS Manager) shall ensure that all reported events are logged in the "MOD Log of information security incidents", assessed, and managed in accordance with the "PRO Information security incident management procedure".
- No-Blame Culture: Indigo.ai encourages open reporting and will not take disciplinary action against any individual for reporting a security event or incident in good faith, unless it resulted from a willful violation of security policies.

Archiving and Updates

This document is maintained and archived on designated internal company platforms. It is reviewed at least annually, or more frequently if significant changes occur, by the CPO (ISMS Manager) and approved by Top Management to ensure its continued relevance and effectiveness.

Reference Documents

- Code of conduct
- PRO Risk management procedure
- PRO Business continuity and disaster recovery procedure
- PRO Logical access control management procedure
- PRO Secure development procedure
- PRO Management Review Process
- PRO Information security incident management procedure
- POL Information classification and labelling policy
- POL Operational security policy
- MOD Log of information security incidents
- Individual remote work agreements
