Grassfeld Security Policy.
This information security policy describes the relevant measures of Grassfeld B.V. (“Grassfeld”) with respect to information security from a strategic and operational viewpoint. This policy is focused on users of the application and the website of Grassfeld.
Last updated on 14-05-2024
Grassfeld takes information security very seriously to preserve the confidentiality, integrity and availability of information and is confident that risks are adequately managed through high-level security. The policy has been drawn up in accordance with cyber security best practices and standards in reference to relevant ISO-norms. Furthermore, any external party we work with such as a bank, adhere strictly to various norms for instance the ISO20022.
1.
User Access Control.
1.
Registration and Authentication:
External users must register for access through a secure online process that verifies user identity. Each user will be authenticated using a combination of a password and a multi-factor authenticator (MFA).
1.2
Authorization:
Access will be granted strictly based on the user’s necessity to interact with the system. Users are only allowed access to features and data pertinent to their role or transaction requirements.
1.3
Admin Accounts:
The administrative accounts are only used to perform administrative tasks. All unused or unnecessary user accounts, email-addresses, etc., are deleted or disabled by IT administration. Furthermore, upon termination of employment, contract or agreement, user accounts are deleted or disabled by IT administration and are documented accordingly. If employees had access to shared accounts, the login credentials of these accounts are altered by IT administration.
2.
Data Protection.
2.1
Data Encryption:
Data that is stored within the Grassfeld platform and application is high-level encrypted through various encryption technologies. Furthermore, data is monitored 24 hours a day regarding possible attacks and data breaches aiming for an immediate mitigation of a possible attack.
2.2
Data Classification:
All data and information accessed, processed, and stored by Grassfeld are categorized by the Security Officer and periodically reviewed no less than annually. The impact level of each data category is categorized (Reference: NIST Special Publication 800-60 Volume I). Data must be managed, protected, and secured in accordance with the impact level of the data category.
2.3
Data Storage:
Data is stored in a multi-layer secured database with very restricted accessibility. This accessibility is only available for authorized personnel that oblige to strict authentication protocols. If a user removes their account, dedicated data to that account will be destroyed. Grassfeld does not support back-up data, thus previously deleted data cannot be recollected.
2.4
Data Sharing:
Sharing of personal and financial information within the application is governed by strict protocols and only occur with explicit user consent. Grassfeld unequivocally does not sell any data to any third parties.
3.
Employee Responsibility.
3.1
New Employees:
All new (internal and external) employees are informed about the information security policy.
3.2
Policy Guidelines:
Employees are obligated to adhere to the policy guidelines.
4.
User Responsibility.
4.1
Security:
Users are responsible to keep their passwords secreted. Passwords must not be shared or written down. If a password is suspected to have been compromised, it must be changed immediately.
4.2
Secure Devices:
To guarantee the safe use of the application on a user’s phone, users are responsible for ensuring their devices are secure, updated with the latest security patches, and have adequate anti-virus protection.
5.
Security by Design.
5.1
Proactive Protection:
Security measures are proactively incorporated into the design and architecture of Grassfeld, rather than being added reactively. MMOX, the cybersecurity partner of Grassfeld, receives intelligence about threats, vulnerabilities, and their business impact from a variety of sources including internal or external information sharing, as well as non-commercial and commercial entities.
5.2
Minimization of Risk:
The design and implementation of the app follow the principle of least privilege, ensuring users have the minimum level of access necessary for their functionality needs. This reduces potential damage from any breach or misuse. Furthermore, Grassfeld practices Security by Design by implementing an IP check per user session, secure connection with our own servers, and creating a new account by email, password, and SMS verification.
5.3
Pseudonymization:
Users of Grassfeld are pseudonymized in our system as a number. This means that Grassfeld does not see any personal information connected to the account. The user, in this case a pseudonymized number, can only be read in our system through a secure connection specifically designed for the communication with the user. Any information that is added by a user and stored by Grassfeld is only used to finetune our algorithms and cannot be altered.
6.
Incident Management.
6.1
Response:
In case of a security incident Grassfeld manages an immediate and proper response by escalating it to the core team. Grassfeld ensures the isolation of attacked systems and network segments to prevent further damage. Further steps are taken through forensic research and analyzing the scope of the incident. Grassfeld has a cyber team that is available 24 hours a day. Communication with affected persons and stakeholders is practiced through laws and regulations.
7.
Compliance and Legal.
7.1
Regulatory Compliance:
Grassfeld works conform the requirements of the applicable data protection legislation. Information about Grassfeld’s compliance regarding legal issues is addressed in the Privacy and Cookie Policy.
8.
Policy Updates.
8.1
Revisions:
This policy may be updated at any time to reflect changes in legal, technical, or business developments. We recommend that you consult this statement on a regular basis, so that you remain informed of any changes.
