Motivation
Opticon Data Solutions S.r.l. operates in the Legal Tech sector with the goal of supporting companies in their digital transformation and compliance monitoring processes in the fields of Governance and Data Protection.
Given the nature of its activities, Opticon Data Solutions considers information security a primary factor in protecting its informational assets and a strategic value that can easily be turned into a competitive advantage.
The company places particular emphasis on security throughout the design and development lifecycle of its services, which are regarded as valuable assets of the company.
The Information Security Management System (ISMS) applies to all activities related to the development of cloud solutions that support Governance and Data Protection, including the analysis, design, and production of tools, as well as the associated data stored within Opticon Data Solutions’ data centers.
Aware that its services may involve the handling of critical data and information from external entities, the technical organizational unit operates in compliance with internationally recognized security standards.
It is essential to share this “Information Security Policy” with all suppliers, collaborators, partners, and any external entities that could significantly impact the company’s information security. This ensures that, when necessary, appropriate actions are taken to mitigate risks and enhance information security levels.
For these reasons, both technical and organizational measures are adopted to best ensure the integrity, confidentiality, and availability of internal informational assets as well as those entrusted by clients, including personal data.
On this basis, Opticon Data Solutions has decided to implement an Information Security Management System (ISMS), structured according to best practices and international standards, in compliance with the ISO/IEC 27001:2022 framework.
Purpose and Scope
The objective of Opticon Data Solutions’ Information Security Management System (ISMS) is to provide cloud services that support governance and compliance in Data Protection, while ensuring an adequate level of data and information security throughout the design, development, and delivery of these services. This is achieved through the identification, assessment, and treatment of risks to which these services are exposed.
The ISMS of Opticon Data Solutions defines a set of organizational, technical, and procedural measures to guarantee compliance with the following fundamental security requirements:
Furthermore, through this policy, Opticon Data Solutions aims to formalize the following information security objectives:
Policy Content
The ISMS (Information Security Management System) applies to the provision of cloud services supporting governance and compliance in Data Protection and the data associated with them.
All information created or used by the company must be safeguarded and protected according to its assigned classification, from its creation through its use and eventual disposal. Information must be managed securely, accurately, and reliably, and must be readily available for authorized uses.
The “use of information” refers to any form of processing, whether carried out on electronic or paper-based media or through verbal communication in any form.
Regarding consulting activities, the ISMS, in compliance with ISO/IEC 27001:2022, requires the Information Security Officer to periodically conduct a risk analysis that considers the strategic objectives outlined in this policy, security incidents that occurred during the period, and strategic, business, and technological changes that took place. The purpose of this analysis is to evaluate the risks associated with each asset, considering the identified threats.
The Management Team collaborates with the Information Security Officer to define the risk assessment methodology, approving the relevant documentation. In drafting this methodology, the Management Team also participates in defining the scales and parameters used for risk evaluation.
Following the risk analysis, the Management Team evaluates the results, determining the acceptable risk threshold, the risk mitigation strategies for risks exceeding this threshold, and the residual risk after mitigation. This assessment also considers the business value of the assets being protected and clearly identifies necessary actions, prioritized based on company objectives, available budget, and legal and regulatory compliance requirements.
Additionally, this analysis must be conducted whenever events occur that could alter the system’s overall risk profile.
Responsibilities
All personnel who, in any capacity, collaborate with the company are responsible for complying with this policy and reporting any anomalies, even if not formally codified, that they become aware of.
The Management Team and the appointed Information Security Management System Officer, with the possible support of the appointed internal DPO, are responsible for setting objectives, ensuring clear alignment with corporate strategies, and providing visible support for security initiatives. They promote security by ensuring the adequacy of individual security budgets, in line with the defined corporate policies and strategic guidelines.
The Information Security Officer is responsible for designing the Information Security Management System and, in particular, for:
All external entities that engage with Opticon Data Solutions must ensure compliance with the security requirements stated in this security policy, potentially through the signing of specific confidentiality clauses/agreements.
Applicability
This policy applies equally to all corporate bodies within the company. Its implementation is mandatory for all personnel and collaborators of Opticon Data Solutions and must be included in the regulatory framework of agreements with any external entity that, in any capacity, may become aware of the information managed within the company. Opticon Data Solutions allows the communication and dissemination of information externally only for the proper execution of business activities, which must comply with applicable rules and regulations.
Review
Opticon Data Solutions will periodically assess the effectiveness and efficiency of the Information Security Management System, ensuring adequate support for the implementation of necessary improvements. This will enable the activation of a continuous process that monitors changes in surrounding conditions or business objectives to ensure proper adaptation.
Extract from the ISMS (SGSI) Manual – Rev. 05 of 10.12.2024
The Executive Board of Opticon Data Solutions Srl
Introduction
This document extends and integrates the content outlined in the “Opticon Information Security Policy” document. It specifies how the management of Opticon Data Solutions S.r.l. is committed to implementing and improving its Management System in accordance with the requirements of the ISO/IEC 27001:2022 standard on Information Security.
Therefore, this document serves as a continuous reference for all subsequent strategic choices and decisions deemed appropriate for the operational context. Its distribution involves all relevant stakeholders through publication on the internal information system and, upon request, is made available to other interested parties, including through publication on the company’s website.
Company managers are familiar with and share the guidelines expressed by management and the policy documents; all personnel are made aware that they operate within a Management System aimed at implementing the company’s documentation.
The entire structure of Opticon Data Solutions S.r.l. is focused, through the commitment of management, on continuous improvement based on the achievement of the following objectives.
Cloud Service Provider (CSP)
Opticon Data Solutions S.r.l. operates as a Cloud Service Provider, offering Software as a Service (SaaS) data management services that facilitate regulatory compliance.
In delivering SaaS services, Opticon Data Solutions S.r.l.:
When delivering SaaS services to its clients, the company periodically evaluates and updates the risks related to information security within cloud services.
PII Processor
If necessary, and in any case within a maximum of 48 hours, Opticon Data Solutions S.r.l. will decide jointly with the relevant party which party is responsible for reporting the data breach. The communication to the Data Protection Authority, as required by EU Regulation 2016/679 – GDPR, must be sent within 72 hours of becoming aware of the incident.
For further details on the technical and organizational measures adopted by Opticon Data Solutions S.r.l. to ensure the security of information and personal data within its proprietary cloud services, please refer to the “ISO 27017-27018 Technical Discipline.”
This document is subject to periodic revisions and updates in order to make corrections, add enhancements, and ensure its adequacy and effectiveness, especially in the case of significant changes concerning information security, in the spirit of continuous improvement. In the interest of maximum transparency and collaboration, this annex to the “Opticon Information Security Policy” is communicated to all employees and made available to stakeholders as deemed necessary.
Milan, 24/10/2024
The management of Opticon Data Solutions S.r.l.
© 2025 Opticon Data Solutions S.r.l. – All rights reserved. Piazza Risorgimento 7, 20129 Milano (MI) ITALY Company register of Milano n. 10580990967 – Capital stock 10.000 i.v. C.F. & VAT number 10580990967