Security - Frequently Asked Questions (FAQ)
Last updated
The SMTP server is provided to the Client as a virtual server, separated from the physical server belonging to VERCOM, to which the IP address used for sending e-mail messages is assigned. The SMTP server can be shared or dedicated to the client; it is always a VPS (Virtual Private Server).
Diagram of the technical structure of the EmailLabs Service:
I. "Sending" part
The main functionality of the EmailLabs Service is the possibility of mass sending e-mail messages to the address database specified by the customer.
II. Database part
It covers the processing of data about completed e-mail sends. The data is logically separated.
Therefore, it should be stated that the data contained in e-mail messages sent using the EmailLabs Service are processed on servers belonging to VERCOM.
In the case of backups, the data is encrypted and stored in this form on servers provided by third parties.
The processing of entrusted data (in the context of the GDPR) distinguishes:
Data in transit: data is encrypted with SSL.
Data at rest: we store only the e-mail addresses of e-mail recipients (e-mail logs in the panel). This data is not encrypted due to the computational overhead of processing such databases. However, in Q1 2024 a data anonymization functionality will be introduced.
Yes, the injected status is processed in the database and a log is saved with the anonymous TO address.
When the final email status is processed (OK, hard bounce, dropped, etc.), the status is saved to the database and the server logs are also anonymized in a similar way to the logs in the database.
Anonymization could involve, for example, leaving the first character and domain, e.g. instead of "john.walk@abcabc.pl" it would be "j***********@abcabc.pl". On the customer's side, the log of such an email would be precisely identifiable by the message_id.
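The masking scheme described above (first character of the local part kept, rest replaced by asterisks, domain kept, message_id untouched) as an added example written for this page; it is not EmailLabs' own implementation. The log record, the free-text server log line and the message_id value are constructed sample data, and the fixed mask width is a design choice of this example: unlike a length-preserving mask, it does not reveal how long the original local part was.

```python
import re

# Constructed sample data (not taken from a real system).
SAMPLE_DB_RECORD = {"message_id": "msg-0001-abc", "to": "john.walk@abcabc.pl", "status": "ok"}
SAMPLE_SERVER_LOG_LINE = "2024-01-05T10:00:00Z status=ok id=msg-0001-abc to=john.walk@abcabc.pl"

# Fixed mask width: the masked form does not reveal the length of the local part.
MASK = "*" * 8

# Loose e-mail pattern for locating addresses inside free-text log lines.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def anonymize_address(address: str) -> str:
    """Keep the first character of the local part and the domain; mask the rest.

    Anything that is not a well-formed address is masked entirely so that a
    malformed or unexpected value is never written to the log in the clear.
    """
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        return "*" * len(address)
    return f"{local[0]}{MASK}@{domain}"


def anonymize_db_record(record: dict) -> dict:
    """Mask the recipient address in a database log record.

    message_id is deliberately left unchanged: it is the key the customer uses
    to find the log entry for a given message after anonymization.
    """
    masked = dict(record)
    masked["to"] = anonymize_address(record["to"])
    return masked


def anonymize_log_line(line: str) -> str:
    """Mask every e-mail address found in a free-text server log line."""
    return EMAIL_RE.sub(lambda m: anonymize_address(m.group(0)), line)


def contains_unmasked_address(line: str) -> bool:
    """Check used before shipping logs: does the line still carry a full address?

    A masked address has only asterisks after its first character, so any
    address whose local part contains a non-asterisk beyond position 0 is
    still in the clear.
    """
    for match in EMAIL_RE.finditer(line):
        local = match.group(0).partition("@")[0]
        if any(ch != "*" for ch in local[1:]):
            return True
    return False


if __name__ == "__main__":
    print(anonymize_db_record(SAMPLE_DB_RECORD))
    print(anonymize_log_line(SAMPLE_SERVER_LOG_LINE))
```

Running the block masks both the database record and the server log line in the same way, and `contains_unmasked_address` gives a simple pass/fail check that can be applied to a log export before it leaves the system.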
Yes, VERCOM S.A. has appointed a Data Protection Officer.
Yes, the activities of the DPO are documented.
Yes, to the extent that these obligations rest with Vercom S.A. as the Data Controller. Vercom supports Data Controllers in fulfilling their legal obligations to the necessary extent. Vercom's solutions are not database management systems, so functionalities in this area may be limited.
As a processor, we do not maintain a register of data subject requests, as these matters fall under the responsibility of the Data Controller.
All requests from Data Subjects that we receive are promptly forwarded to the Data Controllers in accordance with the processing agreement, and the requesting party is informed that the data has been forwarded to the Controller. The processor supports the Data Controllers in fulfilling their obligation to respond to data subject requests.
Yes.
The first line of support is the business manager and Customer Service Office. Each Data Controller also has the option to contact the Data Protection Officer (DPO) directly.
Yes, please find the agreement template in the Document Templates for Clients section.
The processing is carried out to provide the Service to the Client based on the Main Agreement and to fulfill Vercom's obligations arising from this Data Processing Agreement, particularly concerning data security, including ensuring their integrity and availability.
The processed personal data concerns the following categories of individuals: End Users - individuals who are recipients of electronic communications sent by the Client based on the Main Agreement.
The processed special categories of personal data include the following categories: Not applicable.
Depending on the service provided, the list of processors may vary. Details are regulated by the personal data processing agreement.
The list is available in the Personal Data Processing in EmailLabs section.
Yes, subcontractors undergo an annual assessment.
Vercom declares that the Processing of Personal Data shall be performed in the territory of the European Union or the European Economic Area, unless the obligation to transfer the Personal Data to a third country, in the meaning of the GDPR, derives from the Law.
All operations performed on personal data take place within an IT system. Data entrusted for processing are not stored on employees' computers. Vercom does not process personal data in paper form as part of its services. All personal data entrusted to us for processing are stored in an external data center that meets the highest security standards and undergoes multi-layered security measures.
Yes. Periodic internal and external audits are conducted. Testing occurs at least once every 12 months or more frequently if necessary.
The most recent ISO 22301 audit took place in January 2025. Previous external audits for ISO 27001 and ISO 27018 were conducted in August 2024. These audits covered the entire organization, assessing compliance with all required standards and evaluating the effectiveness of security controls. Compliance with ISO 22301, ISO 27001, and ISO 27018 was verified, resulting in the issuance of a certification of conformity.
Additionally, in 2024, three internal audits were conducted, culminating in an audit report and a review of the Information Security Management System's performance.
Yes, there is a detailed list of further processors used by Vercom S.A., last updated on 20 March 2023, as well as a Register of Processing Activities at VERCOM S.A.
Vercom uses logical separation of data in its systems provided as part of the services rendered.
The main server environment within VERCOM's CPaaS is located within the EEA. All further processors handling personal data provide services covered by regionalization within PL, EU, or EEA territories. We do not process data outside of the EEA.
According to the documented and implemented policy, backups are created daily. Backup copies are stored for 2 years and are encrypted. Backups are maintained only within the EEA in external data centers with the highest security standards, subject to multi-layered security measures.
Yes.
Implemented and confirmed with ISO 27001 and ISO 27018 certification. Relevant documents: ISMS-01 Information Security Process Book; DP-01 Personal Data Security Policy.
Yes.
Implemented and documented procedure DO-02: Instruction for managing IT systems.
Yes.
Yes.
Yes.
Yes.
We operate in accordance with the principles of Privacy by Design and Privacy by Default.
Yes.
We operate in accordance with the principles of Privacy by Design and Privacy by Default.
Yes.
Implemented procedure DO-03: Methodology for Assessing the Risk of Personal Data.
Yes.
Implemented procedure DO-03: Methodology for Assessing the Risk of Personal Data.
Yes, as of April 14, 2023.
According to the implemented and documented Risk Assessment procedure, a Risk Assessment Sheet is maintained electronically. Risk assessment is conducted annually and additionally whenever necessary due to planned activities.
Yes, a variety of monitoring solutions are implemented to monitor system events and alert on detected anomalies. Additionally, the company has an internal cybersecurity team conducting regular tests of deployed solutions.
Yes. A Business Continuity Plan has been developed and implemented, and is regularly tested (at least once a year). Vercom also maintains a DRP. Relevant document: PBI-01 Appendix 03 Business Continuity Plan Schema (BCP).
Yes, as part of annual BCP tests.
Yes, there is a formal process in place for handling all personal data breaches and security incidents. All breaches of personal data and security incidents are reported to management, recorded, and managed by designated personnel.
We have documented and implemented ISMS-03 Security Incident Management. We maintain full documentation, including supervisory documentation, in particular ISMS-03 Appendix 1, Breach and Incident Register for Personal Data Protection at VERCOM S.A.
Yes, we maintain a Register of Security Incidents and Personal Data Protection Incidents.
No.
Yes.
Yes.
Yes.
Yes. Every employee and collaborator signs a confidentiality statement confirming their commitment to maintaining the confidentiality of personal data.
Yes. Only appropriately authorized employees have access to the data. Access is granted based on the principle of limited access ('need to know'), to the extent necessary to perform the duties of their respective roles.
A record of individuals authorized to process personal data is maintained and regularly updated.
Yes. Each employee is issued an access control card and is required to carry it at all times. Each identifier is assigned to a specific user and is used to gain access to office spaces. Each use of the identifier is logged in the system.
The assigned identifiers do not display company or employee markings for security reasons, to deter potential misuse if lost.
Yes. Within a maximum of 30 days from the start of employment, the ISO Data Protection Officer conducts basic training with the newly hired employee on the processing of personal data within the company. This training also covers job-specific guidelines (Job Instructions) and familiarizes them with the Information Security Policy.
At least once a year, the Information Security Officer (ISO) organizes mandatory training sessions for employees on personal data processing within the company and job-specific guidelines. Employees participate in these trainings following the procedures outlined in PBI 04 Annex 1 Access and Resource Management Instruction. The last training took place on 25 January 2023.
In addition to the annual mandatory training sessions on GDPR and ISO requirements, employees and collaborators also participate in additional trainings conducted by a Cybersecurity Penetration Tester. As part of best practices, the organization conducts a cycle of 'Cyber Tuesdays' trainings.
We also provide opportunities for additional trainings related to digital threats. Each employee reviews a detailed Job Instruction immediately upon employment. IT department-specific trainings are also mandatory and periodic, along with training cycles tailored for Customer Support department employees.
We consistently strive for continuous improvement and skill enhancement for employees and collaborators, providing them access to specialized trainings relevant to their roles.
Yes. The organization has implemented and follows a system of employment verification procedures.
Verification includes, among other aspects, reviewing employee references, analyzing qualifications, and confirming the following:
- Identity verification based on appropriate documentation (ID card or passport)
- Confirmation of relevant academic qualifications (based on certificates/diplomas/degree certificates)
- Verification of declared professional experience (as stated in the CV and references)
Yes, employees sign relevant declarations and are required to inform the employer of any changes.
Yes, the panel has the ability to manage users and various access levels.
Yes, a consistent password policy has been implemented.
Passwords have a maximum validity period, a minimum length requirement, and history enforcement. They must not be easy or obvious, and cannot be dictionary words. Each employee and collaborator stores passwords in a password manager (KeePassXC).
Yes, according to PBI - 04 Annex 01 Access Management Instruction at Vercom S.A.
Access is granted solely upon approval by management. Employees must have unique identifiers and are prohibited from sharing individual passwords with others. There is an implemented procedure for user authentication in the IT system - Instruction for Managing the Information System. Each employee has individual accounts, logins, and passwords.
Yes.
The system does not allow the creation of generic, non-personalized, or guest accounts.
Yes, according to the documented and implemented Procedure for the Use of IT Resources by Users.
Yes. Every newly hired employee and collaborator undergoes mandatory training in this regard.
Yes, in the procedure "Using IT Resources by Users".
Yes. The use of private mobile devices is regulated, described, documented and implemented in the internal instruction PBI - 04 Use of IT Resources by Users. The organization maintains a strict policy against the use of personal portable devices (PPDs).
Yes, according to the implemented procedures for mobile devices used by employees. Mobile devices are configured with access control, and are protected by anti-malware and antivirus software. The software and its updates are centrally managed.
Yes, there is a hardware register maintained.
Data entrusted for processing are processed exclusively within the IT system and are not transmitted outside of it.
Yes, we have a documented and implemented Procedure for Managing Security and Cryptographic Keys, which also relates to the security of using mobile devices.
According to our Procedure for the Use of IT Resources by Users, there is a total prohibition on using external information media. External drives may only be used by selected IT department employees and system administrators, with prior consent from the Data Protection Officer (DPO) and the Information Security Officer (ISO). They are subject to detailed guidelines, their number is strictly defined, they are registered, encrypted, and undergo annual reviews. No personal data may be stored on them. Data entrusted for processing are processed exclusively within the IT system and are not transmitted outside of it.
Yes. Everything is conducted in accordance with the documented and implemented Data Retention Procedure of VERCOM and the Instruction for Managing the Information System, tailored to the data category.
Yes. The handling of printouts is described in the implemented and documented procedure DO - 02 Information System Management Instruction. Unnecessary documents are destroyed in a manner that makes them unreadable, for example using shredders with an appropriate security level (recommended for destroying documents containing personal data such as names, email addresses, etc.), and by a specialized external company that specializes in document destruction.
Data entrusted for processing are processed exclusively within the IT system. Vercom does not process customer data in paper form.
Yes. According to the implemented and documented procedure DO - 02 Information System Management Instruction.
Vercom does not process customer data in paper form.
The facility meets the requirements of the international Tier III standard. The data center is equipped with various systems including air conditioning, Uninterruptible Power Supply (UPS), fire suppression, and uses redundant power systems (e.g., in servers). The air conditioning and UPS systems are regularly tested.
Yes.
PBI - 04 Use of IT Resources by Users 1.2; PBI - 05 Use of Resources - Administrators 1.2.
Yes.
The wireless network is separated from the internal LAN by firewall rules. Access to the local network and remote networks (e.g., the Internet) is granted based on a request from the employee's supervisor, submitted via an email request to the system administrator to assign system permissions and access to IT resources (login, password, email), or directly by the department manager. This includes allowing and blocking access to websites. The organization specifies which URLs are blocked and which are allowed.
Automatically. Network logs are analyzed automatically and manually when an event requires investigation.
Yes, according to the implemented policy PBI - 04 Annex 02 Procedure for Managing Security and Cryptographic Keys. Data in transit is encrypted using the SSL protocol. Long-term data storage in the form of backups is fully encrypted. Operational data is not encrypted for optimization reasons.
Yes.
Yes.
Yes.
Yes.
The code is developed internally.
Yes.
The source code is stored in an independent environment.
Yes. Vercom conducts penetration tests according to the document 'Vercom Vulnerability Management Process.' We perform cyclic penetration tests of our application: annually by our internal Pentester, and at least once every two years by an external auditing company (alternating between internal and external tests). The test plan is determined by the test coordinator in consultation with project directors and the CTO. A detailed test plan is established each time based on the suggested schedule.
Yes. Access to the building is restricted to authorized personnel only, with all entrances secured by personal access cards. The building is a Premium class office building.
As outlined in the Technical and Organizational Measures Applied by EmailLabs section.
Yes.
Only authorized personnel have access, with all entrances secured by personal access cards. In the office buildings where we work, no personal data entrusted to us for processing is stored. All personal data entrusted to us is stored in an external data center that meets the highest security standards and is subject to multi-level security - SOC 2 certification. After working hours, cleaning staff or, in exceptional situations, building security may be present in the office building. This is outlined in our procedures related to the implemented ISO 27001. We have NDA agreements signed with all individuals, including cleaning staff who work after hours. However, areas where data is stored are NOT accessible to third parties after working hours.
Yes, our service constitutes a specific form of public cloud computing, entirely created and managed by Vercom S.A. We do not use a third-party cloud service provider; instead, we are the provider. In understanding cloud computing, it encompasses not just commonly known resources or 'virtual space,' but also services, infrastructure, and platforms for application development. It should be identified as a hybrid solution, combining service, platform, and infrastructure. The term CPaaS (Communications Platform as a Service) has also become popular, referring to a solution dedicated to communication between businesses and their customers via a specialized platform that organizes this communication process.
Yes, a security audit based on the OWASP TOP 10 vulnerabilities and the OWASP ASVS methodology is conducted. Additionally, audits are performed in relation to ISO 27001 and ISO 27018 certification.
According to the Technical and Organizational Measures Applied by EmailLabs section.
According to the Technical and Organizational Measures Applied by EmailLabs section.
According to the Technical and Organizational Measures Applied by EmailLabs section.
According to the Technical and Organizational Measures Applied by EmailLabs section.
More information about the security of the main server facility can be found directly on the website: