    Security

    Information Security Policy

    of ELFAPP Technologies (“ELFAPP”, “we”, “us”, “our”)


    1. Purpose

    This Information Security Policy defines ELFAPP Technologies’ approach to protecting information assets, ensuring confidentiality, integrity, and availability of data processed in its software, consultancy, and IT systems.

    The policy supports compliance with the EU GDPR (Art. 32), the Dutch Cybersecurity Guidelines for Businesses (NCSC), and principles of ISO/IEC 27001 (information security management).


    2. Scope

    This policy applies to:

    • All employees, contractors, and third parties handling ELFAPP data;

    • All systems, applications, and networks owned or operated by ELFAPP;

    • All data processed in the course of providing software development and IT consultancy services.


    3. Security Objectives

    • Confidentiality: Prevent unauthorised disclosure of data.

    • Integrity: Prevent unauthorised modification or corruption of data.

    • Availability: Ensure timely access to data and systems for authorised users.


    4. Responsibilities

    • Management: Oversees implementation and review of this policy.

    • IT Security Officer / Founder: Coordinates daily security operations and ensures compliance.

    • All Employees: Must follow security guidelines, report incidents, and protect credentials.

    • Third Parties: Must comply with this policy when accessing ELFAPP systems or data.

    Core Security Measures


    5A. Access Control

    • Use role-based access control (RBAC); grant access on a need-to-know basis.

    • Enforce strong password policies and multi-factor authentication (MFA) for admin and production systems.

    • Disable unused accounts and revoke access promptly after offboarding.

    5B. Data Protection

    • Encrypt all personal data in transit (TLS 1.2+) and at rest (AES-256).

    • Store keys securely and rotate them periodically.

    • Use least-privilege database access and parameterised queries to prevent injection attacks.

    • Maintain regular backups and test recovery procedures.

    5C. Secure Development

    • Follow secure coding practices (OWASP Top 10).

    • Conduct code reviews and vulnerability scanning (e.g., GitHub Dependabot, Snyk).

    • Separate development, testing, and production environments.

    • Keep all frameworks and dependencies up to date.

    5D. Incident Response

    • Establish an incident response plan with clear reporting lines.

    • Investigate and document all security incidents and breaches.

    • Notify clients without undue delay if personal data is affected (per GDPR Art. 33).

    5E. Device and Network Security

    • Require full-disk encryption and endpoint protection (antivirus, EDR) on all company devices.

    • Use VPN or zero-trust access for remote work.

    • Maintain firewalls and apply system patches regularly.

    • Prohibit the use of unapproved USB or external drives.

    5F. Employee Awareness

    • Provide annual security and privacy training to all staff.

    • Emphasise phishing prevention and secure password habits.

    5G. Third-Party and Cloud Providers

    • Use only reputable cloud providers (AWS, Azure, GCP) with EU data centres.

    • Maintain Data Processing Agreements (DPAs) with all sub-processors.

    • Evaluate suppliers for GDPR and ISO 27001 compliance.

    5H. Monitoring and Auditing

    • Maintain audit logs of access and system events.

    • Regularly review logs for unusual activity.

    • Conduct annual internal security audits.

    Data security measures


    6. Data Breach Management

    In the event of a suspected data breach:

    1. Immediately notify the Security Officer.

    2. Contain and assess the breach.

    3. Record all findings in the incident log.

    4. Notify affected clients and the Dutch Data Protection Authority (AP) within 72 hours if required.


    Reviews and compliance


    7. Policy Review and Updates

    This Security Policy shall be reviewed annually or after any major change in operations, technology, or legal requirements.

    8. Compliance and Enforcement

    Non-compliance may result in disciplinary action, including termination of employment or contracts.


    ELFAPP Technologies
    Keurenplein 41, box E7938 
    Amsterdam 1069 CD, Noord-Holland
    Netherlands

    • support@elfapp.nl

    Copyright © 2025 ELFAPP Technologies 
