Ambassify has appropriate technical and organisational measures (TOMs) in place to prevent data breaches and to meet the requirement of data protection by design and by default (GDPR Article 25). The measures are summarised below.

Technical Measures

| Measure | Description |
|---|---|
| Cybersecurity | Firewalls, regular patching, and keeping systems and software up to date. |
| Encryption and Pseudonymisation | All data encrypted in transit (TLS) and at rest (AES-256). Data pseudonymised where possible. |
| Data Isolation | Multi-tenant SaaS with logical data separation: records in every data store are keyed by a unique customer identifier, so no cross-tenant data access is possible. |
| Physical Security | Fully remote company; all infrastructure is hosted on AWS and relies on the physical security controls of AWS data centres. |
| Appropriate Disposal | Devices and data are disposed of securely following documented procedures. A certificate of destruction is available on request. |
| Logging and Monitoring | System, access, and performance logs are centralised and backed up to tamper-proof storage. |
| Passwords and MFA | Strong, unique passwords required; multi-factor authentication enforced; use of a password manager mandatory. |
| Access Rights | Access granted on a need-to-know basis, enforced through role-based access controls. |
| Pseudonymisation and Anonymisation | Personal data pseudonymised or anonymised where possible. Only synthetic or anonymised data is used in non-production environments. |
| Backup | Daily encrypted backups, retained for 90 days, with restore tests performed annually. |

Organisational Measures

| Measure | Description |
|---|---|
| Acceptable Use | Clear guidelines for acceptable use of company systems, data, and technology. |
| Awareness and Training | Regular security and data protection training for all employees. |
| Breach Notification | Affected customers are notified within 24 hours; the supervisory authority is notified within 72 hours, as required by GDPR Article 33. |
| Bug Bounty Program | Responsible disclosure programme for external security researchers; contact details are published in the company's security.txt. |
| Change Management | Formal change management process with peer review, testing, and approval before deployment to production. |
| Clean Desk and Screen Policy | Physical documents secured, screen lock required, and precautions taken during screen sharing. |
| Data Retention | Data retained only as long as necessary, with clear retention and disposal procedures. |
| Disaster Recovery | Documented DR plan with defined RTO and RPO, tested regularly. |
| Due Diligence | Thorough assessment of all vendors and processors before engagement. |
| External Security Audit | Annual penetration test and security audit by an independent external party. |
| Incident Response | Structured incident response process with a dedicated team and defined severity levels. |
| Information Classification | Three-level classification scheme: Confidential, Restricted, Public. |
| Information Security Policy | Comprehensive ISMS aligned with ISO 27001:2022. |
| NDA and Confidentiality | Non-disclosure agreements signed by all employees and contractors. |
| No Customer Data in Non-Production | Production data is never used in development or testing environments; only anonymised or synthetic data is used. |
| Offboarding Process | Structured offboarding with prompt access revocation and return of assets. |
| Record Retention and Destruction | Secure destruction methods; a certificate of destruction is available on request. |
| Risk Management | Risk assessment and treatment based on ISO 27005 and ISO 31000. |
| System Access | Centralised access management with bi-annual access reviews. |
| Well Defined Roles | Roles and responsibilities for security and privacy are formalised and documented. |