Information Security Policy
The careful and targeted use of information is a central part of INCHRON’s business strategy to maintain corporate values, operation and reputation, and to protect business-critical and personal data. The necessity of information security emerges from the interests of the management and shareholders of INCHRON AG, as well as our customers and employees.
This Security Statement applies to all INCHRON AG products, services and its affiliates, except where otherwise noted. This Security Statement also forms part of the user agreements for INCHRON AG customers.
Physical security
INCHRON information systems and technical infrastructure are hosted within data centers in the EU that have at least an ISO/IEC 27001 security certification. For INCHRON premises, a TISAX result is available. We employ secure access control and security monitoring.
Access control
Access to INCHRON technology resources is only permitted through secure connectivity (e.g. VPN, SSH). INCHRON’s password policy requires complexity, enforces lockout and disallows reuse. INCHRON grants access on a need-to-know basis following least-privilege rules, reviews permissions regularly and revokes access immediately after employee termination.
Security policies
INCHRON maintains and periodically reviews and updates its information security policies, at least on an annual basis. Employees must acknowledge policies on an annual basis and undergo additional training pertaining to job function. Training is designed to adhere to all specifications and regulations applicable to INCHRON.
Personnel
INCHRON conducts background screening at the time of hire (to the extent permitted by applicable laws). In addition, INCHRON communicates its information security policies to all personnel (who must acknowledge this). Furthermore, INCHRON provides ongoing privacy and security training.
Vulnerability management
INCHRON maintains a documented vulnerability management system which includes periodic scans, identification and remediation of security vulnerabilities on servers, workstations, network equipment and applications. All networks are regularly scanned using trusted third-party vendors. Critical patches are applied to servers on a priority basis; all other patches are applied mostly automatically.
Cryptography
INCHRON encrypts sensitive data at rest in the data centers and all data in motion in adherence to the cryptography policy.
Development
INCHRON’s development team employs secure coding techniques and best practices. Development, testing and production environments are separated. All changes are peer reviewed and logged for performance, audit and forensic purposes prior to deployment.
Asset management
INCHRON maintains an asset management program which includes identification, classification, retention and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access INCHRON networks.
Incident management
INCHRON maintains a security incident management process that covers the initial response, investigation, customer notification, public communication, prudential reporting and remediation.
Breach notification
If INCHRON becomes aware of a security breach, we will notify affected users so that they can take appropriate protective steps. INCHRON breach notification procedures are consistent with the obligations under applicable laws and regulations, as well as any industry rules or standards applicable to INCHRON. INCHRON is committed to keeping its customers fully informed of any matters relevant to the security of their information and to providing customers all information necessary for them to meet their own regulatory reporting obligations.
Backups
Backups are encrypted to preserve their confidentiality and integrity. We employ a write-only approach as well as geographically separated INCHRON employs a backup strategy to ensure minimum downtime and data loss.
Customer and partner responsibilities
Keeping your data secure requires that you maintain the security of your account by using sufficiently complex passwords and storing them safely. You should also work in a secure manner and ensure that you have sufficient security on your own systems.
Logging and monitoring
IT systems log information to a centrally managed logging system for troubleshooting, security reviews and analysis, performed both automatically and by authorized INCHRON personnel. Logs are preserved in accordance with our retention policy. If customers reasonably require log access due to security incidents, INCHRON will assist in the matter.
Compliance
INCHRON has implemented governance, risk management and compliance practices that align with the TISAX information security framework. TISAX results for INCHRON are available at the ENX portal.