The ActivityInfo team achieves ISO 27001 certification

Our team has always considered the security of the information gathered and stored in ActivityInfo as a core element of our mission. We have always developed our processes and the platform with information security in our minds. This year, with our team expanding, we formalized this approach by undergoing an external audit and achieving the ISO 27001 certification.

The ISO 27001 Information Security Management System (ISMS) certificate serves as a testament to the confidentiality, integrity, and availability of the data entrusted to the ActivityInfo platform by more than 20,000 users in humanitarian relief and development assistance. It is a formal assurance that our ISMS is aligned with international information security best practices and certifies that we have the right processes and procedures in place to provide a secure environment for our service.

Data security in ActivityInfo

We have plenty of processes, policies and activities in place to ensure that our system and our team meet a list of criteria for managing risks related to data. Take a look at the list below for some of the main elements of our Information Security strategy. For an in-depth view and documentation of what processes we have in place, you can take a look at our ISO 27001 & Information Security portal.

The following are just a few of the 114 controls mandated by the standard that we have implemented at ActivityInfo:

Security by design

A significant source of risk to data entrusted to our platform lies on the customer side. Such risks range from user error, to insider attacks, to insecure customer networks and devices. We have designed the ActivityInfo software with functionality intended to help customers reduce these risks by providing them with tools to keep their data confidential. Single Sign-On (SSO), highly granular permissions and a comprehensive Audit log are some of the main features that allow organizations to control user access and data security.

Physical Security and Backups

We consider any level of data loss to be unacceptable and have designed our platform accordingly. When using the ActivityInfo SaaS version, your data is stored on servers in multiple, redundant data centers in the EU, including Frankfurt, Belgium, and the Netherlands. By keeping multiple copies of the data in these locations, we make sure we have enough backups in case of a natural disaster or the failure of a single data center.

All customer data is stored in Google’s world-class data centers in Europe, which are protected with several layers of security to prevent any unauthorized access to customer data. Google uses secure perimeter defense systems, comprehensive camera coverage, biometric authentication, and a 24/7 guard staff.

The Google Cloud Platform also meets the ISO 27001:2005 standard.

Encryption

All customer data managed with our platform is encrypted both in transit and at rest. All traffic between our users and the platform is encrypted using TLS 1.2 or above.

Data management policy

We preserve the integrity, accessibility, and confidentiality of the data by putting this policy in place to classify and safeguard our customer data. To make sure that information is protected to the proper extent, we categorize data and information systems in accordance with legal requirements, sensitivity, and business criticality.

Disaster response plan

We have in place a Business Continuity and Disaster Recovery Plan to ensure that the company is prepared in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame.

ActivityInfo team security

We also put in place measures within our team to reduce the risks associated with our work as software managers, developers, and administrators:

  • Social engineering training: We hold regular training sessions in which our team practices recognizing and reporting social engineering attacks via email and other channels.
  • Anti-Virus and Anti-Malware protection: All staff members' devices are required to have adequate Anti-Virus and Anti-Malware protection. Incoming and outgoing email is automatically scanned for viruses.
  • Security Awareness and Training Policy: We provide security awareness training to all staff members no less than once a quarter, where we cover social engineering awareness and review relevant policies. All new employees receive this training immediately.
  • Background checks for new hires: We conduct employee screening during the hiring process.

Next steps

As our company grows, we formalize the achievement of another milestone in our ongoing commitment to information security with the ISO 27001 certification. This certification acts as additional assurance that with the data protection measures in place, we continuously safeguard data, evaluate potential information security threats, and mitigate them. Moving forward we will continue to review, refine and promote robust information security procedures within our organization.