Security & Privacy at Infolegale.
Our Commitments 🤝
At Infolegale, we place information security and data protection at the heart of our services, governance, and operations.
Infolegale follows a continuous and iterative approach for managing information security and personal data protection in order to foster relationships based on trust and secure interactions with its clients, partners, employees, suppliers, visitors, and others.
Our approach is based on a structured management system, certified to ISO/IEC 27001 and ISO/IEC 27701, to ensure a high level of security, confidentiality, and compliance.
Certifications / Labels ✔️
Aligned with international standards
ISO/IEC 27001
Infolegale is ISO/IEC 27001 certified for its information security management system (ISMS).
This certification reflects our commitment to upholding high standards of governance, risk management, and operational security.
ISO/IEC 27701
Infolegale is ISO/IEC 27701-certified for its Privacy Information Management System (PIMS).
This initiative builds on our security management system and our commitment to the protection of personal data.
A Comprehensive Approach to Data Security and Protection
Confidentiality
We implement organizational and technical measures designed to protect data from unauthorized access.
Integrity
We are committed to ensuring the reliability, consistency, and protection of data throughout its entire lifecycle.
Availability
Our monitoring, backup, and business continuity systems help ensure the availability of our critical services.
Compliance
Our governance is based on applicable regulatory requirements as well as the international standards ISO/IEC 27001 and ISO/IEC 27701.
Data Protection and Privacy 🛡️
Infolegale adheres to the principles of the GDPR by incorporating personal data protection requirements into its operations, projects, and services.
Our Data Protection Principles
Transparency
Personal data is processed in a lawful, fair, and transparent manner.
Minimization
We limit the data we collect to what is strictly necessary for the purposes for which it is collected.
Retention Limit
Data is retained for periods appropriate to legal obligations and operational requirements.
Confidentiality
Access to data is regulated and restricted to authorized individuals.
Privacy by Design and by Default
Data protection considerations are taken into account by default, starting from the design phase of projects and data processing operations and throughout their entire lifecycle.
The rights that individuals can exercise
Infolegale ensures that the rights of data subjects are respected:
- right of access,
- right to rectification,
- right to object,
- right to erasure,
- right to data portability, where applicable.
Contact the DPO/PIMS Manager
For any requests regarding your personal data: dpo@infolegale.fr.
Information Security
Our Information Security Management System (ISMS) is based on a continuous process of risk assessment, asset protection, and continuous improvement.
Security Governance
Our approach to security and data protection is led by senior management.
Roles and responsibilities are defined to manage the ISMS.
Security measures are subject to reviews, audits, and continuous improvement initiatives.
Risk Management
Security risks are identified, assessed, and monitored on a regular basis.
Control measures are defined based on the identified risk level.
Classification of Assets
Information, technical, and physical assets are inventoried.
Each asset has an identified owner.
Information is classified according to its level of sensitivity.
Protective measures are tailored to the criticality of the assets.
Access Management
Access is granted based on roles and business needs.
The principle of least privilege is applied.
Sensitive and privileged access is subject to specific oversight.
Access reviews are conducted to keep authorizations up to date.
Infrastructure Security
Technical environments are protected by physical, technological, and organizational measures.
The infrastructure is subject to regular monitoring and maintenance.
Application flows are secured using appropriate protocols.
Critical environments are hosted in specialized data centers.
Application Security & Secure Development
Data security and protection are built in from the very beginning of project design.
Security requirements are defined prior to the development or acquisition of solutions.
Security checks are performed before or during deployment, depending on the criticality of the assets.
Identified vulnerabilities are tracked and addressed through corrective actions.
Backup & Archiving
Data is backed up in a manner appropriate to its criticality.
Backups are protected against unauthorized access and accidental loss.
Retention periods are defined in accordance with legal, regulatory, and operational requirements.
Restoration capabilities are tested and monitored.
Business Continuity & Recovery
Business continuity and disaster recovery plans are established for critical services.
Crisis and recovery plans are tested and evaluated based on feedback.
Recovery priorities are defined based on business impacts and stakeholder needs.
Incident Management
Security incidents are managed through a documented process.
Corrective actions are implemented to minimize the risk of recurrence.
Significant incidents may result in internal, external, or regulatory communication, as appropriate.
Monitoring & Logging
Infrastructure and applications are subject to operational monitoring.
Logs help with the detection, analysis, and traceability of events.
Vulnerability and Patch Management
Security monitoring is conducted to identify relevant vulnerabilities and threats.
Security patches are applied based on their severity.
Scans, checks, or audits may be performed on the affected environments.
Action plans resulting from these checks are monitored.
Third-Party Management
Suppliers, service providers, and subcontractors are evaluated based on the associated risks.
Security and data protection requirements are incorporated into contractual relationships.
Sensitive third parties are subject to enhanced monitoring.
Third-party services are monitored throughout their entire lifecycle.
Security Awareness
Employees are made aware of security and data protection issues.
Best practices are communicated as part of internal policies.
Audit & Continuous Improvement
Annual penetration tests are conducted by companies authorized by ANSSI.
Assessments of our cyber risk exposure are conducted on an ongoing basis by specialized firms.
The results of these audits inform our security action plans.
Security & Privacy FAQ
The data is hosted in secure environments. The technical components managed by Infolegale are hosted in specialized data centers located in France (primary hosting provider: OVH; secondary hosting providers: Scaleway and AWS).
You may send any requests regarding your personal data to the following address: dpo@infolegale.fr.
You can contact our security team at the following email address: security@infolegale.fr.
Or send us a letter:
20 Boulevard Eugène Deruelle
69003 Lyon