Security policy

The security of devices, data and transmissions is our highest priority. Therefore, our Security Policy takes into account the specific nature of our services, and the specific security policies of our customers' IT systems.
Below is the basic security policy document on which our services are based.


SECURITY POLICY DATAHOUSE.PL/ETOP SP. Z O.O.

1. Security Policy Objectives.
1.1 The primary purpose of this document is to outline the basic operating principles for the security of own and entrusted IT resources.
1.2 The primary objectives are considered to be:
1.2.1 -Protection against data loss.
1.2.2 -Maintaining continuity of services.
1.2.3 -Preventing unauthorised access to IT resources.
1.2.4 -Maintaining proper procedures in relations with other operators and public authorities.

2. Physical and technical security of resources.

2.1 Principles of physical access to infrastructure.
2.1.1 Physical access to the premises and facilities of the data centre shall only be granted to authorised employees with the appropriate authorisations and skills.
2.1.2 Physical access to the premises and facilities of the data centre by third party customers is only possible when assisted by the persons described in 2.1.1.
2.1.3 Physical access to the premises and facilities of the data centre by subcontractors and other persons performing work for the company is possible only on the basis of a contract or authorisation recalling and sanctioning the principles described in this document.
2.1.4 Access to the facilities and premises of the client in question by persons not authorised by the client's representatives is prohibited. Authorisation must be given in written or permanent electronic form. Authorised company employees have access on a general basis.
2.1.5 Physical access to data centre premises and equipment must be recorded in a log in writing. Access to premises and equipment by employees or persons with electronic access cards must be recorded in the electronic logbook.
2.1.6 Detailed rules for physical access are set out in an internal procedure established by the Board.

2.2 Use of technical solutions.
2.2.1. The power supply for the equipment located in the data centre is based on a three-stage redundant power supply system. The power supply system includes a redundant uninterruptible power supply (UPS), a generator system, and multiple external power sources.
2.2.2. The power supply for equipment located in the data centre shall be internally redundant, unless otherwise specified in the specific agreement.
2.2.3. Critical equipment for operational continuity shall have a redundant power supply based on separated power lines.
2.2.4. The data centre premises shall be protected by a fire detection system.
2.2.5. Data centre rooms containing active equipment and equipment critical for the continuity of services are protected by an automatic fire extinguishing system.
2.2.6. The data centre premises and communication ducts are monitored by a video surveillance system with recording.
2.2.7. The data centre premises are protected by an alarm system with a record of events.
2.2.8. Access to the data centre premises is controlled by an access system with event recording.
2.2.9. The primary network equipment works in a redundant cluster or "mesh" system.
2.2.10. The most important network connections for the stability of service provision have internal redundancy (protection).
2.2.11. In the event that a given component of the system is found to be utilised in excess of 80%, an upgrade should be undertaken as soon as possible.
2.2.12. The data centre premises are protected 24 hours a day by on-site security agents and intervention crews in the event of an alarm originating from the IT systems.
2.2.13. The external network connections of the data centre are redundantly routed through separate geographical routes.
2.2.14. The building structure of the co-location premises takes into account the need for protection against the effects of possible risks from fire, burglary and flooding, through the use of appropriate materials and specialised technical solutions.

3. Logical security.

3.1 Logical access to the data centre's own equipment is only possible by authorised persons with the appropriate rights and skills.
3.2 Logical access to data located on equipment owned or leased to third parties is only possible under the terms of a contract or order, after the entity that owns or leases the equipment has provided access data in written or electronic form.
3.3 Logical access to IT systems located in the data centre is based on a system of passwords and access lists.
3.4 Access to the configuration and management of systems critical to the continuity of service provision and of logging and monitoring systems is only possible for staff authorised by management. Such systems are considered to be the main power supply, physical access monitoring and logging surveillance systems.
3.5 All data obtained in connection with access to own and customer-owned data are confidential and may not be transferred to third parties under any title whatsoever, unless such transfer is to take place under other legal or contractual provisions.
3.6 If the customer loses access to the data, such access may only be restored on the basis of an order signed by the customer's legally authorised representative or a person authorised by him. Such an order must be in writing or in permanent electronic form.
3.7 The transfer of any access to logical resources to any third party authorised to receive such access must be made in writing or in a durable electronic form on the understanding that the person will immediately change the key, or password, to something other than the one transferred.
3.8 The network connection logic of the data centre shall take account of its redundant nature, through the use of redundant switching systems and dynamic routing protocols.
3.9 Once a particular service has been terminated or a particular proprietary device has been permanently taken out of use, the data contained on the media or configuration data of the excluded device are permanently deleted.
3.10 Details of the handling of logical access issues of the data centre are described in the internal procedures for logical access and handling of start-up and termination of services.
3.11 The configuration of shared resources prevents mutual access to the data on them by different entities.
3.12 Access to the configuration or monitoring of a shared resource is only possible for authorised company employees.
3.13 Monitoring data relating to a customer may only be provided to a person authorised by the customer and only to the extent that it relates exclusively to the customer's service.
3.14 Global monitoring data may only be made available to the public if making it public cannot affect the confidentiality of the monitoring data of the service or customer concerned.
3.15 Network traffic monitoring systems shall be equipped with mechanisms to block malicious external attacks and systems to mitigate interference with internal network systems.
3.16 It is forbidden to provide third parties with access to monitoring equipment shared by several entities. Access to such systems or their configurations is only possible for equipment wholly used by, or owned by, one customer.
3.17 The management network is separate from the production network and limited to the data centre.
3.18 Key data is protected by cyclical backup. The number of copies and how they are stored are defined by internal procedures.
3.19 Customer data is subject to security copy systems on a contractual basis.

4. Principles of event handling in IT systems.

4.1 The basic priorities of the event handling procedures are, in order of importance:
4.1.1 -Securing data against loss
4.1.2 -Protecting data from unauthorised access
4.1.3 -Maintaining or restoring the system or service in question
4.1.4 -Informing those involved (customers or other persons affected by the incident)
4.1.5 -Analysing the causes of the incident and eliminating them or reducing the likelihood of their occurrence in the future

4.2 Types of events.
4.2.1 Unplanned events have priority over planned events.
4.2.2 Critical events, i.e. those that prevent the proper operation of the service, are given priority over all other event types.
4.2.3 Planned events shall be handled in consultation with those who may be adversely affected and at times that are least annoying to them.
4.3 Other event handling rules.
4.3.1 Critical events globally affecting the operation of the data centre system shall be immediately communicated to the data centre management.
4.3.2 If the possibility of a critical incident is identified, the data centre management is obliged to take immediate action to protect data against loss, including cutting off access to the threatened device or system.
4.3.3 Until such time as a supervisor or the management of the data centre designates a person in charge, the employee who first became aware of the incident shall be responsible for handling the incident.
4.3.4. The details of how the event is handled are set out in internal procedures and in the contract with individual clients.

5. Principles of cooperation with other operators and State authorities.

5.1 Rules for cooperation with other operators.
5.1.1 The data centre has an open traffic exchange policy with external operators.
5.1.2 If the integrity of connections is found or used in a way that may compromise network security, such connections are blocked until clarification.
5.2 Rules for cooperation with state authorities.
5.2.1 In its relations with State authorities, the data centre, as a legal entity and telecommunications operator, provides data on the basis of legal grounds arising from relevant laws and regulations or court or prosecutor's orders.
5.2.2 The data centre excludes the transfer of confidential data or access to data on any other basis than 5.2.1.

6. Other

6.1 Any other specific rules are defined in internal procedures. Due to their level of confidentiality, they may be shown to third parties.
6.2 Any disclosure of the content of internal procedures to third parties shall be authorised by the Board of Directors.
6.3 All procedures concerning security issues are in accordance with the ISO 27001 standard.