Information Security Policy (ISP)

Public Version – Scalyz

Last Updated: 06 March 2026

1. Purpose

This Information Security Policy (ISP) defines Scalyz’s principles and commitments regarding the protection of:

  • Confidentiality
  • Integrity
  • Availability
  • Traceability of information

It applies to all systems, infrastructures, employees, and partners involved in the operation of the Scalyz platform.

2. Security Governance

Scalyz has implemented an internal security governance framework including:

  • A designated Security Lead
  • An internal Security Committee composed of executive leadership, the Security Lead, the production lead, and the development lead
  • Quarterly security reviews
  • A documented risk assessment and risk management process

Security-related decisions are validated by the Security Committee following technical review.

3. Access Management

Scalyz applies the principle of least privilege.

  • Centralized identity management
  • Mandatory Multi-Factor Authentication (MFA)
  • Quarterly access rights review
  • Formal onboarding and offboarding procedures
  • Immediate removal of access upon employee departure

Access to production environments is strictly limited to authorized personnel.

4. Asset Management & Data Classification

A technical asset inventory is maintained.

Data processed by Scalyz is classified as Confidential by default, unless otherwise explicitly authorized by executive management.

Environment separation is enforced between:

  • Development
  • Pre-production
  • Production

5. Application Security & DevSecOps

Scalyz adopts an integrated DevSecOps approach:

  • Automated vulnerability analysis within the development pipeline
  • Peer code review
  • Testing in an isolated pre-production environment
  • Controlled production releases

Critical vulnerabilities are addressed immediately.
Minor vulnerabilities are corrected within a maximum period of two weeks.

6. Vulnerability & Patch Management

Scalyz applies a patch management policy based on severity:

  • Critical: immediate remediation (hotfix)
  • High/Important: remediation in the next release cycle
  • Minor: planned correction

Dependencies are regularly updated within structured release cycles.

7. Incident Management

Scalyz maintains an internal incident register.

A classification model is applied:

  • Critical
  • Important
  • Minor

Each incident is subject to:

  • Prioritized handling
  • Post-incident analysis
  • Continuous improvement tracking

Major incidents are communicated to affected clients in accordance with applicable regulatory obligations.

8. Business Continuity & Resilience

Scalyz maintains an internal Business Continuity procedure enabling:

  • Full infrastructure redeployment
  • Cross-region recovery capability

Recovery objectives:

  • RTO (Recovery Time Objective): 24 hours
  • RPO (Recovery Point Objective): 24 hours

Backups are:

  • Encrypted
  • Stored separately
  • Immutable
  • Periodically tested

An annual disaster recovery exercise is conducted.

9. Third-Party & Supplier Management

Scalyz selects its service providers based on:

  • Reliability
  • Compliance posture
  • Reputation
  • Security standards

Where required, contractual commitments are established, including Data Processing Agreements (DPAs).

10. Awareness & Accountability

All employees:

  • Are bound by confidentiality clauses
  • Sign non-disclosure agreements (NDAs)
  • Receive annual security awareness training

Any intentional violation of security policies may result in disciplinary measures in accordance with internal regulations and applicable law.

11. Continuous Improvement

Scalyz is committed to continuous security improvement through:

  • Quarterly risk reviews
  • Vulnerability monitoring
  • Documented security improvement plans
  • Regular internal assessments

ISO 27001 certification is targeted by 2026.

Commitment

Scalyz is committed to maintaining an appropriate level of security aligned with operational risks and regulatory requirements in order to protect client and user data.