COMPLIANCE & SOVEREIGNTY
Security & data protection at efficy group
Security and data protection are fundamental to how efficy group designs, builds and operates software solutions across its portfolio of companies. This Security Hub provides an overview of our approach to protecting systems, data and personal information at group level.
Our security & data protection approach
Our approach to security and data protection is built into our products, processes and operations by design. As an international software group, we are committed to ensuring the confidentiality, integrity and availability of data across all group companies.
We continuously review and improve our practices to align with regulatory requirements, industry standards and evolving security and privacy expectations.

Key focus areas
Information security
Protecting systems, infrastructure and data against unauthorized access and security threats across the group.
Data protection & privacy
Ensuring personal data is processed lawfully, transparently and securely, in line with data protection laws.
Compliance & risk management
Identifying and managing security and privacy risks while aligning with regulatory and industry standards.
Business continuity
Ensuring service reliability, resilience and continuity to support customers and partners over time globally.

Our ISPMS & certifications
A structured security and data protection framework at group level
Our Information Security & Privacy Management System (ISPMS) provides a structured framework for managing information security risks across efficy group. We align with internationally recognized standards and regularly undergo audits and assessments to ensure compliance and continuous improvement. Our ISPMS is the foundation of how security and data protection are managed across efficy group.
PRIVACY & DATA PROTECTION (GDPR)
efficy group is committed to protecting personal data in compliance with the EU General Data Protection Regulation (GDPR). In our role as a data processor, we ensure that personal data is processed lawfully, transparently and securely, while our customers remain the data controllers of their information.
DATA PROTECTION IN PRACTICE
Our data protection practices include measures such as data encryption, access controls, defined data retention periods, secure data deletion processes, audit trails and careful management of third-party vendors involved in data processing.
Our ISPMS framework
Below is a high-level overview of the main pillars that structure efficy group’s Information Security & Privacy Management System (ISPMS).
Security for our products
Security is embedded into the design and development of our products to protect data, systems and customer information throughout the product lifecycle.
Business continuity
We implement measures to ensure the availability and resilience of systems and services, minimizing disruption to business operations.
Risk management
We continuously identify, assess and manage information security risks to reduce potential impacts on our systems, customers and operations.
Vendor & third-party management
We assess and monitor third-party vendors to ensure they meet our information security and data protection requirements.
Asset management
We maintain an up-to-date inventory of information assets and ensure they are appropriately classified, protected and managed across the group.
Awareness & training
We promote security awareness through regular training and communication, ensuring employees understand their responsibilities.
Access control
Access to systems and data is restricted to authorized users only, based on defined roles, responsibilities and security requirements.
Monitoring & continuous improvement
We monitor security controls and regularly review our practices to continuously improve our information security posture.
Incident management
We have defined processes to detect, respond to and manage security incidents in a structured and timely manner.
To learn more about these practices, visit our trust center.
Governance & responsibility
Security and data protection across efficy group are supported by clear governance structures and defined responsibilities at group level.
We ensure consistent oversight, accountability and alignment across all group companies, while continuously reviewing and improving our practices to meet regulatory requirements, industry standards and stakeholder expectations.

Contact the Data Protection Officer (DPO)
If you have questions related to personal data processing, data protection rights, or need to raise a concern related to data privacy within efficy group, you can contact our Data Protection Officer. Our DPO acts as an independent point of contact to ensure transparency, compliance and the protection of personal data across the group.
Privacy & data protection FAQs
Is efficy GDPR compliant?
Yes. Efficy group complies with the EU General Data Protection Regulation (GDPR) and implements appropriate technical and organizational measures to protect personal data.
What is efficy’s role under GDPR?
Efficy generally acts as a data processor, processing personal data on behalf of its customers, who remain the data controllers.
Where is personal data stored?
Personal data processed by efficy is stored in secure environments, primarily within the European Union, in accordance with applicable data protection regulations.
Does efficy work with third-party processors?
Yes. Efficy may engage carefully selected third-party processors who are subject to contractual obligations and data protection requirements.
How does efficy handle data breaches?
Efficy has established procedures to detect, assess and manage data security incidents in line with regulatory requirements and contractual obligations.
How can data subjects exercise their rights?
Data subjects can exercise their rights, such as access, rectification or deletion, by contacting the relevant data controller or, where applicable, efficy’s Data Protection Officer.
Does efficy have a Data Protection Officer (DPO)?
Yes. Efficy group has appointed a Data Protection Officer to oversee data protection matters and act as an independent point of contact.
Report a vulnerability
We encourage external researchers, partners, and the public to report security vulnerabilities to the efficy security team via security@efficy.com.
For more information about the process, please refer to our Responsible Disclosure Policy.
Researchers who contribute through this process can also be publicly acknowledged on our Hall of Fame.




