
Data and IT security documentation.

Updated over 4 months ago

1. Introduction

This document outlines the IT and data security information and controls related to data processing and the Zoios platform. The document was prepared for Zoios clients and future clients with the intention of clarifying information and data processing related to using the Zoios platform. This document lists the current sub-processors and controls. Going forward, all controls, sub-processors, policies and procedures must be approved by management, reviewed and updated to remain compliant with applicable law and current industry practices.


2. Description of processing

Zoios ApS was established in February 2021 and currently employs 11 people all based in Denmark.

Zoios’ clients use the Zoios platform to gain insights into employee wellbeing, stress and satisfaction in order to improve employees’ everyday lives. The Zoios platform helps clients collect, store, structure, anonymize, unify, analyze and display employee data. Additionally, the platform offers operational workflows for running 1-on-1 conversations.

Zoios has a diverse customer base consisting mostly of NGOs, information, technology and professional services companies. Zoios clients are data controllers, and Zoios is the data processor. Zoios processes personal data on behalf of its clients for the purpose of sending personalized emails and text messages to the clients' employees.

2.1 Application/platform/service description

The Zoios platform is created, developed, and operated by the company itself. The day-to-day operations and software development follow commonly established software and product development patterns, industry best practices and internal codes of conduct, ensuring a secure SaaS platform.

Zoios’s security policies and processes are based on the relevant SOC2 controls and the requirements deriving from the Data processor agreements (DPAs) between Zoios ApS and the clients.

The Zoios platform is a Software-as-a-Service (SaaS) solution hosted in data centres operated by Zoios’s hosting providers.

2.2 Sub-processors

Sub-processors are already covered elsewhere in the document, but embedded below:

2.4 Personal data

Zoios has designed the core data model to be used by the client. It requires an email address or phone number for each user so that the surveys the platform depends on can be sent. Apart from the employee’s e-mail, the client decides which data they wish to provide in the platform. The client is expected to obtain the necessary clearance before sharing this data on the Zoios platform.

The type of personal data being processed is primarily general personal data, including identification data such as email address, first name, last name, year of birth, job start date and language. Other data can be personality profile, salary range, department, team, gender, civil status, etc.

2.5 Risk assessment

Zoios performed a risk assessment focusing on business impact and continuity, as well as privacy impact. The risk assessment is based on the information assets and processes that pose a potential risk to the business and/or the privacy of the data subjects, i.e., the recipients’ personal data, including the risk of a potential data breach and unauthorized access to personal data.

Zoios has performed the risk assessment by assessing each of the assets for adversarial or accidental threats. Each risk is recorded in the “Asset and Risk Register” and assessed by a risk scoring system based on likelihood, business impact and privacy impact. The risks are reassessed for residual risk upon risk treatment, e.g., controls, mitigation, transfer, etc. The final classification results in a severity score that must be acceptable.

2.6 Control measures

At Zoios we document and enforce all policies and procedures that regulate the use of information in the normal course of our business, including the processing, receipt, transmission, storage, distribution, access, and deletion of such information.

All policies and procedures are to be approved by management and reviewed periodically and updated to remain compliant with applicable law and current industry practices.

  • Data processing agreements and instructions

  • Technical security measures

    • Encryption and data protection.

    • User access management.

    • Anonymisation of data after use.

    • Database access for Zoios employees.

    • Vulnerability monitoring.

  • Organizational measures

    • Confidentiality and non-disclosure agreements.

    • Employee onboarding and offboarding.

    • Employee Access reviews

2.6.1 Data processing agreements and instructions

Control objective:

Procedures and controls are complied with to ensure that instructions for the processing of personal data are complied with consistently in relation to the data processing agreement entered into.

Zoios has data processing agreements (DPA) in place with all our clients. Zoios has a standard DPA that is compliant with Danish and EU Guidelines, and updated from time to time. In case the specific DPA with a client deviates from the Zoios standard, we make sure to specify the deviations so that we can be sure to comply with the agreement.

Zoios also has data processing agreements with sub-processors. Zoios does not enter into any agreement which conflicts with Danish law and/or EU regulations.

2.6.2 Technical security measures

Control objective

Procedures and controls are complied with to ensure that the data processor has implemented technical measures to safeguard relevant security of processing.

Encryption at rest

Our data is fully encrypted at rest using AES-256 or stronger, with symmetric keys. These data keys are themselves encrypted using a key stored in a secure keystore, and that key is rotated regularly.

This is all managed by Google as part of the GCP infrastructure.

Encryption in transit

Google encrypts and authenticates all data in transit at one or more network layers when data moves outside physical boundaries not controlled by Google or on behalf of Google. Data in transit inside a physical boundary controlled by or on behalf of Google is generally authenticated but might not be encrypted by default.

We connect using a public IP address and SSL/TLS certificates for increased security. When our applications communicate with the database, the data is always encrypted in transit.

Access management

Access levels in the Zoios platform (logical controls).

There are 5 basic access levels in the Zoios platform. These are:

  • Superadmin

  • Admin

  • Full access

  • Managers

  • Employees

The concept behind the levels is that they are cumulative: a given user can hold multiple access levels, and their privileges are the sum of the levels they hold.

Access level and description:

Superadmin

i) Reserved exclusively for Zoios consultants and admins.

ii) Need-to-know basis - access to companies as needed then removed.

iii) Consultants only have access to companies they are responsible for.

Admin

i) Company-specific access.

ii) Has access to their own employees' data only.

iii) Access to the admin panel and settings.

iv) Therefore admins have access to considerable personally identifiable information (PII) such as job start date, year of birth, gender, name, manager and email, and in some cases even salary and promotions.

Full access

i) Has access to all of the company’s results.

ii) No access to employee data or settings.

Manager

i) Only access to the company's data for limited segments.

ii) Access to tools such as Journal.

Employee

i) By default an employee only has access to respond to surveys. All employees in the platform receive this base access by default.

ii) Customers can choose to give access to limited datasets, such as the personality profiles of an employee’s team, if that is in accordance with the customer’s data protection requirements.
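The cumulative model above (a user holds one or more levels, privileges are the union, and every level is scoped to a company) is small enough to express directly in code. The following is an added example, not Zoios’ code: the five level names and the scoping rules (admins see only their own company, superadmins only the companies assigned to them, employees by default only respond to surveys) come from the text, while the permission strings, the `User` record, the `is_allowed` helper and the sample users are assumptions constructed for illustration.

```python
"""Cumulative access levels with company scoping.

Added example, not Zoios code. The five level names and the scoping
rules come from the document; the permission strings, the User record
and the sample users are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical permission vocabulary, one set per level (assumption).
LEVEL_PERMISSIONS = {
    "employee": {"survey:respond"},
    "manager": {"results:read_segment", "journal:use"},
    "full_access": {"results:read_all"},
    "admin": {"employees:read_pii", "settings:manage", "admin_panel:use"},
    "superadmin": {"company:administer"},
}


@dataclass(frozen=True)
class User:
    email: str
    company: str                     # company the user belongs to
    levels: frozenset                # levels held; privileges accumulate
    assigned_companies: frozenset = frozenset()   # superadmin scope only


def effective_permissions(user):
    """Union of the permissions of every level the user holds.
    An unknown level is an error rather than silently ignored."""
    perms = set()
    for level in user.levels:
        if level not in LEVEL_PERMISSIONS:
            raise ValueError(f"unknown access level: {level}")
        perms |= LEVEL_PERMISSIONS[level]
    return frozenset(perms)


def in_scope(user, company):
    """Superadmins reach only the companies assigned to them (need-to-know);
    everyone else reaches only their own company."""
    if "superadmin" in user.levels:
        return company in user.assigned_companies
    return company == user.company


def is_allowed(user, permission, company):
    """Default deny: both the company scope and the permission must match."""
    return in_scope(user, company) and permission in effective_permissions(user)


# Constructed sample users (not real accounts).
ADMIN = User("hr@acme.example", "acme", frozenset({"employee", "admin"}))
FULL = User("ceo@acme.example", "acme", frozenset({"employee", "full_access"}))
MANAGER = User("lead@acme.example", "acme", frozenset({"employee", "manager"}))
CONSULTANT = User("consultant@zoios.example", "zoios", frozenset({"superadmin"}),
                  assigned_companies=frozenset({"acme"}))


if __name__ == "__main__":
    for user in (ADMIN, FULL, MANAGER, CONSULTANT):
        print(user.email, sorted(effective_permissions(user)))
    print(is_allowed(ADMIN, "employees:read_pii", "acme"))    # True
    print(is_allowed(ADMIN, "employees:read_pii", "globex"))  # False
    print(is_allowed(FULL, "employees:read_pii", "acme"))     # False
```

The check is deliberately two-part: holding the right level is not enough, the request must also fall inside the user’s company scope, which is what keeps an admin at one client from reading another client’s employee data and keeps a consultant’s superadmin rights limited to the companies they are responsible for.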

Direct database access and control

Direct access to our database is a tightly controlled process and only available to a very limited number of employees. The access is only deemed acceptable if there is a relevant business justification for such.

Changes to the database setup and database schema are all tracked in our change management system (Linear) as well as in our version control system (GitHub).

All users with direct access to the database are required to connect through a Google reverse proxy with Identity-Aware Proxy (IAP) permissions configured in Google Cloud, which gives improved logging and per-access permission controls. No user at Zoios has superadmin access at the database level, which is also the default for Google Cloud SQL databases.

Additionally no user has a password for direct access to the database to prevent bypassing the reverse proxy.

All data tests, development tests, data analysis, etc. are done on our test instances in order to limit, as much as possible, the use of production data and the associated risk.

At the time of the writing of this document, only limited members of the Tech team have access to the database instances.

All accesses are reviewed quarterly.

Anonymisation of data after use

Once data is no longer in use, it is anonymised through an automated process.

Data is considered no longer in use in two circumstances:

  • 3 months after a user has been marked as ‘Stopped’ in the platform.

  • 3 months after a company has officially stopped using Zoios.

The anonymisation process goes through all the data that can be used to, directly or indirectly, identify a user or company and changes it into generic anonymous data. Some examples of what is anonymised are (non-exhaustive):

  • First names

  • Last names

  • Emails

  • Department names

  • Company names

  • Phone numbers
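The two triggers and the field list above describe a batch job. The code below is an added example, not Zoios’ anonymisation process: the triggers (3 months after a user is marked ‘Stopped’, 3 months after a company stops using Zoios) and the fields come from the text, while the record layout, the reading of “3 months” as 90 days, the replacement values, the `GenericNames` helper and the sample records are assumptions constructed for illustration. The example also goes slightly beyond the text by keeping department and company groupings intact under generic names, so anonymised records can still be aggregated.

```python
"""Anonymisation of data after use.

Added example, not Zoios code. The two triggers (user marked 'Stopped',
company stopped using the platform) and the list of fields come from the
document; the record layout, the 90-day reading of "3 months", the
replacement values and the sample records are assumptions constructed
for illustration.
"""
from datetime import date, timedelta

RETENTION = timedelta(days=90)   # assumption: "3 months" modelled as 90 days


class GenericNames:
    """Replaces each distinct department or company name with
    'Department N' / 'Company N' within one run, so groupings survive
    but the real names do not. The table lives only in memory for the
    run and is discarded afterwards, so it cannot be used to reverse
    the change."""

    def __init__(self):
        self._tables = {"department": {}, "company": {}}

    def generic(self, field, value):
        table = self._tables[field]
        if value not in table:
            table[value] = f"{field.capitalize()} {len(table) + 1}"
        return table[value]


def is_out_of_use(record, today):
    """A record is out of use three months after the user was marked
    'Stopped', or three months after the company stopped using Zoios."""
    for key in ("stopped_at", "company_stopped_at"):
        when = record.get(key)
        if when is not None and today - when >= RETENTION:
            return True
    return False


def anonymise(record, names):
    """Overwrite the identifying fields with generic values derived from
    the record id, never from the original value. Non-identifying fields
    such as survey scores are kept so aggregate statistics still work."""
    out = dict(record)
    n = record["id"]
    out["first_name"] = "Anonymous"
    out["last_name"] = f"User {n}"
    out["email"] = f"user{n}@anonymised.invalid"   # .invalid is reserved, never routable
    out["phone"] = None
    out["department"] = names.generic("department", record["department"])
    out["company"] = names.generic("company", record["company"])
    return out


def run_anonymisation(records, today):
    """Anonymise every out-of-use record and leave the rest untouched."""
    names = GenericNames()
    return [anonymise(r, names) if is_out_of_use(r, today) else r
            for r in records]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "Anna", "last_name": "Jensen",
     "email": "anna@acme.example", "phone": "+4500000001",
     "department": "Finance", "company": "Acme",
     "stopped_at": date(2024, 1, 15), "company_stopped_at": None,
     "wellbeing_score": 7.5},
    {"id": 2, "first_name": "Bo", "last_name": "Nielsen",
     "email": "bo@globex.example", "phone": "+4500000002",
     "department": "Sales", "company": "Globex",
     "stopped_at": date(2024, 4, 1), "company_stopped_at": None,
     "wellbeing_score": 6.0},
    {"id": 3, "first_name": "Clara", "last_name": "Hansen",
     "email": "clara@acme.example", "phone": "+4500000003",
     "department": "Sales", "company": "Acme",
     "stopped_at": None, "company_stopped_at": date(2024, 2, 1),
     "wellbeing_score": 8.0},
]
TODAY = date(2024, 6, 1)   # constructed "today" for the demo

if __name__ == "__main__":
    for r in run_anonymisation(SAMPLE_RECORDS, TODAY):
        print(r["id"], r["first_name"], r["last_name"], r["email"],
              r["department"], r["company"], r["wellbeing_score"])
```

Run as a script, records 1 and 3 are anonymised (one via the user trigger, one via the company trigger) and record 2 is left alone because only 61 days have passed. The replacement values come from the record id rather than a hash of the original, so there is no key or salt whose leakage would allow the original names to be recovered.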

Vulnerability Monitoring

At Zoios we continuously gather and analyze information regarding new and existing threats and vulnerabilities, actual attacks on the institution or others, and the effectiveness of the existing security controls.

Monitoring controls include related policy and procedure, event state monitoring, monitoring of the health state of the cloud providers in use as well as continuous update and patching of our systems.

The related logging process provides an effective control for highlighting and investigating security events as well as for identifying patterns.

We also perform automatic vulnerability scans on all of the code deployed in our platform as well as on the assets stored in our cloud asset storage services.

We keep our whole infrastructure up-to-date continuously.

Servers are updated on a regular basis based on the LTS versions of the frameworks we use.

Personal use devices such as laptops are kept on an automatic update schedule.

Spot checks on servers and personal use devices are performed by the tech team on a regular basis.

Any deviation found as part of our monitoring is logged and promptly prioritized in our change management system (Linear). The priority determines the urgency and therefore the timeline for remediation.

2.6.3 Organizational measures

Control objective

Procedures and controls are complied with to ensure that the data processor has implemented organizational measures to safeguard relevant security of processing.

Employee Access reviews

All access held by Zoios employees in the systems used for our work undergoes a quarterly access review. The access review is aimed at having every access assessed under the following guidelines:

  • Is the access still needed for the execution of the work?

  • Is this the lowest possible access to allow for the work to be executed efficiently?

Confidentiality and Non-disclosure agreements

Upon appointment, employees sign a confidentiality agreement and non-disclosure agreement (NDA).

Onboarding

Upon onboarding a new employee a work laptop is issued. That is either a Macbook or a Windows laptop.

The person will then get initial access to our productivity suite of apps (Google Workspace). All accounts at Zoios are required to use two-factor authentication, and that includes email and calendar access.

From this point forward, the new employee will then receive access to the remaining systems that are required for work as well as the necessary training for such.

An IT security introduction is also performed as part of the onboarding programme.

Offboarding

On the last day of work, the employee hands over all the hardware that was received. Usually only the work laptop.

Every laptop is then reset and all information is promptly deleted before the offboarding is completed.

On the same day, all the accounts associated with the former employee must be disabled or deleted as applicable.

For people working in the sales and consulting departments it is acceptable that the email account remains operational for a period of time to allow email forwarding and customer communication to be maintained. It is required, though, that the former employee’s access be removed immediately upon leaving.


3. Auditing

At Zoios we will get an annual SOC-2 audit starting 2024. This is a process where a professional partner will audit, review and evaluate our processes and protocols over the course of three months to audit our proficiency in the area.
