AppCan Policies & Certifications

[av_one_full first min_height=\’\’ vertical_alignment=\’\’ space=\’\’ row_boxshadow=\’\’ row_boxshadow_color=\’\’ row_boxshadow_width=\’10\’ custom_margin=\’\’ margin=\’0px\’ mobile_breaking=\’\’ border=\’\’ border_color=\’\’ radius=\’0px\’ padding=\’0px\’ column_boxshadow=\’\’ column_boxshadow_color=\’\’ column_boxshadow_width=\’10\’ background=\’bg_color\’ background_color=\’\’ background_gradient_color1=\’\’ background_gradient_color2=\’\’ background_gradient_direction=\’vertical\’ src=\’\’ background_position=\’top left\’ background_repeat=\’no-repeat\’ highlight=\’\’ highlight_size=\’\’ animation=\’\’ link=\’\’ linktarget=\’\’ link_hover=\’\’ title_attr=\’\’ alt_attr=\’\’ mobile_display=\’\’ id=\’\’ custom_class=\’\’ aria_label=\’\’ av_uid=\’av-30acp9\’]
[av_textblock fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ textblock_styling_align=\’\’ textblock_styling=\’\’ textblock_styling_gap=\’\’ textblock_styling_mobile=\’\’ size=\’\’ av-desktop-font-size=\’\’ av-medium-font-size=\’\’ av-small-font-size=\’\’ av-mini-font-size=\’\’ font_color=\’\’ color=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ fold_timer=\’\’ z_index_fold=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-kdpy278m\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]

AppCan Policies & Certifications

[/av_textblock]
[/av_one_full]

[av_one_full first min_height=\’\’ vertical_alignment=\’av-align-top\’ space=\’\’ row_boxshadow=\’\’ row_boxshadow_width=\’10\’ row_boxshadow_color=\’\’ custom_margin=\’\’ margin=\’0px\’ av-desktop-margin=\’\’ av-medium-margin=\’\’ av-small-margin=\’\’ av-mini-margin=\’\’ mobile_breaking=\’\’ mobile_column_order=\’\’ border=\’\’ border_style=\’solid\’ border_color=\’\’ radius=\’\’ min_col_height=\’\’ padding=\’\’ av-desktop-padding=\’\’ av-medium-padding=\’\’ av-small-padding=\’\’ av-mini-padding=\’\’ svg_div_top=\’\’ svg_div_top_color=\’#333333\’ svg_div_top_width=\’100\’ svg_div_top_height=\’50\’ svg_div_top_max_height=\’none\’ svg_div_top_flip=\’\’ svg_div_top_invert=\’\’ svg_div_top_front=\’\’ svg_div_top_opacity=\’\’ svg_div_top_preview=\’\’ svg_div_bottom=\’\’ svg_div_bottom_color=\’#333333\’ svg_div_bottom_width=\’100\’ svg_div_bottom_height=\’50\’ svg_div_bottom_max_height=\’none\’ svg_div_bottom_flip=\’\’ svg_div_bottom_invert=\’\’ svg_div_bottom_front=\’\’ svg_div_bottom_opacity=\’\’ svg_div_bottom_preview=\’\’ fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ column_boxshadow=\’\’ column_boxshadow_width=\’10\’ column_boxshadow_color=\’\’ background=\’bg_color\’ background_color=\’\’ background_gradient_direction=\’vertical\’ background_gradient_color1=\’#000000\’ background_gradient_color2=\’#ffffff\’ background_gradient_color3=\’\’ src=\’\’ background_position=\’top left\’ background_repeat=\’no-repeat\’ highlight=\’\’ highlight_size=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ animation=\’\’ animation_duration=\’\’ animation_custom_bg_color=\’\’ animation_z_index_curtain=\’100\’ parallax_parallax=\’\’ parallax_parallax_speed=\’\’ 
av-desktop-parallax_parallax=\’\’ av-desktop-parallax_parallax_speed=\’\’ av-medium-parallax_parallax=\’\’ av-medium-parallax_parallax_speed=\’\’ av-small-parallax_parallax=\’\’ av-small-parallax_parallax_speed=\’\’ av-mini-parallax_parallax=\’\’ av-mini-parallax_parallax_speed=\’\’ fold_timer=\’\’ z_index_fold=\’\’ css_position=\’\’ css_position_location=\’\’ css_position_z_index=\’\’ av-desktop-css_position=\’\’ av-desktop-css_position_location=\’\’ av-desktop-css_position_z_index=\’\’ av-medium-css_position=\’\’ av-medium-css_position_location=\’\’ av-medium-css_position_z_index=\’\’ av-small-css_position=\’\’ av-small-css_position_location=\’\’ av-small-css_position_z_index=\’\’ av-mini-css_position=\’\’ av-mini-css_position_location=\’\’ av-mini-css_position_z_index=\’\’ link=\’\’ linktarget=\’\’ link_hover=\’\’ title_attr=\’\’ alt_attr=\’\’ mobile_display=\’\’ mobile_col_pos=\’0\’ id=\’\’ custom_class=\’\’ template_class=\’\’ aria_label=\’\’ element_template=\’\’ one_element_template=\’\’ show_locked_options_fakearg=\’\’ av_uid=\’av-2hwz8n\’ sc_version=\’1.0\’]
[av_textblock fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ textblock_styling_align=\’\’ textblock_styling=\’\’ textblock_styling_gap=\’\’ textblock_styling_mobile=\’\’ size=\’\’ av-desktop-font-size=\’\’ av-medium-font-size=\’\’ av-small-font-size=\’\’ av-mini-font-size=\’\’ font_color=\’\’ color=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ fold_timer=\’\’ z_index_fold=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-libsimgc\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]

AppCan Policy Documentation

[/av_textblock]

[av_toggle_container faq_markup=\’\’ initial=\’0\’ mode=\’accordion\’ sort=\’\’ styling=\’\’ colors=\’\’ font_color=\’\’ background_color=\’\’ border_color=\’\’ toggle_icon_color=\’\’ colors_current=\’\’ font_color_current=\’\’ toggle_icon_color_current=\’\’ background_current=\’\’ background_color_current=\’\’ background_gradient_current_direction=\’vertical\’ background_gradient_current_color1=\’#000000\’ background_gradient_current_color2=\’#ffffff\’ background_gradient_current_color3=\’\’ hover_colors=\’\’ hover_font_color=\’\’ hover_background_color=\’\’ hover_toggle_icon_color=\’\’ size-toggle=\’\’ av-desktop-font-size-toggle=\’\’ av-medium-font-size-toggle=\’\’ av-small-font-size-toggle=\’\’ av-mini-font-size-toggle=\’\’ size-content=\’\’ av-desktop-font-size-content=\’\’ av-medium-font-size-content=\’\’ av-small-font-size-content=\’\’ av-mini-font-size-content=\’\’ heading_tag=\’\’ heading_class=\’\’ alb_description=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrpmw17\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]
[av_toggle title=\’Business Continuity & Security\’ tags=\’\’ custom_id=\’Business-Continuity\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-hoou2f\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/business-continuity-security-policy/
[/av_toggle]
[av_toggle title=\’Privacy Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-fhkr7b\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/privacy-policy
[/av_toggle]
[av_toggle title=\’Cookie Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-57upz\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/cookie-policy/
[/av_toggle]
[av_toggle title=\’User Terms\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-cejevr\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/user-terms/
[/av_toggle]
[av_toggle title=\’Licence Agreement\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-bjdl2v\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/licence-agreement/
[/av_toggle]
[av_toggle title=\’Acceptable Use Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-9m65pz\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/acceptable-use-policy/
[/av_toggle]
[av_toggle title=\’Support Management (SLAs)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-88dw47\’ sc_version=\’1.0\’]

AppCan provides telephone and email support services during normal business hours, 09:00 to 17:00 Monday to Friday (excluding public holidays).

Support Process

AppCan will provide technical support for issues identified in the Mobile Application (AppCan Mobile), the Web portal (AppCan Cloud), the AppCan Data Warehouse and the APIs.

End Users of the AppCan Platform raise an identified issue with their relevant internal support service (the formalised user, technical and admin support functions).

The internal support service will assess the issue and determine the course of action for the AppCan Platform:

  • Training issue – resolve as required through internal processes.
  • Hardware issue – resolve as required through internal processes.
  • Connectivity issue – resolve as required through internal processes.
  • Application logon – reset and check the user's details on the portal to resolve activation.
  • Application functionality issue – confirm with the relevant business sponsor / project manager that the functionality is not performing as expected. Raise a formal support request with AppCan if the issue cannot be resolved.
  • Application data upload issue – internal support services should first rule out the network, the handset and the handset's data allowance as the cause. Raise a formal support request with AppCan if the issue cannot be resolved.

A formal technical support request is raised with AppCan by emailing our support desk. The following minimum information is required:

  • Date / time the issue was raised.
  • User details.
  • Details of the issue being experienced.
  • Details of remedial action already taken.
  • User contact details (if required).

Once a request has been received:

  • AppCan will respond to the customer confirming receipt of the request within the timescales shown under Support Levels below.
  • AppCan will determine the severity level of the issue.
  • If multiple issues are raised, priority for resolution will be given to the highest severity.
  • AppCan will provide an estimated time for resolution.
  • AppCan will provide regular updates to the Company contact during resolution if the expected time for resolution cannot be met.
  • AppCan will provide the resolution or proposed resolution, in the form of a code fix, to the Customer contact once the issue has been resolved.

Support Levels

Each severity level has two targets: acknowledgement of the issue, and communication of a plan with an estimated timeline to resolve.

  • Critical – acknowledgement within 2 business hours; plan and estimated timeline within 3 business hours.
  • High – acknowledgement within 1 business day; plan and estimated timeline within 2 business days.
  • Medium – acknowledgement within 2 business days; plan and estimated timeline within 5 business days.
  • Low – acknowledgement within 3 business days; plan and estimated timeline within 5 business days.

Critical Severity

Definition: A Critical Severity issue has critical business impact on a production system, resulting in a Customer’s production system being unavailable for all users with significant impact on business process.

Response: AppCan will provide a response by a qualified member of its staff to begin diagnosing the fault within two (2) business hours of notification. Critical issues can be raised by telephone, email or the web-based support portal, but in the event of a critical issue we ask that you also contact us by telephone in order to expedite the response.

AppCan will use commercially reasonable efforts to provide a resolution plan, including timescales and a communication plan for regular updates, within two (2) business hours. The resolution plan may include a work-around/mitigation or an emergency software fix. If AppCan delivers an acceptable work-around/mitigation, the severity classification will drop to a lower severity level determined by the residual business impact.

High Severity

Definition: A High Severity issue has high business impact on a production system, resulting in significant loss of core functionality on the Customer's production system for all or most users.

Response: AppCan will provide a response by a qualified member of its staff to begin diagnosing the fault within one (1) business day of notification. High severity issues can be raised by telephone, email or the web-based support portal, but in the event of a high severity issue we ask that you also contact us by telephone in order to expedite the response.

AppCan will use commercially reasonable efforts to provide a resolution plan, including timescales and a communication plan for regular updates, within two (2) business days. The resolution plan may include a work-around/mitigation or an emergency software fix. If AppCan delivers an acceptable work-around/mitigation, the severity classification will drop to a lower severity level determined by the residual business impact.

Medium Severity

Definition: A Medium Severity issue has moderate business impact on a production system, resulting in some loss of non-core functionality on the Customer's production system. The Software is usable, but does not provide a function in the most convenient or expeditious manner. For example: partial loss of functionality for a significant portion of users, or significant loss of functionality for a subset of users.

Response: AppCan will provide an initial response by a qualified member of its staff to begin diagnosing a Medium Severity fault within two (2) business days of notification by the Customer via telephone, email or the web-based support portal.

AppCan will use commercially reasonable efforts to provide a resolution plan, including timescales and a communication plan for regular updates, within five (5) business days. The resolution plan may include a work-around/mitigation or an emergency software fix. If AppCan delivers an acceptable work-around/mitigation, the severity classification will drop to a lower severity level determined by the residual business impact. For medium severity issues the resolution plan may target a fix in the next scheduled release of the software.

Low Severity

Definition: A Low Severity issue is one affecting only a small number of users, or a widespread issue affecting minor app functionality. It also covers non-production questions, including general usage questions, issues related to a non-production environment, and feature requests. There is minimal impact on the quality, performance or functionality of the Customer's production system.

Response: AppCan will provide an initial response by a qualified member of its staff to begin diagnosing a Low Severity fault within three (3) business days of notification by the Customer. AppCan does not guarantee a resolution time for Low Severity incidents.

3rd Party Services

Please note – AppCan cannot take responsibility for the availability of 3rd party services under this agreement. This covers, but is not limited to, the Apple iOS App Store and the Google Play Store.

[/av_toggle]
[av_toggle title=\’Security Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-5uqh13\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/appcan-security-policy/
[/av_toggle]
[av_toggle title=\’Disaster Recovery\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-4qjpp3\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/disaster-recovery/
[/av_toggle]
[av_toggle title=\’Backups & Replication\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-311umf\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/backups-replication/
[/av_toggle]
[/av_toggle_container]
[/av_one_full]

[av_one_full first min_height=\’\’ vertical_alignment=\’av-align-top\’ space=\’\’ row_boxshadow=\’\’ row_boxshadow_width=\’10\’ row_boxshadow_color=\’\’ custom_margin=\’\’ margin=\’0px\’ av-desktop-margin=\’\’ av-medium-margin=\’\’ av-small-margin=\’\’ av-mini-margin=\’\’ mobile_breaking=\’\’ mobile_column_order=\’\’ border=\’\’ border_style=\’solid\’ border_color=\’\’ radius=\’\’ min_col_height=\’\’ padding=\’\’ av-desktop-padding=\’\’ av-medium-padding=\’\’ av-small-padding=\’\’ av-mini-padding=\’\’ svg_div_top=\’\’ svg_div_top_color=\’#333333\’ svg_div_top_width=\’100\’ svg_div_top_height=\’50\’ svg_div_top_max_height=\’none\’ svg_div_top_flip=\’\’ svg_div_top_invert=\’\’ svg_div_top_front=\’\’ svg_div_top_opacity=\’\’ svg_div_top_preview=\’\’ svg_div_bottom=\’\’ svg_div_bottom_color=\’#333333\’ svg_div_bottom_width=\’100\’ svg_div_bottom_height=\’50\’ svg_div_bottom_max_height=\’none\’ svg_div_bottom_flip=\’\’ svg_div_bottom_invert=\’\’ svg_div_bottom_front=\’\’ svg_div_bottom_opacity=\’\’ svg_div_bottom_preview=\’\’ fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ column_boxshadow=\’\’ column_boxshadow_width=\’10\’ column_boxshadow_color=\’\’ background=\’bg_color\’ background_color=\’\’ background_gradient_direction=\’vertical\’ background_gradient_color1=\’#000000\’ background_gradient_color2=\’#ffffff\’ background_gradient_color3=\’\’ src=\’\’ background_position=\’top left\’ background_repeat=\’no-repeat\’ highlight=\’\’ highlight_size=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ animation=\’\’ animation_duration=\’\’ animation_custom_bg_color=\’\’ animation_z_index_curtain=\’100\’ parallax_parallax=\’\’ parallax_parallax_speed=\’\’ 
av-desktop-parallax_parallax=\’\’ av-desktop-parallax_parallax_speed=\’\’ av-medium-parallax_parallax=\’\’ av-medium-parallax_parallax_speed=\’\’ av-small-parallax_parallax=\’\’ av-small-parallax_parallax_speed=\’\’ av-mini-parallax_parallax=\’\’ av-mini-parallax_parallax_speed=\’\’ fold_timer=\’\’ z_index_fold=\’\’ css_position=\’\’ css_position_location=\’\’ css_position_z_index=\’\’ av-desktop-css_position=\’\’ av-desktop-css_position_location=\’\’ av-desktop-css_position_z_index=\’\’ av-medium-css_position=\’\’ av-medium-css_position_location=\’\’ av-medium-css_position_z_index=\’\’ av-small-css_position=\’\’ av-small-css_position_location=\’\’ av-small-css_position_z_index=\’\’ av-mini-css_position=\’\’ av-mini-css_position_location=\’\’ av-mini-css_position_z_index=\’\’ link=\’\’ linktarget=\’\’ link_hover=\’\’ title_attr=\’\’ alt_attr=\’\’ mobile_display=\’\’ mobile_col_pos=\’0\’ id=\’\’ custom_class=\’\’ template_class=\’\’ aria_label=\’\’ element_template=\’\’ one_element_template=\’\’ show_locked_options_fakearg=\’\’ av_uid=\’av-218ml3\’ sc_version=\’1.0\’]
[av_textblock fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ textblock_styling_align=\’\’ textblock_styling=\’\’ textblock_styling_gap=\’\’ textblock_styling_mobile=\’\’ size=\’\’ av-desktop-font-size=\’\’ av-medium-font-size=\’\’ av-small-font-size=\’\’ av-mini-font-size=\’\’ font_color=\’\’ color=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ fold_timer=\’\’ z_index_fold=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-libsiz8p\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]

AppCan Certifications

[/av_textblock]

[av_toggle_container faq_markup=\’\’ initial=\’0\’ mode=\’accordion\’ sort=\’\’ styling=\’\’ colors=\’\’ font_color=\’\’ background_color=\’\’ border_color=\’\’ toggle_icon_color=\’\’ colors_current=\’\’ font_color_current=\’\’ toggle_icon_color_current=\’\’ background_current=\’\’ background_color_current=\’\’ background_gradient_current_direction=\’vertical\’ background_gradient_current_color1=\’#000000\’ background_gradient_current_color2=\’#ffffff\’ background_gradient_current_color3=\’\’ hover_colors=\’\’ hover_font_color=\’\’ hover_background_color=\’\’ hover_toggle_icon_color=\’\’ size-toggle=\’\’ av-desktop-font-size-toggle=\’\’ av-medium-font-size-toggle=\’\’ av-small-font-size-toggle=\’\’ av-mini-font-size-toggle=\’\’ size-content=\’\’ av-desktop-font-size-content=\’\’ av-medium-font-size-content=\’\’ av-small-font-size-content=\’\’ av-mini-font-size-content=\’\’ heading_tag=\’\’ heading_class=\’\’ alb_description=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrbzf2e\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]
[av_toggle title=\’Cyber Essentials\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrbze3s\’ sc_version=\’1.0\’]

AppCan Ltd holds Cyber Essentials certification.

Certificate No: 92aeb0ef-84dc-4bb3-8110-edbe26931b11

Date of Certification: 14/03/2024

Profile Version: 3.1 (Montpellier)

Certification Body: Argon

\"\"

[/av_toggle]
[av_toggle title=\’Certifications\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-1tlulz\’ sc_version=\’1.0\’ title__locked=\’\’ content__locked=\’\’ tags__locked=\’\’]

Microsoft

AppCan uses the Microsoft Azure platform for all hosting.

The link below provides details of Microsoft's compliance offerings:

https://docs.microsoft.com/en-us/compliance/regulatory/offering-home

The Microsoft compliance offerings most relevant to AppCan are listed below. These are certifications held by Microsoft for the Azure platform on which AppCan is hosted; they cover the underlying hosting, not AppCan Ltd's own organisation (AppCan's own certification is listed under Cyber Essentials above).

  • CIS Benchmark
  • ISO 20000-1:2011
  • ISO 22301
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • ISO 9001

AppCan Development Partner

Our development partner holds the following certifications:

Microsoft Partner:

Our development partner is a Gold Microsoft Partner. They have achieved multiple competencies, including Gold Application Development, Gold Application Integration, Gold Data Platform, Gold Data Analytics and Gold Cloud Platform, and are a certified Microsoft Cloud Solution Provider.

Only the top 1% of Microsoft Partners have attained Microsoft Gold competencies, which requires meeting extensive technology requirements and demonstrating expertise through rigorous exams. As a Microsoft Partner we benefit from specialised technical support and services from Microsoft, which means we can serve you better.

Crown Commercial Service Supplier:

Our development partner is an official supplier on the Crown Commercial Service 'Digital Outcomes and Specialists 4' framework. This framework covers the research, design, build, testing and delivery of software applications and digital services within the public sector, and has been agreed between the government and our development partner to offer custom software development to public sector organisations.

Quality Management ISO 9001:2015:

ISO (the International Organization for Standardization) provides guidance and tools to ensure that products and services consistently meet client requirements. ISO 9001 is the only standard in the ISO 9000 family to which an organisation can be certified. As an ISO 9001 certified organisation, audited by Quality Management Systems (QMS), our development partner measures their performance on an ongoing basis and strives to consistently improve it.

Information Security Management ISO 27001:2013:

ISO 27001:2013 details the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. Our development partner's certification demonstrates that their security controls are reviewed and updated to keep pace with changes in security threats, vulnerabilities and business impact.

Cyber Essentials Certified:

In line with the UK National Cyber Security Strategy, our development partner's Cyber Essentials certification demonstrates their commitment to compliance with Government-backed and industry-supported cyber security standards. In order to achieve certification, they were required to demonstrate adherence to best practice against the five basic technical controls defined by the scheme (firewalls, secure configuration, security update management, user access control and malware protection).

London Digital Security Centre Members:

Our development partner is accredited by, and is a member of, the London Digital Security Centre, a not-for-profit joint venture between the Mayor of London, the Metropolitan Police Service and the City of London Police. The London Digital Security Centre's role is to help businesses grow and innovate by operating in a secure digital environment.

[/av_toggle]
[/av_toggle_container]
[/av_one_full]

[av_one_full first min_height=\’\’ vertical_alignment=\’av-align-top\’ space=\’\’ row_boxshadow=\’\’ row_boxshadow_width=\’10\’ row_boxshadow_color=\’\’ custom_margin=\’\’ margin=\’0px\’ av-desktop-margin=\’\’ av-medium-margin=\’\’ av-small-margin=\’\’ av-mini-margin=\’\’ mobile_breaking=\’\’ mobile_column_order=\’\’ border=\’\’ border_style=\’solid\’ border_color=\’\’ radius=\’\’ min_col_height=\’\’ padding=\’\’ av-desktop-padding=\’\’ av-medium-padding=\’\’ av-small-padding=\’\’ av-mini-padding=\’\’ svg_div_top=\’\’ svg_div_top_color=\’#333333\’ svg_div_top_width=\’100\’ svg_div_top_height=\’50\’ svg_div_top_max_height=\’none\’ svg_div_top_flip=\’\’ svg_div_top_invert=\’\’ svg_div_top_front=\’\’ svg_div_top_opacity=\’\’ svg_div_top_preview=\’\’ svg_div_bottom=\’\’ svg_div_bottom_color=\’#333333\’ svg_div_bottom_width=\’100\’ svg_div_bottom_height=\’50\’ svg_div_bottom_max_height=\’none\’ svg_div_bottom_flip=\’\’ svg_div_bottom_invert=\’\’ svg_div_bottom_front=\’\’ svg_div_bottom_opacity=\’\’ svg_div_bottom_preview=\’\’ fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ column_boxshadow=\’\’ column_boxshadow_width=\’10\’ column_boxshadow_color=\’\’ background=\’bg_color\’ background_color=\’\’ background_gradient_direction=\’vertical\’ background_gradient_color1=\’#000000\’ background_gradient_color2=\’#ffffff\’ background_gradient_color3=\’\’ src=\’\’ background_position=\’top left\’ background_repeat=\’no-repeat\’ highlight=\’\’ highlight_size=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ animation=\’\’ animation_duration=\’\’ animation_custom_bg_color=\’\’ animation_z_index_curtain=\’100\’ parallax_parallax=\’\’ parallax_parallax_speed=\’\’ 
av-desktop-parallax_parallax=\’\’ av-desktop-parallax_parallax_speed=\’\’ av-medium-parallax_parallax=\’\’ av-medium-parallax_parallax_speed=\’\’ av-small-parallax_parallax=\’\’ av-small-parallax_parallax_speed=\’\’ av-mini-parallax_parallax=\’\’ av-mini-parallax_parallax_speed=\’\’ fold_timer=\’\’ z_index_fold=\’\’ css_position=\’\’ css_position_location=\’\’ css_position_z_index=\’\’ av-desktop-css_position=\’\’ av-desktop-css_position_location=\’\’ av-desktop-css_position_z_index=\’\’ av-medium-css_position=\’\’ av-medium-css_position_location=\’\’ av-medium-css_position_z_index=\’\’ av-small-css_position=\’\’ av-small-css_position_location=\’\’ av-small-css_position_z_index=\’\’ av-mini-css_position=\’\’ av-mini-css_position_location=\’\’ av-mini-css_position_z_index=\’\’ link=\’\’ linktarget=\’\’ link_hover=\’\’ title_attr=\’\’ alt_attr=\’\’ mobile_display=\’\’ mobile_col_pos=\’0\’ id=\’\’ custom_class=\’\’ template_class=\’\’ aria_label=\’\’ element_template=\’\’ one_element_template=\’\’ show_locked_options_fakearg=\’\’ av_uid=\’av-28w9fb\’ sc_version=\’1.0\’]

[av_textblock fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ textblock_styling_align=\’\’ textblock_styling=\’\’ textblock_styling_gap=\’\’ textblock_styling_mobile=\’\’ size=\’\’ av-desktop-font-size=\’\’ av-medium-font-size=\’\’ av-small-font-size=\’\’ av-mini-font-size=\’\’ font_color=\’\’ color=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ fold_timer=\’\’ z_index_fold=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrpk4v8\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]

GDPR

[/av_textblock]

[av_toggle_container faq_markup=\’\’ initial=\’0\’ mode=\’accordion\’ sort=\’\’ styling=\’\’ colors=\’\’ font_color=\’\’ background_color=\’\’ border_color=\’\’ toggle_icon_color=\’\’ colors_current=\’\’ font_color_current=\’\’ toggle_icon_color_current=\’\’ background_current=\’\’ background_color_current=\’\’ background_gradient_current_direction=\’vertical\’ background_gradient_current_color1=\’#000000\’ background_gradient_current_color2=\’#ffffff\’ background_gradient_current_color3=\’\’ hover_colors=\’\’ hover_font_color=\’\’ hover_background_color=\’\’ hover_toggle_icon_color=\’\’ size-toggle=\’\’ av-desktop-font-size-toggle=\’\’ av-medium-font-size-toggle=\’\’ av-small-font-size-toggle=\’\’ av-mini-font-size-toggle=\’\’ size-content=\’\’ av-desktop-font-size-content=\’\’ av-medium-font-size-content=\’\’ av-small-font-size-content=\’\’ av-mini-font-size-content=\’\’ heading_tag=\’\’ heading_class=\’\’ alb_description=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrr9ign\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]
[av_toggle title=\’General Data Protection Regulation (GDPR)\’ tags=\’\’ custom_id=\’GDPR-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’\’ sc_version=\’1.0\’ ]
Please click here: https://appcan.help/gdpr/
[/av_toggle]
[av_toggle title=\’GDPR Complaints Procedure\’ tags=\’\’ custom_id=\’GDPR-Complaints-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’\’ sc_version=\’1.0\’ ]
1. Scope

  • 1.1 This procedure addresses complaints from data subject(s) related to the processing of their personal data, AppCan's handling of requests from data subjects, and appeals from data subjects on how complaints have been handled.

2. Responsibilities

  • 2.1 All employees are responsible for ensuring any complaints made in relation to the scope of this procedure are reported to the Data Protection Officer.
  • 2.2 The Data Protection Officer is responsible for dealing with all complaints in line with this procedure.

3. Procedure

3.1 AppCan Ltd, as data controller, publishes the contact details of its Data Protection Officer on its website.

3.2 AppCan Ltd sets out clear guidelines in its GDPR Policy; any complaint is sent directly to the Data Protection Officer's mailbox so that the data subject can lodge a formal complaint.

3.3 AppCan Ltd provides data subject(s) with details of its privacy notice, which is published on our help site.

3.4 Data subjects are able to complain to AppCan Ltd about:

  • how their personal data has been processed;
  • how their request for access to their data has been handled;
  • how their complaint has been handled;
  • how to appeal against any decision made following a complaint.

3.5 Data subject(s) seeking to lodge a complaint are able to do so directly with the Data Protection Officer, whose email address is boyd.neal@appcan.co.uk

  1. Complaints received are directed to the Data Protection Officer for resolution.
  2. AppCan Ltd will endeavour to resolve any complaints received wherever possible within one month.
  3. Appeals on the handling of complaints are to be resolved where possible within ten (10) working days.

3.6 In the event that AppCan Ltd should fail to act on a data subject\’s access request within one month, or refuses the request, it will set out in clear and plain language the reasons it took no action or refused the request.

3.7 AppCan Ltd will also inform the data subject(s) at that time of their right to complain directly to the supervisory authority. In doing so, AppCan Ltd will provide the data subject(s) with the contact details of the supervisory authority (the Information Commissioner’s Office) and will inform the data subject of their right to seek a judicial remedy.
[/av_toggle]
[av_toggle title=\’Data Subject Rights Policy\’ tags=\’\’ custom_id=\’Data-Subject-Rights-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrr9h6a\’ sc_version=\’1.0\’]
1. Introduction

This Data Subject Rights Policy outlines how AppCan Ltd handles requests from individuals (data subjects) regarding their personal data. It explains the rights of data subjects under applicable data protection laws, including the General Data Protection Regulation (GDPR).

2. Data Subject Rights

2.1 Right to Access

Data subjects have the right to obtain confirmation as to whether or not their personal data is being processed and, if so, access to that data. We will respond to access requests within 10 days and provide relevant information, including:

  • The purposes of processing
  • Categories of personal data
  • Recipients of the data
  • Retention periods
  • The right to rectification or erasure

2.2 Right to Rectification

Data subjects have the right to request the correction of inaccurate or incomplete personal data. We will promptly update any incorrect information upon receiving a valid request.

2.3 Right to Erasure (Right to Be Forgotten)

Data subjects can request the deletion of their personal data under certain circumstances, such as when the data is no longer necessary for the original purpose or when consent is withdrawn. We will assess each request and comply if legally permissible.

2.4 Right to Restrict Processing

Data subjects can request the restriction of processing in specific situations, such as during a dispute over data accuracy or while evaluating an erasure request. We will limit processing during the assessment period.

2.5 Right to Data Portability

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. We will provide this data upon request, allowing data subjects to transfer it to another controller.

2.6 Right to Object

Data subjects can object to the processing of their personal data for specific reasons, including direct marketing. We will cease processing unless we have compelling legitimate grounds.

3. How to Exercise Rights

Data subjects can exercise their rights by contacting our Data Protection Officer (DPO) (boyd.neal@appcan.co.uk).

We will verify their identity before responding to requests.

4. Timelines and Fees

We will respond to data subject requests within 10 days. In most cases, there is no fee for exercising these rights. However, excessive or repetitive requests may incur a reasonable administrative fee.
[/av_toggle]
[/av_toggle_container]

[/av_one_full][av_one_full first min_height=\’\’ vertical_alignment=\’av-align-top\’ space=\’\’ row_boxshadow=\’\’ row_boxshadow_width=\’10\’ row_boxshadow_color=\’\’ custom_margin=\’\’ margin=\’0px\’ av-desktop-margin=\’\’ av-medium-margin=\’\’ av-small-margin=\’\’ av-mini-margin=\’\’ mobile_breaking=\’\’ mobile_column_order=\’\’ border=\’\’ border_style=\’solid\’ border_color=\’\’ radius=\’\’ min_col_height=\’\’ padding=\’\’ av-desktop-padding=\’\’ av-medium-padding=\’\’ av-small-padding=\’\’ av-mini-padding=\’\’ svg_div_top=\’\’ svg_div_top_color=\’#333333\’ svg_div_top_width=\’100\’ svg_div_top_height=\’50\’ svg_div_top_max_height=\’none\’ svg_div_top_flip=\’\’ svg_div_top_invert=\’\’ svg_div_top_front=\’\’ svg_div_top_opacity=\’\’ svg_div_top_preview=\’\’ svg_div_bottom=\’\’ svg_div_bottom_color=\’#333333\’ svg_div_bottom_width=\’100\’ svg_div_bottom_height=\’50\’ svg_div_bottom_max_height=\’none\’ svg_div_bottom_flip=\’\’ svg_div_bottom_invert=\’\’ svg_div_bottom_front=\’\’ svg_div_bottom_opacity=\’\’ svg_div_bottom_preview=\’\’ fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ column_boxshadow=\’\’ column_boxshadow_width=\’10\’ column_boxshadow_color=\’\’ background=\’bg_color\’ background_color=\’\’ background_gradient_direction=\’vertical\’ background_gradient_color1=\’#000000\’ background_gradient_color2=\’#ffffff\’ background_gradient_color3=\’\’ src=\’\’ background_position=\’top left\’ background_repeat=\’no-repeat\’ highlight=\’\’ highlight_size=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ animation=\’\’ animation_duration=\’\’ animation_custom_bg_color=\’\’ animation_z_index_curtain=\’100\’ parallax_parallax=\’\’ parallax_parallax_speed=\’\’ 
av-desktop-parallax_parallax=\’\’ av-desktop-parallax_parallax_speed=\’\’ av-medium-parallax_parallax=\’\’ av-medium-parallax_parallax_speed=\’\’ av-small-parallax_parallax=\’\’ av-small-parallax_parallax_speed=\’\’ av-mini-parallax_parallax=\’\’ av-mini-parallax_parallax_speed=\’\’ fold_timer=\’\’ z_index_fold=\’\’ css_position=\’\’ css_position_location=\’\’ css_position_z_index=\’\’ av-desktop-css_position=\’\’ av-desktop-css_position_location=\’\’ av-desktop-css_position_z_index=\’\’ av-medium-css_position=\’\’ av-medium-css_position_location=\’\’ av-medium-css_position_z_index=\’\’ av-small-css_position=\’\’ av-small-css_position_location=\’\’ av-small-css_position_z_index=\’\’ av-mini-css_position=\’\’ av-mini-css_position_location=\’\’ av-mini-css_position_z_index=\’\’ link=\’\’ linktarget=\’\’ link_hover=\’\’ title_attr=\’\’ alt_attr=\’\’ mobile_display=\’\’ mobile_col_pos=\’0\’ id=\’\’ custom_class=\’\’ template_class=\’\’ aria_label=\’\’ element_template=\’\’ one_element_template=\’\’ show_locked_options_fakearg=\’\’ av_uid=\’av-34z3hz\’ sc_version=\’1.0\’]

[av_heading heading=\’Working towards ISO 27001\’ tag=\’h3\’ style=\’blockquote modern-quote\’ subheading_active=\’\’ show_icon=\’\’ icon=\’ue800\’ font=\’entypo-fontello\’ size=\’\’ av-desktop-font-size-title=\’\’ av-medium-font-size-title=\’\’ av-small-font-size-title=\’\’ av-mini-font-size-title=\’\’ subheading_size=\’\’ av-desktop-font-size=\’\’ av-medium-font-size=\’\’ av-small-font-size=\’\’ av-mini-font-size=\’\’ icon_size=\’\’ av-desktop-font-size-1=\’\’ av-medium-font-size-1=\’\’ av-small-font-size-1=\’\’ av-mini-font-size-1=\’\’ color=\’\’ custom_font=\’\’ subheading_color=\’\’ seperator_color=\’\’ icon_color=\’\’ margin=\’5px\’ margin_sync=\’true\’ av-desktop-margin=\’\’ av-desktop-margin_sync=\’true\’ av-medium-margin=\’\’ av-medium-margin_sync=\’true\’ av-small-margin=\’\’ av-small-margin_sync=\’true\’ av-mini-margin=\’\’ av-mini-margin_sync=\’true\’ headline_padding=\’\’ headline_padding_sync=\’true\’ av-desktop-headline_padding=\’\’ av-desktop-headline_padding_sync=\’true\’ av-medium-headline_padding=\’\’ av-medium-headline_padding_sync=\’true\’ av-small-headline_padding=\’\’ av-small-headline_padding_sync=\’true\’ av-mini-headline_padding=\’\’ av-mini-headline_padding_sync=\’true\’ padding=\’10\’ av-desktop-padding=\’\’ av-medium-padding=\’\’ av-small-padding=\’\’ av-mini-padding=\’\’ icon_padding=\’10\’ av-desktop-icon_padding=\’\’ av-medium-icon_padding=\’\’ av-small-icon_padding=\’\’ av-mini-icon_padding=\’\’ link=\’\’ link_target=\’\’ title_attr=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-1h7nsd3\’ sc_version=\’1.0\’ admin_preview_bg=\’\’][/av_heading]

[av_toggle_container faq_markup=\’\’ initial=\’0\’ mode=\’accordion\’ sort=\’\’ styling=\’\’ colors=\’\’ font_color=\’\’ background_color=\’\’ border_color=\’\’ toggle_icon_color=\’\’ colors_current=\’\’ font_color_current=\’\’ toggle_icon_color_current=\’\’ background_current=\’\’ background_color_current=\’\’ background_gradient_current_direction=\’vertical\’ background_gradient_current_color1=\’#000000\’ background_gradient_current_color2=\’#ffffff\’ background_gradient_current_color3=\’\’ hover_colors=\’\’ hover_font_color=\’\’ hover_background_color=\’\’ hover_toggle_icon_color=\’\’ size-toggle=\’\’ av-desktop-font-size-toggle=\’\’ av-medium-font-size-toggle=\’\’ av-small-font-size-toggle=\’\’ av-mini-font-size-toggle=\’\’ size-content=\’\’ av-desktop-font-size-content=\’\’ av-medium-font-size-content=\’\’ av-small-font-size-content=\’\’ av-mini-font-size-content=\’\’ heading_tag=\’\’ heading_class=\’\’ alb_description=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrr5zor\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]
[av_toggle title=\’ISMS Scope Document (4.3)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltsf3b\’ sc_version=\’1.0\’]
Introduction

This document defines the scope of the Information Security Management System (ISMS) implemented in AppCan Ltd in accordance with the requirements of ISO 27001.

Scope

The ISMS applies to the entire AppCan Ltd organisation, covering all processes, systems, and assets that are relevant for ensuring the confidentiality, integrity, and availability of information. This includes, but is not limited to:

  • All locations and departments of AppCan Ltd
  • All information systems and networks owned or operated by AppCan Ltd
  • All data processed by AppCan Ltd, regardless of the medium
  • All employees and third parties who have access to AppCan Ltd information or information processing facilities

Exclusions

Any exclusions to the ISMS scope are justified and documented here. For example, certain systems or locations might be excluded if they are not under the direct control of AppCan Ltd.

Justification for Inclusions

The reasons for including certain elements within the scope are documented here. This could include legal and regulatory requirements, business needs, contractual obligations, etc.

Approval

This ISMS Scope Document is approved by the Directors of AppCan Ltd.
[/av_toggle]
[av_toggle title=\’Information Security Policy (5.2)\’ tags=\’\’ custom_id=\’Information-Security-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ldnklj\’ sc_version=\’1.0\’]

Introduction

This Data Security Policy is AppCan Ltd’s (hereafter referred to as “us”, “we”, or “our”) policy regarding the safeguarding and protection of sensitive personal information and confidential information as is required by law.

Purpose

The purpose of this document is to outline how we prevent data security breaches and how we react to them when prevention is not possible. By data breach we mean a security incident in which the confidentiality, integrity or availability of data is compromised. A breach can either be purposeful or accidental.

This Data Security Policy covers:

  • Physical Access procedures;
  • Digital Access procedures;
  • Access Monitoring procedures;
  • Data Security Audit procedures;
  • Data Security Breach procedures.

Scope

  • This policy includes in its scope all data which we process, whether in hard copy or digital form, including special categories of data.
  • This policy applies to all staff, including temporary staff and contractors.

Physical Access Procedures

  • Physical access to records shall only be granted on a strict ‘Need to Know’ basis.
  • During their induction each staff member who requires access to confidential information for their job role will be trained on the safe handling of all information and will be taught the procedures which govern how data is used, stored, shared and organised in our organisation.
  • Our staff must retain personal and confidential data securely in locked storage when not in use and keys should not be left in the barrels of filing cabinets and doors.
  • All offices, when left unoccupied, must be locked unless all personal and confidential information has first been cleared off work stations/desks and secured in locked storage.

Digital Access Procedures

  • Access shall be granted using the principle of ‘Least Privilege’. This means that every program and every user of the system should operate using the least set of privileges necessary to complete their job.
  • We will ensure that each user is identified by a unique user ID so that users can be linked to and made responsible for their actions.
  • During their induction, each staff member who requires access to digital systems for their job role will be trained on the use of the system and given their user login details.
  • In the instance that there are changes to user access requirements, these can only be authorised by an AppCan Ltd Director.
  • As soon as an employee leaves, all their system logons are revoked.
  • As part of the employee termination process the AppCan Directors are responsible for the removal of access rights from the computer system.
  • The AppCan Directors will review all access rights on a regular basis, but in any event at least once a year. The review is designed to positively confirm all system users. Any lapsed or unwanted logons which are identified are disabled immediately and deleted unless positively reconfirmed.
  • When not in use all screens will be locked.

Access Monitoring Procedures

  • The management of digital access rights is subject to regular compliance checks to ensure that these procedures are being followed and that staff are complying with their duty to use their access rights in an appropriate manner.
  • Areas considered in the compliance check include whether:
    • allocation of administrator rights is restricted;
    • access rights are regularly reviewed;
    • there is any evidence of staff sharing their access rights;
    • staff are appropriately logging out of the system;
    • our password policy is being followed;
    • staff understand how to report any security breaches.
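As an added example (not AppCan Ltd's code and not part of the original page), the Python below carries out the access review described under Digital Access Procedures (leavers revoked, every logon positively reconfirmed, lapsed or unwanted logons disabled and deleted unless reconfirmed) and two of the checks listed under Access Monitoring Procedures (restricted administrator rights, evidence of shared logons) over a constructed account export, HR roster and session log. The 90-day lapse threshold, the limit of two administrator logons, and all sample records are assumptions.

```python
"""Periodic access-rights review and two access-monitoring compliance checks.

Added example, not AppCan Ltd's own code. Reconciles a constructed account
export against a constructed HR roster and the set of logons positively
reconfirmed during the review, then runs two compliance checks.
LAPSE_DAYS and MAX_ADMINS are assumed thresholds.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional, Tuple

LAPSE_DAYS = 90   # assumption: no login for 90 days makes a logon "lapsed"
MAX_ADMINS = 2    # assumption: more than two enabled admin logons is a finding


@dataclass(frozen=True)
class Account:
    user_id: str                # unique user ID, so actions can be linked to one person
    owner: str                  # HR reference of the person the logon is linked to
    is_admin: bool
    last_login: Optional[date]  # None means the logon has never been used
    enabled: bool


@dataclass(frozen=True)
class Session:
    user_id: str
    source: str                 # workstation or address the session came from
    start: datetime
    end: datetime


def review_accounts(accounts: List[Account], current_staff: set, reconfirmed: set,
                    today: date, lapse_days: int = LAPSE_DAYS) -> Dict[str, List[str]]:
    """Decide the action for every logon, following the policy's review rules.

    delete  - the owner has left (not on the HR roster) or the logon was not
              positively reconfirmed in this review;
    disable - the logon was reconfirmed but has lapsed (no login within
              lapse_days, or never used); it is disabled immediately;
    keep    - reconfirmed and in recent use.
    """
    actions: Dict[str, List[str]] = {"delete": [], "disable": [], "keep": []}
    cutoff = today - timedelta(days=lapse_days)
    for acct in accounts:
        if acct.owner not in current_staff or acct.owner not in reconfirmed:
            actions["delete"].append(acct.user_id)
        elif acct.last_login is None or acct.last_login < cutoff:
            actions["disable"].append(acct.user_id)
        else:
            actions["keep"].append(acct.user_id)
    return {action: sorted(ids) for action, ids in actions.items()}


def check_admin_rights(accounts: List[Account], max_admins: int = MAX_ADMINS) -> Tuple[bool, List[str]]:
    """Compliance check: is the allocation of administrator rights restricted?"""
    admins = sorted(a.user_id for a in accounts if a.is_admin and a.enabled)
    return len(admins) <= max_admins, admins


def find_shared_logon_evidence(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Compliance check: evidence of staff sharing their access rights.

    Two sessions on the same user ID that overlap in time but come from
    different sources cannot both belong to the one person the ID is linked
    to. Returns sorted (user_id, source_a, source_b) tuples.
    """
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user_id, []).append(s)
    evidence = set()
    for user_id, user_sessions in by_user.items():
        for i, a in enumerate(user_sessions):
            for b in user_sessions[i + 1:]:
                overlapping = a.start < b.end and b.start < a.end
                if overlapping and a.source != b.source:
                    evidence.add((user_id, *sorted((a.source, b.source))))
    return sorted(evidence)


# Constructed sample data for the review (not real AppCan Ltd records).
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    Account("asmith", "HR001", is_admin=True, last_login=date(2024, 5, 30), enabled=True),
    Account("bjones", "HR002", is_admin=False, last_login=date(2024, 1, 15), enabled=True),  # lapsed
    Account("cdoe", "HR003", is_admin=False, last_login=date(2024, 5, 28), enabled=True),    # leaver
    Account("svc_bk", "HR004", is_admin=True, last_login=None, enabled=True),                # never used
    Account("elee", "HR005", is_admin=False, last_login=date(2024, 5, 31), enabled=True),    # not reconfirmed
]
CURRENT_STAFF = {"HR001", "HR002", "HR004", "HR005"}   # HR003 has left the company
RECONFIRMED = {"HR001", "HR002", "HR004"}              # HR005 did not confirm their logon
SESSIONS = [
    Session("asmith", "ws-01", datetime(2024, 5, 30, 9, 0), datetime(2024, 5, 30, 12, 0)),
    Session("asmith", "ws-07", datetime(2024, 5, 30, 10, 30), datetime(2024, 5, 30, 11, 0)),  # concurrent, other device
    Session("asmith", "ws-01", datetime(2024, 5, 30, 13, 0), datetime(2024, 5, 30, 17, 0)),
    Session("bjones", "ws-02", datetime(2024, 1, 15, 8, 0), datetime(2024, 1, 15, 17, 0)),
]

if __name__ == "__main__":
    for action, ids in review_accounts(ACCOUNTS, CURRENT_STAFF, RECONFIRMED, TODAY).items():
        print(f"{action:8s} {', '.join(ids) or '-'}")
    compliant, admins = check_admin_rights(ACCOUNTS)
    print("admin rights restricted:", compliant, admins)
    print("shared logon evidence:", find_shared_logon_evidence(SESSIONS))
```

The review deliberately treats "not reconfirmed" the same as "left the company": a logon nobody will vouch for is unwanted, so it is deleted rather than left enabled. The shared-logon check needs only session start and end times plus a source identifier, which most directory and VPN logs already record, so it can run as part of the regular compliance check without new instrumentation.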

Data Security Breach Procedures

  • In order to mitigate the risks of a security breach we will:
    • Follow the Physical Access, Digital Access, Access Monitoring and Data Security Procedures;
    • Ensure our staff are trained to recognise a potential data breach whether it is a confidentiality, integrity or availability breach;
    • Ensure our staff understand the procedures to follow and how to escalate a security incident to the correct person in order to determine if a breach has taken place.
  • In the instance that it appears that a data security breach has taken place:
    • The staff member who notices the breach, or potential breach, will inform an AppCan Director without delay;
    • The AppCan Director will conduct a thorough investigation into the breach;
    • In the instance that the breach is a personal data breach and it is likely that there will be a risk to the rights and freedoms of an individual, then the Information Commissioner’s Office (ICO) will be informed as soon as possible, and in any event within 72 hours of our discovery of the breach;
    • As part of our report we will provide the following details:
      • The nature of the personal data breach (i.e. confidentiality, integrity, availability);
      • The approximate number of individuals concerned and the category of individual (e.g. employees, mailing lists, service users);
      • The categories and approximate number of personal data records concerned;
      • The name and details of our Directors;
      • The likely consequences of the breach;
      • A description of the measures taken, or which we will take, to mitigate any possible adverse effects.
    • The Director(s) will inform any individual that their personal data has been breached if it is likely that there is a high risk to their rights and freedoms. We will inform them directly and without any undue delay;
    • A record of all personal data breaches will be kept, including those which did not require notification to the ICO.

Responsibilities

The AppCan Directors are responsible for:

  • physical security;
  • digital access;
  • managing breaches.

[/av_toggle]
[av_toggle title=\’Information Security Risk Assessment Process (6.1.2)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-jau8pz\’ sc_version=\’1.0\’]
Information Security Risk Assessment Process Policy

Purpose
The purpose of this policy is to establish a systematic process for identifying, assessing, and managing information security risks in accordance with ISO 27001 Clause 6.1.2.

Scope
This policy applies to all information assets of AppCan Ltd.

Policy

Risk Identification
Identify the risks to the confidentiality, integrity, and availability of information. This includes identifying assets, threats, vulnerabilities, impacts, likelihoods, and risk levels.

Risk Assessment
Assess the identified risks based on the risk acceptance criteria defined by AppCan Ltd. The assessment should consider the potential consequences and likelihood of the risks.

Risk Treatment
Determine appropriate responses to the assessed risks. This could include avoiding the risk, accepting the risk, transferring the risk, or applying security controls to mitigate the risk.

Risk Acceptance
Define the level of risk that is acceptable to AppCan Ltd. Any risk that is assessed above this level must be treated.

Risk Communication and Consultation
Communicate and consult with stakeholders throughout the risk management process. This includes reporting on risk assessment results and treatment plans.

Monitoring and Review
Monitor and review the risk management process on a regular basis to identify changes in the risk context, effectiveness of the policy, and to ensure continuous improvement.

Roles and Responsibilities
Define the roles and responsibilities for the risk management process. This includes roles for risk identification, assessment, treatment, acceptance, communication, and monitoring.

Review and Update
This policy will be reviewed and updated regularly to ensure it remains effective and aligned with the strategic direction of the organization.

Approval
This policy is approved by the Directors of AppCan Ltd.
[/av_toggle]
[av_toggle title=\’Statement of Applicability (6.1.3)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ht0nmv\’ sc_version=\’1.0\’]

Scope

The scope of this SoA includes all processes, technology, and locations of AppCan Ltd, unless explicitly stated otherwise.

Risk Assessment

The risk assessment process has identified several risks to the confidentiality, integrity, and availability of information within the scope. These risks have been evaluated based on their potential impact and likelihood of occurrence.

Control Selection

The following controls have been selected from Annex A to mitigate the identified risks:

  1. A.5: Information security policies
  2. A.6: Organization of information security
  3. A.7: Human resource security
  4. A.8: Asset management
  5. A.9: Access control
  6. A.10: Cryptography
  7. A.11: Physical and environmental security
  8. A.12: Operations security
  9. A.13: Communications security
  10. A.14: System acquisition, development and maintenance
  11. A.15: Supplier relationships
  12. A.16: Information security incident management
  13. A.17: Information security aspects of business continuity management
  14. A.18: Compliance

[/av_toggle]
[av_toggle title=\’Information Security Risk Assessment Process (6.1.3)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-fv0ibr\’ sc_version=\’1.0\’]

Purpose

The purpose of this process is to identify, assess, and prioritise risks to the confidentiality, integrity, and availability of information.

Scope

This process applies to all information assets of AppCan Ltd.

Process

  1. Risk Identification: Identify potential threats and vulnerabilities that could impact information assets. This could include factors such as natural disasters, malicious attacks, and human error.
  2. Risk Analysis: Analyze the potential impact and likelihood of each identified risk. This should consider factors such as the value of the information asset, the potential damage that could be caused by the risk, and the probability of the risk occurring.
  3. Risk Evaluation: Evaluate the risks based on their potential impact and likelihood. This will help to prioritize the risks and determine the most appropriate response.
  4. Risk Treatment: Determine the most appropriate response to each risk. This could include avoiding the risk, transferring the risk, mitigating the risk, or accepting the risk.
  5. Monitoring and Review: Regularly monitor and review the risks and the effectiveness of the risk treatment measures. This should be done on a regular basis and when significant changes occur in the organization or its environment.

Roles and Responsibilities

  • Information Security Manager: Responsible for overseeing the risk assessment process and ensuring it is conducted in accordance with this policy.
  • Risk Owners: Responsible for managing the risks within their area of responsibility. This includes identifying risks, implementing risk treatment measures, and monitoring the effectiveness of these measures.

Enforcement

Failure to comply with this process may result in disciplinary action, up to and including termination of employment.

[/av_toggle]
[av_toggle title=\’Information Security (6.2)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrr5ywv\’ sc_version=\’1.0\’]
Not yet published
[/av_toggle]
[av_toggle title=\’Evidence of Competence (7.2)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-er3tnb\’ sc_version=\’1.0\’]
Not yet published
[/av_toggle]
[av_toggle title=\’Operational planning and control (8.1)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-btmvtz\’ sc_version=\’1.0\’]
Not yet published
[/av_toggle]
[av_toggle title=\’Asset Management Policy\’ tags=\’\’ custom_id=\’Asset-Management-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-atz8ev\’ sc_version=\’1.0\’]

1. Purpose

The purpose of this policy is to establish guidelines for the effective management, protection, and utilisation of information assets within AppCan Ltd. Proper asset management ensures the confidentiality, integrity, and availability of critical resources.

2. Scope

This policy applies to all employees, contractors, and third parties who interact with our information assets.

3. Definitions

  • Information Assets: Any tangible or intangible resource used to create, process, store, or transmit information. Examples include hardware (servers, laptops, mobile devices), software, data, intellectual property, and network infrastructure.
  • Asset Owner: The individual or department responsible for an asset’s management, maintenance, and security.
  • Asset Custodian: The person responsible for day-to-day management, maintenance, and protection of a specific asset.

4. Responsibilities

4.1 Asset Owners

Asset owners are responsible for:

  • Identifying and classifying assets based on their criticality and sensitivity.
  • Ensuring proper access controls are in place.
  • Regularly reviewing asset inventories and updating ownership details.
  • Approving changes to asset configurations.
  • Monitoring asset performance and compliance.

4.2 Asset Custodians

Asset custodians are responsible for:

  • Safeguarding assets against unauthorized access, loss, or damage.
  • Implementing security controls (physical and logical) to protect assets.
  • Reporting any incidents or vulnerabilities related to assets.
  • Maintaining accurate records of asset locations, configurations, and maintenance schedules.
  • Coordinating with asset owners for disposal or decommissioning.

5. Asset Lifecycle

5.1 Acquisition

  • Asset acquisition must follow established procurement processes.
  • Asset owners must approve acquisitions based on business needs.
  • Proper documentation (purchase orders, invoices) should be maintained.

5.2 Deployment

  • Assets must be deployed securely, following configuration standards.
  • Asset custodians ensure proper installation and setup.

5.3 Usage

  • Users must adhere to acceptable use policies for assets.
  • Regular monitoring ensures assets are used efficiently and effectively.

5.4 Maintenance

  • Regular maintenance (patching, updates) is essential for asset health.
  • Asset custodians schedule and perform maintenance tasks.

5.5 Disposal

  • Assets must be disposed of securely (data wiping, physical destruction).
  • Asset owners authorize disposal based on end-of-life or obsolescence.

6. Inventory Management

  • Maintain an accurate inventory of all assets.
  • Conduct periodic audits to verify asset existence and status.
  • Retire or decommission assets promptly when no longer needed.

7. Security Controls

  • Apply appropriate security controls to protect assets.
  • Encrypt sensitive data on storage devices.
  • Implement access controls based on the principle of least privilege.
  • Regularly assess and address vulnerabilities.

8. Compliance

  • Ensure asset management practices comply with legal, regulatory, and contractual requirements.
  • Document and retain evidence of compliance.

[/av_toggle]
[av_toggle title=\’Risk assessment results (8.3)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-9gfyvr\’ sc_version=\’1.0\’]
Not yet published
[/av_toggle]
[av_toggle title=\’Metrics (9.1)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-7fo5lz\’ sc_version=\’1.0\’]
Not yet published
[/av_toggle]
[av_toggle title=\’ISMS internal audits (9.2)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-67wsnb\’ sc_version=\’1.0\’]
Not yet published
[/av_toggle]
[av_toggle title=\’ISMS management reviews (9.3)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-4kanuf\’ sc_version=\’1.0\’]
Not yet published
[/av_toggle]
[av_toggle title=\’Nonconformities and corrective actions (10.1)\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-1y13mv\’ sc_version=\’1.0\’]
Not yet published
[/av_toggle]
[/av_toggle_container]

[av_textblock fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ textblock_styling_align=\’\’ textblock_styling=\’\’ textblock_styling_gap=\’\’ textblock_styling_mobile=\’\’ size=\’\’ av-desktop-font-size=\’\’ av-medium-font-size=\’\’ av-small-font-size=\’\’ av-mini-font-size=\’\’ font_color=\’\’ color=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ fold_timer=\’\’ z_index_fold=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-qpfajr\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]
Annex A
[/av_textblock]

[av_toggle_container faq_markup=\’\’ initial=\’0\’ mode=\’accordion\’ sort=\’\’ styling=\’\’ colors=\’\’ font_color=\’\’ background_color=\’\’ border_color=\’\’ toggle_icon_color=\’\’ colors_current=\’\’ font_color_current=\’\’ toggle_icon_color_current=\’\’ background_current=\’\’ background_color_current=\’\’ background_gradient_current_direction=\’vertical\’ background_gradient_current_color1=\’#000000\’ background_gradient_current_color2=\’#ffffff\’ background_gradient_current_color3=\’\’ hover_colors=\’\’ hover_font_color=\’\’ hover_background_color=\’\’ hover_toggle_icon_color=\’\’ size-toggle=\’\’ av-desktop-font-size-toggle=\’\’ av-medium-font-size-toggle=\’\’ av-small-font-size-toggle=\’\’ av-mini-font-size-toggle=\’\’ size-content=\’\’ av-desktop-font-size-content=\’\’ av-medium-font-size-content=\’\’ av-small-font-size-content=\’\’ av-mini-font-size-content=\’\’ heading_tag=\’\’ heading_class=\’\’ alb_description=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-lt67mjjo\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]
[av_toggle title=\’Acceptable use of Assets Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-h0nkdj\’ sc_version=\’1.0\’]
This Acceptable Use Policy (“Policy”) governs your use of the services offered by AppCan Ltd (the “Services”) and of our platform (the “AppCan Platform”). We may modify this Policy by posting a revised version on the AppCan Help portal. By using the Services or accessing the AppCan Platform, you agree to the latest version of this Policy.

You may not use, or facilitate or allow others to use, the Services or the AppCan Platform:

  • for any illegal or fraudulent activity;
  • to violate the rights of others;
  • to threaten, incite, promote, or actively encourage violence, terrorism, or other serious harm;
  • for any content or activity that promotes child sexual exploitation or abuse;
  • to violate the security, integrity, or availability of any user, network, computer or communications system, software application, or network or computing device;
  • to distribute, publish, send, or facilitate the sending of unsolicited mass email or other messages, promotions, advertising, or solicitations (or “spam”).

Investigation and Enforcement

We may investigate any suspected violation of this Policy, and remove or disable access to any content or resource that violates this Policy. You agree to cooperate with us to remedy any violation.

When determining whether there has been a violation of this Policy, we may consider your ability and willingness to comply with this Policy, including the policies and processes you have in place to prevent or identify and remove any prohibited content or activity.
[/av_toggle]
[av_toggle title=\’Access Control Policy\’ tags=\’\’ custom_id=\’Access-Control-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-f97m5j\’ sc_version=\’1.0\’]

Purpose

The purpose of this policy is to establish a framework for access control within AppCan Ltd. This policy outlines the requirements for access control, including the procedures for granting, managing, and revoking access to AppCan’s resources.

Scope

This policy applies to all employees, consultants, partners, and stakeholders who access organisational resources, including but not limited to information systems, applications, data, and physical facilities.

Policy

Access control is one of the most critical components of information security. To ensure authorized access, the following policy statements must be adhered to:

1. Access control shall be implemented based on the principle of “least privilege,” which means that individuals should only have access to the resources necessary to perform their job functions. This principle shall be applied to all access to organizational resources.

2. Access to organizational resources shall be granted based on the “Need to Know” principle. This principle mandates that individuals shall only access those resources that are necessary to perform their specific job functions.

3. All access to organizational resources shall be assigned, managed, and revoked based on a formalized procedure. Access requests shall be approved by a formal authorization process that ensures compliance with the principles outlined in this policy.

4. Access shall be granted based on job roles and duties, which shall be documented in an official job description. The supervisor of the requesting individual shall verify that the access requested is necessary for the job role and then approve the request. Any deviation from the organizational job role shall require approval by the Information Security Officer.

5. Strong authentication mechanisms, such as passwords, multifactor authentication, and biometric authentication, shall be implemented to authenticate users accessing the organization’s resources.

6. Access control systems, including access control lists and firewalls, shall be implemented to control access to information systems and resources.

7. Access control logs shall be generated and monitored periodically to detect and investigate any unusual access activity.

8. Access to physical facilities shall be monitored and controlled, and access control logs shall be generated and monitored.

9. The organization shall periodically review and update access control procedures to ensure they remain current, relevant, and effective.

Exceptions

Exceptions to this policy shall be approved by the Information Security Officer or their designee. Approved exceptions shall be documented and reviewed annually.

Enforcement

Any employee, contractor, vendor, or stakeholder found to violate this policy shall be subject to disciplinary action, up to and including termination of employment or contractual relationship with the organization.

Implementation

The Chief Information Officer is responsible for implementing the Access Control Policy.

[/av_toggle]
[av_toggle title=\’Backup Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-drfj2v\’ sc_version=\’1.0\’]
Please click here: https://appcan.help/backups-replication/
[/av_toggle]
[av_toggle title=\’Clear Desk & Clear Screen Policy\’ tags=\’\’ custom_id=\’Clear-Desk-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-cglcx3\’ sc_version=\’1.0\’]
Objective: The aim of this policy is to maintain a safe and secure workplace by ensuring that all employees maintain a clear and tidy desk at the end of each workday.

Scope: This policy applies to all employees who work on-site or remotely for the organization.

Policy:

1. All employees are required to maintain a clear and clutter-free desk at the end of each workday.
2. Employees must properly store all work-related documents, folders, files, and other materials in their designated cabinets, shelves, or drawers. This includes confidential or sensitive information that should be locked away securely.
3. Computers, laptops, and other electronic devices must be logged off, shut down, and stored securely in the designated areas.
4. All non-work-related material should be kept off the work area. This includes personal documents, magazines, books, food, and drinks.
5. Meeting rooms should also be left clean and tidy after use. All equipment, including whiteboards, projectors, and teleconferencing equipment, should be turned off and put away in their designated storage areas.
6. The clear desk policy must be adhered to by all employees, including management and executives.

Enforcement:

AppCan Ltd will conduct regular checks to ensure compliance with the clear desk policy. Failure to comply with the policy may result in disciplinary action, up to and including termination of employment, or other consequences as determined by AppCan Ltd.

Exceptions:

There may be exceptions to the clear desk policy for employees who are working on confidential or sensitive assignments that require them to keep their materials on their desks. In such cases, employees must ensure that they securely store and lock away all materials at the end of each workday.

Conclusion:

By adhering to the clear desk policy, we can ensure a clean, safe, and organized workplace that promotes productivity and reduces the risk of lost, stolen, or misplaced information. The cooperation and support of all employees in maintaining a clear desk policy are appreciated.
[/av_toggle]
[av_toggle title=\’Cryptographic Controls Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-atzg4n\’ sc_version=\’1.0\’]

Purpose:

The purpose of this Cryptographic Controls Policy is to ensure the confidentiality, integrity, and authenticity of our organization’s data and communications by outlining the proper use and management of cryptographic controls.

Scope:

This policy applies to all employees, contractors, and third-party vendors who have access to our organization’s information and communication technologies.

Policy:

1. Cryptographic Controls Selection:

a) Cryptographic controls shall be selected based on their appropriateness to maintain the confidentiality, integrity, and authenticity of the data they protect.

b) Cryptographic controls shall be selected based on industry-standard algorithms and protocols, and their security, reliability, and interoperability factors shall be taken into account.

2. Cryptographic Controls Usage:

a) Cryptographic controls shall be used to protect data that is sensitive, confidential, or critical.

b) Cryptographic controls shall be used to secure communications that contain sensitive information.

c) Cryptographic controls shall be used in conjunction with other security measures such as access controls, firewalls, and intrusion detection systems.

d) Cryptographic controls shall be used only by authorized personnel with a need-to-know to access the information.

e) Cryptographic keys shall be generated, stored, and managed securely.

f) Cryptographic controls shall not be used to mask or conceal errors in other security measures or to circumvent other security controls.

3. Cryptographic Controls Management:

a) Cryptographic controls shall be managed by the designated IT security personnel.

b) Cryptographic keys shall be created and distributed by authorized personnel and shall be protected with appropriate safeguards.

c) Cryptographic keys shall be changed regularly to ensure the confidentiality, integrity, and authenticity of the data they protect.

d) Cryptographic controls shall be monitored regularly to ensure they are effective and are providing the appropriate level of protection.

e) Cryptographic controls shall be reviewed periodically to assess compliance with this policy and ensure they fulfill the organization’s security requirements.

Implementation:

This Cryptographic Controls Policy shall be implemented by all employees, contractors, and third-party vendors who have access to our organization’s information and communication technologies.

Non-Compliance:

Non-compliance with this Cryptographic Controls Policy shall result in disciplinary action, up to and including termination.

Policy Review and Revision:

This policy shall be reviewed and revised annually or as needed to reflect changes in technology, security risks, or other factors that may affect the organization’s information security.

[/av_toggle]
[av_toggle title=\’Information Deletion Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-9j8pfb\’ sc_version=\’1.0\’]
Purpose

The purpose of this policy is to establish guidelines for the secure deletion of information within AppCan Ltd.

Scope

This policy applies to all employees, contractors, and third parties who handle information on behalf of AppCan Ltd.

Policy

  1. Deletion Criteria: Information should be deleted when it is no longer needed for business or legal purposes, or when it meets the criteria set out in our archiving policies.
  2. Secure Deletion: Information must be deleted in a manner that ensures it cannot be recovered. This includes overwriting data, degaussing, or physically destroying storage media.
  3. Deletion of Sensitive Information: Sensitive information must be deleted in a manner that meets or exceeds the requirements of applicable laws, regulations, and standards.
  4. Record Keeping: A record of all deletions should be kept, including the date of deletion, the reason for deletion, and the method of deletion.
  5. Responsibility: The responsibility for deleting information lies with the individual who owns or controls the information.
  6. Training: All employees must receive training on this policy and the secure deletion of information.

Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.
[/av_toggle]
[av_toggle title=\’Information Security for use of Cloud Services\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-7eokqv\’ sc_version=\’1.0\’]
Purpose
The purpose of this policy is to establish guidelines for the secure use of cloud services and protect AppCan Ltd information assets.

Scope
This policy applies to all employees, contractors, and third parties who use cloud services to store, process, or transmit AppCan Ltd information.

Policy

Cloud Service Selection
Cloud services must be selected based on the security measures they offer, their compliance with relevant regulations, and the needs of AppCan Ltd.

Data Protection
Data stored in the cloud must be protected in accordance with AppCan Ltd data protection policy. This includes encryption of sensitive data and implementation of access controls.

User Access Management
Access to cloud services must be managed in accordance with AppCan Ltd user access control policy. This includes the use of strong authentication methods and regular review of access rights.

Incident Response
Incidents involving cloud services must be reported and managed according to AppCan Ltd incident management procedure.

Service Level Agreements (SLAs)
SLAs with cloud service providers must include provisions for security, availability, and data protection.

Monitoring and Review
The use of cloud services must be monitored and reviewed regularly to ensure compliance with this policy and to identify potential security risks.

Policy Compliance
Failure to comply with this policy may result in disciplinary action and potential legal consequences.

Review and Update
This policy will be reviewed and updated regularly to ensure it remains effective and aligned with the strategic direction of AppCan Ltd.

Approval
This policy is approved by the Directors of AppCan Ltd.
[/av_toggle]
[av_toggle title=\’Information Transfer Policy\’ tags=\’\’ custom_id=\’Information-Transfer-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-25oo7\’ sc_version=\’1.0\’]

Purpose

The purpose of this policy is to establish guidelines for the secure transfer of information within AppCan Ltd and with external parties.

Scope

This policy applies to all employees, contractors, and third parties who handle information on behalf of AppCan Ltd.

Policy

  1. Secure Transfer: All information transfers must be conducted in a secure manner that preserves the confidentiality, integrity, and availability of the information.
  2. Encryption: Sensitive information must be encrypted during transmission. The encryption method used should meet or exceed the company’s minimum security standards.
  3. Physical Transfers: Physical transfers of information must be conducted in a secure manner. This includes the use of secure couriers for the transfer of sensitive documents.
  4. Email: Sensitive information must not be sent via email unless it is encrypted or sent via a secure email service.
  5. Third Parties: Information transfers to third parties must be governed by a signed agreement that specifies the responsibilities of each party in handling the information.
  6. Compliance: All information transfers must comply with applicable laws, regulations, and standards.
  7. Incident Reporting: Any suspected or actual breaches of this policy must be reported to the Information Security Manager immediately.

Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.

[/av_toggle]
[av_toggle title=\’Key Management Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-488uk7\’ sc_version=\’1.0\’]

Introduction:

This Key Management Policy sets out the guidelines and procedures for the management of cryptographic keys used for protecting sensitive data in AppCan Ltd. This policy applies to all employees, consultants, and third-party partners that have access to the cryptographic keys.

Purpose:

The purpose of this policy is to ensure the confidentiality, integrity, and availability of AppCan’s sensitive information by establishing proper procedures for key management.

Policy:

1. Cryptographic keys must be generated, distributed, and stored in a secure manner.

2. Each employee responsible for the generation, distribution, or storage of the cryptographic key must be properly trained on the procedures.

3. The organization must maintain an accurate inventory of all cryptographic keys.

4. Cryptographic keys must be rotated on a periodic basis, according to a schedule established by the organization.

5. The organization must have a procedure for the revocation and replacement of cryptographic keys.

6. The organization must have a backup plan for cryptographic keys, including a secure off-site storage location.

7. Cryptographic keys must be protected by multi-factor authentication.

8. The organization must ensure that cryptographic keys are not used with weak encryption algorithms or otherwise exposed to known vulnerabilities.

9. The organization must conduct an annual review of its key management procedures and update them as necessary.

Enforcement:

Any employee who violates this policy may be subject to disciplinary action, up to and including termination. Consultants and third-party vendors who violate this policy may have their contracts terminated.

Conclusion:

Proper key management is critical for the protection of sensitive information. By adhering to this Key Management Policy, AppCan can protect its information assets and minimise the risk of a data breach or loss.

[/av_toggle]
[av_toggle title=\’Risks of Supplier’s Products or Services\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-25bg2v\’ sc_version=\’1.0\’]
Purpose

The purpose of this policy is to establish guidelines for managing the risks associated with the use of suppliers’ products and services.

Scope

This policy applies to all employees, contractors, and third parties who are involved in the procurement and use of suppliers’ products and services.

Policy

  1. Risk Assessment: Before engaging with a supplier, a risk assessment must be conducted to identify potential risks associated with the supplier’s products or services. The risk assessment should consider factors such as the supplier’s security practices, compliance with relevant standards, and the sensitivity of the data that will be handled by the supplier.
  2. Supplier Agreements: All supplier agreements must include clauses that address information security requirements. This includes the right to audit the supplier’s security practices, requirements for data protection, and the responsibilities of each party in the event of a security incident.
  3. Monitoring and Review: The performance and security practices of suppliers should be regularly monitored and reviewed. Any changes in the supplier’s practices that could impact information security must be addressed promptly.
  4. Incident Management: Suppliers must report any security incidents that could impact the company’s information. The company must have a process in place to manage and respond to such incidents.
  5. Termination of Agreement: When a supplier agreement is terminated, the supplier must return or securely destroy all company information in their possession.

Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.
[/av_toggle]
[av_toggle title=\’Secure Development Policy\’ tags=\’\’ custom_id=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-lt67mij4\’ sc_version=\’1.0\’]
[/av_toggle]
[/av_toggle_container]

[av_textblock fold_type=\’\’ fold_height=\’\’ fold_more=\’Read more\’ fold_less=\’Read less\’ fold_text_style=\’\’ fold_btn_align=\’\’ textblock_styling_align=\’\’ textblock_styling=\’\’ textblock_styling_gap=\’\’ textblock_styling_mobile=\’\’ size=\’\’ av-desktop-font-size=\’\’ av-medium-font-size=\’\’ av-small-font-size=\’\’ av-mini-font-size=\’\’ font_color=\’\’ color=\’\’ fold_overlay_color=\’\’ fold_text_color=\’\’ fold_btn_color=\’theme-color\’ fold_btn_bg_color=\’\’ fold_btn_font_color=\’\’ size-btn-text=\’\’ av-desktop-font-size-btn-text=\’\’ av-medium-font-size-btn-text=\’\’ av-small-font-size-btn-text=\’\’ av-mini-font-size-btn-text=\’\’ fold_timer=\’\’ z_index_fold=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-5f2k3r\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]
Other Policies
[/av_textblock]

[av_toggle_container faq_markup=\’\’ initial=\’0\’ mode=\’accordion\’ sort=\’\’ styling=\’\’ colors=\’\’ font_color=\’\’ background_color=\’\’ border_color=\’\’ toggle_icon_color=\’\’ colors_current=\’\’ font_color_current=\’\’ toggle_icon_color_current=\’\’ background_current=\’\’ background_color_current=\’\’ background_gradient_current_direction=\’vertical\’ background_gradient_current_color1=\’#000000\’ background_gradient_current_color2=\’#ffffff\’ background_gradient_current_color3=\’\’ hover_colors=\’\’ hover_font_color=\’\’ hover_background_color=\’\’ hover_toggle_icon_color=\’\’ size-toggle=\’\’ av-desktop-font-size-toggle=\’\’ av-medium-font-size-toggle=\’\’ av-small-font-size-toggle=\’\’ av-mini-font-size-toggle=\’\’ size-content=\’\’ av-desktop-font-size-content=\’\’ av-medium-font-size-content=\’\’ av-small-font-size-content=\’\’ av-mini-font-size-content=\’\’ heading_tag=\’\’ heading_class=\’\’ alb_description=\’\’ id=\’\’ custom_class=\’\’ template_class=\’\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’av-ltrr9v3n\’ sc_version=\’1.0\’ admin_preview_bg=\’\’]
[av_toggle title=\’AppCan Home & Remote Working Policy\’ tags=\’\’ custom_id=\’Home-Remote-Working-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’\’ sc_version=\’1.0\’ ]
Home Working Policy

Purpose
The purpose of this policy is to establish guidelines for employees who work from home or other remote locations.

Scope
This policy applies to all employees of AppCan Ltd who fulfil the eligibility criteria for home working.

Policy

Work Hours
Home & remote working employees must comply with AppCan’s work hours, leave, and overtime policies.

Workspace
Employees are responsible for providing a suitable workspace that is free from distractions and hazards.

Equipment and Technology
AppCan Ltd will determine what equipment will be provided to the employee for home & remote working.

Data Security
Home & remote working employees must ensure the security and confidentiality of AppCan Ltd data in accordance with AppCan’s IT security policies.

Communication
Employees must remain responsive to communication during work hours.

Policy Compliance
Failure to comply with this policy may result in disciplinary action.

Review and Update
This policy will be reviewed and updated regularly to ensure it remains effective and aligned with the strategic direction of AppCan Ltd.

Approval
This policy is approved by the Directors of AppCan Ltd.
[/av_toggle]
[av_toggle title=\’Bring your own Device policy (BYOD)\’ tags=\’\’ custom_id=\’BYOD-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’\’ sc_version=\’1.0\’ ]

  1. Device Requirements: All devices must meet the company’s minimum security standards before they can access the network. This includes having up-to-date antivirus software and operating systems.
  2. Security: Employees are responsible for the security of their devices. They should use strong, unique passwords and enable lock screens.
  3. Data Management: Company data stored on personal devices should be segregated from personal data. Employees should use company-provided or approved applications for accessing company data.
  4. Lost or Stolen Devices: Employees must report lost or stolen devices immediately. The company reserves the right to wipe company data from such devices.
  5. Privacy: The company respects the privacy of the employee and will only access company data on the device.
  6. Exit Policy: Upon termination of employment, employees must remove all company data from their personal devices.
  7. Acceptable Use: Devices should not be used in a way that could harm the company or infringe on the rights of others. This includes respecting copyright laws, not engaging in illegal activities, and not using the device for harassing or offensive behavior.

[/av_toggle]
[av_toggle title=\’Password Policy\’ tags=\’\’ custom_id=\’Password-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’\’ sc_version=\’1.0\’ ]
Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

Scope
This policy applies to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any company facility, has access to the company network, or stores any non-public company information.

Policy
1. Password Complexity: All passwords must meet the following complexity requirements:
– At least 8 characters long.
– Include a combination of uppercase and lowercase letters.
– Include at least one numerical digit.
– Include at least one special character (e.g., !@#$%^&*).

2. Password Change: Passwords must be changed at least every 60 days.

3. Password Protection: Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential company information.

4. Password Storage: Passwords must not be written down or stored without encryption.

5. Default Passwords: If a system has a default password, it must be changed immediately after the system is installed.

Compliance
Failure to comply with this policy may result in disciplinary action, up to and including termination of employment.
[/av_toggle]
[av_toggle title=\’Suppliers Information Security Policy\’ tags=\’\’ custom_id=\’Suppliers-Info-Security-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’\’ sc_version=\’1.0\’ ]
Purpose
The purpose of this policy is to ensure the protection of AppCan Ltd’s information assets that are accessed, processed, or managed by external suppliers.

Scope
This policy applies to all suppliers that have access to AppCan Ltd’s information assets.

Policy
1. Supplier Selection: Suppliers must be selected based on their ability to meet the security requirements stipulated in this policy.

2. Security Requirements: Suppliers must comply with all applicable laws, regulations, and standards related to information security.

3. Contractual Obligations: All security requirements must be addressed in contracts with suppliers. Contracts must include clauses that allow the company to audit the supplier’s compliance with the security requirements.

4. Access Control: Suppliers must implement appropriate access control measures to ensure that only authorized individuals have access to the company’s information assets.

5. Incident Management: Suppliers must have procedures in place for managing information security incidents and must report any incidents affecting the company’s information assets to the company as soon as possible.

6. Business Continuity: Suppliers must have business continuity plans in place to ensure the continued availability of the company’s information assets.

7. Termination of Contract: Upon termination of the contract, suppliers must return all of the company’s information assets and delete any copies of the information assets in their possession.

Compliance
Failure to comply with this policy may result in termination of the contract and legal action.
[/av_toggle]
[av_toggle title=\’Data Sharing & Transfer Policy\’ tags=\’\’ custom_id=\’Data-Sharing-Transfer-Policy\’ element_template=\’\’ one_element_template=\’\’ av_uid=\’\’ sc_version=\’1.0\’ ]

AppCan Ltd recognises the importance of responsible data sharing. This policy ensures that personal information is handled transparently, securely, and in compliance with data protection laws.

2. Purpose

The purpose of this policy is to:

  • Establish guidelines for data sharing.
  • Safeguard individuals’ privacy rights.
  • Promote accountability and transparency.

3. Scope

This policy applies to all employees, contractors, and third parties involved in data sharing on behalf of AppCan Ltd.

4. Principles of Data Sharing

4.1. Lawfulness and Fairness

  • Data sharing must comply with applicable laws and regulations.
  • Individuals’ rights regarding their personal data must be respected.

4.2. Transparency

  • Clear notices should inform individuals about data collection and sharing practices.
  • Data subjects should know where their information will be transferred.

4.3. Purpose Limitation

  • Data should only be shared for legitimate purposes.
  • Avoid sharing data beyond the intended purpose.

4.4. Data Minimization

  • Share only necessary data.
  • Limit the scope of shared information.

4.5. Security

  • Implement appropriate security measures to protect shared data.
  • Use secure data transfer methods (e.g., encryption).

4.6. Accountability

  • Designate responsible individuals for data sharing.
  • Maintain records of data sharing activities.

5. Data Transfer Procedures

5.1. Legal Right and Data Access Agreement

  • Personal information will only be transferred to individuals outside of AppCan Ltd if they have a legal right to access the data.
  • Data access agreements must be in place before any transfer occurs.

5.2. Secure Data Transfers

  • Data will be transferred securely using approved encryption services.
  • Data files will be encrypted and password protected during transfer.

6. Review and Updates

  • Regularly review and update this policy to align with legal requirements and changes within AppCan Ltd.
  • Communicate any revisions to relevant stakeholders.

7. Training and Awareness

  • Provide training to personnel involved in data sharing.
  • Foster awareness of data protection responsibilities.

[/av_toggle]
[/av_toggle_container]

[/av_one_full]
