Information Security Policy

version 1.0 – updated May 19, 2025

Table of Contents

  1. Introduction
  2. Management Commitment
  3. Scope
  4. Information Security Objectives
  5. ISMS Overview and Themes
  6. Roles and Responsibilities
  7. Compliance and Continuous Improvement
  8. Version History

1. Introduction

This information security policy defines how Metatavu ensures the confidentiality, integrity, and availability of information assets and systems. It describes the commitment of top management, establishes the foundation for our Information Security Management System (ISMS), supports compliance with NIS2, GDPR, and cybersecurity law requirements, and promotes the continuous improvement of our cybersecurity practices. Detailed operational procedures and responsibilities are defined in the internal Security Playbook, which supports the implementation of this policy. This document is publicly available and reviewed annually.

2. Management Commitment

Metatavu’s top management is fully committed to information security. This includes ensuring adequate resources, setting objectives, communicating the importance of security, and regularly reviewing the ISMS for improvement and development. Management has defined the framework for setting information security objectives at strategic and operational levels.

Management commits to:

  • Maintaining and reviewing this policy
  • Setting measurable security objectives aligned with strategy
  • Ensuring that personnel are aware of and responsible for security
  • Supporting continuous improvement and regular review of security practices
  • Resourcing the implementation and practices of the ISMS

3. Scope

This information security policy applies to all Metatavu’s operations, personnel, systems, and services. It is mandatory for all employees, trainees, subcontractors, and partners who process, use, or manage information or systems under Metatavu’s responsibility.

The policy and its associated Information Security Management System (ISMS) cover:

  • All business functions, including software development, consulting, service delivery, internal operations, and continuous services
  • All client projects and environments, regardless of whether they are located in Metatavu-managed or client-owned infrastructure (AWS, Azure, GCP, on-premise)
  • All Metatavu-managed or maintained devices and information assets, including remote work and the use of personal devices where work-related information is processed
  • All data types, including personal data, source code, documentation, credentials, logs, and client-specific materials

Security controls apply to both digital and physical assets, data in transit and at rest, and are implemented through technical, administrative, and procedural measures defined in the Security Playbook.

Our ISMS is company-wide and currently excludes no areas or functions. Should exceptions be considered in the future, they will be justified, documented, and reviewed by top management based on risks and regulatory compliance requirements.

4. Information Security Objectives

Security objectives are defined by top management and are based on legal requirements, risk assessments, and business needs. They are communicated, measurable, regularly reviewed, and include responsible owners and resources.

Strategic objectives:

  • Build a strong information security awareness culture
  • Ensure compliance with NIS2, GDPR, and cybersecurity law requirements
  • Protect client data through Data Processing Agreements (DPAs) and internal controls
  • Integrate information security into all development projects
  • Monitor third-party and supplier risks
  • Leverage information security as a competitive advantage
  • Deliver and operate services securely

5. ISMS Overview and Themes

The ISMS consists of policies, procedures, and responsibilities that ensure information security in daily operations. Each area has an owner responsible for implementation and improvement. Each thematic area of the ISMS is supported by detailed procedures and guidelines defined in the internal Security Playbook. This includes role-specific responsibilities, technical controls, and practical instructions.

Themes and Owners:

  • Risk Management and Leadership – CEO
  • Development and Cloud Services – CTO
  • Data Sets and IT Systems Management – CTO
  • Remote Work, Communication, and Device Security – CTO
  • Incident Management – Data Protection and Security Working Group
  • Data Protection and Privacy – Data Protection Officer (DPO)
  • Partner Management – Head of Service Delivery
  • Personnel Security – HR / Personnel Security
  • Physical Security – HR / Personnel Security

6. Roles and Responsibilities

Clearly defined roles ensure accountability and effective operation of the ISMS.

  • Chief Executive Officer (CEO): Defines the information security strategy and ensures management oversight and commitment.
  • Chief Technology Officer (CTO): Leads the implementation of technical and organizational security measures, coordinates the ISMS, and ensures continuous improvement.
  • Head of Service Delivery: Responsible for secure service operations and the integrity of client environments.
  • Data Protection Officer (DPO): Ensures compliance with data protection laws (e.g., GDPR) and with Data Processing Agreements (DPAs), and advises on privacy-related risks.
  • HR / Personnel Security: Manages secure onboarding and offboarding and ensures physical access control.
  • Data Protection and Security Working Group: A cross-functional team that supports policy implementation, internal communication, information security training, and awareness-raising.

7. Compliance and Continuous Improvement

Metatavu is committed to fulfilling legal, regulatory, and contractual obligations related to security. The ISMS is regularly reviewed through internal audits and management reviews. Feedback, incidents, and risk assessments drive continuous improvement.

8. Version History

Version | Date | Description
1 | December 2023 | Initiation of ISMS work
1.0 | 19 May 2025 | First published version of the Information Security Policy. Approved by management.

Metatavu Ltd | version 1.0 – updated May 19, 2025