{"id":595,"date":"2025-10-29T13:55:04","date_gmt":"2025-10-29T10:55:04","guid":{"rendered":"https:\/\/metatavu.fi\/privacy-policy\/"},"modified":"2025-11-04T12:15:31","modified_gmt":"2025-11-04T09:15:31","slug":"privacy-policy","status":"publish","type":"page","link":"https:\/\/metatavu.fi\/en\/privacy-policy\/","title":{"rendered":"Privacy Policy"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"595\" class=\"elementor elementor-595 elementor-287\" data-elementor-post-type=\"page\">\n\t\t\t\t<div data-particle_enable=\"false\" data-particle-mobile-disabled=\"false\" class=\"elementor-element elementor-element-2446d84 e-flex e-con-boxed e-con e-parent\" data-id=\"2446d84\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div data-particle_enable=\"false\" data-particle-mobile-disabled=\"false\" class=\"elementor-element elementor-element-7eaa33e e-con-full e-flex e-con e-child\" data-id=\"7eaa33e\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-a154bdf elementor-widget__width-initial elementor-widget elementor-widget-heading\" data-id=\"a154bdf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Privacy Policy<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div data-particle_enable=\"false\" data-particle-mobile-disabled=\"false\" class=\"elementor-element elementor-element-8670709 e-flex e-con-boxed e-con e-parent\" data-id=\"8670709\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-239e975 elementor-widget elementor-widget-text-editor\" data-id=\"239e975\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<style>\nh1, h2, h3, h4, h5, h6 {\n    font-family: 'Playfair Display', serif;\n}\np, li, td, th, span, div, a, strong, em {\n    font-family: 'Poppins', sans-serif;\n}\ntable {\n    width: 100%;\n    border-collapse: collapse;\n    margin: 20px 0;\n}\nth, td {\n    border: 1px solid #ddd;\n    padding: 12px;\n    text-align: left;\n}\nth {\n    background-color: #f5f5f5;\n}\n\n\/* Mobile-optimized tables *\/\n@media screen and (max-width: 768px) {\n    table {\n        border: 0;\n    }\n    \n    table thead {\n        display: none;\n    }\n    \n    table tr {\n        margin-bottom: 15px;\n        display: block;\n        border: 1px solid #ddd;\n        border-radius: 8px;\n        background: #fff;\n        box-shadow: 0 2px 4px rgba(0,0,0,0.05);\n    }\n    \n    table td {\n        display: block;\n        text-align: right;\n        border: none;\n        border-bottom: 1px solid #f0f0f0;\n        padding: 12px 15px;\n        position: relative;\n        padding-left: 50%;\n    }\n    \n    table td:last-child {\n        border-bottom: none;\n    }\n    \n    table td:before {\n        content: attr(data-label);\n        position: absolute;\n        left: 15px;\n        font-weight: 600;\n        text-align: left;\n        color: #333;\n    }\n}\n<\/style>\n\n<p><strong>version 1.0 \u2013 updated May 19, 2025<\/strong><\/p>\n\n<h2>Table of Contents<\/h2>\n<ol>\n    <li>Introduction<\/li>\n    <li>Management Commitment<\/li>\n    <li>Scope<\/li>\n    <li>Information Security Objectives<\/li>\n    <li>ISMS Overview and Themes<\/li>\n    <li>Roles and Responsibilities<\/li>\n    <li>Compliance and Continuous Improvement<\/li>\n    <li>Version History<\/li>\n<\/ol>\n\n<hr>\n\n<h2>1. Introduction<\/h2>\n<p>This information security policy defines how Metatavu ensures the confidentiality, integrity, and availability of information assets and systems. 
It describes the commitment of top management, establishes the foundation for our Information Security Management System (ISMS), supports compliance with NIS2, GDPR, and cybersecurity law requirements, and promotes the continuous improvement of our cybersecurity practices. Detailed operational procedures and responsibilities are defined in the internal Security Playbook, which supports the implementation of this policy. This document is publicly available and reviewed annually.   <\/p>\n\n<h2>2. Management Commitment<\/h2>\n<p>Metatavu&#8217;s top management is fully committed to information security. This includes ensuring adequate resources, setting objectives, communicating the importance of security, and regularly reviewing the ISMS for improvement and development. Management has defined the framework for setting information security objectives at strategic and operational levels.  <\/p>\n\n<p><strong>Management commits to:<\/strong><\/p>\n<ul>\n    <li>Maintaining and reviewing this policy<\/li>\n    <li>Setting measurable security objectives aligned with strategy<\/li>\n    <li>Ensuring that personnel are aware of and responsible for security<\/li>\n    <li>Supporting continuous improvement and regular review of security practices<\/li>\n    <li>Resourcing the implementation and practices of the ISMS<\/li>\n<\/ul>\n\n<h2>3. Scope<\/h2>\n<p>This information security policy applies to all Metatavu&#8217;s operations, personnel, systems, and services. It is mandatory for all employees, trainees, subcontractors, and partners who process, use, or manage information or systems under Metatavu&#8217;s responsibility. 
<\/p>\n\n<p><strong>The policy and its associated Information Security Management System (ISMS) cover:<\/strong><\/p>\n<ul>\n    <li>All business functions, including software development, consulting, service delivery, internal operations, and continuous services<\/li>\n    <li>All client projects and environments, regardless of whether they are located in Metatavu-managed or client-owned infrastructure (AWS, Azure, GCP, on-premise)<\/li>\n    <li>All Metatavu-managed or maintained devices and information assets, including remote work and the use of personal devices where work-related information is processed<\/li>\n    <li>All data types, including personal data, source code, documentation, credentials, logs, and client-specific materials<\/li>\n<\/ul>\n\n<p>Security controls apply to both digital and physical assets, data in transit and at rest, and are implemented through technical, administrative, and procedural measures defined in the Security Playbook.<\/p>\n\n<p>Our ISMS is company-wide and currently excludes no areas or functions. Should exceptions be considered in the future, they will be justified, documented, and reviewed by top management based on risks and regulatory compliance requirements. <\/p>\n\n<h2>4. Information Security Objectives<\/h2>\n<p>Security objectives are defined by top management and are based on legal requirements, risk assessments, and business needs. They are communicated, measurable, regularly reviewed, and include responsible owners and resources. 
<\/p>\n\n<p><strong>Strategic objectives:<\/strong><\/p>\n<ul>\n    <li>Build a strong information security awareness culture<\/li>\n    <li>Ensure compliance with NIS2, GDPR, and cybersecurity law requirements<\/li>\n    <li>Protect client data through Data Processing Agreements (DPA) and internal controls<\/li>\n    <li>Integrate information security into all development projects<\/li>\n    <li>Monitor third-party and supplier risks<\/li>\n    <li>Leverage information security as a competitive advantage<\/li>\n    <li>Deliver and operate services securely<\/li>\n<\/ul>\n\n<h2>5. ISMS Overview and Themes<\/h2>\n<p>The ISMS consists of policies, procedures, and responsibilities that ensure information security in daily operations. Each area has an owner responsible for implementation and improvement. Each thematic area of the ISMS is supported by detailed procedures and guidelines defined in the internal Security Playbook. This includes role-specific responsibilities, technical controls, and practical instructions.   <\/p>\n\n<p><strong>Themes and Owners:<\/strong><\/p>\n<ul>\n    <li><strong>Risk Management and Leadership<\/strong> \u2013 CEO<\/li>\n    <li><strong>Development and Cloud Services<\/strong> \u2013 CTO<\/li>\n    <li><strong>Data Sets and IT Systems Management<\/strong> \u2013 CTO<\/li>\n    <li><strong>Remote Work, Communication, and Device Security<\/strong> \u2013 CTO<\/li>\n    <li><strong>Incident Management<\/strong> \u2013 Data Protection and Security Working Group<\/li>\n    <li><strong>Data Protection and Privacy<\/strong> \u2013 Data Protection Officer (DPO)<\/li>\n    <li><strong>Partner Management<\/strong> \u2013 Head of Service Delivery<\/li>\n    <li><strong>Personnel Security<\/strong> \u2013 HR \/ Personnel Security<\/li>\n    <li><strong>Physical Security<\/strong> \u2013 HR \/ Personnel Security<\/li>\n<\/ul>\n\n<h2>6. 
Roles and Responsibilities<\/h2>\n<p>Clear roles ensure accountability and operations.<\/p>\n<ul>\n    <li><strong>Chief Executive Officer (CEO):<\/strong> Defines the information security strategy and ensures management oversight and commitment.<\/li>\n    <li><strong>Chief Technology Officer (CTO):<\/strong> Leads the implementation of technical and organizational security measures, coordinates the ISMS, and ensures continuous improvement.<\/li>\n    <li><strong>Head of Service Delivery:<\/strong> Responsible for secure service operations and the integrity of the client environment.<\/li>\n    <li><strong>Data Protection Officer (DPO):<\/strong> Ensures compliance with data protection laws (e.g., GDPR, DPA) and advises on privacy-related risks.<\/li>\n    <li><strong>HR \/ Personnel Security:<\/strong> Manages secure onboarding and offboarding and ensures physical access control.<\/li>\n    <li><strong>Data Protection and Security Working Group:<\/strong> A cross-functional team that supports policy implementation, internal communication, information security training, and awareness-raising.<\/li>\n<\/ul>\n\n<h2>7. Compliance and Continuous Improvement<\/h2>\n<p>Metatavu is committed to fulfilling legal, regulatory, and contractual obligations related to security. The ISMS is regularly reviewed through internal audits and management reviews. Feedback, incidents, and risk assessments drive continuous improvement.  <\/p>\n\n<h2>8. Version History<\/h2>\n<table>\n<thead>\n<tr>\n<th>Version<\/th>\n<th>Date<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td data-label=\"Versio\">&#8211;<\/td>\n<td data-label=\"P\u00e4iv\u00e4m\u00e4\u00e4r\u00e4\">1 December 2023<\/td>\n<td data-label=\"Kuvaus\">Initiation of ISMS work<\/td>\n<\/tr>\n<tr>\n<td data-label=\"Versio\">1.0<\/td>\n<td data-label=\"P\u00e4iv\u00e4m\u00e4\u00e4r\u00e4\">19.5.2025<\/td>\n<td data-label=\"Kuvaus\">First published version of the Information Security Policy. 
<em>Approved by management.<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n<hr>\n\n<small>Metatavu Ltd | version 1.0 \u2013 updated May 19, 2025<\/small>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Privacy Policy version 1.0 \u2013 updated May 19, 2025 Table of Contents Introduction Management Commitment Scope Information Security Objectives ISMS Overview and Themes Roles and Responsibilities Compliance and Continuous Improvement Version History 1. Introduction This information security policy defines how Metatavu ensures the confidentiality, integrity, and availability of information assets and systems. It describes the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"elementor_header_footer","meta":{"_acf_changed":false,"_improvement_type_select":"improve_an_existing","_thumb_yes_seoaic":false,"_frame_yes_seoaic":false,"seoaic_generate_description":"","seoaic_improve_instructions_prompt":"","seoaic_rollback_content_improvement":"","seoaic_idea_thumbnail_generator":"","thumbnail_generated":false,"thumbnail_generate_prompt":"","seoaic_article_description":"","footnotes":""},"class_list":["post-595","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/metatavu.fi\/en\/wp-json\/wp\/v2\/pages\/595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/metatavu.fi\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/metatavu.fi\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/metatavu.fi\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/metatavu.fi\/en\/wp-json\/wp\/v2\/comments?post=595"}],"version-history":[{"count":0,"href":"https:\/\/metatavu.fi\/en\/wp-json\/wp\/v2\/pages\/595\/revisions"}],"wp:attachment":[{"href":"https:\/\/metatavu.fi\/en\/wp-json\/wp\/v2
\/media?parent=595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}