Last modified: 29 January, 2024

The purpose of this document is to provide high-level principles and concepts related to data and information security in Ignite Procurement (the “Company”) including the spend management solution (the “Platform” or “Service”).

For more information visit our trust center at https://ignite-procurement.secureframetrust.com/

1 Governance and management

1.1 Information security management system

Information security management describes controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities.

1.1.1 The Information Security Organization

The roles in the Information Security Organization govern and control the security tasks that support the main goal: protecting the confidentiality, availability, and integrity of the Platform against threats and vulnerabilities. Their responsibility includes arranging for proper execution of that work and developing governing documents for preventive security. Each role holder shall have a deputy, must know who that deputy is, and must know which security responsibilities the deputy is to carry out. All role holders must have the skills needed for their tasks and be given the appropriate time and resources to perform them.

The Chief Executive Officer has overall responsibility for data and information security at the Company.

The Chief Technology Officer (CTO)

The CTO is the delegated authority and is responsible for the IT Security at the Company including the Platform. This includes responsibility for:

Engineering Managers

Engineering managers are responsible for ensuring that security policies and guidelines are enforced within their product groups through coaching, security training and code reviews.

Tech Lead

Employees holding the position of Tech Lead in the Company are responsible for ensuring that the security guidelines described in the Company's security policies are met within their areas of responsibility.

1.1.2 Information Security Risk Assessment

Information Security Risk Assessments are used to identify, estimate and prioritize risks to information technology systems. The Company has implemented a continuous risk assessment, “Security Risk Assessment”, which is updated and revised on a quarterly basis. The assessment consists of a risk assessment matrix, a prioritized list of current risks, and a risk mitigation action plan.

1.1.3 Security Checklist Templates for Pull Requests