Last modified January 25, 2024
This document is the Information Security Policy of SQUAKE.earth GmbH (SQUAKE), Brunnenstraße 19-21, 10119 Berlin.
It represents binding rules for us, the employees of SQUAKE, with regards to:
The mission statement of SQUAKE is:
Striving toward sustainability and bringing down carbon emissions has become a priority on many levels in recent times. At SQUAKE, we support companies in reaching their goals on the way toward operating in a CO2-reduced way. Our focus is to decarbonize the travel & transport sector and foster sustainably operating businesses in travel and transport. Founded in the heart of Berlin, we are on the way to becoming the go-to tech solution for businesses who want to act in an impactful way today. We are trusted by clients, partners, and venture capital.
From our mission statement, we have the following external and internal context to consider:
We consider information security to be an essential value that we want to offer. Much depends on the information security (confidentiality, integrity and availability) of the information processed by our solutions. The market is strictly regulated; security and trust are the highest good. As a tech organization, information security is a strategic component that we need to provide to the big players that are our clients.
We express this through the following voluntary commitment:
We provide resources and an information security management system according to the international norm ISO/IEC 27001:2022 for the above.
We improve our information security using an overall approach which works as follows:
Based on our context, we have the following parties interested in information security:
Interested Party | Expectations regarding Confidentiality | Expectations regarding Integrity | Expectations regarding Availability | Relevant Requirements |
---|---|---|---|---|
Clients who use SQUAKE’s services (external) | Data provided by clients regarding emissions as well as API usage statistics may, if not protected, lead to insights into company secrets. It is imperative that this shall not happen. | Part of our offering (such as company emission data) is used as a steering measure for top management; other information informs invoices. It is necessary that all data is always 100% correct. This means it shall not be corrupted by unauthorized access or changed in order to compromise it. | In many cases, our API is built into our clients' online services. If our service fails due to unavailable content, the client cannot provide its service properly either. Furthermore, clients need to retrieve company emissions data and usage statistics for management reviews or ad hoc questions. | GTC that cover, among other things, confidentiality and integrity aspects; SLA; DPA if required by the client. |
Customers of our clients, especially end-customers (external) | End-customers interact directly with us as a merchant of record; protection of the highly sensitive data used for identification and/or payments must clearly be ensured. | End-customers will see information on compensation projects as well as prices for these compensations. Self-evidently, this information needs to be accurate and correspond to the customer’s request. Confirmations sent to end-customers need to match actual purchases. This means it shall not be corrupted by unauthorized access or changed in order to compromise it. | A customer journey should not be disrupted nor noticeably decelerated by our services; minimal latency and consistent uptime are required. | GDPR compliance; special care regarding PCI data in case it is processed. |
Shareholders (external & internal) | In our own interest and that of our shareholders, assets that constitute competitive advantages must be kept secret. | Shareholders and potential investors want to see performance KPIs. These should reflect the real performance of the company. This means they shall not be corrupted by unauthorized access or changed in order to compromise them. | Shareholders and potential investors want to see performance KPIs from time to time. | Awareness of the need to protect IP ingrained in the team. |
Management (internal) | Our software solution will only be accepted in the market if it does not inadvertently or through targeted hacking reveal information that would be better left confidential. | Our software solution will only be accepted in the market if it is not possible to unintentionally or through targeted hacking change information that should be secured against it. | Our software solution will only be accepted in the market if all the information constituting our service as well as the information processed in it is constantly available to our clients. | Security standards brought to life by effective management procedures; ISO 27001 certification, also for its marketing effect. |
Employees (internal), applicants, former employees | It is harmful to the company's business, and therefore to job security, if our software unintentionally or through targeted hacking exposes information that would be better left confidential. Employee data may under no circumstances be leaked, as publicity around that would negatively impact willingness to apply for jobs at SQUAKE. | Performance KPIs need to be accurate to enable steering the business on strategic, tactical and operational levels. This means they shall not be corrupted by unauthorized access or changed in order to compromise them. | Performance KPIs need to be available on an ad hoc basis on all management levels. | GDPR compliance regarding personnel data. Effective IP clauses in employee contracts. |
Contractors and service providers such as Traction Engineering (external & internal)* | Copyrights must be preserved in both directions according to contracts. | To prevent unnecessary work, the right version of the code should be worked on. | Tools used for collaboration must be retrievable for effective service provision. | Effective IP clauses in agency contracts. |
Suppliers (external) | Suppliers regularly share prices and inventory information with us, which under no circumstances should be viewed by competitors (potentially also our partners). | Suppliers use our digital platform as a sales channel. Information provided by us will inform business steering and thus needs to be secured against unintentional or hacked changes. | Suppliers have an economic interest in our digital services remaining available, as we represent one sales channel for them. | Confidentiality established either via GTC or NDA. |
Other partners, e.g. data merchants, rating agencies, business intelligence, landlord (external) | In case we partner with vendors with whom we have agreed on an NDA, disclosed information categorized as confidential needs to be kept confidential. | | | License agreements, clear requirements from SQUAKE towards them, NDAs in some cases. |
Certifiers, verifiers, auditors, advisers (external) | - | The information architecture shall enable verification of the logged information in order to undertake certification, e.g. TN-CC 020. This means it shall not be corrupted by unauthorized access or changed in order to compromise it. | The information architecture shall enable regular checks, mostly announced, in order to undertake certification, e.g. TN-CC 020. | Clauses around acceptable use of assets towards the service provided. |
Legislator, Judiciary, Executive force | Compliance with all applicable data protection and copyright laws. | Compliance with all applicable data protection laws. | Compliance with all applicable data protection laws. | All applicable laws. |
Cyber criminal | Cyber criminals may want to hack our systems and attack confidentiality in a harmful way by leaking information. (This means we need to equip our systems against it.) | Cyber criminals may want to hack our systems and attack data integrity in a harmful way by changing it. (This means we need to equip our systems against it.) | Cyber criminals may want to hack our systems and impact system availability in a harmful way. (This means we need to equip our systems against it.) | Effective protection established by SQUAKE. |
* When building and expanding our services, we work closely with external contractors and service providers. Internally set rules need to be applied by them as well, in order for us to credibly vouch for them. The table highlights the expectations between them and us. SQUAKE takes all needs and expectations seriously and addresses them.
Derived from stakeholder interests, we have the following information security goals:
Derived from the information security objectives defined above, the scope of our information security management system is:
Development, hosting and operation of sustainability applications and adjacent services
Adjacent services are constantly extended and enhanced over time. They can be static or dynamic. For now, they include (but are not limited to):
Essential roles in the scope of our information security management system are:
Role | Name(s) | Responsibility & Authority |
---|---|---|
Managing Directors | Philipp von Lamezan (CEO), Dan Kreibich (CPO) | Communicate externally on all information security matters. Overall responsibility for information security; responsible for and owner of all information security risks. |
Chief Information Security Officer (CISO) | Antonia Adamik | Implementation and maintenance of the information security management system, competence development in the field of information security, support and first point of contact on all information security issues. |
Internal Auditor | External provider | Execution of internal audits. |
Lead Software Developer | Ludwig Reinmiedl | Information secure software development, operation and hosting as well as risk management in this area. |
Product Manager | Nicolai Brunner | Continuous high quality delivery and improvement of features throughout touchpoints. |
Head of Operations | Antonia Adamik | Ensuring that business operations at SQUAKE are adequately implemented and interlock, from client integration throughout data retrieval to provision of supply. |
Chief of Staff | Christopher Tyrock | Ensuring that all employee-related data processing and storage is compliant with requirements from GDPR and ISO 27001. |
All other roles and responsibilities result from the individual processes.
Communication on the topic of information security takes place at SQUAKE as follows:
All other communications are described in more detail in the process descriptions or SQUAKE’s ISMS.
The requirements of ISO/IEC 27001:2022 are covered in this information security management system as follows:
Standard section | Covered by |
---|---|
4.1 Understanding the organization and its context | This document |
4.2 Understanding the needs and expectations of interested parties | This document |
4.3 Defining the scope of the ISMS | This document |
4.4 ISMS | This document |
5.1 Leadership and commitment | This document; Statement from Management towards ISMS |
5.2 Policy | This document |
5.3 Roles, responsibilities and authorities in the organization | This document; all process descriptions |
6.1 Measures to deal with risks and opportunities | SOP Information Security Risk Management |
6.2 IS goals and planning to achieve them | This document; SOP Management Review |
7.1 Resources | This document; SOP Management Review |
7.2 Competence | SOP Training |
7.3 Awareness | SOP Training |
7.4 Communication | This document |
7.5 Documented information | SOP Document Control |
8.1 Operational planning and control | All process descriptions |
8.2 IS risk assessment | SOP Information Security Risk Management |
8.3 IS risk treatment | SOP Information Security Risk Management |
9.1 Monitoring, measurement, analysis and evaluation | SOP Performance Measurement |
9.2 Internal audit | SOP Internal Audit |
9.3 Management evaluation | SOP Management Review |
10.1 Non-conformity and corrective actions | SOP Corrective and Preventive Action (CAPA) |
10.2 Continuous improvement | SOP Information Security Event and Incident Management |
Annex A | Statement of Applicability |