DATA SECURITY POLICY

Introduction

This data security policy outlines Lemonsoft Oyj’s data security principles, implementation and objectives. The data security policy is the main operating principle that informs data security. It defines the data security objectives as well as the way data is protected. A dedicated policy is drawn up for the different areas of data security to complement the data security policy. There is a separate privacy policy for personal data protection.

All employees of Lemonsoft and its subsidiary are bound by the data security policy. To the necessary extent, the requirements of the data security policy and management system must be included in Lemonsoft’s contractual requirements.

The scope of the certified data security management system is defined separately in the document specifying the scope of application of the management system.

The data security policy is a public document. The data security policy is maintained in accordance with the annual data security planning cycle. Any changes to it must be approved by Lemonsoft’s Management Team.

Data security management system

Lemonsoft’s data security management system is designed in accordance with the ISO/IEC 27001:2023 standard. The management system is based on Lemonsoft’s data security goals, risk management and continuous improvement. The data security management tools are built in a documented manner and on the basis of risk management. Any data security deviations or vulnerabilities are processed in accordance with the data security deviation process and vulnerability management process.

The management system is audited, measured and improved on an ongoing basis. Any detected deviations in the management system are processed in accordance with the deviations and corrective measures operating principle.

Lemonsoft’s data security objectives

Data security is aimed at protecting the 1) confidentiality, 2) integrity and 3) availability of data in different formats. Lemonsoft’s data security objectives derive from the operating environment, statutory obligations, stakeholder expectations and business continuity requirements. Lemonsoft’s data security objectives are:

  • to ensure business continuity
  • to protect the personal data used in our operations
  • to protect our and our contract partners’ business secrets processed in our operations
  • to ensure customer satisfaction and compliance with data security requirements
  • to ensure compliance with legal obligations
  • to integrate data security into our operating culture

Data security roles and responsibilities

The CEO and the Management Team are responsible for Lemonsoft’s data security. The data security management system is owned by the Chief Technology Officer and its main user is the Information Security Manager. Supervisors are responsible for monitoring, supervising and instructing their subordinates.

  • Each employee is responsible for data security and following the data security instructions in their work.
  • In terms of procurement, contract owners are responsible for taking the data security policy obligations into account and including them in supplier contracts.
  • The data security roles are specified in detail in the separate organisational roles, responsibilities and obligations document.

Operating principles of the data security policy

The steering of the data security policy is complemented by operating principles. The purpose of an operating principle is to outline a specific area of data security in greater detail. Operating principles are discussed and approved by the Data Security Team. An operating principle should always be assigned a dedicated owner. All of the relevant parties should be notified of an approved operating principle.

The Lemonsoft Management Team approved the data security policy on 16 February 2024.