Context and regulatory compliance

Introduction

We perform context and stakeholder analyses, monitor relevant laws and regulations, and apply threat analysis processes. Developments are translated into measures through defined procedures within the Information Security Management System (ISMS). Procedures are also in place for the protection of intellectual property, document management, information classification, data retention, and guidelines for the use of AI tools.



Detailed explanation


Context and stakeholder analysis

We periodically perform a structured context analysis and maintain a stakeholder overview. In doing so, we assess internal and external factors that influence information security and privacy, such as technological developments, customer expectations, and dependencies with other parties. The context and stakeholder analysis is evaluated annually.


Compliance with laws and regulations

We have a procedure in place to remain compliant with relevant laws and regulations and any changes thereto, including guidelines from supervisory authorities. New or amended requirements are assessed for impact and translated into measures such as updates to policy, procedures, contractual agreements, terms and conditions, privacy statements, or operational working methods through a formal change process. The overview of relevant laws and regulations is assessed during management review.


Threat intelligence / threat analysis

We follow a defined threat analysis process with steps including identification (e.g. through context analysis, stakeholder overview, external sources, patch monitoring, risk analysis, and audits), collection and initial assessment, registration (e.g. in ticketing/Jira), analysis, and recording of actions or improvement measures. Where necessary, relevant information is shared with employees, customers, or suppliers (e.g. via awareness sessions or service level discussions). We also take into account that certain customer segments (e.g. in an NIS2 or DORA context) may have additional agreements or reporting expectations.


Information classification

Information is classified based on availability, integrity, confidentiality, and privacy impact as part of the risk assessment process (business impact analysis). Classification is determined by the information owner (system owner), who is responsible for assigning the appropriate classification and defining handling requirements.

We use defined classification categories (such as sensitive/personal, corporate confidential, corporate internal, and public) to ensure that information is handled in a consistent and appropriate manner. Access, sharing, modification, and deletion of classified information are subject to defined controls and responsibilities.


Data retention

We apply defined retention periods for different types of information, based on applicable laws and regulations (including GDPR and PDPA) and internal requirements. Retention periods vary depending on the type of data and jurisdiction, and are linked to events such as creation, termination of employment, or completion of contractual relationships.

Personal data is retained only for as long as necessary for the purpose for which it was collected, in line with data minimization and storage limitation principles. Logging data, documentation, and employee-related records are retained for defined periods to support compliance, auditability, and operational needs.


Document management

A document management procedure is in place to control ISMS documentation. This includes defined document types, central storage in an intranet environment, controlled access, structured change management, and version control. HR-related documentation is stored in a separate system.

Documents are uniquely identified through naming conventions, and only published documents are considered the current version. This ensures consistency, traceability, and auditability of ISMS documentation.


Intellectual property (IP)

We have a procedure in place to protect intellectual property while remaining compliant with external licensing terms. Internally, the emphasis is on protecting source code: source code is classified as confidential, managed in a controlled repository environment with personalised access, and changes are made via the change management process. When external parties are involved, contracts must state that ownership of the code produced belongs to Fellow Digitals. Project plans for new projects should include details of measures to ensure both Fellow Digitals’ intellectual property rights and compliance with relevant third-party intellectual property rights.


Artificial intelligence (AI)

We have internal guidelines for the responsible use of AI tooling, with an emphasis on confidentiality and information security. This includes, among other things, ensuring that sensitive, confidential, or internal information and personal data are not processed via AI tools, and that output is checked before it is used or shared internally or externally. AI tooling is included in the processing register where applicable.

Updated:

27 March 2026 at 15:20:44