Context and regulatory compliance
Introduction
We perform context and stakeholder analyses, monitor relevant laws and regulations, and apply threat analysis processes. Developments are translated into measures through defined procedures within the Information Security Management System (ISMS). Procedures are also in place for the protection of intellectual property, document management, information classification, data retention, and guidelines for the use of AI tools.
Detailed explanation
Context and stakeholder analysis
We periodically perform a structured context analysis and maintain a stakeholder overview. In doing so, we assess internal and external factors that influence information security and privacy, such as technological developments, customer expectations, and dependencies on other parties. The context and stakeholder analysis is evaluated annually.
Compliance with laws and regulations
We have a procedure in place to remain compliant with relevant laws and regulations and any changes thereto, including guidelines from supervisory authorities. New or amended requirements are assessed for impact and translated into measures such as updates to policy, procedures, contractual agreements, terms and conditions, privacy statements, or operational working methods through a formal change process.
Threat intelligence / threat analysis
We follow a defined threat analysis process, including identification, assessment, registration, analysis, and follow-up actions. Relevant information may be shared with employees, customers, or suppliers when needed. We also consider additional agreements or reporting requirements for specific customer segments (e.g. NIS2 or DORA).
Information classification
Information is classified based on availability, integrity, confidentiality, and privacy impact as part of the risk assessment process (business impact analysis). Classification is determined by the information owner (system owner), who is responsible for assigning the appropriate classification and defining handling requirements.
We use defined classification categories (such as sensitive/personal, corporate confidential, corporate internal, and public) to ensure that information is handled in a consistent and appropriate manner. Access, sharing, modification, and deletion of classified information are subject to defined controls and responsibilities.
Data retention
We apply defined retention periods in accordance with applicable laws and regulations, including GDPR, as well as internal requirements. Personal data is retained only for as long as necessary for its intended purpose, in line with data minimization and storage limitation principles. Retention periods vary by data type and lifecycle events, supporting compliance, auditability, and operational needs.
Document management
We maintain a structured document management process, including defined document types, central storage in an intranet environment, controlled access, change management, and version control. Documents are uniquely identified through naming conventions, and only approved versions are used, ensuring consistency, traceability, and auditability. HR-related documentation is managed separately in a dedicated system.
Intellectual property (IP)
We protect intellectual property through defined procedures and ensure compliance with external licensing terms. Source code is treated as confidential, stored in controlled environments with restricted access, and managed via change processes. Contracts with external parties ensure code ownership remains with Fellow Digitals, and project plans address both internal and third-party IP rights.
Artificial intelligence (AI)
We have internal guidelines for the responsible use of AI tooling, with an emphasis on confidentiality and information security. This includes, among other things, ensuring that sensitive, confidential, or internal information and personal data are not processed via AI tools, and that output is checked before it is used or shared internally or externally. AI tooling is included in the processing register where applicable.
Updated: 31 March 2026