🟢 Information Security Policy 01.05.2026
Last updated 01.May 2026
1. Purpose
The purpose of this Information Security Policy is to establish the overall framework for information security at Woba.
The policy aims to create a common understanding of information security, including the objectives, principles and responsibilities related to Woba’s work with information security.
The policy supports Woba’s protection of customer data, personal data, systems, services and business operations in accordance with applicable law, customer agreements, Woba’s Data Processing Agreement, internal policies and recognised security practices.
2. Definitions
Information security means the protection of information and information assets against unauthorised access, loss, misuse, alteration, disclosure, disruption or destruction.
Information security includes relevant organisational, technical, physical and human measures, including measures related to processes, behaviour, physical environments and technology.
Data means all information related to Woba’s business operations, including the development, delivery and servicing of solutions and products for customers and potential customers, as well as information related to employees, suppliers, systems, customer data, personal data, AI-enabled tools and whistleblower-related data.
3. Scope
This policy applies to all Woba business operations and to all employees, contractors, consultants and other persons working for or on behalf of Woba.
It applies to all systems, applications, tools, devices, vendors, sub-processors, AI-enabled tools, physical locations and information assets used by Woba.
This policy must be read together with Woba’s supporting guidelines, policies and procedures.
4. Objectives
Woba considers information security to be a quality element that supports the credibility, reliability and trustworthiness of the products and services offered by Woba.
This is reflected in Woba’s efforts to maintain a high level of security that continuously reflects Woba’s business context, risk profile, customer obligations, use of technology and the current threat landscape.
Woba’s information security work supports Woba’s ISAE 3000 assurance work and related compliance documentation.
Woba strives to promote a strong information security culture based on the understanding that a high level of information security is a crucial competitive parameter in a digitalised world.
Woba wishes to communicate this commitment to both employees and customers through awareness initiatives and general communication.
Information security work at Woba must be based on applicable legislation, customer agreements, Woba’s Data Processing Agreement and recognised security practices.
The level of information security at Woba must be determined on the basis of risk assessments that take into account the current threat landscape, customer obligations, processing of customer data and personal data, use of vendors and sub-processors, AI-enabled tools and the whistleblower module.
The level of security at Woba must ensure an appropriate level of confidentiality, integrity and availability.
Confidentiality
Data may only be accessible in relevant systems and to persons who, based on a documented need and the principle of least privilege, have been granted access.
Data must be handled confidentially within these frameworks.
Integrity
Systems, including IT systems used as part of business operations, must be reliable and function correctly.
It must also be ensured that data is reliable, accurate and trustworthy.
Availability
Woba systems and services must be available to the extent commercially and technically feasible, taking into account maintenance, updates, security measures and operational requirements.
Woba must maintain appropriate backup, continuity and incident response measures to support timely restoration of critical business systems and services.
5. Responsibility
Management at Woba has overall responsibility for ensuring that Woba complies with the objectives of this policy.
The internal compliance team is responsible for coordinating information security governance, compliance documentation, policy maintenance, risk assessments and follow-up.
The IT function and relevant system owners are responsible for implementing and maintaining appropriate technical and organisational security measures for systems and services.
For each relevant system used by Woba, one or more system owners or system administrators must be designated. They are responsible for information security in relation to the individual system, including appropriate access control, configuration, monitoring, review and follow-up.
Each employee, contractor and consultant is responsible for performing their work in accordance with this policy and for following the guidelines, policies and procedures that arise from it.
Each employee, contractor and consultant is also obliged to notify management, the internal compliance team or the relevant system owner of any actual or suspected breach of information security.
6. Follow-up
This policy, as well as the guidelines, policies and procedures that arise from it, must be reviewed and approved at least once a year by Woba’s management in cooperation with the internal compliance team.
Any changes to this policy or supporting guidelines, policies and procedures must be made in compliance with Woba’s obligations under applicable law, customer agreements, data processing agreements and internal governance requirements.
The level of security is continuously assessed by the internal compliance team in cooperation with IT, system owners and management to the extent necessary to comply with the objectives of this policy.
This policy must also be reviewed when there are material changes to Woba’s services, systems, use of AI, whistleblower module, sub-processor setup, legal requirements, customer obligations or risk profile.
7. Violation
Violation of this Information Security Policy or supporting guidelines, policies or procedures may have employment-related or contractual consequences.
Depending on the nature and severity of the violation, consequences may include warning, restricted access, disciplinary action, termination, dismissal, contractual remedies or legal action where relevant.
8. Exceptions
Exceptions to this policy may only be made where necessary for legitimate business reasons.
Any exception must be specifically justified, risk-assessed, documented and approved by management or the internal compliance team.
Exceptions must be limited in scope and duration and reviewed regularly.
Management must strive to avoid exceptions wherever possible.
9. Supporting Guidelines, Policies and Procedures
Woba maintains a register of current guidelines, policies and procedures that support this policy.
Relevant supporting documents may include:
- Guidelines for Employees;
- Personal Data Processing Policy;
- Data Processing Agreement;
- Customer Data Deletion Policy;
- Policy for Safeguarding Data Subject Rights;
- procedures for handling data processing agreements and sub-processors;
- incident response procedures;
- access control procedures;
- AI procedures;
- backup and disaster recovery procedures.
10. Documentation
Woba documents its work on information security, data protection and compliance in Woba’s workspace in Wired Relations and other approved internal systems where relevant.
Documentation may include policies, procedures, risk assessments, vendor assessments, sub-processor documentation, training records, incident records, audit documentation, approvals and follow-up tasks.
11. Contact
Questions regarding Woba’s work on information security, data protection, AI governance or compliance can be directed to Woba’s internal compliance team.
Contact:
Peter Engel Møller
Email: pm@woba.io