Technical and Organisational Security Measures

AtWorkStudio adopts an Information Security Policy formally approved by Management, communicated to personnel and suppliers and reviewed at planned intervals and upon significant changes in the operating context. The policy is consistent with the requirements of ISO/IEC 27001:2022, ISO/IEC 27017:2015 and ISO/IEC 27018:2025 and constitutes the Provider's formal commitment to Clients and interested parties regarding information security.

Information security roles and responsibilities are assigned to Management, which directly manages, implements and verifies all activities of the Information Security Management System. In its relationships with Clients, AtWorkStudio acts as Data Processor pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR).

Management maintains contact with the authorities relevant to the provision of the services, including the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), the ACN (Italian National Cybersecurity Agency), the Postal Police and the judicial authority. Institutional communications take place through official channels (PEC or certified mail). The notification of any personal data breaches to the Data Protection Authority takes place within 72 hours pursuant to Article 33 of the GDPR.

Within its Management System, AtWorkStudio collects and analyses information on threats to information security, drawing on official sources (CVE, vendor portals, threat intelligence centres) and specialist aggregators. Relevant information is contextualised against the Provider's operating environment and, where necessary, leads to the updating of the risk assessment and of the technical measures. Customised threat intelligence services or reporting dedicated to the Client are provided under a separate contractual basis.

Information is classified according to its confidentiality, integrity and availability and to the applicable legal, regulatory and contractual requirements. The technical and organisational protection adopted is proportionate to the classification. Protection levels are reviewed periodically depending on the relevance of the information and on regulatory compliance.

The labelling of information is implemented through cloud data classification and protection tools, consistently with the classification scheme adopted. Information with controlled access is managed on protected platforms and subject to traceability.

Physical and logical access control to information and corporate assets is established according to the principle of least privilege. Logical access is managed through a centralised cloud identity management platform, with differentiated access by role, authorised by Management and protected by mandatory multi-factor authentication. Access profiles are reviewed periodically and promptly revoked at the end of the relationship.

The identity lifecycle is managed centrally through a cloud identity management platform. The creation, modification and deactivation of accounts take place upon formal authorisation by Management. The uniqueness of credentials is ensured, shared accounts are not permitted and, upon termination of the relationship, identities are deactivated immediately.

Access credentials are managed centrally with mandatory multi-factor authentication. Passwords are not communicated in clear text and, where necessary, are stored in encrypted vaults. The assignment and revocation of credentials take place upon formal authorisation by Management.

Access rights are assigned exclusively upon authorisation by Management and according to the operational role, with segregation of privileges and traceability of activities. Upon termination of the assignment, rights are revoked immediately. Self-modification of access levels by users is not permitted.

Suppliers are classified, assessed and managed according to a formal procedure that provides for division into three categories (cloud, systems, occasional) based on the relevance of the service, the criticality for the Management System and the presence of certifications. Strategic suppliers are recorded in a dedicated list and, for those not ISO/IEC 27001 certified, a documented audit is conducted at least every two years.

Agreements with suppliers include specific security clauses: non-disclosure agreements (NDAs), logging requirements, traced access, multi-factor authentication, encryption, restoration and confidentiality, in line with the ISO/IEC 27017 and ISO/IEC 27018 guidelines. Logical access by suppliers to the systems is protected by MFA and recorded in the system logs.

Critical suppliers are monitored at least annually through the review of the list and the verification of the continued existence of security, regulatory and contractual requirements. Changes in the corporate structure, in the location of datacentres or in the GDPR qualification (e.g. Processor / Sub-processor) are subject to specific assessment and, if relevant, lead to the updating of the contractual and technical documentation.

AtWorkStudio monitors changes in suppliers' security practices and service terms through official portals, technical feeds and contractual communications. Relevant changes are assessed by Management and, if necessary, lead to updates in technical configurations, protection measures or contractual clauses towards Clients.

The acquisition, use and exit from cloud services provided or managed on behalf of Clients are governed contractually. AtWorkStudio applies security criteria consistent with its own Management System throughout all phases of the cloud service lifecycle, including access control, encryption, logging and segregation of responsibilities. Evidence of cloud providers' compliance (ISO/IEC 27017, ISO/IEC 27018 certifications, DPA) is available to Clients on request.

The management of information security incidents is governed by a formal procedure that defines roles, operational phases, tools used and tracking methods. Activation may take place upon a Client's report or through alerts from the monitoring systems (SIEM, EDR). The classification of events includes the assessment of the impact on personal data and any obligations to notify the Data Protection Authority pursuant to the GDPR.

The response to incidents is prompt and proportionate to the severity identified. All actions carried out are traced and, in the event of an impact on services provided or on personal data, communication towards the Client is activated according to the applicable contractual and regulatory rules. Incidents are classified into the following four levels:

Evidence relating to incidents is collected and retained through the active security systems (SIEM, EDR, MDM). Logs and events are recorded automatically and, where necessary, exported and archived in digital format to support internal, disciplinary or legal activities in compliance with the regulations in force. The service of collecting forensic evidence on the Client's systems is not included in the base supply and may be activated on request.

Information security is ensured even during operational disruptions thanks to the adoption of resilient cloud platforms and technical measures that do not depend on local infrastructure. All critical assets remain protected by encryption, multi-factor authentication and access segregation. A Business Continuity and Disaster Recovery Plan defines the actions to be taken in an emergency.

The continuity of ICT services is ensured through resilient cloud solutions, distributed across certified datacentres located in the European Union. The Provider's critical systems are configured to be accessible even during local disruptions, thanks to automatic failover and geographic replication. The Provider's ICT readiness is tested periodically. For Clients who have contracted the backup service (control 8.13), restore tests on the Client's data are carried out and documented according to the agreed arrangements.

Drawing up a detailed Disaster Recovery plan tailored to the Client's systems — defining RTO and RPO, restore runbooks, scenarios and periodic tests — is not included in the base service and is available as a contractual option.

The legal, regulatory and contractual requirements relevant to information security are identified, documented and integrated into the Management System in compliance with the GDPR, ISO/IEC 27001:2022 and the clauses signed with Clients and suppliers. The review of compliance takes place during the review of the System or in the event of a change in the technical or organisational scope.

All corporate records, including procedures, contracts, logs and Management System documentation, are retained in digital format on cloud platforms protected by multi-factor authentication and granular permission management. Records are accessible only to authorised parties and protected against tampering, unauthorised release and accidental loss. Paper archives are not used.

AtWorkStudio processes personal data exclusively for the provision of the contracted services, in its capacity as Data Processor pursuant to Article 28 of the GDPR. The protection of personal data is ensured by encryption, multi-factor authentication, access segregation, traceability and retention in certified cloud environments located in the European Union.

The approach and effectiveness of the Management System are reviewed through internal audits planned annually, which may be activated on an extraordinary basis in the event of incidents or significant changes. The audits are conducted by a certified ISO/IEC 27001 Lead Auditor, external and independent of Management. The Provider is also subject to periodic third-party audits carried out by the certification body and to periodic checks by its own DPO pursuant to Article 39(1)(b) of the GDPR.

Collaborators and suppliers operating on behalf of AtWorkStudio are trained and informed about the corporate policies and the operational responsibilities connected to information security. Training and update activities are documented. Updates are communicated upon procedural revisions or relevant changes in the scope of the Management System.

A channel for the prompt reporting of security events is available, open to Clients, collaborators and internal personnel, via email, ticket or direct communication to Management. All reports are recorded, analysed and managed according to the incident management procedure, without hierarchical filtering levels, in order to ensure responsiveness and transparency.

The provision of AtWorkStudio's services is based on an entirely cloud architecture: the processing and storage of Clients' data take place at the datacentres of providers certified to ISO/IEC 27001, ISO/IEC 27017 and ISO/IEC 27018, equipped with multiple physical security perimeters, multi-factor access control, continuous 24/7 monitoring and documented compliance. The productive physical perimeter is therefore defined by the selected datacentres, according to the contractual evidence made available to Clients. The Provider's operating premises do not host processing infrastructure or removable media containing Clients' data; the personnel's workstations are centrally managed devices, encrypted at operating-system level and protected by multi-factor authentication.

The cloud-first architecture adopted ensures protection against physical and environmental threats through selected providers with certified geo-redundant datacentres. Corporate devices are encrypted and, in the event of damage, loss or theft, no corporate data is accessible in clear text. Operational continuity in the event of environmental events is governed by the Business Continuity and Disaster Recovery Plan.

AtWorkStudio does not use removable physical storage media for the processing or retention of corporate or Clients' data. All information resides on cloud systems or corporate devices protected by encryption, MFA and centralised management. The use of unauthorised external media is prohibited by the internal policy.

The disposal of assets provides for complete remote reset via MDM with secure removal of all data. Devices are not transferred to third parties without prior deletion of corporate information. Operational data resides on cloud platforms and there are no persistent local copies on the devices.

Privileged access rights are limited to personnel authorised by Management. Administrative accounts are separated from operational accounts and protected by multi-factor authentication. Activities on the administrative environments (cloud productivity platforms, infrastructure, backup, MDM and network management) are traced and subject to centralised logging. There are no shared accounts or permanent elevated privileges for ordinary users.

Access to information is restricted according to the principle of least privilege. Permissions are assigned to specific operational roles and authorised by Management. Accounts are managed through the cloud identity management platform with mandatory MFA and all activities are traced in the cloud platforms' logs. Shared accounts or untraceable access are not permitted.

Access to cloud services and control panels is protected by mandatory multi-factor authentication. Mobile devices use biometric authentication and automatic locking. Credentials are personal, traceable and revoked upon termination of the relationship.

Capacity management is ensured by the scalable cloud architecture of the providers adopted. Storage and backup are consumption-based according to the contractual conditions defined with the Client. Active monitoring of infrastructure resources may be offered as an optional service.

On the Provider's devices and systems, protection against malware adopts a multi-layered approach: Endpoint Detection and Response (EDR) solutions with behavioural detection, automatic containment of threats and centralised telemetry; native operating-system mechanisms that allow the installation only of software signed by certified developers; automatic updates of definitions and security policies distributed via MDM; correlation of events and response to alerts through SIEM. Personnel awareness is reinforced by continuous training and periodic awareness campaigns.

The extension of the same measures to the Client's devices, endpoints and systems (managed anti-malware/EDR, MDM, training) constitutes an additional service provided under a separate contractual basis.

Technical vulnerabilities on the Provider's systems are identified through the EDR console and official sources (CVE, vendor feeds) and managed according to a formal patch management procedure. The cloud infrastructure is subject to the security, updating and vulnerability management policies of ISO/IEC 27001 certified vendors.

For Clients who have contracted a managed patch management or vulnerability assessment service, the activities are provided according to the agreed arrangements and the evidence of system updates is archived in dedicated management portals, accessible to the Client.

The security configurations of the Provider's devices and systems are managed according to documented baselines (encryption, automatic locking, automatic updates, MFA, backup, remote wipe). Compliance with the baselines is verified during the management review. For Clients who have contracted a managed cloud administration or systems service, the configurations of their systems are administered through the specific tools of each environment and traced through change management.

Corporate or Clients' information is deleted when no longer needed, in compliance with the contracts, the data protection agreements (DPA) and the principles of Regulation (EU) 2016/679. Data is retained exclusively on cloud platforms equipped with automatic retention and secure deletion. During disposal, devices are reset according to procedure, with destruction of the encryption key for devices equipped with a dedicated security chip.

Data loss prevention (DLP) measures are implemented through device configurations, access segregation, encryption and managed cloud tools. Specific DLP policies can be activated through the data classification and protection tools available on the Client's cloud platforms, upon contractual request. User behaviour is governed by the internal policy.

Backup services are provided through selected enterprise cloud backup platforms, according to contracted arrangements. Backups are AES-256 encrypted and replicated in certified datacentres in the European Union. Integrity is ensured by centralised monitoring, retention policies and the possibility of restoring at various levels. The backup service is not included in the base supply and may be activated on request, defining with the Client the scope, frequency, encryption, retention, methods of verifying integrity, restore timescales and backup location.

Critical systems are hosted on cloud infrastructure with high availability, automatic failover and geographic replication. The cloud-native architecture eliminates internal single points of failure. Availability requirements are declared in the contracts with Clients with a contractual SLA of no less than 99.9%.

Logs of relevant activities are collected and retained through centralised systems (SIEM, identity management platform, EDR, backup, network management consoles). The events traced include access, critical changes, errors, administrative operations and anomalies. Logs are protected against unauthorised access and used for the analysis of security events. The service of collecting and retaining access logs on the Client's systems (in compliance with the Data Protection Authority's provisions on System Administrators) is not included in the base supply and may be activated on request.

On the Provider's systems and networks, continuous monitoring activity is operated through SIEM for the detection of anomalous behaviours and potential incidents, and through a network security console for the monitoring of the local network. The native consoles of the cloud services provide further alerts on relevant events.

Managed monitoring services for the Client's systems (SIEM-as-a-Service, MDR, customised alerting) are provided under a separate contractual basis.

The use of privileged utility programs is limited to authorised personnel and traced in the platforms' logs. High-impact system tools are accessible only with administrative accounts protected by MFA, and their use is subject to logging and direct authorisation by Management. Where it is necessary to access cloud systems with utility programs (antivirus, IDS, IPS, vulnerability assessment software), the Provider reserves the right to do so without prior notice to the Client.

Internal networks are protected by encryption, segmentation and controlled authentication through a centralised network management console. Devices are individually authorised and managed via MDM. Data in transit is protected by TLS/HTTPS encryption.

The accessible cloud services ensure the protection of traffic through TLS and secure authentication mechanisms. The service levels of the connectivity and cloud providers are monitored through their respective consoles.

Network segregation is implemented through configured VLANs and separate SSIDs for management, corporate devices and services. Traffic between segments is restricted through firewalls and centralised rules. Access is permitted only to managed and authorised devices. The network on which the machines providing the services are located is virtually and/or physically segregated from the Provider's other networks.

Cryptography is applied to data at rest and in transit. Corporate devices are encrypted natively at operating-system level and through a dedicated security chip. Data in transit travels over TLS/HTTPS channels and backups are protected with AES-256 encryption. At the Client's request, Bring Your Own Key (BYOK) solutions can be activated. Emails containing confidential data can be encrypted through cloud message protection tools. The encryption of data at rest for the Client's services is not included in the base supply and may be activated on request. The Provider and its partners keep the encryption keys in a secure location.

Changes to configurations, cloud systems, devices and services are managed through a formal change management model. Each variation is documented, approved by Management and linked to any security impact assessments. Variations that may impact the Client are communicated indicating the type of change, the date and expected timing, the technical description and the notification of the start and end of the intervention. In the event of a proven emergency problem, including one related to data security, the Provider has the right to interrupt the provision of the services in whole or in part in order to protect the Client's structure, service and data.

The roles, responsibilities and capabilities required for the use of cloud services are documented and communicated to Clients in the service contracts, which clearly define what falls to the Provider and what remains with the Client for each service model provided (IaaS, PaaS, SaaS).

The service contracts provide for an exit strategy that defines the timing and methods for the return of data, the assets subject to return and the procedure for communicating deletion or return. Decommissioning requests are recorded in the ticketing system and execution times are monitored against the contractual deadlines. The Client may request a paid exit strategy service that defines the components included, the activities to be carried out, the parties involved, the release dates and the time period. In the event of decommissioning, the Provider carries out the complete deletion of all data within 30 days of the Client's request, providing evidence by means of a decommissioning report.

Each Client has its own tenant or resource group logically separated from the others. The Provider ensures the separation of internal administration environments from the resources used for the provision of services to the Client and implements security controls that ensure an appropriate isolation of the resources used by the different tenants.

The hardening of virtual machines is carried out according to the specifications documented in the Client's contract, using the provider's standard security settings as a starting point (minimum ports, minimum services, anti-malware, log monitoring). The security configurations are defined and maintained for each Client.

The procedures for critical administrative operations (installation, modification or deletion of virtual resources, contract termination procedures, backup and restore) are documented in the service contracts and operational procedures. For Clients who have contracted the operational management of their cloud environments, protection mechanisms (resource locks) are activated, where technically applicable, to prevent unauthorised deletions or modifications of critical resources.

Cloud monitoring capabilities are available to Clients through the providers' native consoles, with exclusive access to their own data. The monitoring service managed by AtWorkStudio is offered as an optional service on a contractual basis. The documentation on the available monitoring capabilities is accessible directly from the administration panels of each service.

The configuration of virtual networks is designed to measure for each Client based on the agreed requirements and project specifications, when the service is contracted. The alignment between virtual and physical configuration is ensured by the design process and maintained over time through change management.

The personal data present in the cloud is processed exclusively for the purposes defined by the Client in the appointment as Data Processor. The Provider does not carry out any processing additional to or different from that instructed by the Client Controller.

The personal data processed as part of the provision of the services is not in any case used by the Provider for marketing or advertising purposes. The appointment as Data Processor expressly excludes any use of the data outside the instructions of the Client Controller.

In the event of a personal data breach, the Provider promptly notifies the Client Controller, providing all the information necessary so that the Client can fulfil its own notification obligations to the competent Authorities within the time limits set by the GDPR. The security event management procedure defines the classification, timing and methods of communication.

The contracts between AtWorkStudio and Clients define the minimum technical and organisational measures applied to the processing of personal data, consistently with the instructions of the Data Controller. The measures are not subject to unilateral reduction by the Provider.

Any recourse to sub-suppliers that process personal data is governed by the appointment as Data Processor or by the contractual agreements with the suppliers, which impose security and data protection obligations no lower than those applied by the Provider to the Client. The sub-suppliers are assessed and monitored within the supplier management process.

The personal data processed on behalf of Clients is hosted in datacentres located in the European Union. The exposure to the non-EU jurisdiction of the cloud providers adopted is subject to specific assessment and documented in the Management System. The Client is informed of the countries in which the data may be processed through the contractual evidence and the appointment as Processor.