Data Policy
Norday is committed to maintaining the highest standards of data security and privacy for all stakeholders, including its customers. Robust policies and procedures are implemented across the organization to protect sensitive information, ensure operational integrity, and maintain compliance with industry standards.
Employee Screening and Conduct
Norday mandates comprehensive screening for all employees, both new and existing, as a critical component of its security framework. This includes obtaining a Certificate of Conduct (VOG), which confirms that an individual's judicial past does not pose an objection to their role. This screening is an essential requirement for audits and aligns with the ISO/IEC 27001 standard.
Specific profiles are assessed during the VOG screening to address potential risks associated with data access and handling. These profiles include:
- Authority to access and/or edit systems.
- Handling sensitive or confidential information.
- Bearing knowledge of security systems, control mechanisms, and verification processes.
This process specifically accounts for the risk of misuse of information and of system sabotage, ensuring that individuals with access to sensitive information and systems meet stringent security criteria.
Complaint Management
Norday maintains a structured approach to addressing dissatisfaction from its stakeholders, including customers, partners, and employees. An expression of dissatisfaction regarding the quality of a product, service, or process is formally defined as a complaint.
A dedicated hotline (quality@norday.nl) is established for reporting all complaints, whether from internal or external parties. Examples of issues that can be classified as complaints include:
- Delivery problems, such as delayed or undelivered products or services.
- Dissatisfaction with customer service interactions, including responses or treatment by employees.
- Billing issues, such as incorrect amounts or unexpected charges on invoices.
- Communication issues, where stakeholders were not kept informed of order or project status.
- Inadequate documentation, identified as incomplete or confusing.
- Incorrect information found on the website, in marketing materials, or product manuals.
- Difficulties experienced with the installation, use, or maintenance of products or services.
Internal Data Security Practices
Norday implements strict internal policies to safeguard data against unauthorized access and leakage. Employees are held responsible for preventing unauthorized access to their accounts and are required to manage passwords responsibly. Passwords are strictly personal and are not to be exchanged between colleagues, except in exceptional emergencies, nor with external parties.
Password requirements ensure strong protection, mandating a minimum of eight characters, including at least one uppercase letter and at least one digit. Previously used passwords cannot be reused when a new password is set for a Google account or a MacBook. For systems that do not send automatic password-expiration notifications, employees receive email alerts to change their passwords before they expire. Accounts are automatically locked after five consecutive incorrect password entries to limit brute-force attacks. Credentials for general (shared) accounts and customer systems are stored securely in separate collections with distinct access levels, according to their purpose. Employees are also responsible for keeping this stored credential data up to date.
Regarding file management, stringent rules apply to all devices, regardless of operating system or mobility. Norday-related files are not permitted to be stored locally on computers. Sharing Norday-related files with external Google accounts is prohibited unless a substantiated reason is provided. The use of removable storage for Norday files is restricted to very exceptional situations, such as for backup disks. These rules remain in effect even when employees are working remotely, ensuring a consistent digital work environment.
Norday employees are also required to lock their computers when stepping away from their workplaces. This policy extends to shared and personal mobile devices. Customer or third-party use of Norday computers is not permitted without direct employee supervision. Mobile equipment, including laptops and mobile phones, must not be left unattended in public areas or vehicles. It is important to note that loaned mobile equipment is not insured for damage or theft, and the employee may be charged for repair or replacement if the damage or theft is attributable to their negligence. Furthermore, linking business Google accounts on smartphones is encouraged, but a minimum level of device access security (such as a screen lock) must be in place, particularly where business email and calendar are used.
Security and Privacy Incident Management
Norday has established clear protocols for the reporting and management of security and privacy incidents, including data breaches. A dedicated hotline (security@handpickedagencies.com) is in place for employees to report any observed data breach or information security incident as soon as possible.
Security and privacy incidents are broadly defined and include, but are not limited to, the following examples:
- Loss or theft of equipment, such as laptops, mobile phones, or access keys.
- Loss or theft of data pertaining to customers, partners, or Norday itself.
- Unauthorized access to Norday’s offices, equipment, or Office365 environment.
- Malware infections affecting internal or external systems.
- The accidental sending of an email with an attachment to unintended recipients.
Employees are expected to maintain vigilance regarding all threats to security and information security. This encompasses potential disruptions to business processes and any issue that could negatively affect the availability, integrity, or confidentiality of data within Norday's business processes or its products. Discovered or suspected threats must be reported; when in doubt, over-reporting is preferred to under-reporting. An internal reporting form for security incidents is available for this purpose.
Physical Security Protocols
To further enhance overall security, Norday implements strict physical security measures concerning external parties accessing its premises. Delivery drivers and caterers are not permitted to move unsupervised within the premises. Deliveries are to be made to the Office Manager when present, or directly at the front door under the supervision of a Norday colleague. For deliveries outside office hours, orders are received at the front door without the supplier entering the building, provided a colleague is still present.
Conclusion
Norday’s comprehensive data policy is designed to protect all data assets, maintain the trust of its customers and partners, and comply with relevant industry standards. These measures, encompassing employee conduct, technical safeguards, incident response, and physical security, underscore Norday’s unwavering commitment to data integrity, confidentiality, and availability.