Compliance and Data Protection
This means that both development and operations are covered by structured and audited security processes, including risk management, continuous monitoring, and ongoing improvement.
Data location
All operation of Ciso takes place within Sweden. This means that data is stored and processed under Swedish jurisdiction, providing strong control over data handling and supporting compliance with European regulations.
By limiting data location to Sweden, exposure to third-country transfers and associated legal risks is minimized.
This means that:
- All data is stored within Sweden
- No transfer of data to third countries
- Operation under Swedish and European legislation
- Full control over where data is processed
GDPR and personal data
Ciso is designed to support compliance with the General Data Protection Regulation (GDPR). We process personal data in accordance with applicable regulations and apply both technical and organizational safeguards to ensure a high level of protection.
The roles are clearly defined: the customer acts as the data controller, and we act as the data processor.
This means that:
- Personal data is processed in accordance with GDPR
- Clear division of responsibilities between customer and provider
- Technical and organizational safeguards for data protection
- Support for traceability, control, and compliance
Subprocessors
We use subprocessors only where necessary and ensure that they meet equivalent requirements for security and data protection.
For infrastructure, we use Elastx, which processes data on our behalf within Sweden. Agreements are in place governing how data is handled, protected, and deleted.
This means that:
- Data processing agreements (DPAs) with relevant suppliers
- Requirements for security measures and incident handling
- Regulated data handling at contract termination
- Limited and controlled use of subprocessors
Information security and standards
Our security practices are aligned with established international standards for information security.
Ciso is developed by Omegapoint, which is certified according to ISO/IEC 27001. This ensures that development processes and information handling are governed by an established Information Security Management System (ISMS), including continuous risk management, audits, and improvement.
Ciso is operated on infrastructure provided by Elastx, which is also ISO/IEC 27001 certified. This means that the infrastructure is subject to the same level of requirements for security controls, physical protection, and operational processes.
This means that:
- Security is governed by international standards (ISO/IEC 27001)
- Both development and operations follow certified processes
- Risk management is structured and continuous
- Security controls are subject to independent audits
- Combination of organizational and technical controls
Together, this ensures that the entire delivery chain – from application to infrastructure – meets high standards for information security.
Data protection in practice
In addition to formal requirements and agreements, data protection is implemented through technical solutions and operational processes within the system.
This means that data protection is not only policy-driven but embedded in the system’s design and operation.
This means that:
- Controlled access to data
- Traceability of access and changes
- Protection of data through encryption and secure storage
- Procedures for handling and deletion of data
Summary
Ciso is designed to meet high standards for data protection and regulatory compliance.
This means that:
- Data is stored and processed within Sweden
- Personal data is handled in accordance with GDPR
- Subprocessors are used in a controlled and regulated manner
- Both application and infrastructure are covered by ISO/IEC 27001-certified processes
- Security practices follow established standards and are continuously reviewed
- Data is protected through technical and organizational measures
Together, this creates a solution where sensitive information can be handled with a high level of legal and security assurance.