Security Policy | DataHouse.pl / ETOP Sp. z o.o.

The security of devices, data, and transmission is our highest priority. Therefore, our Security Policy takes into account the particular nature of our services and the specific security policies of our clients’ IT systems. Below we present the basic document of security rules on which our services are based.

SECURITY POLICY DATAHOUSE.PL / ETOP SP. Z O.O.

1. Objectives of the Security Policy

1.1 The primary task of this document is to outline the basic principles of operation regarding the security of both proprietary and entrusted IT resources.
1.2 The fundamental objectives are considered to be:
1.2.2 – protection against data loss
1.2.3 – maintaining service continuity
1.2.3 – preventing unauthorized access to IT resources
1.2.4 – maintaining proper procedures in relations with other operators and state authorities

2. Physical and Technical Security of Resources

2.1 Principles of physical access to the infrastructure:
2.1.1 Physical access to the data center premises and devices is granted only to authorized personnel with proper clearance and skills.
2.1.2 Physical access by third parties or clients is permitted only under escort by personnel specified in 2.1.1.
2.1.3 Physical access by subcontractors or other contractors is allowed only under an agreement or authorization that references and enforces this document’s rules.
2.1.4 Unauthorized access to a client’s devices or spaces is prohibited. Authorization must be in written or permanent electronic form. Authorized staff follow general access rules.
2.1.5 Physical access must be logged in a written logbook; access via electronic keycards must be logged electronically.
2.1.6 Detailed physical access rules are defined in internal procedures established by management.

2.2 Implementation of technical solutions:
2.2.1 Power for data center devices is based on a three-tier redundant power system, including UPS, generator sets, and multiple external power sources.
2.2.2 Unless otherwise specified in contract, device power is internally redundant.
2.2.3 Critical devices supporting service continuity have redundant feeds on separate power lines.
2.2.4 Data center rooms are protected by fire detection systems.
2.2.5 Rooms housing active and critical devices are protected by automatic fire suppression.
2.2.6 Data center spaces and communication ducts are monitored by video surveillance with recording.
2.2.7 Data center premises are secured by an alarm system with event logging.
2.2.8 Access to data center rooms is controlled by an access system that logs events.
2.2.9 Core network devices operate in redundant cluster or mesh configurations.
2.2.10 Major network links essential to service stability have internal redundancy (protection).
2.2.11 If utilization of any system component exceeds 80%, it should be expanded promptly.
2.2.12 Data center premises are protected 24/7 by onsite security agents and emergency response teams upon alarm.
2.2.13 External network connections are routed redundantly via separate geographic paths.
2.2.14 Colocation room structure is designed to protect against fire, intrusion, and flooding using appropriate materials and technical solutions.

3. Logical Security

3.1 Logical access to the data center’s own devices is granted only to authorized personnel with proper clearance and skills.
3.2 Logical access to devices owned or leased by third parties is granted only under contract or order, after access credentials are provided in written or electronic form by the renter or owner.
3.3 Logical access to IT systems relies on password and access list mechanisms.
3.4 Configuration and management access to critical service systems, logging, and monitoring systems is granted only to personnel authorized by management. This includes power, physical access, and supervision systems.
3.5 All data accessed during administration of internal or client systems is confidential and not to be disclosed except under law or contract.
3.6 If a client loses data access, it may be restored only upon written or electronic order signed by an authorized representative or proxy.
3.7 Granting logical access to third parties must be documented in writing or permanent electronic form, with the requirement to change the key/password immediately.
3.8 Network connection logic is designed for redundancy, using redundant switching systems and dynamic routing protocols.
3.9 Upon service termination or decommissioning of a device, all stored and configuration data is permanently deleted.
3.10 Details of logical access procedures are specified in internal onboarding/offboarding processes.
3.11 Shared resource configuration prevents cross-access by different entities.
3.12 Access to shared resource configuration or monitoring is permitted only to authorized company personnel.
3.13 Monitoring data related to a specific client may only be shared with the authorized person and only concerning their service.
3.14 Global monitoring data may be publicly released only if confidentiality of individual client data is not affected.
3.15 Network traffic monitoring systems include protection against external cyberattacks and mitigation of internal network disruptions.
3.16 Sharing access to shared-device monitoring with third parties is prohibited; such access is only for devices solely used by a single client or owned by them.
3.17 Management network is segregated from production network and limited to the data center.
3.18 Critical data is protected by periodic backups; backup quantity and retention methods are defined internally.
3.19 Client data is backed up per contractual terms.

4. Incident Handling in IT Systems

4.1 Procedure priorities:
4.1.1 – secure data against loss
4.1.2 – secure data against unauthorized access
4.1.3 – maintain or restore system/service operation
4.1.4 – notify affected parties (clients or others)
4.1.5 – analyze root causes and eliminate or reduce recurrence risk

4.2 Event types:
4.2.1 Unplanned events are prioritized over planned events.
4.2.2 Critical events that prevent service operation are given top priority.
4.2.3 Planned events are scheduled in consultation with stakeholders at minimally disruptive times.

4.3 Additional rules:
4.3.1 The data center management is notified immediately of critical events globally affecting operations.
4.3.2 If a critical event is imminent, staff must act immediately to safeguard data and isolate the threatening device/system.
4.3.3 Until a superior or management appoints a responsible person, the first staff member who reports the event handles it.
4.3.4 Detailed incident procedures are defined in internal documentation and client contracts.

5. Collaboration with Other Operators and Government Authorities

5.1 With other operators:
5.1.1 The data center supports open peering with external operators.
5.1.2 If a connection threat to network integrity is detected, it is blocked pending investigation.

5.2 With authorities:
5.2.1 Data center, as a legal entity and telecom operator, may provide data to authorities based on legal acts, regulations, or court/prosecutor orders.
5.2.2 Confidential data or access is only provided under the conditions described in 5.2.1.

6. Other Provisions

6.1 All other specific rules are defined in internal procedures. Due to confidentiality, access by third parties is restricted.
6.2 Disclosure of internal procedures to third parties requires management approval.
6.3 All security procedures comply with ISO 27001.