Information Security Policy

Ruby Logic Poland sp. z o.o.

Organization: Ruby Logic Poland sp. z o.o.
Version: 1.1
Last update: 2026-05-18
Classification: Public
Source document: ISMS-PO-01 - Information Security Policy (internal version)

1. Introduction

Ruby Logic Poland sp. z o.o. (hereinafter: Organization) provides software development services and designs, develops, maintains, and delivers SaaS services. Protecting information - both the Organization's own information and information entrusted to it by clients and partners - is one of the Organization's key commitments.

This Policy (hereinafter: Policy) is a public description of information security principles applied within the Information Security Management System (ISMS). This document is based on the internal policy ISMS-PO-01 and is kept aligned with its current version.

2. Purpose of the Policy

The purpose of this Policy is to define the framework for information protection and confirm that the Organization:

  1. Protects the confidentiality, integrity, and availability of information.
  2. Meets legal, regulatory, and contractual information security requirements.
  3. Applies a risk-based approach and continuous improvement mechanisms.
  4. Ensures business continuity for key services.
  5. Communicates security requirements to persons acting on behalf of the Organization.

3. Scope

This Policy applies to information, systems, and processes related to the Organization's SaaS operations, in particular:

  • information processed in any form,
  • IT systems and infrastructure,
  • external services supporting the delivery of SaaS services,
  • business and operational processes supporting the ISMS.

This Policy is binding for employees, contractors, subcontractors, suppliers, and partners, to the extent resulting from contracts and granted access rights.

4. Top Management Statement

Top management of Ruby Logic Poland sp. z o.o. declares full commitment to protecting information and commits to:

  1. Providing resources necessary to establish, implement, maintain, and continually improve the ISMS.
  2. Integrating information security requirements into the Organization's business and operational processes.
  3. Applying a risk-based approach in decision-making.
  4. Ensuring compliance with legal, regulatory, and contractual requirements.
  5. Assigning, communicating, and supporting roles responsible for information security.
  6. Regularly reviewing ISMS effectiveness and the achievement of information security objectives.
  7. Taking responsibility for ISMS effectiveness.

5. Compliance with Standards and Regulations

The Organization's ISMS is maintained in compliance with, among others:

  • ISO/IEC 27001:2022 (PN-EN ISO/IEC 27001:2023-08),
  • ISO/IEC 27002:2022,
  • GDPR and relevant national regulations,
  • contractual obligations (including NDAs, SLAs, and data processing agreements).

6. Information Security Objectives

The Organization establishes and monitors information security objectives in the areas of:

  • confidentiality,
  • integrity,
  • availability,
  • ISMS compliance and effectiveness.

These objectives are measurable and subject to periodic reporting and management reviews.

7. Key Security Principles

The Organization applies a layered approach proportionate to risk, including:

  • information classification and proper data handling,
  • access control based on need-to-know and least privilege principles,
  • cryptographic protection of data in transit and at rest,
  • secure software lifecycle practices,
  • protection of infrastructure, networks, and operating environments,
  • physical and organizational security of information processing locations.

8. Risk Management

The Organization conducts a cyclical risk management process covering risk identification, analysis, treatment, and monitoring. Residual risks are accepted in line with adopted acceptance criteria, and material risks require a decision of the Management Board.

9. Information Security Incident Management

The Organization maintains a process for reporting, classifying, and handling information security incidents, including:

  • the obligation to promptly report events and suspected breaches,
  • root-cause analysis and implementation of corrective actions,
  • fulfillment of notification obligations regarding personal data breaches.

10. Business Continuity

The Organization maintains the capability to deliver services securely under disruption conditions, including through:

  • monitoring service availability,
  • maintaining redundancy of key infrastructure components supporting critical services,
  • maintaining and testing backups,
  • applying solutions that support operational resilience,
  • periodic testing of selected business continuity scenarios.

11. Security of Personnel and Suppliers

The Organization:

  • requires appropriate confidentiality commitments and security compliance from persons acting on its behalf,
  • provides information security training,
  • manages access rights and withdraws them once the business need ends,
  • assesses supplier risk and oversees security in cooperation with external entities.

12. Protection of Personal Data and Intellectual Property

The Organization protects personal data and intellectual property rights in accordance with applicable law, in particular Regulation (EU) 2016/679 (GDPR), contractual obligations, and ISMS rules.

13. Roles, Accountability, and Enforcement

The Management Board is accountable for ISMS effectiveness, supported by designated organizational roles. All persons acting on behalf of the Organization are required to comply with this Policy. Violations of security principles may result in organizational, contractual, and, where justified, legal consequences.

14. Communication of the Policy

This Policy is communicated to persons acting on behalf of the Organization. Significant changes are published and communicated through applicable communication channels.

Contact

For information security matters, please contact us through the contact form at https://rubylogic.eu/en/contact