Clientify

ISO/IEC 27001:2022 certification by Bureau Veritas covering Information Security Management System supporting development, support, maintenance, and hosting of digital marketing platform. Original approval March 2021, current certificate valid July 2025 through March 2027. Demonstrates systematic approach to managing sensitive information security.

Governance framework for data lifecycle management including collection, storage, processing, sharing, retention, and disposal. Implements Data Quality and Data Minimization principles verified through Comply.org review with classification standards and privacy protection measures aligned with ISO 27001.

Established procedures for handling data subject requests including access, rectification, erasure, portability, and objection rights. Defines response timelines, verification processes, and escalation procedures for GDPR compliance with Individual Participation principles required by ISO 27001.

Executive-approved SGSI Information Security Policy (SGSI-PSI-01) establishing security objectives, risk management approach, and mandatory controls verified through Comply.org review and ISO 27001:2022 certification. Covers Security core principle validation including access controls, incident response, and security awareness aligned with certification scope.

Privacy policy outlining data collection practices for CRM operations, marketing automation, and customer communications. Emphasizes GDPR compliance with Transparency principle implementation. EU-based processing with Spanish headquarters ensuring adherence to European data protection standards.

Organizational policy for identifying, assessing, and managing security risks across CRM operations and customer data processing. Supports Accountability principle verified through Comply.org review with defined risk tolerance levels and mitigation strategies required by ISO 27001 certification.

Documented obligations and procedures for notifying data breaches to supervisory authorities and affected data subjects. Includes incident response timelines, breach assessment criteria, and communication protocols aligned with GDPR Article 33/34 requirements verified through DPA analysis.

Comprehensive Data Processing Agreement (DPA) covering data processing activities, data types and categories, processor responsibilities, and controller-processor relationship. Establishes legal framework for GDPR compliance with documented safeguards. Publicly available for review with downloadable PDF version.

Data Protection Officer (DPO) designated for privacy compliance oversight and data subject inquiries. Contact: dpo@clientify.com. Headquarters: Almeria, Spain (EU jurisdiction). Supports GDPR data subject rights including access, rectification, erasure, and objection with documented response procedures.

Data retention policies aligned with storage limitation principle ensuring data is kept only as necessary for CRM and marketing automation purposes. Implements retention schedules, deletion procedures, and regular data lifecycle reviews verified through Comply.org review for compliance with GDPR and ISO 27001.

Regular systematic evaluations of potential threats and vulnerabilities including asset identification, threat analysis, and impact analysis required by ISO 27001. Supports Accountability principle and Auditing Options from Comply.org review with documented methodology and annual certification audits.

Employee security training program covering cybersecurity best practices, data privacy, and incident reporting. Supports Security principle verified through Comply.org technical review with training requirements mandated by ISO 27001:2022 certification for maintaining security-conscious workforce.

Comprehensive supply chain risk management program governing relationships with payment processors (GoCardless, PayPal, Stripe), analytics providers (Google Analytics), communication tools (Intercom), and infrastructure providers (AWS, Digital Ocean). Supports Subprocessors management validation from Comply.org technical review.

Formal contractual agreements with 13 external vendors and service providers including security requirements, data protection clauses, and compliance obligations. Supports Subprocessors and Data Transfers verification from Comply.org DPA analysis with comprehensive third-party governance.

Formal vulnerability management process with regular assessments, patch management, and remediation procedures. Supports Security Measures verification from Comply.org technical review with continuous monitoring required by ISO 27001 Information Security Management System certification.