Information Security Policy

Document ID: POL-001
Document owner: Jan Marc Castlunger (CEO / ISO)
Classification: Confidential
Version: 1.0
Approved: March 2026
Next review: March 2027
Frameworks: ISO 27001 (5.2, A.5.1) | SOC 2 (CC1.1, CC1.2, CC1.3)


1.1 Policy Statement

CTW Data Solutions GmbH is committed to protecting the confidentiality, integrity, and availability of all information assets. As a provider of identity document verification technology, we recognise that the security of personal data — including government-issued identity documents and biometric information — is fundamental to our business and to the trust placed in us by our customers.

This policy applies to all employees, contractors, and third parties with access to CTW Data Solutions systems or data.


1.2 Security Objectives

  1. Protect all personal and sensitive data processed through the Quick-ID platform against unauthorised access, disclosure, or loss.
  2. Maintain the availability and integrity of the Quick-ID API and supporting infrastructure at all times.
  3. Comply with all applicable legal and regulatory requirements including GDPR/DSGVO, and meet the requirements of ISO/IEC 27001:2022 and SOC 2 Trust Services Criteria.
  4. Enable enterprise customer integrations by maintaining a certified and auditable security posture.
  5. Continuously improve the ISMS through annual reviews, internal audits, and incident learning.

1.3 Scope

The ISMS covers all information assets, processes, personnel, and systems involved in the development, operation, and delivery of the Quick-ID document verification and OCR SDK platform. This includes all operations of CTW Data Solutions GmbH in its entirety.

Geographic scope: Global — primary processing in Microsoft Azure Germany West Central (Frankfurt). Additional Azure EU regions deployed per customer requirements (non-DACH, non-Italian customers may be served from other EU regions).

See also: ISMS Scope Document


1.4 Principles

Core Principles

  • Least privilege — access is granted only to what is needed for a specific role
  • Defence in depth — multiple overlapping controls, not reliance on a single measure
  • Data minimisation — we collect and retain only what is necessary
  • Privacy by design — security is built into systems from the start, not bolted on
  • Continuous improvement — the ISMS is a living system, not a one-time exercise

1.5 Roles and Responsibilities

Role | Responsibility | Holder
Information Security Officer (ISO) | Overall ISMS ownership, policy approval, annual review | Jan Marc Castlunger (CEO)
Data Protection Officer (DPO) | GDPR compliance, data subject requests, breach notification | Sebastian Windeck (CTO)
Chief of AI | AI model security, data pipeline integrity, algorithm governance | Malte Toetzke
All Employees | Compliance with policies, reporting incidents, annual training | All staff
Infrastructure Owner | Azure security, AKS management, Terraform, backup integrity | Sebastian Windeck (CTO)
Development Lead | Secure coding, GitHub access control, dependency management | Sebastian Windeck (CTO)

1.6 Consequences of Non-Compliance

Failure to comply with this policy may result in disciplinary action up to and including termination of employment or contract. Breaches that result in harm to individuals or the company may be referred to relevant authorities.


1.7 Review

This policy is reviewed annually by the ISO, or immediately following a significant security incident or material change to the business.


Approved by: Jan Marc Castlunger, CEO / Information Security Officer, CTW Data Solutions GmbH
Date: March 2026