CodeTwo Trust Center

Security and compliance are core to our business. We are certified by Microsoft and we comply with ISO 27001, ISO 27018, GDPR, and other applicable privacy and security standards.

Security & compliance certifications

Browse and download CodeTwo’s security certifications and badges to see how we comply with industry‑leading data protection standards.

ISO/IEC 27001, ISO/IEC 27018
ISO 27001 & 27018 certifications confirm that we maintain an audited management system for information security and personal data protection.

GDPR
CodeTwo’s GDPR approach is built on documented data protection measures, giving you a clear way to review how we meet EU privacy requirements.

U.S. State Data Privacy Laws
We address key U.S. state privacy laws, including CCPA, VCDPA and CPA, with documented safeguards you can review in detail.

HIPAA
Our HIPAA safeguards support secure handling of protected health information, with controls and practices you can verify.

PCI DSS
Our PCI DSS compliance ensures secure payment processing through verified security controls designed to protect cardholder data.

Microsoft 365 Certified
CodeTwo’s cloud app infrastructure is regularly reviewed and pen‑tested by Microsoft experts for security, compliance & data handling.

SecurityScorecard
CodeTwo services are continuously monitored by SecurityScorecard to ensure compliance with the latest security standards & practices.

Cyber Essentials
CodeTwo is certified under Cyber Essentials, a scheme overseen by the UK’s National Cyber Security Centre, demonstrating our commitment to cybersecurity.

Business Ethics
Our business ethics framework is backed by formal policies and oversight, so you can review how we uphold responsible business conduct.

If you want to contact our Data Protection Officer, click here.

The most secure signature solution on the market

CodeTwo Email Signatures 365 is the only email signature service with all components certified, reviewed, and pen‑tested by Microsoft as part of the Microsoft 365 App Compliance program. Built with enterprise‑grade security in mind, it ensures your data stays protected while meeting the highest compliance standards.

See what makes CodeTwo the safest choice

CodeTwo security & compliance FAQ

Security Overview

  1. Does CodeTwo maintain a formal Information Security Management System (ISMS)?

    Yes, CodeTwo’s Information Security Management System (ISMS), certified as compliant with the requirements of ISO/IEC 27001 and ISO/IEC 27018, guarantees maximum information security and personal data protection both in the cloud and on-premises.

    Please see: Information Security Management System Policy, ISO Compliance Center.

  2. Is the information security program at CodeTwo aligned with recognized standards (e.g. ISO/IEC 27001)?

    Yes. Our information security program is aligned with PCI DSS, GDPR, ISO/IEC 27001 and ISO/IEC 27018, CCPA, and HIPAA.

    For detailed information, see Information Security Management System Policy, ISO Compliance Center, GDPR Information Center, US Data Protection Laws Addendum, PCI DSS Compliance and HIPAA Information Center.

  3. Who is responsible for overseeing CodeTwo’s information security program?

    CodeTwo’s information security program is managed by a dedicated team consisting of Information Security Officers, Compliance Officers, the Data Protection Officer (DPO), penetration testers, and internal auditors. The overall supervision of the Information Security Management System (ISMS) is performed by the ISMS Representative.

  4. How often are information security policies reviewed and updated at CodeTwo?

    Our information security policies are maintained on an ongoing basis and updated as needed. In addition, they undergo a formal review, in accordance with ISO/IEC 27001.

  5. Does CodeTwo conduct regular internal or external security audits?

    Yes, CodeTwo undergoes the following audits and certifications:

    • ISO/IEC 27001 and ISO/IEC 27018, certified by BSI.
    • PCI DSS (Payment Card Industry Data Security Standard): SecurityMetrics® scans our infrastructure once a quarter.
    • Cyber Essentials, a UK government-backed certification scheme overseen by the National Cyber Security Centre (NCSC). All endpoints are scanned and continuously tested for vulnerabilities by third-party solutions.
    • Microsoft 365 App Compliance Program.
    • Internal audits by selected employees, appointed and trained as auditors.

    Please see: ISO Compliance Center, PCI DSS Compliance, Cyber Essentials Certificate, Microsoft 365 Certification.

  6. Does CodeTwo have an established code of ethics that is publicly available to customers?

    Yes, the organization maintains a formal Business Ethics document, which forms the basis of its core values and standards of conduct, along with a comprehensive Anti-corruption Code. Both documents are publicly accessible on the company’s website.

    Please see: Business Ethics, Anti-corruption Code.

Compliance & Certifications

  1. Is CodeTwo compliant with the EU General Data Protection Regulation (GDPR)?

    Yes, as a company established in Poland, we are subject to European Union legislation and adhere to the requirements of the General Data Protection Regulation (GDPR).

    Please see: GDPR Information Center.

  2. Is CodeTwo compliant with California Consumer Privacy Act (CCPA)?

    Yes, for customers subject to the CCPA, we have included relevant provisions in our DPA.

    Please see: Data Processing Agreement.

  3. Is CodeTwo compliant with the Health Insurance Portability and Accountability Act (HIPAA) for customers subject to its requirements?

    Yes, if you wish to enter into a Business Associate Agreement (BAA) with CodeTwo, contact us using this form.

    Please see: HIPAA Information Center.

  4. Is CodeTwo certified in any recognized security standards (e.g., ISO 27001, PCI DSS)? Are any relevant certificates available on your website?

    Yes, we are certified to ISO/IEC 27001, ISO/IEC 27018, PCI DSS and Cyber Essentials. The certificates are available on our website.

    Please see: ISO Compliance Center, PCI DSS Compliance, Cyber Essentials Certificate.

Data Protection & Privacy

  1. Does CodeTwo comply with applicable data protection regulations (e.g. GDPR)?
  2. Does CodeTwo act as a data processor or data controller for customer data?

    Yes, we are a processor for the data entrusted by a customer as required to provide our service. We are a controller for the data provided in the CodeTwo Admin Panel account.

    Please see point 2. General in our Data Processing Agreement.

  3. Are Data Processing Agreements (DPA) available to CodeTwo customers?

    Yes, a Data Processing Agreement (DPA) must be signed between CodeTwo and each customer.

    Please see: Data Processing Agreement.

  4. How are data subject rights handled by CodeTwo (e.g. access, deletion, correction)?

    Data subject rights are handled in accordance with GDPR requirements. All relevant information regarding these rights is provided in our Privacy Policy.

    See the What are your rights? section of the CodeTwo Privacy Policy.

  5. Are personal data processing activities documented and reviewed at CodeTwo?

    Yes, in accordance with the GDPR, CodeTwo maintains a Record of Processing Activities, which is regularly reviewed and kept up to date.

Subprocessors

  1. Does CodeTwo maintain a publicly available list of its subprocessors?

    Yes, Microsoft is our only subprocessor. The list is available in the Data Processing Agreement (DPA).

    Please see point 3. Subprocessing and Appendix 2 – List of subprocessors in our Data Processing Agreement.

  2. Where are CodeTwo subcontractors physically located?

    The product operates in Microsoft Azure datacenters. The customer chooses the most convenient datacenter region during tenant registration. The list of all regions currently used by our product can be found on our website.

    Please see: List of regions where the CodeTwo cloud service is available.

Supplier & Third-Party Risk Management

  1. Does CodeTwo assess the security posture of suppliers/third-party services providers?

    Yes, the organization has procedures in place for verifying new suppliers and third parties, as well as for conducting periodic security reviews of existing suppliers.

  2. Are CodeTwo suppliers required to meet defined security requirements?

    Yes, the organization requires its suppliers to meet defined security requirements and, in accordance with ISO/IEC 27001, performs due diligence to assess and monitor their compliance with high security standards.

  3. Are CodeTwo contracts with suppliers reviewed for security and data protection obligations?

    Yes, contracts with suppliers are reviewed for security and data protection obligations. For key suppliers, they are also subject to periodic reviews and/or reassessed when contracts are updated by the supplier.

  4. How are supplier risks monitored throughout the relationship with CodeTwo?

    Supplier risks are continuously monitored throughout the relationship via regular risk assessments and performance reviews. This includes tracking and evaluating any supplier-related incidents, as well as periodic reviews of contractual terms and conditions to ensure continued compliance and risk mitigation.

    Supplier Risk Management is an integral part of the organization’s overall risk management framework, and the process is based on the ISO/IEC 27005:2022 standard.

Incident Management

  1. Does CodeTwo maintain a formal incident response process?

    Yes, the organization has an Incident Management Procedure that includes the handling of data security breaches. It sets out the response time to an incident and a formal pathway for dealing with it. We have an internal security team composed of security experts and engineers who are responsible for incident management and for conducting any further actions resulting from incidents.

    Please see 6. Incident management section in the Data Processing Agreement.

  2. Are security incidents documented and tracked in a centralized system at CodeTwo?

    Yes, all security incidents are properly documented and tracked within a centralized system, in accordance with ISO/IEC 27001 requirements and internal security policies.

  3. How are CodeTwo customers notified if a security incident affects their data or services?

    In accordance with GDPR, in the event of an information security incident or a data breach affecting customer data, the organization will notify the relevant supervisory authority and affected individuals without undue delay after becoming aware of the breach.

    Please see 7. Data Breaches section in the Data Processing Agreement.

  4. Are incident response procedures regularly tested or reviewed at CodeTwo?

    Yes, the incident response procedures are regularly tested and reviewed. They are formally updated at least once during each scheduled review, and additionally whenever changes to relevant processes take place.

  5. Are lessons learned from incidents used to improve security controls at CodeTwo?

    Yes, lessons learned from incidents are systematically used to improve security controls. The organization follows a continuous improvement approach in line with ISO/IEC 27001, where incident analysis and post-incident reviews are key elements in enhancing the overall security posture.

Availability & Business Continuity

  1. Are backup procedures implemented for CodeTwo critical systems and data?

    Yes, backup procedures are in place for all critical systems and data. Regular backups are conducted in line with ISO/IEC 27001 standards to support business continuity and data integrity.

    Please see point 5. Asset and operations management in Appendix 3 – Summary of security measures implemented by CodeTwo in the Data Processing Agreement.

  2. Does CodeTwo maintain a Business Continuity Plan (BCP)?

    Yes, the organization maintains a Business Continuity Plan (BCP), which is documented, approved by management, and periodically tested in accordance with ISO/IEC 27001.

    Please see: ISO Compliance Center.

  3. Are disaster recovery procedures documented and tested at CodeTwo?

    Yes, the Disaster Recovery Plan (DRP) is documented and regularly tested in accordance with ISO/IEC 27001.

  4. Is CodeTwo service availability and performance monitored?

    Yes, CodeTwo operates a continuous automated monitoring and alerting platform that detects and alerts on suspicious or malicious activity, as well as on degraded performance, bottlenecks and overloads in the service and across all our infrastructure.

    In addition, CodeTwo has a 24/7 Monitoring Team that proactively monitors the service and can override automated procedures should they fail.

    Please see: ISO Compliance Center.

  5. Has CodeTwo conducted a Business Impact Analysis (BIA)?

    Yes, the organization conducts Business Impact Analyses (BIA) for the key processes related to customer service delivery. The BIA process is performed in accordance with the requirements of the ISO/IEC 27001 standard. The results of these analyses are confidential and not shared externally.

Secure Development

  1. Does CodeTwo follow a Secure Software Development Lifecycle?

    Yes, the organization follows a Secure Software Development Lifecycle aligned with recognized security standards and internal policies.

  2. Are security reviews conducted during the development process at CodeTwo?

    Yes, security reviews are conducted throughout the development process as part of our Development Lifecycle (DLC), ensuring that security considerations are addressed at each stage.

  3. Is source code reviewed before deployment to production environments at CodeTwo?

    Yes, source code is reviewed internally prior to deployment to production environments, as part of our Development Lifecycle (DLC).

  4. Are automated tools used to detect vulnerabilities in code at CodeTwo?

    Yes, automated tools are used to detect vulnerabilities in the code.

  5. How are security issues identified during the development of CodeTwo products tracked and resolved?

    Security issues identified during development are tracked and managed using OWASP guidelines and best practices. Each issue is documented, assessed for severity, and assigned for remediation. Progress is continuously monitored until the issue is resolved and properly verified.

    Please see: OWASP Top 10:2025.

Vulnerability & Patch Management

  1. Are CodeTwo systems regularly scanned for security vulnerabilities?

    Yes, we have established a dedicated team whose members perform continuous vulnerability scans using two different external, commercial solutions.

    SecurityMetrics scans our infrastructure once a quarter for compliance with PCI DSS (Payment Card Industry Data Security Standard).

    All endpoints are scanned and continuously tested for vulnerabilities by third-party solutions.

    Please see: PCI DSS Compliance, SecurityScorecard rating.

  2. Does CodeTwo perform penetration testing or security assessments?

    Yes, critical applications with user data undergo regular penetration tests. Vulnerability assessments are performed internally (continuously).

  3. How are the identified vulnerabilities prioritized and remediated at CodeTwo?

    We continuously perform vulnerability scanning and prioritize findings based on severity and business impact. Critical vulnerabilities are addressed immediately by updating to the latest patched versions. When patches are not yet available, we implement temporary mitigations where possible and work closely with the supplier until an official fix is released.

  4. Is there a defined process for applying security patches and updates for CodeTwo products?

    Yes, the organization has a defined process for applying security patches and updates. The organization performs scheduled maintenance several times a year, which is transparent to Customers: it does not affect the main capabilities of our service, such as mail flow or signature-adding features. If CodeTwo ever performs a security patch or update that requires any action on the Customer’s side, Customers will be notified in advance with sufficient notice and clear instructions.

    Normally, however, updates are rolled out in the background and the process is unnoticeable for the customer. There is no downtime whatsoever for any of the components of the service.

  5. Are third-party libraries and dependencies monitored for vulnerabilities at CodeTwo?

    Yes, third-party libraries are strictly managed in accordance with ISO/IEC 27001 requirements.

Data Protection & Encryption

  1. Is Customer data encrypted in transit using industry-standard protocols (e.g. TLS) in CodeTwo software?

    Yes, all data in transit is protected using encryption protocols, with a minimum standard of TLS 1.2.

    Please see: Security and reliability of the CodeTwo cloud service.

  2. Is sensitive data encrypted at rest in CodeTwo software?

    Yes, all data is kept in encrypted storage.

  3. How are cryptographic keys managed and protected at CodeTwo?

    Cryptographic keys are managed and protected in accordance with established internal procedures aligned with industry best practices and ISO/IEC 27001 requirements. The organization implements a formal key management process covering key generation, storage, rotation, access control, and revocation. Access to cryptographic keys is restricted based on the principle of least privilege and is subject to appropriate security controls and monitoring.

  4. Are data classification and data protection policies implemented in CodeTwo?

    Yes, the data classification policy and data protection policies have been implemented and are maintained in accordance with ISO/IEC 27001 requirements. These policies are confidential and restricted to internal use within the organization.

    Please see: Appendix 3 – Summary of security measures implemented by CodeTwo in the Data Processing Agreement.

  5. Are measures in place to prevent unauthorized access to CodeTwo customer data?

    Yes, the organization has implemented controls to prevent unauthorized access in accordance with ISO/IEC 27001 requirements.

    Please see: Appendix 3 – Summary of security measures implemented by CodeTwo in the Data Processing Agreement.

Access Control & Identity

  1. How is user access to systems and data granted, modified, and revoked at CodeTwo?

    The organization has implemented a system of controls ensuring that no one can leave the organization without having their authentication credentials deactivated and all access rights revoked.

    Please see point 4. Access control in Appendix 3 – Summary of security measures implemented by CodeTwo in the Data Processing Agreement.

  2. Are access rights assigned according to the principle of least privilege at CodeTwo?

    Yes, access rights are assigned according to the principle of least privilege and the security-by-design approach. Access is granted only to the extent necessary for users to perform their assigned duties. We maintain a formal Access Management Policy aligned with ISO/IEC 27001 requirements, including role-based access control, approval procedures, and periodic access reviews.

    Please see point 4. Access control in Appendix 3 – Summary of security measures implemented by CodeTwo in the Data Processing Agreement.

  3. Is multi-factor authentication (MFA) required for administrative or privileged access at CodeTwo?

    Yes, multi-factor authentication is required for all systems.

    Please see point 4. Access control in Appendix 3 – Summary of security measures implemented by CodeTwo in the Data Processing Agreement.

  4. Are user access rights periodically reviewed at CodeTwo?

    Yes, users’ access rights are formally reviewed in accordance with the Access Management Policy and all access roles and permissions are frequently audited by a dedicated team.

    Please see point 4. Access control in Appendix 3 – Summary of security measures implemented by CodeTwo in the Data Processing Agreement.

  5. How are privileged accounts monitored and controlled at CodeTwo?

    The organization continuously monitors its information systems for any attempts at unauthorized access and for the use of expired or invalid credentials.

    Please see point 4. Access control in Appendix 3 – Summary of security measures implemented by CodeTwo in the Data Processing Agreement.

Monitoring & Logging

  1. Are security logs generated for CodeTwo critical systems and applications?

    Yes, security logs are generated and monitored for all critical systems and applications.

  2. Are CodeTwo service logs monitored for suspicious or unauthorized activities?

    Yes, logs are actively monitored for suspicious or unauthorized activities by a 24/7 Monitoring Team.

  3. Are centralized monitoring tools or SIEM solutions used at CodeTwo?

    Yes, we use a variety of tools to monitor malicious traffic in our environments. Monitoring activities are supported by a dedicated team and formalized processes aligned with ISO/IEC 27001.

    Please see: Security and reliability of the CodeTwo cloud service.

  4. How long are security logs retained at CodeTwo?

    Security logs are retained in accordance with established internal policies aligned with industry best practices, legal requirements, and information security standards (including ISO/IEC 27001). Log retention periods are defined based on the purpose of monitoring, incident investigation, and compliance obligations. Access to logs is restricted and logs are protected against unauthorized access, modification, or deletion. For security reasons, specific log retention timeframes are not publicly disclosed.

  5. Are alerts generated and investigated when potential security events occur at CodeTwo?

    We use a variety of tools to monitor malicious traffic in our environments. Each alert is analyzed and subject to our internal procedures.

Security Contact

  1. Is information about the CodeTwo Data Protection Officer (DPO) available on the website, and what are the available contact methods?

    Yes, you can find DPO contact information on our website.

    If you want to exercise your privacy rights or have any other questions relating to data protection, you can contact our Data Protection Officer using this form or this email: dpo@codetwo.com.

    Please see contact information here: https://www.codetwo.com/company/contact.

  2. Is it possible to learn more about CodeTwo’s security measures?

    Yes, the organization has developed a comprehensive security measures and procedures document prepared by the Information Security Team. This document, along with the ISO/IEC 27001 and ISO/IEC 27018 audit report prepared by an external and independent certification organization (available upon request), will be provided after the execution of a Non-Disclosure Agreement (NDA).

    Please contact our Data Protection Officer.
