Information Security Code of Practice
This Information Security Code of Practice (“Code of Practice”) applies to the use of Bolt’s (Bolt Operations OÜ (registration code 14532901) or Bolt Technologies OÜ (registration code 12417834), or any other affiliate, subsidiary or legal entity directly or indirectly belonging to the same group as Bolt) information or information environment, electronic or computing devices, premises and network owned or leased by Bolt, in situations such as (but not limited to):
the application of the Code of Practice has been agreed in writing;
Bolt’s data is handled, including without a written agreement having been concluded;
Bolt’s physical or virtual environment is entered (including by remote access), including without a written agreement having been concluded.
Bolt’s employees, contractors, consultants, temporaries, and other workers at Bolt (“You”, “Your”) shall at all times comply with this Code of Practice and its updates and upgrades.
For the sake of clarity, data, for the purposes of this Code of Practice, is data owned, processed, or held by Bolt, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.
1.1. You shall at all times comply with the security requirements set forth in this Code of Practice.
1.2. You shall provide Services which are designed, delivered, and at all times support compliance with industry standards and best practices, such as ISO 27001/27002, the ISF Standard of Good Practice for Information Security and ISO 22301 for Business Continuity Management Systems, whenever feasible and not in conflict with other agreed requirements. If credit card data is processed, the Payment Card Industry Data Security Standard (PCI DSS) must be complied with.
1.3. You shall independently and proactively follow industry developments and endeavour to incorporate the newest approved best practices into Your day-to-day operations. Within fourteen (14) calendar days of Bolt’s request, You shall provide Bolt with Your policies and methodologies for following and incorporating changes in industry best practices.
1.4. You shall have a comprehensive, documented information security policy and related guidelines, and communicate them to all individuals with access to Your relevant information and systems.
1.5. You shall adopt and document security measures for information systems and the creation, use, modification, and deletion of data. The measures shall be commensurate to the data contained and processed in the systems, and be based on an information classification scheme (e.g. internal, restricted or confidential). Information ownership must be defined at all times.
1.6. You shall implement and regularly update a security risk management system, which incorporates emerging threats, possible business impacts, and probabilities of occurrence. You shall modify security related processes, procedures, and guidelines accordingly.
1.7. You shall comply with EU as well as other applicable statutory, regulatory, and legal obligations relating to the Services provided to Bolt, and its systems used to provide such Services or containing Bolt related data.
2.1. You shall detail how Bolt related data is protected to ensure that Bolt data security, privacy and other compliance requirements are met.
2.2. On a regular basis You shall conduct independent reviews and assessments (e.g. internal/external audits, certifications, vulnerability and penetration testing) of Your compliance with this Code of Practice. Visibility of the assessment results shall be provided to Bolt when requested by Bolt, including at a minimum the scope of the assessment, the security findings and their mitigation status. You shall immediately report any critical vulnerabilities or findings to Bolt.
2.3. Bolt (or an auditor or a qualified adviser appointed by Bolt) may conduct an audit of You according to an audit plan upon three (3) Business Days’ notice of its intention to conduct an audit, unless such audit is conducted in respect of a critical vulnerability, in which event no notice is required. Bolt may also request to audit Your subcontractors respectively. You shall provide unfettered and immediate access to the information and/or systems required to conduct the audit and provide assistance in conducting the audit to the best of Your ability. Additionally, Bolt or its designated security auditing partners may perform ad hoc testing and application security reviews of any service that is about to be deployed or that is currently operated by You. Bolt strives to inform You seven (7) calendar days in advance of such testing and reviews.
2.4. Bolt is responsible for the costs of the reviews and tests referred to in this section. However, should the testing or review reveal any violation or breach of this Code of Practice by You, You shall without delay compensate Bolt for the costs arising from the audit and remedy the breach without any cost to Bolt.
2.5. All policies, guidelines, plans, systems, schemas, assessment results, methodologies and other items set forth in this Code of Practice shall be submitted to Bolt within fourteen (14) calendar days of Bolt’s request, at any time, if no shorter period is prescribed. Additionally, You shall provide, without unreasonable delay, visibility of Bolt related security incidents, security incident investigations and authority requests.
2.6. You shall provide Bolt visibility on where Bolt related data is processed, stored, transmitted, and where it may be accessed from. You shall inform Bolt in writing in advance should You intend to transfer Bolt related data to another location with different regulatory environment from the initially approved location, and obtain Bolt’s prior written consent for such transfer. Data retention timeline is two (2) years, if applicable laws, regulations, rules or contractual agreements do not foresee otherwise.
3. Incident handling and response
3.1. You shall have adequate and documented issue/incident response procedures (or plans) and nominated persons to react in a timely manner and prevent any further damage caused by security, privacy or any other compliance issues, vulnerabilities, or incidents.
3.2. You shall inform Bolt without delay in case of any Bolt related security incident.
3.3. You shall at all times maintain the capability to prevent, monitor, detect, investigate, and respond to security and privacy incidents.
3.4. You shall have proper forensic procedures in place to ensure chain of custody, which is required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident.
3.5. You shall maintain the capability to detect potentially suspicious network behaviour and/or file integrity anomalies, and the capability to support forensic investigation in the event of a security breach.
4.1. You shall have business continuity / disaster recovery plans documented and implemented to minimize the impact of a realized risk event (e.g. natural disasters, accidents, equipment failures, or sabotage) on the organization, including subcontractors providing end-to-end service to Your customers. You shall demonstrate the functioning of such plans by conducting regular tests and exercises. At Bolt’s request, You shall provide reports on the tests and exercises You have undertaken to verify Your ability to recover from a realized risk event.
4.2. You shall enforce a documented backup policy that ensures the capability to fulfill agreed service levels and continuity requirements during emergency situations. The backups shall be stored in secure storage. Actual restoration of the backups must be tested regularly to ensure their usability. You shall store backups of Bolt related data based on the criticality of the data. At a minimum, You shall store daily backups for the last thirty (30) calendar days and monthly backups for the last twelve (12) months, unless required otherwise by statutory, regulatory, or legal obligations. Additionally, You shall store system backups for the last twelve (12) months to ensure recovery from a clean version in case of contamination of the whole service.
5. Personnel security and awareness
5.1 You shall ensure that Your employees and subcontractors are bound by statutory or contractual confidentiality obligations prior to accessing Bolt related data. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures.
5.2 You shall perform proper vetting (including background and other security checks) of critical staff according to relevant national legislation at no additional cost to Bolt.
5.3 You shall maintain an appropriate entry and exit procedure for personnel changes that includes disabling user access rights upon termination of employment with You or termination of assignment for Bolt.
5.4 You shall conduct security and privacy awareness training during induction and at least annually for all existing employees and new hires performing Services for Bolt. Due emphasis shall be given to client confidentiality, understanding the agreed confidentiality obligations and specifically the sensitivity of personal data. Advanced security training shall be given to key roles (e.g. administrators or employees with full access to Bolt related data) working with sensitive information and assets (e.g. consumer data, financial data or employee data).
5.5 You shall have documented guidelines to define acceptable usage for e-mail, instant messaging, internet access, VOIP, wireless access, social media, and any other electronic communications. You shall ensure that all employees have at all times access to up-to-date guidelines, and You shall have measures in place to maintain and increase awareness of the guidelines.
6. Physical security
6.1 Adequate physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard sensitive data and information systems.
6.2. You shall have a premises access control system, wherein:
every individual shall have a unique access card and/or key to access the premises;
physical access control log data shall be stored for at least ninety (90) calendar days unless otherwise restricted by local legislation;
access to sensitive areas (e.g. server rooms) shall be granted separately by the named owners of the area and only to those who need access to the area to perform their work related duties;
there shall be a regular access rights auditing and revocation process.
6.3. You shall have up-to-date documented policies and/or guidelines for responding to premises intrusions and a capability to timely respond to intrusions to premises where Bolt assets or related data is processed, transmitted or stored.
6.4. Keys, access codes, and intrusion alarm revocation codes to areas where Bolt related data is processed, transmitted or stored shall not be given to anyone without a valid business need, including cleaning and maintenance staff.
6.5. You or Your respective sub-contractor hosting servers containing Bolt related data shall have adequate fire protection in server rooms.
6.6. You shall install and maintain movement-recording video cameras of a quality appropriate for facial recognition, used to passively monitor individual physical access to sensitive areas (including entrances and exits) where Bolt related data is stored, processed, or transmitted.
6.7. You shall ensure that all power and telecommunications equipment, cabling carrying data or supporting information services are protected from interception or damage and designed with redundancies, alternative power source and alternative routing.
6.8. If Bolt related data is printed and/or stored in paper form, You shall have a clean desk practice, and You shall use secure/dedicated printers, shredders, and locked bins for hardcopy information when appropriate according to information sensitivity.
7. IT security
7.1. You must implement information security measures to protect Bolt related data against unauthorized or accidental access, use, disclosure, deletion, loss, alteration or amendment. Bolt related data shall only be stored and processed in an environment where security and privacy controls have been implemented. You shall not copy or reproduce information onto data files, hard copy or other tangible media in a way that results in the removal of any ownership marking or information classification marking.
7.2 You shall logically isolate all Bolt related data from Your own data and from all of Your other customers’ data, so that Bolt related data is processed, transmitted, accessed, and stored by a minimum number of authorized persons who only have access to such data as they need to perform their work related duties (role-based access control). This also applies to backups and logs.
7.3 Identity and Access Management for development and administrative purposes must fulfil the following requirements, including but not limited to:
You shall have policies and/or guidelines for approving, creating, and terminating user access rights;
You shall have policies and/or guidelines for the strength and rotation of access credentials, e.g.:
Implementing an automatic and forced password resetting process
Prohibiting and preventing the use of default or weak passwords
Securely handling and delivering credentials (such as user name and password)
Every user must be individually identifiable. Common/shared user accounts are prohibited and the use of them shall be prevented.
Any credentials must have the minimum permissions required for their intended use.
As part of software development two-factor authentication shall be implemented based on threat analysis. In case of administrative remote access to environment with Bolt related data two-factor authentication is always required.
7.4 You shall ensure that there is a sufficient audit trail of the use of access privileges in place for Bolt related data. Logs regarding user access and all activity that creates, changes, or deletes Bolt related data shall be collected and stored for at least twelve (12) months, or longer if required by statutory, regulatory or legal obligations. Access to log data shall be restricted to prevent compromise and misuse of log data. Bolt shall have the right to know who has access to its data. You shall support Bolt in case of security investigations or requests from authorities by providing visibility of relevant logs.
7.5 You shall protect all Bolt data at Your own premises and/or systems by appropriate controls including, but not limited to: network segmentation using host-based or network-based firewalls, firewall log monitoring, network intrusion detection or prevention systems (IDS/IPS), web application firewalls, log management and correlation capability, malware prevention for servers and end-user computing devices, and application and infrastructure vulnerability scanning. You shall maintain documented processes to ensure that all network devices are protected from unauthorized access and that all updates are conducted based on an agreed maintenance plan.
7.6 You shall deploy any host systems using a standardized secured configuration (hardened, i.e. provide only necessary ports, protocols and services to meet the functionality requirements). Sufficient vulnerability and patch management processes shall be maintained and followed in order to implement security patches and fixes in a timely fashion according to industry best practices and the level of criticality.
7.7 Sharing of Bolt related data shall only be undertaken through secure data sharing portals or tools. The use of insecure file transfer protocols is strictly forbidden.
7.8 You shall maintain cryptographic certificates needed to provide the Services, and monitor the expiry of all TLS certificates, and manage their timely replacement.
7.9 You shall encrypt all information and/or data by using current industry-standard strong encryption, key management and related standards when processing, transmitting and/or storing personal data, consumer data, Bolt confidential or secret information in public cloud environments, including consumer cloud storage services, and transmission of data over the public Internet.
7.10 When transferring e-mail over the public Internet, the preferred way is to use end-to-end or gateway-to-gateway encryption (e.g. TLS). At a minimum, You shall have the capability to send adequately encrypted attachments.
7.11 You shall establish policies and procedures and implement mechanisms for effective key management to support encryption of data in storage and in transmission as well as authentication. Key management and key usage shall be separate duties.
7.12 You shall have remote access and remote work policies, practices, guidelines and restrictions in place. Wireless access and remote connections shall be protected from eavesdropping (e.g. VPN).
7.13 If Bolt’s virtual meeting solution is not used, You shall ensure that the following controls are implemented for the virtual meeting solution:
remote control of the web camera is disabled;
the web camera shall automatically shut down when a virtual meeting session has ended.
7.14 All laptop hard disks and other client devices (like USB-memory sticks, netbooks, smartphones, tablet computers, portable media players etc.) and other removable/back-up media containing Bolt related data shall use full data encryption.
7.15 You shall securely and permanently destroy/wipe Bolt related data in a Bolt-approved manner from all media and/or devices when it is no longer required for the Services. Any old or broken media containing Bolt related data shall be effectively and permanently wiped, without the possibility of retrieving any data, or destroyed prior to being decommissioned or reused. You shall ensure that necessary backup arrangements are taken into account prior to disposal.
7.16 Workstations and other end-user devices that are used to access Bolt related data shall be installed from standardized installation images or by using standardized installation or configuration procedures. Devices shall be configured to be resistant to attacks in accordance with industry standards and best practices and the means of connecting to networks, IT services or other end-user devices shall be designed to be secure, and protected against unauthorized disclosure or alteration of business information. All software used in workstations shall be regularly patched and personal firewalls shall be in use.
7.17 Any and all devices used in or added to the end user environment (e.g. Bring Your Own Device, BYOD) shall be approved, protected by appropriate security controls and supported by standard operating procedures or instructions for acceptable use.
7.18. Automated, up-to-date and functional malicious code protection (such as antivirus and anti-spyware/malware software) shall be installed on all systems used to deliver end-to-end service for Bolt.
7.19. Administrative tools capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.