Human Managed

Privacy Policy

How we protect personal data

This policy explains how Human Managed uses, stores, and secures personal data across our services, products, and operations.

1. Purpose

The purpose of this policy is to govern how our organization uses the personal data we collect. Personal data we collect may come from various sources and may include Personally Identifiable Information (PII) provided directly by our users or through partner organizations.

2. Scope

This policy applies to everyone involved in developing, designing, selecting, auditing, and using applications, services, and products that process personal data, including data provided directly by a user or indirectly through a third party or partner organization.

Exceptions must be approved in advance by the Human Managed ISMS Council through the Information Security Policy Exception Management Process.

3. General

You are responsible for upholding our users’ data protection rights, and for ensuring that users are informed of their rights and have given consent before personal data is collected or stored.

4. Our users’ data protection rights

You are responsible for upholding data protection rights in every element of a task, technology, or service under your control. Deliberate effort is required at every stage to maintain a user’s right to data privacy, including:

  • The right to access – a user can request copies of their personal data.
  • The right to rectification – a user can request correction of inaccurate or incomplete information.
  • The right to erasure – a user can request that we erase their personal data under certain conditions.
  • The right to restrict processing – a user can request that we restrict processing of their personal data under certain conditions.
  • The right to object to processing – a user can object to our processing of their personal data under certain conditions.
  • The right to data portability – a user can request that we transfer collected data to another organization or directly to the user under certain conditions.

5. How we use and store users’ data

Users have the right to see what personal data we have about them, and we only use user data to the minimum extent required to deliver the applicable product, service, or feature.

We obtain consent before data is collected and stored, by way of a clear, transparent privacy policy that is easy to understand and accessible at the point where data is provided.

We are transparent about how long data is kept before it is deleted, and where data is stored, including references to the data privacy policy of any third party we use to store data securely.

6. How we secure data

We consider data protection from the moment we begin developing a product through every instance of data processing. We implement appropriate technical and organizational measures to protect data, including encrypting, pseudonymizing, or anonymizing personal data wherever possible in accordance with the Encryption Policy.

We notify authorities and data subjects in the event of a data breach, in accordance with the Data Breach Policy.

7. Interested parties

  • Information Security Council: approves policy and decisions on policy waivers and violations.
  • ServiceOps: monitors compliance and reports violations based on defined thresholds.
  • Data Protection Officer: maintains data protection and privacy policies and ensures adequate measures are in place.
  • Chief Architect: supports security policy creation and enterprise-wide rollout of awareness and training programs.
  • HM Life: ensures employees and relevant contractors receive ongoing awareness education and policy updates.

8. Performance

The information security management team verifies compliance through multiple methods, including reports from business tools, internal and external audits, and feedback to the policy owner. Each business function must maintain a written response plan that is kept under version control and available via the web.

Human Managed measures and verifies compliance through ongoing monitoring and assurance activities, such as:

  • Continuous control testing and annual ISMS internal compliance audits.
  • ISMS Council annual management review.
  • Monthly incident response checklist.
  • Quarterly tabletop exercises and simulations.
  • Annual incident response exercise.
  • Planned external audits (SOC 2 Type 2, SOC 3, customer security assessments).

9. Non-compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

10. Continuous improvement

This policy is updated and reviewed as part of the continual improvement process.

11. Related policies, standards, and processes

  • Information Security Policy Exception Management Process
  • Encryption Policy
  • Monitoring Policy
  • Security Incident Response Plan
  • Breach Response Plan