The purpose of this policy is to establish Blackbirds' security policy so that information and IT assets are protected against internal and external threats, whether intentional or accidental, and to mitigate risks such as theft, loss, misuse, damage, or unauthorized access. This policy forms the foundation of our Information Security Management System (ISMS) and helps create trust for everyone involved.
This policy applies to:
- All Blackbirds employees (permanent, temporary, external and consultants);
- Customers, including their representatives and users of services/portals;
- Suppliers, partners and contractors who access or process information on behalf of Blackbirds;
- Other stakeholders who exchange information with or on behalf of Blackbirds, such as auditors, supervisors and subcontractors.
The scope includes all information, systems, networks, physical locations, cloud environments, infrastructure, documentation, and applications that are owned or managed by Blackbirds or used to provide services.
3.1 Protection of Information and IT Assets
Blackbirds protects its information and IT assets (including but not limited to computers, mobile devices, networks, software, systems, and sensitive data) against internal and external threats — whether intentional or unintentional — and mitigates risks related to theft, loss, misuse, damage, or unauthorized access.
3.2 Restricted access and privilege management
Access to information and systems is only provided to authorized persons or entities based on the need-to-know and least privilege principles. Access permissions are monitored, documented, and reviewed regularly to ensure that authorizations remain accurate.
3.3 Confidentiality
Information is protected from unauthorized disclosure. This includes appropriate controls to ensure that only authorized persons or systems have access to confidential data.
3.4 Integrity
The policy ensures that information remains accurate and complete and that changes can only be made by authorized entities in accordance with established procedures.
3.5 Availability
Blackbirds ensures that information and systems are available to authorized users when necessary to support business goals and service levels.
3.6 Compliance with legal and contractual obligations
Blackbirds complies with applicable national and international laws and regulations, industry standards and contractual obligations. Wherever possible, Blackbirds strives to exceed these requirements.
3.7 Continuously improving the ISMS
The ISMS is periodically evaluated and improved based on monitoring, audits, lessons learned and changing risks and threats.
3.8 Business Continuity
Blackbirds develops, maintains and tests business continuity plans to ensure continued operations during disruptions or emergencies.
3.9 Security Awareness and Training
Consistent security awareness activities and training are offered to employees, customers, and relevant third parties (e.g. supplier staff if applicable). Security responsibilities are clearly communicated and incorporated into roles and obligations.
3.10 Notification culture and non-retaliation
Blackbirds encourages timely reporting of security problems or potential incidents. No action will be taken against individuals who report a security concern or incident in good faith unless there is evidence of illegal acts, gross negligence, or repeated intentional policy violations.
3.11 Incident and breach reporting
All customers, suppliers and employees are required to report any actual or suspected information security incidents immediately to security@blackbirds.ai, so that an appropriate and timely response is possible.
4.1 Enforcement
Failure to comply with this policy may result in disciplinary measures or contractual sanctions, depending on the role of the person concerned and the seriousness of the violation.
4.2 Exceptions
Exceptions to this policy are only allowed with written approval from the Information Security Management Leader. Approved exceptions are defined as a policy waiver with a clear scope and end date.
4.3 Complaints
All parties involved (employees, customers, suppliers, partners) can submit complaints about the content or application of this policy to the Information Security Management Leader via <email>. The Information Security Management Leader will respond within 14 days and ensure appropriate processing of the complaint.
Data Management Specialists: We keep your data for a maximum of 10 years after registration, with an extension of 2 years in case of personal contact. Upon termination of our services, we will keep your data for a maximum of one month, unless a legal obligation states otherwise.
This version was last checked in January 2026.