Security Policy

You are here because security matters to you. We know you need to be sure your service providers (like us) take security as seriously as you do. Below you'll find more information on how we ensure the safety of your data in MoreApp.

ISO 27001 Certification

ISO 27001 is recognized as the premier information security management system (ISMS) standard worldwide. ISO 27001 also leverages the comprehensive security controls detailed in ISO 27002. The basis of this certification is the development and implementation of a security management program, including the development and implementation of an Information Security Management System (ISMS). This widely-recognized and widely-respected international security standard specifies that companies that attain certification also:

  • Systematically evaluate their information security risks, taking into account the impact of security threats and vulnerabilities
  • Design and implement a comprehensive suite of information security controls to address security risks
  • Implement an overarching audit and compliance management process to ensure that the controls meet their needs on an ongoing basis

MoreApp has been ISO 27001 certified since 2017, with the privacy extension ISO 27701 included since 2023. Information security is tested annually by an independent party.

ISO 27701 Certification

MoreApp is proud to be ISO 27701 certified, demonstrating our commitment to safeguarding your data and ensuring privacy compliance. This certification underscores our dedication to managing and mitigating privacy risks associated with data processing activities. By adhering to ISO 27701 standards, we prioritise your trust and security, providing you with a seamless and reliable platform for all your data collection needs. With MoreApp, you can rest assured that your personal information is handled with the utmost care, making us a trusted partner in today's privacy-conscious world.

Data Center

MoreApp runs on Google Cloud Platform with a data center located in Eemshaven, The Netherlands. It is an efficient data center that runs on 100% renewable energy, mostly from Dutch wind. We ensure great scalability, high availability and security by addressing the following:

  • Access to our webservers is heavily restricted
  • Servers are spread over multiple availability zones
  • Database servers are replicated and run regular off-site backups

Safety

Since we're constantly sending and receiving sensitive information, we need to make sure our Platform and App are as secure as possible. We make sure of this by attending to the following things:

  • SSL encrypted connections to and from our webservers
  • All passwords are safely stored after salting, hashing and applying strong encryption
  • All endpoints that expose sensitive data require authentication
  • HSTS to prevent downgrade attacks and cookie hijacking
  • DDoS protection
  • MITM-attack prevention
  • Intrusion Detection (OSSEC)

We also continuously check our system against the following:

  • Common Vulnerabilities and Exposures (CVE)
  • Security Best Practices
  • Center for Internet Security (CIS) Benchmarks
  • OWASP Top 10

Independent third-party audits

We use independent third parties to audit our practices against the most sought-after standards and regulations in the world. These reviews occur at least annually and are conducted by globally-respected audit and security firms that are independent and thorough in their evaluations. We take their reports very seriously and have processes in place to address any issues that present risks to us or our customers.

External and internal application security testing

The fact that we have our Information Security Management System (ISMS) worked out right now doesn't mean it'll automatically stay that way. We need to keep making sure of this by testing our product and having ourselves audited by a certified third party.

  • We plan regular penetration tests
  • We plan regular Security Risk Analyses
  • We meet in the monthly Avisi Security Council to discuss the latest trends, vulnerabilities and legal issues

Continuous Improvement

A critical part of any information security management program is the continual improvement of security and compliance programs, systems, and controls. MoreApp is committed to soliciting feedback from different internal teams, customers, internal and external auditors, and improving our security, privacy and compliance processes and controls over time.

People

Since our employees are working with sensitive data each and every day, we need to make sure they can be trusted. That's why:

  • All employees get a background check before we hire them
  • All employees are in possession of a Certificate of Conduct for handling sensitive information
  • We train our employees to make security the priority
  • We have 'employee termination' procedures in place
  • We only work on laptops with full disk encryption and a vicious locking policy

Data Processing Addendum

We highly value privacy and the protection of your personal data. Therefore, we have put forward a Data Processing Addendum, tailored to our products and services. In the Data Processing Addendum, we mutually agree on how we process personal data on your behalf and how we protect the personal data that you process.

The Data Processing Addendum is added as an appendix to our License Agreement.

© MoreApp | Security | Privacy