Information Security


by Christian Clausen

on Mar 28, 2025

Purpose, Scope, and Users

The aim of this top-level security policy is to define the purpose, direction, principles and basic rules for information security management. Top management approves this policy.

This policy applies to the entire Information Security Management System (ISMS), as defined below. Users of this document are all employees of Merrymake, as well as relevant external parties.

Policy

Scope of the ISMS

The ISMS scope covers all employees and all information assets of Merrymake: both the information itself and the systems and people that store and process it.

Information security policy statement

We have an agile, customer-centric approach to everything, including security policies. We understand how important data privacy and protection are to our customers. We trust the people we work with: customers, employees and partners. Our security policies provide clear guidelines and rules, making it easy to protect sensitive data in the interest of the individuals and companies that entrust their data to us.

Top management is committed to:

  1. Fulfill the requirements of all interested parties.
  2. Continually improve the ISMS.
  3. Communicate the policy and lead by example.

Our goal is not to completely eliminate information security risks, but to minimize them in a cost-effective manner, offsetting the cost of controls against the anticipated reduction in potential losses due to security breaches. Our goal is to prove that Merrymake is a mature and trustworthy partner and supplier in relation to data processing.

Information security objectives

Strategic security objectives for the whole Information Security Management System:

  1. Show that security is a top priority for Merrymake and that Merrymake puts actions behind its core values (Ambition, Care, Ruggedness).
  2. Comply with ISO 27001:2022.
  3. Be approved as a data processor and host by all enterprise customers.

Tactical security objectives for particular controls or groups of controls, security processes, departments, etc. reside in the Statement of Applicability (SOA).

It is our goal to prove that Merrymake is a mature and trustworthy partner and supplier in relation to data processing and hosting. Information security is important to us as a business enabler, which allows us to enter into — and maintain — business relationships, markets, and situations that would otherwise be too risky. Information security supports our financial bottom line by minimizing the likelihood and impact of breaches. Our approach to information security enhances our corporate image as a trustworthy, honest, and ethical organization.

Basic cybersecurity terminology

Confidentiality
To ensure that only an authorized person can access data or information systems. Some of the methods through which we achieve confidentiality: passwords, biometrics, two-factor authentication (2FA), single sign-on (SSO), email magic links, Secure Shell (SSH) access, virtual private networks (VPN), access control lists (ACL), keys, access cards, access chips, and policy-based security.
Integrity
To assure that the data or information system can be trusted, because it is edited only by authorized persons and remains in its original state when at rest. Data encryption and hashing algorithms are key processes to increase integrity.
Availability
To ensure that data and information systems are available when required. Running redundant instances of hardware and software, working in small batches, and continuous system tests through a third party help increase availability.
Information Asset
Anything that is or holds information, i.e. people, premises, hardware, cloud services, or data, as well as intangible assets such as brand and reputation.

Security roles, responsibilities and authorities

Merrymake has an information security forum, responsible for ensuring that the information security strategy is visible, coordinated and in compliance with Merrymake's objectives. Merrymake has a separate and well-defined security function whose task is to safeguard Merrymake. The security organization has the following defined roles:

Records or evidence

There is a yearly management review and a yearly internal audit. The records are kept in our ISMS folder on our cloud drive.
