Information security is paramount at Globality.
We invest considerable resources to provide a safe, secure platform to our partners, customers, and employees. Our dedicated information security team is committed to protecting our systems through continuous research, implementation of cutting-edge technology, and subject-matter expertise. Our security policy is guided by Globality’s core values, code of conduct, and business ethics. It dictates how we operate anywhere, any time.
We understand the importance of protecting confidential information.
As a company that caters to large enterprises and highly regulated industries, we have diligently matured and improved our security program as an integral part of our process since day one.
We understand compliance, governance, and regulations; we use them as drivers to guide us to exceed our customers’ security requirements.
Ethics & Values
Trust
Our customers and their communities expect us to be trustworthy partners, and it is our personal commitment to earn this trust every day and in all our business activities. We are responsible to our customers, our vendors, and our own employees
Collaboration
Creating a more inclusive global economy starts with communication. We promote inclusion and encourage the exchange of ideas and opinions in every aspect of our operations.
Innovation
Leveraging modern, cutting-edge technologies and harnessing them to service our customers, we bring unparalleled speed, accuracy, and value to sourcing systems and processes, applying AI and machine learning algorithms backed by a highly resilient infrastructure.
Statement & Policies
Security Statement
Globality prides itself on its leadership in the technology services industry. We recognize that we have a responsibility to protect all the data we hold or process, whether it belongs to Globality or to our employees, partners, customers, or suppliers.
Security Policies
Globality utilizes an information security program based on ISO 27001 and maintains a valid ISO/IEC 27001:2022 certification. Our information security policy has been reviewed by third-party auditors to ensure compatibility and conformity with ISO/IEC 27001:2022. We perform additional audits at least annually to ensure our continued compliance and review our processes and practices.
Compliance & Certification
We closely follow several security standards, regulations, and applicable laws and use them as drivers for the development of our security policies and procedures.
GDPR
Globality closely observes the European Union General Data Protection Regulation and continuously performs audits to ensure compliance.
FSQS-ES
Globality has met all requirements to become fully registered within the Financial Supplier Qualification System (FSQS), a standard used by major UK banks and financial organisations when selecting suppliers.
SOC2
Globality has completed its SOC2 examination with the guidance of third-party auditing firm A-LIGN. This globally recognized attestation validates our commitment to critical security standards for protecting and securing client data.
ISO27001:2022
Globality has been certified to the ISO27001:2022 standard since 2018 and completes an annual recertification audit. A copy of our ISO27001:2022 certificate may be downloaded from our customer support portal.
Security Statement
Globality prides itself on its leadership in the technology services industry. We recognize that we have a responsibility to protect all the data we hold or process, whether it belongs to Globality or to our employees, partners, customers, or suppliers.
To demonstrate our commitment to information security, Globality implements industry-best practices and security controls and affirms them through ISO 27001-2022 certification, the global standard for information security management.
It is the responsibility of our entire staff to become familiar with our security processes and to comply with our information security and privacy policies and the procedures we have established. We commit to providing an effective, efficient, and continuously improving security program to protect our assets and our customers‘ data.
Globality’s senior management and executive board fully support our information security program and require all our employees, vendors, and partners to do the same. Our staff of security professionals is dedicated to implementing our security program and protecting your data.
Globality’s infosec team responsibilities include the following:
- Developing processes, procedures, and policies required for the protection of data we store and process and the IT assets we use
- Identifying risks to the security of information and systems and mitigating these risks to levels acceptable to Globality
- Defining security requirements, establishing baselines, and measuring compliance based on applicable laws, regulations, and best practices
- Consulting with company employees, partners, and vendors to investigate security issues and evaluate products and processes
- Collaborating with business owners and technical staff to develop Globality’s infosec strategy and architecture
- Ensuring that incident response and disaster recovery plans are developed and implemented
- Responding to and recovering from disruptive and destructive events
- Increasing employee awareness of information security through training, discussion, and communication
All Globality employees are responsible for implementing information security:
- The executive team ensures that oversight, guidance, and adequate and appropriate resources are in place to fulfill this policy statement.
- Directors and senior leaders within Globality are responsible for enforcing and ensuring adherence to policies and standards within their functional areas.
- Managers and team leaders are responsible for the day-to-day management and implementation of security policies within their business areas and for ensuring compliance by their staff.
- All employees, vendors, and partners are responsible for understanding and adhering to our security principles, policies, and standards.
Globality is committed to security principles that apply to all areas and employees, regardless of role or geographical location:
- Protect Globality systems, assets, and information against unauthorized access.
- Protect the confidentiality, integrity, and availability of the information we collect, store, transfer, and process in accordance with legislation, regulation, contractual requirements, and industry-best practices.
- Ensure that policy requirements are communicated and understood by providing training and awareness programs to all employees.
- Apply Globality’s security standards to our supply chain and partners.
- Ensure that any actual or suspected breaches of information security are assessed, investigated, and reported.
- Continuously assess and measure the maturity of our information security program and consistently improve it.
Globality is committed to protecting Personally Identifiable Information (PII) and ensuring compliance with the European General Data Protection Regulation (GDPR):
- We collect only the personal information we need and explain why we need it.
- We share personal information within Globality only when there is a lawful reason for doing so and when the data controllers have given their consent.
- We allow data owners to request access to the personal information Globality holds for them, the right to have this information corrected or deleted, and the right to complain if they believe their information has been mishandled.
- We keep personal information only as long as is justified by our business needs.
- We take appropriate measures to protect the rights and freedoms of individuals whose personal information may be transferred to countries with different data protection laws.
- We ensure that actual or suspected breaches of these principles are reported and investigated appropriately.
- We apply these standards to Globality’s entire supply chain and delivery partners.
- We review this policy annually to reflect new legal and regulatory developments and ensure that we meet best practices.
Maintaining the confidentiality and integrity of PII is a requirement we take very seriously. We treat the information entrusted to us by our customers respectfully and professionally, ensuring that any data we process is handled legally and only for legitimate business reasons.
Security Policies
Globality utilizes an information security program based on ISO 27001 and maintains a valid ISO/IEC 27001:2022 certification. Our information security policy has been reviewed by third-party auditors to ensure compatibility and conformity with ISO/IEC 27001:2022. We perform additional audits at least annually to ensure our continued compliance and review our processes and practices.
Globality defines and distributes security policies and guidelines to its employees to communicate individual responsibilities with respect to safeguarding resources. These policies are available to every employee through our internal portals. All Globality new hires are required to undertake a series of training sessions that address their responsibilities as they relate to our code of conduct, information security, laws and regulations, and privacy. Globality employees and partners are required to acknowledge their responsibility for the security of Globality’s information to which they are granted access and to take due care to protect Globality’s information systems.
INTERNAL SECURITY ORGANIZATION
Globality has a formal corporate security organization that is responsible for all the security matters in the organization and is comprised of a team of technology and security professionals. The information security org reports directly to the CTO and holds ultimate responsibility for the organization's security-related decisions and strategies.
The Globality information security team members hold a variety of certifications and other credentials that attest to their proficiency in the field. They participate in training programs and activities sponsored by industry-leading security agencies to stay abreast of security trends and technologies.
CONFIDENTIALITY AGREEMENTS
All Globality employees and contractors are required to sign nondisclosure and confidentiality agreements as part of their onboarding process.
ASSET INVENTORY AND CLASSIFICATION
Globality has established and maintains asset inventory processes for its physical and information assets. Globality’s data classification policy addresses asset values and asset risks based on their participation in storing and processing Globality’s data.
INFORMATION HANDLING
Globality handles information in a manner conforming with local and global laws and regulations and as defined in its contractual obligations. We rely on standards such as the GDPR and ISO27001:2022 to drive our information-handling practices.
HUMAN RESOURCES SECURITY
Humans connecting to Globality’s corporate network are required to conduct themselves in a manner consistent with our security policies around confidentiality, business ethics, and professional standards. Globality requires that communications via these connections comply with applicable laws and regulations, including those governing restrictions on the use of telecommunications technology, encryption, copyrights, and license agreement terms.
CONFIRMATION OF SECURITY RESPONSIBILITIES
All Globality staff members provide individual confirmation of their responsibility for the security of Globality’s information to which they have access and to take due care to protect the technological equipment assigned to them. All staff members sign an attestation acknowledging their responsibility for the equipment, data, and tools received and their commitment to abide by Globality’s information security policies.
APPROPRIATE USE
The Globality code of conduct and the information security policy address the appropriate use of electronic tools and technologies. Our policies provide specific details regarding the authorized uses of our information systems, the types of data that may be stored on them, and the persons who are allowed access to such data.
SECURITY AWARENESS TRAINING
Security awareness training is an essential component of Globality’s onboarding process. Globality’s awareness program reinforces the concepts and responsibilities defined in the information security policy and includes periodic training courses, exams, lectures, and relevant communications. Globality executes tiered, role-based security training tailored to employees’ individual responsibilities and needs.
TERMINATION PROCESSES
Globality has established documented termination processes that define responsibilities for the collection of information assets and removal of access rights for employees who leave the organization.
FACILITY SECURITY
The following physical and environmental controls are incorporated into the design of Globality’s facilities:
- Separate, protected facilities
- Badge entrance control
- CCTV systems
- Temperature control and monitoring
- Smoke detection alarm
- Transient voltage surge suppression and grounding
- Redundant power feeds and UPS systems
- Redundant Internet lines and phone systems
- Physically secured network equipment areas
- Strict guest access control and monitoring
CHANGE CONTROL
Globality has established and maintains a change management/change control process that includes risk assessment, test, and retrieval procedures and review and approval components.
DEVELOPMENT ENVIRONMENT SEGREGATION
Development environments at Globality are required to be separate from production environments. Globality strictly prohibits the transfer or copy of data from any production system to any development or test environment.
WIRELESS NETWORKS
Only IT-managed wireless networks are permitted at Globality. The wireless network is segmented to ensure that only fully managed endpoints are admitted to the corporate network; unmanaged endpoints are placed on a guest WLAN. Wireless access security includes industry-standard encryption and authentication.
BACKUP
Globality’s data assets are routinely backed up for disaster recovery purposes. Restoration processes are tested, and metrics are maintained. Transmission of backup data to a remote data center is performed over secure lines, using encrypted traffic. Backup data are encrypted while at rest.
ENDPOINT PROTECTION
Globality protects all laptops, desktops, and other endpoints using an advanced technology suite, which includes anti-virus/anti-malware agents, mobile device management agents, an endpoint firewall, full disk encryption, and a secure virtual private network (VPN) client for communicating with corporate resources.
SPAM BLOCKING AND URL FILTERING
Globality has deployed advanced controls for blocking access to inappropriate websites from its network. Globality has also established and maintains e-mail security with anti-spam and anti-virus software.
AUTHORIZATION AND AUTHENTICATION CONTROLS
Globality follows a formal, documented process to grant or revoke access to its resources. Access is based on the “least-privilege” and “need-to-know” principles to ensure that authorized access is consistent with actual requirements and responsibilities. Globality uses a centralized single sign-on system that enforces strict security and password policies and controls access to its resources. Processes for user provisioning and deprovisioning have been established and are rigorously followed to ensure that users have only the access they need for the duration it is needed.
PRIVILEGED ACCESS
Globality carefully restricts privileged access to a small number of infrastructure administrators. Administrative access is closely guarded, monitored, and logged.
PASSWORD REQUIREMENTS
Globality’s password policies establish strict password guidelines that are enforced through our single sign-on (SSO) and other control systems. Session timeouts are enabled and set to predefined maximums.
REMOTE ACCESS
Globality uses VPN technology to enable secure remote access for its employees. VPN users are required to authenticate themselves using two-factor authentication against Globality’s SSO system. Our VPN tunnels are secured using AES128 or higher encryption. Vendor/consultant access to Globality resources is limited to specific VPN tunnels and requires approval from the information security team.
GDPR
On May 25, 2018, the GDPR came into effect across European Union (EU) member states, affecting any organization that processes personal data of EU individuals. The GDPR represents a strengthening and harmonizing of existing data privacy rights of individuals in the European Union.
The GDPR is relevant to any globally operating company, not just the EU-based businesses and residents. Our customers’ data is important irrespective of where they are located, which is why we have implemented GDPR controls as the baseline standard for all our operations worldwide. Globality is committed to protecting the personal data of our EU employees, contractors, customers, and vendors, regardless of where the data is stored or processed. We have a robust security program and an established series of internal policies, processes, and practices to ensure that the personal data of EU individuals is processed appropriately and protected in our information systems.
At Globality, we believe that the GDPR is an important step toward strengthening data protection laws across the European Union and enabling individual privacy rights. Globality is committed to GDPR compliance across all our service offerings and practices.
What is personal data?
Personal data is related to an identifiable or identified individual. GDPR covers a broad spectrum of information that could be used on its own or in combination with other pieces of information to identify a person. Personal data extends beyond a person’s name or e-mail address. The personal data Globality processes is limited to first name, last name, email, profile picture (if provided), and IP address.
When processing the personal data of EU individuals, we
- Ensure that there is a legitimate business reason to collect the data.
- Ensure that we have consent to collect and use the data (if required).
- Limit the collection, storage, and usage of the data only to the extent for which there is a business reason and consent from the data controller(s) is obtained.
Here are some ways in which Globality is ensuring compliance with GDPR:
- In the event of a data breach that may impact the security of employees’, customers’, or vendors’ personal data, we will take steps to notify EU authorities within 48 hours of discovery of the incident.
- When initiating new projects or launching new products, implementing new software, or onboarding new vendors that may process personal data of EU individuals, we will assess the data privacy impact to ensure that personal data is adequately protected in any systems or processes controlled by Globality.
- We stand ready to answer questions by any data subject about the types of personal data Globality processes about them. If you would like to make a request concerning the personal data Globality processes, please email our privacy team at privacy@globality.com.
- We raised awareness across our organization and trained employees to handle data appropriately. They now understand the importance of information security and the high standards set by the GDPR.
- We assessed the Globality platform against the requirements of the GDPR and have corrected any discrepancies with the GDPR guidelines.
- We assessed our sub-processors (third-party service providers, partners) and ensured that they are fully compliant with the GDPR.
- Globality has established a privacy team.
- We will gladly sign a DPA with you if it wasn’t included in our original agreement.
- We have revised our privacy policy to incorporate the requirements of the applicable privacy laws based on our data inventory, data flows, and data handling practices.