These Technical Organisational Measures cover all CitNOW Group Corporate office locations, in addition to its research and development facilities.

About CitNOW Group

Created to leverage innovation and help retailers and manufacturers deliver an outstanding customer experience, CitNOW Group is driven by the vision to transform the way the automotive world communicates.

CitNOW Group offers multiple services for the various stages of the customer journey. Find out about each service through our Brands & Solutions page.

CitNOW Group comprises, CitNOW, CitNOW Imaging, CitNOW Triage and Appraise, Dealerdesk, Dealerweb, Quik, REALtime Communications (RTC), and Web1on1 (t/a CitNOW Conversations). Our span is global with a presence in 82 countries with over 19,500 installations and a number of partnerships with complimentary automotive suppliers.

Purpose and Scope

CitNOW Group processes customer and consumer data on behalf of our customers in the Automotive Industry. As such, CitNOW Group respects the privacy and value of this data, as well as the trust our customers place in us.

The following are the technical and organisational measures to ensure data protection and data security. The aim is to guarantee the confidentiality, integrity and availability of the information processed. For more detailed information on data centre facilities, click on the links at the bottom of the document.

Approach

We will:

• Use all reasonable, appropriate, practical, and effective security measures to protect our important processes and assets to achieve our security objectives.
• Comply with all ISO 27001:2022 requirements within our Information Security Management System.
• Utilise ISO 27002 as a framework for guiding our approach to managing security.
• Continually review our use of security measures so that we can improve the way in which we protect our business.
• Protect and manage our information assets to enable us to meet our contractual, legislative and privacy responsibilities.
• Use all reasonable, appropriate, practical, and effective measures to transfer information to Third Parties who require access to said information.
• Ensure compliance with the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), and the EU General Data Protection Regulation (EU GDPR) through our GDPR representatives within the business, as well as our independent outsourced Data Protection Officer (DPO).
• Utilise TISAX framework and guidelines to meet consumer and regulatory information security requirements within CitNOW Group policies.

1. Policies for information security
   1. CitNOW Group has defined a set of Information Security Policies which have been approved by the Management Board, and which sets out the organisation’s approach to managing its information security objectives.
   2. The Information security policies are in place to address requirements created by business strategy, regulations, legislation, contracts and the current and projected information security threat environment. These policies are also a requirement of our ISO 27001, Cyber Essentials Plus and TISAX accreditations (where applicable, by entity). The following policies are in place for all staff:
      • Access Control Policy
      • Acceptable Use Policy
      • Change Management Policy
      • Information Classification Policy
      • Information Security Incident Management Policy
      • Information Transfer Policy
      • Mobile Device & Teleworking Policy
      • Physical Security Policy
      • Clear desk and clear screen policy
      • Password management system
      • Cryptography Policy
      • People Policies including staff onboarding, vetting and offboarding
      • Internet Browser Usage Policy
   3. There may also be mandatory polices in addition to the above, based on an employee’s job role.
   4. A review of all CitNOW Group information security policies is carried out at least annually or whenever significant changes are made that would impact a policy, regardless of the nature of the change (e.g. business change; legislation change; technology change).
2. Risk Management
   1. CitNOW Group have a comprehensive yet pragmatic approach to risk identification, analysis and treatment as well as ongoing monitoring and review. This is set out within our Risk Assessment & Treatment Methodology document. It addresses risks arising from internal and external issues, whether threat or opportunity based and outlines the approach to risks arising from applicable legislation.
   2. There is also a living Risk Register in place, which is used to map and treat risks identified from the identification and analysis. It is also used to evidence activity and demonstrate links back to the controls and policies selected by the organisation to address the risk threats and opportunities.
3. Organisational
   1. Roles and responsibilities: CitNOW Group have identified the key roles and responsibilities within Information Security and Data Protection. These specific roles are assigned and communicated so that information security is not only managed effectively, but the performance of the security management system is reported through to top management.
      1. Head of Security Operations & Risk: Leading and managing the ISO committee to ensure the upkeep of the ISMS and ISO accreditation. Also responsible for Information Security within the organisation as well as risk management.
      2. Group Compliance & Data protection Manager: Leads the Group Compliance Team and is responsible for areas of the ISMS relating to Legal, Contractual and Data Protection. Responsibility of GDPR practices in both our UK and EU Offices.
      3. ISO Committee: Day to day running and upkeep of the ISMS. Implementation of Policies and Procedures and ensuring staff compliance. Management of Corrective Actions & Improvements and Risks & Treatments.
      4. Internal Auditors: Individuals have attended the recommended ISO 27001 Internal Auditor course and as such are responsible for carrying out all Internal audits, in line with the Audit Programme.
      5. Management Board responsible for ISMS and GDPR: procedures within ISO and ensuring we are working towards our KPI’s. Also responsible for sign off Risk Acceptance as per our Risk Methodology.
      6. Data Protection Officer: Responsible for ensuring that CitNOW Group is compliant with all aspects of the GDPR Legislations, both UK and EU.
      7. EU Representative: Our appointed EU Representative in regard to EU GDPR. Responsible for liaising with the EU supervisory authorities in relation to EU GDPR and liaising with Data Subjects based in the EU.
      8. GDPR Champions: Day to day contact for GDPR within the business. Ensures the upkeep of living Policies such as the Article 30 Records of Processing doc, breach register etc. Also responsible for upkeep of the Privacy Notice and ensuring our day-to-day compliance with regards to our responsibilities towards our Data Subjects and customers.
   2. Segregation of duties: The segregation of duties is used to ensure conflicting responsibilities are not allocated to the same individual and to prevent a single individual being able to access, modify or use assets without authorisation or detection.
   3. Threat Intelligence: To understand potential threats and vulnerabilities that may affect information security, we gather and analyse threat intelligence from well-known sources. This ensures we are aware of threats that may impact us and can take the appropriate actions when necessary. Any threat intelligence that may affect the organisation is logged in the Risk Register and follows our risk treatment method.
   4. Information security in project management: The Product Departments of the group follow a product workflow which includes the need to involve Compliance at the early stages of the project, along with the completion of risk assessments. In the event any Project will impact the Privacy of our customers, staff or consumers, our Data Protection Impact Assessment procedures shall be followed. If a project involves a third party, the Supplier Security Procedure will also be followed.
   5. Inventory of information and other assets: We operate an Information Asset Inventory Tracker and Physical Asset Tracker, which track our assets throughout their lifecycle. The asset owner is responsible for the proper management of an asset over the whole asset lifecycle and for protecting the asset in accordance with Classification of information. All CitNOW Group information assets must be returned to CitNOW Group upon termination of employment or third-party agreement.
   6. Acceptable use of information and other associated assets: CitNOW Group has an Acceptable Use Policy that outlines rules for using company information systems and assets. It emphasises responsible use for business purposes, prohibits unauthorised activities, and ensures data security. Employees must follow guidelines for software updates, internet use, email communication, and incident reporting.
   7. Handling of assets: Wherever possible CitNOW Group avoids the creation of paper-based information assets itself and attempts to produce only digital information. Digital information is protected against unauthorised access through measures including Access Controls.
   8. Classification & Labelling of information: CitNOW Group have three confidentiality levels defined with the ‘Information Classification Matrix’ (Confidential, Public, and Internal). All documentation must be clearly labelled with the appropriate confidentiality label and information classified as "Confidential" must be accompanied by a List of Authorised Persons.
   9. Information transfer: CitNOW Group have an information transfer policy which ensures that all information/data transfers within CitNOW Group, whether internal, external, or to third parties, meet minimum security requirements. It outlines roles and responsibilities, methods for secure transfer, and guidelines for handling various formats of information, including electronic mail, instant messaging, and external memory devices. The policy applies to all employees and third parties, emphasising the importance of compliance and proper classification of information.
   10. Access Control: CitNOW Group have an Access Control policy which defines rules for accessing systems, equipment, facilities, and information based on business and security needs. Access follows "deny-by-default" and "need-to-know" principles. Role-Based Access Control (RBAC) adheres to "least privilege" and access rights are reviewed annually. The IT department controls network access, granting it only when necessary.
   11. User responsibilities and Password management: All users of any CitNOW Group systems must have a unique user ID and shall require authentication by a password. Passwords should be kept confidential and must not be distributed through any channel (by oral, written or electronic distribution, etc.) or saved within the information system unless within an approved password safe (or Vault). Users must apply good security practices when selecting and using passwords and will follow obligations outlined within the password policy.
   12. User access management: The technical implementation of the allocation or removal of CitNOW Group Employee Basic Access Rights is carried out by the IT Department and HR Department. The technical implementation of the allocation or removal of access rights is carried out by the System Owners. Segregation of duties and segregation of privileged accounts from non-privileged accounts is implemented wherever possible and practical. Access rights are monitored and regularly reviewed, at least annually.
   13. Information security in supplier relationships: CitNOW Group has a Supplier Security Policy. The purpose of this policy is to ensure that information exchange with third parties happens in such a way that the maximum value can be gained from these relationships whilst protecting CitNOW Group information assets from abuse. All third parties with access to data or information have a current and up to date Non-Disclosure and Confidentiality Agreement in place. This is either contained within the contract or service agreement depending upon the type of supplier. There is also an internal third-party procedure in place that ensures all employees follow the correct steps when considering a new supplier and that the Compliance team are involved in the process, who will ensure all checks have been undertaken.
   14. Supplier addressing security with suppliers: Where possible we work with suppliers that already meet the majority of our Information Security needs for the services that they provide to us and have a good track record of addressing information security concerns responsibly. We select leading and well-trusted services that are known for their robustness, reliability and security and wherever possible look to suppliers that have already achieved ISO 27001 or its equivalent.
   15. Monitoring, review and change management of supplier: All CitNOW Group suppliers undergo a thorough security review before engaging their services. This review process is continuous, with critical suppliers being evaluated annually, and non-critical suppliers reviewed at the end of their contract or before contract renewal. When managing changes to supplier services, we consider several factors to ensure the best outcomes. As a best practice, we aim to research and evaluate three potential suppliers before making a final selection. The key considerations include:
       • The nature of the change;
       • The supplier type affected and the criticality of business information, systems and processes and re-assessment of risks;
       • The intimacy of relationship; and
       • Our ability to influence or control change in the supplier
   16. Information Security Incident Management: Incident response procedures are established in advance to ensure a structured approach during incidents. They outline staff roles and responsibilities for reporting and responding to security incidents, creating a consistent management framework. The initial task is to assess the event and decide on actions to minimise compromise to Availability, Integrity, or Confidentiality (CIA) of information, prevent further incidents, minimise disruption, and identify who needs to be informed, including internal personnel, customers, suppliers, and regulators while considering GDPR and the Data Protection Act 2018 requirements. Once assessed, an appointed individual will communicate with relevant parties to resolve the event. Response time varies by incident classification and severity. If an incident affects customers, we will notify them per legal and contractual obligations, within legally enforceable limits after a thorough investigation.
   17. Information security during disruption: CitNOW Group have identified various scenarios which could potentially impact the business and have documented the steps to mitigate such events as part of Business Continuity Plan. This plan is designed to assist in timely resumption of operations in the event of a disruptive incident. Testing and maintaining of CitNOW Group the business continuity plan is conducted to ensure it is consistent with our information security objectives is done based on the following:
       • Testing of specific parts of the plan and their impact on information security is conducted in frequencies that are related to the risk probability and impact per the risk assessment.
       • BCP Audits are planned regularly in line with the audit programme.
       • Reviews of the plan itself for ensuring relevance is conducted by Compliance and IT teams, with any identified beneficial changes being presented to the Management Board.
       • Full Business Continuity tabletop exercise carried out at least once a year to ensure it remains part of an integrated approach to the business and its ability to meet its objectives.
   18. Applicable legislation: The applicable legislation, regulation and contractual requirements affecting CitNOW Group are identified, documented, monitored and reviewed as part of the normal course of business and as part of the management reviews.
   19. Intellectual property rights: CitNOW Group outlines its approach to protecting its own Intellectual Property Rights (IPR) through the following measures, which are derived from established policies and agreements, this includes:
       • Terms and conditions of employment
       • Information deletion
       • Confidentiality or non-disclosure agreements
   20. Protection of records: CitNOW Group records are kept protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements. Specific records are kept in line with the Data Retention. Schedule and are managed by the relevant information / asset owner
   21. Information security review: CitNOW Group information security policies are procedures are subject to independent review at regular intervals and when changes are made, as part of our commitment to continual service improvement. Internal Audits are also planned through the Audit Programme, on an annual basis, with the appropriate personnel allocated to undertake the audit.
   22. Technical review: Vulnerability & penetration tests are conducted on each product on an annual basis by a qualified pen test specialist company, results are reviewed, and any vulnerabilities remediated.
   23. Operating procedures: CitNOW Group have operational procedures in place and allows Directors and Heads of Department to decide where to store operational procedures which best suit them and their staff, as well as the creation of such documentation.
4. People
   1. Screening: CitNOW Group Global Recruitment and Selection Policy incorporates the screening activities that are to be undertaken for all new hires. These include but are not limited to evidence of their eligibility to work and two satisfactory employment references.
   2. Employee Terms and Conditions All new employees within CitNOW Group are provided with a Contract specific to the entity of which they are engaging with at time of Employment Offer. These contracts impose strict obligations of non-disclosure and confidentiality on to the employee and describes the obligations for compliance with information security policies.
   3. Information security awareness, education and training Upon joining the company staff must join our ‘DNA’ training sessions which fully onboard them into the business, including sessions from members of our Organisation Security Team. Continuous training and awareness is provided and undertaken by all current staff in the forms of e-learning and Phishing campaigns. Staff are also encouraged to source and apply for training they feel would be beneficial based on their skill set.
   4. Disciplinary Policy Information security is important and in turn repeat non-conformance of CitNOW Group policies or deliberate cause of a major data breach could result in disciplinary action being taken, where necessary and applicable, CitNOW Groups HR department will act in line with the disciplinary policy for UK market employees. The disciplinary policy is specific to all employees within the UK market, due to differing legislations in other markets, the HR team will handle disciplinary within other markets in conjunction with local market laws.
   5. Termination or change of employment: In the event of termination of employment, issues such as non-disclosure and behaviour around confidential information after leaving the organisation are addressed in accordance with the Terms and conditions of employment and are reminded to the staff members upon exit interview with the HR Team. Retrieval of the leavers assets is carried out in line with Return of Assets and removal from all systems is carried out in line with the Access Control Policy.
   6. Confidentiality & non-disclosure agreements: Confidentiality and non-disclosure agreements addressing the requirements to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable and required for all external parties or employees of CitNOW Group, with either a signed NDA in place or full NDA provision forming part of an agreement.
   7. Reporting information security events & weaknesses: Each employee, supplier or other third party who is in contact with information and/or systems of CitNOW Group, or those of its customers, must report any system weakness, incident or event which could lead to a possible security incident. Information on how to report such events or weaknesses forms part of our ongoing information security training for all CitNOW Group employees and as part of onboarding process for suppliers and other third parties.
5. Physical
   1. Physical entry: Physical security measures within all CitNOW Group offices include:
      • All employees require a key pass or fob to enter the offices unless the office has a manned reception.
      • All visitors are required to sign in at reception and always wear a visitors' badge.
      • Employees are vigilant of tailgating and are required to challenge unknown people within the office.
      • Main office doors must always be closed.
      • All windows are main access doors are locked at the end of every day.
      • CCTV monitoring is in place to cover access points to all offices, which is provided by the landlords
   2. Secure areas: All CitNOW Group offices are secured by the following controls:
      • Telecommunications, servers, and networking equipment is securely stored in locked comms rooms, with only a few employees having access to these areas.
      • Post is delivered to a single locked mailbox, only accessible to our staff wherever possible.
      • Secure filing cabinets, lockers, or lockable desk drawers are available to all staff.
      • If a shared meeting room is required over multiple days, then, if appropriate, materials can be left overnight so long as the room is locked, and any confidential material is obscured from the view of any passers-by.
      • All meetings of a “Confidential” nature are held in dedicated meeting rooms to avoid risk of information leakage into the main open plan office where it is not required to be shared.
      • Employees and others using offices and meeting rooms are reminded of the need to avoid leaving “Confidential” materials where others might see them, this include leaving information white boards etc.
   3. Clear desk and clear screen policy: Confidential or sensitive information, whether held electronically or on paper records must be secured appropriately and in accordance with the Information Classification Policy when employees are absent from your workplace for an extended period and at the end of each working day. To facilitate this, guiding principles have been produced which cover both non-electronic (e.g., manual/paper files) as well as electronic forms of information. When away from workstations, employees must lock the screen with a password.
   4. Equipment: All CitNOW Group have the following controls in place to ensure the safety of equipment.
      • CitNOW Group predominantly uses cloud-based services from large, well-established providers, who are responsible for provision of assured utilities within their respective datacentres.
      • Power and telecommunications cabling carrying data or supporting information services within all CitNOW Group offices are protected from interception, interference, or damage.
      • Cabling to servers and networking equipment are securely stored in locked comms rooms, with only a few employees having access to these areas and all cabling is well maintained.
      • Specialist equipment such as Fire Protection equipment is maintained according to the service intervals and specifications.
   5. Storage media: CitNOW Group employees are only permitted to use removable media provided by the company and issued by the IT department on their work computers. These media should not be connected to or used on computers not owned or leased by CitNOW Group, unless explicitly authorised by the IT department. Any business or personal data stored on assets must be securely erased using approved technologies, depending on the sensitivity of the data. CitNOW Group ensures that all assets are disposed of through WEEE-approved, authorised treatment companies. Employees are allowed to take company equipment, such as laptops, off-site without prior authorisation or the need for recording the event, provided that all security policies for asset protection are followed at all times.
6. Technological
   1. Malware: The use of anti-virus software on employee devices detects and eliminates the vast majority of common malware that is in existence. We use well-known and widely trusted products to minimise the risk that a user will encounter malware. In all cases where anti-malware software is installed:
      • The software must be regularly updated using the auto-update feature of the software;
      • Malware scanning must occur when files are accessed.
   2. Vulnerability management: CitNOW Group periodically run vulnerability scans and carries out annual penetration tests to look for any vulnerabilities not previously identified. Where a vulnerability comes to light, regardless of the source, it is considered by the Compliance team, CIO, CTO and any other key stakeholders. Where action is required to remediate a vulnerability, depending on the nature, action is taken immediately or scheduled for action to be taken by a specified target date.
   3. Information Deletion: Utilising world-leading data warehouses enables CitNOW Group to ensure a high availability and security concept. Our Databases hold Customer and Consumer PII (defined within Article 6 in line with the Data protection Act 2018). For deletion of PII from our databases, we utilise anonymisation concepts and then full deletion after a defined period. PII removal from our databases: Retain logs indicating the following will be kept for each deletion:
      • Who
      • Deleted what
      • When
      • Authorised by whom
   4. Data Leakage Prevention: CitNOW Group have implemented Data Loss Prevention techniques that help assure us that our sensitive information is being accessed and used correctly and not accessible by unknown or anonymous users, by:
      • Identifying data that requires protection, e.g., by classification;
      • Specifying who has access to what information and when they can access it;
      • Ensuring the service provider has a mechanism in place for the control and monitoring of how, when and what data is accessed, protecting information from unauthorised use, copy and distribution;
      • Control over shared information with outsiders or third parties;
      • Highlighting to staff the need to check recipients, classify information, through Information security awareness, education and training;
      • Taking steps to implement Data masking where appropriate.
   5. Back-ups: Backup of all business-critical systems within CitNOW Group is done regularly; both cloud and local back-ups are used. Backup policies have been established to define the requirements and retention periods, for backup of information, software, and systems within each entity.
   6. Availability of information processing facilities: CitNOW Group predominately use cloud-based services for the delivery of our work. These systems have inherent redundancy built into their high-availability, resilient architectures.
   7. Logging and monitoring: CitNOW Group perform event logging for all entities products via various monitoring software, logs are accessed as and when required and contain information such as, user logging attempts and errors in the applications. All logging information is only accessible to users with the appropriate privileges; users are required to have an account within the specified system with suitable permissions.
   8. Controls of software: There are several measures in place within CitNOW Group to control changes of software on operational systems. All changes to operational software are managed in accordance with Change management and consider the business requirements for the change and the security aspect of the change.
   9. Network Security: Internal networks are managed by the IT department. The IT department are responsible for maintaining and updating all network activities. As we primarily use cloud-based services, the Security of network services is primarily the responsibility of the cloud service providers. All internet and cloud-based services have a strict SLA agreement between CitNOW Group and the supplier. Any access to CitNOW Group servers or systems are managed by authentication. Guest networks without access to core systems are available for guests.
   10. Use of Cryptographic: CitNOW Group have a cryptographic policy in place that outlines our approach towards the use of cryptographic controls. This ensures the organization maintains the highest possible standards of encryption. All individuals within CitNOW Group are responsible for ensuring that Internal/Confidential data is encrypted before leaving the organisation’s premises. Key management Considerations, outlines the requirements for managing cryptographic keys though their whole lifecycle including generating, storing, archiving, retrieving, distributing, retiring and destroying keys. Cryptographic algorithms, key lengths and usage practices should be selected according to best practice.
   11. Secure development policy: The policy reflects our approach to secure development of our services, products and websites and applies to all development teams. Secure coding standards are considered and followed.
   12. Acceptance testing: Testing is carried out on all changes to ensure the security, robustness, correctness and performance of the application. Acceptance testing is standard practice for our developers as part of our deployment cycle, all new features are tested individually before deployment. We have segregation of duties, with testers appointed at each entity to be part of each development team.
   13. Outsourced development: All outsourced developers are assessed to ensure they are qualified and competent. Individual Contractors are treated in the same manner as CitNOW Group developers with same development policies and controls applying to all for outsourced development as internal development.
   14. Separation of environmental: To reduce the risk of malicious activities, unauthorised or accidental changes from internal uses, all products within CitNOW Group have a separate test/development and production environments, following industry best practices, we predominantly use the following environments within each entity:
       • Development – for development
       • Staging/Testing - for internal testing
       • Production environment – live operational environment
   15. Change management: Significant changes to the organisation, business processes, information processing facilities and systems within CitNOW Group are subject to formal review and agreement by the Management Board.
   16. Change control: Our change control procedures in development are within our Change Control Policy change management. All changes to the system are run through a peer code review and testing process of which are in line with our documented procedures.
   17. Protection of test data: No personal data is used for development or testing in ordinary circumstances in any of CitNOW Group products.
7. Additional Supporting Policies
   1. CitNOW Group also have a host of other policies within the business that help to support our information security practices, these included, but not limited to;
      • Group Global Anti-Bribery Policy
      • Disciplinary Policy
      • Group Global Whistleblowing Policy
      • Global Health and Safety Policy
      • Modern Slavery Policy
      • Breach Notification Procedure
8. Certifications
   1. ISO 27001: CitNOW Group Limited is ISO 27001 certified by the BSI (cert number – IS 785456).
   2. Cyber Essentials Plus: CitNOW Group Limited is Cyber Essentials Plus certified by CyberSmart (cert number - b5aea281-ec18-4306-9374-beba1ef3fe98)
   3. TISAX: The ENX Association supports with TISAX (Trusted Information Security Assessment Exchange) on behalf of VDA the common acceptance of Information Security Assessments in the automotive industry. The TISAX Assessments are conducted by audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for general public.
   4. For Zype TV Ltd (t/a CitNOW) and CitNOW Video GMBH confidentiality, availability and integrity of information have great value. We have taken extensive measures on protection of sensitive and confidential information. Therefore, we follow the question catalogue of information security of the German Association of the Automotive Industry (VDA ISA). The Assessment was conducted by an audit provider, in this case the TISAX audit provider TUV SUD GmbH. The result is exclusively retrievable over the ENX portal.
9. Subprocessors

   All subprocessors used by each entity within CitNOW Group are listed on the subprocessor page of the CitNOW Group website.

   These subcontractors are subject to change over time as new features and system updates are released. Measures are taken when selecting new subcontractors to ensure appropriate security and privacy due diligence is applied.

   In line with our Third-Party Supplier Procedure, CitNOW Group ensures security with third-party suppliers by meticulously evaluating their security measures and compliance standards. To strengthen this commitment, we establish robust Data Processing Agreements with all subprocessors. Additionally, we implement additional transfer mechanisms where necessary to adhere to data protection regulations, including the completion of Standard Contractual Clauses (SCCs), International Data Transfer Agreements (IDTAs), and/or Transfer Risk Assessments (TRAs).

10. CitNOW Group Head Office

    All CitNOW Group Head office locations can be found within the CitNOW Group website.