These Technical Organisational Measures cover all CitNOW Group Corporate office locations, in addition to its research and development facilities.

About CitNOW Group

Created to leverage innovation and help retailers and manufacturers deliver an outstanding customer experience, CitNOW Group is driven by the vision to transform the way the automotive world communicates.

The CitNOW Group offers multiple services for the various stages of the customer journey. Find out about each service through our Brands & Solutions page.

CitNOW Group comprises AutoSLM, CitNOW, Dealerdesk, Dealerweb, Quik, Reef, REALtime Communications (RTC), Tootle and Web1on1. Our span is global with a presence in 64 countries with over 15,000 users and a number of partnerships with complimentary automotive suppliers.

Purpose and Scope

CitNOW Group processes customer and consumer data on behalf of our customers in the Automotive Industry. As such, CitNOW Group respects the privacy and value of this data, as well as the trust our customers place in us.

The following are the technical and organisational measures to ensure data protection and data security. The aim is to guarantee the confidentiality, integrity and availability of the information processed. For more detailed information on data centre facilities, click on the links at the bottom of the document.

Approach

We will:

• Use all reasonable, appropriate, practical, and effective security measures to protect our important processes and assets to achieve our security objectives. · Comply with all ISO 27001:2013 requirements within our Information Security Management System.
• Utilise ISO 27002 as a framework for guiding our approach to managing security.
• Continually review our use of security measures so that we can improve the way in which we protect our business.
• Protect and manage our information assets to enable us to meet our contractual, legislative and privacy responsibilities.
• Use all reasonable, appropriate, practical, and effective measures to transfer information to Third Parties who require access to said information.
• Ensure compliance with General Data Protection Regulations through our GDPR representatives within the business as well as our independent outsourced DPO (Data Protection Officer).
• Utilise TISAX framework and guidelines to meet consumer and regulatory information security requirements within CitNOW policies.

About CitNOW Group

Created to leverage innovation and help retailers and manufacturers deliver an outstanding customer experience, CitNOW Group is driven by the vision to transform the way the automotive world communicates.

The CitNOW Group offers multiple services for the various stages of the customer journey. Find out about each service through our Brands & Solutions page.

CitNOW Group comprises AutoSLM, CitNOW, dealerdesk, Dealerweb, Quik, Reef, REALtime Communications (RTC), Tootle and Web1on1. Our span is global with a presence in 64 countries with over 15,000 users and a number of partnerships with complimentary automotive suppliers.

1. Policies for information security
   1. The CitNOW Group has defined a set of Information Security Policies which have been approved by the Management Board and which sets out the organisation’s approach to managing its information security objectives.
   2. The Information security policies are in place to address requirements created by business strategy, regulations, legislation, contracts and the current and projected information security threat environment. These policies are also a requirement of our ISO 27001, Cyber Essentials and TISAX accreditations (where applicable, by entity). The following policies are in place for all staff:
      • Access Control Policy
      • Acceptable Use Policy
      • Change Management Policy
      • Information Classification Policy
      • Information Security Incident Management Policy
      • Information Transfer Policy
      • Mobile Device & Teleworking Policy
      • Physical Security Policy
      • Clear desk and clear screen policy
      • Password management system
      • Cryptography Policy
   3. There may also be additional mandatory polices in addition to the above, based on an employee’s job role.
   4. A review of all The CitNOW Group information security policies is carried out at least annually or whenever significant changes are made that would impact a policy, regardless of the nature of the change (e.g. business change; legislation change; technology change).
2. Risk Management
   1. CitNOW Group have a comprehensive yet pragmatic approach to risk identification, analysis and treatment as well as ongoing monitoring and review. This is set out within our Risk Assessment & Treatment Methodology document. It addresses risks arising from internal and external issues, whether threat or opportunity based and outlines the approach to risks arising from applicable legislation.
      
      There is also a living Risk Register in place, which is used to map and treat risks identified from the analysis. It is also used to evidence activity and demonstrate links back to the controls and policies selected by the organisation to address the risk threats and opportunities.
3. Organisation of information Security
   1. Roles and responsibilities: The CitNOW Group have identified the key roles and responsibilities within Information Security and Data Protection. These specific roles are assigned and communicated so that information security is not only managed effectively, but the performance of the security management system is reported through to top management.
      1. Information Security Manager: Leading and managing the ISO committee to ensure the upkeep of the ISMS and ISO accreditation.
      2. ISO Committee: Day to day running and upkeep of the ISMS. Implementation of Policies and Procedures and ensuring staff compliance. Management of Corrective Actions & Improvements and Risks & Treatments.
      3. Internal Auditors: Individuals have attended the recommended ISO 27001 Internal Auditor course and as such are responsible for carrying out all Internal audits, in line with the Audit Programme.
      4. Management Board responsible for ISMS and GDPR: Point of contact for the ISO committee and the CitNOW Group Management Board. Responsible for signing of new policies and procedures within ISO and ensuring we are working towards our KPI’s. Also responsible for sign off Risk Acceptance as per our Risk Methodology.
      5. Data Protection Officer: Responsible for ensuring that the CitNOW Group is compliant with all aspects of the GDPR Legislations, both UK and EU.
      6. EU Representative: Our appointed EU Representative in regard to EU GDPR. Responsible for liaising with the EU supervisory authorities in relation to EU GDPR and liaising with Data Subjects based in the EU.
      7. GDPR Champions: Day to day contact for GDPR within the business. Ensures the upkeep of living Policies such as the Article 30 Records of Processing doc, breach register etc. Also responsible for upkeep of the Privacy Notice and ensuring our day-to-day compliance with regards to our responsibilities towards our Data Subjects and customers. There is a monthly meeting between the GDPR Champion and the DPO scheduled for the 1st Thursday of every month.
   2. Segregation of duties: The segregation of duties is used to ensure conflicting responsibilities are not allocated to the same individual and to prevent a single individual being able to access, modify or use assets without authorisation or detection.
   3. Information security in project management: The Product Departments of the group follow a product workflow which includes the need to involve Compliance at the early stages of the project, along with the completion of risk assessments. In the event any Project will impact the Privacy of our customers, staff or consumers, our Data Protection Impact Assessment procedures shall be followed. If a project involves a third party, the Supplier Security Procedure will also be followed.
4. Human Resources Security
   1. Screening: The CitNOW Group Global Recruitment and Selection Policy incorporates the screening activities that are to be undertaken for all new hires. These include but are not limited to evidence of their eligibility to work and two satisfactory employment references.
   2. Employee Terms and Conditions All new employees within CitNOW Group are provided with a Contract specific to the entity of which they are engaging with at time of Employment Offer. These contracts impose strict obligations of non-disclosure and confidentiality on to the employee and describes the obligations for compliance with information security policies.
   3. Information security awareness, education and training Upon joining the company staff must join our ‘DNA’ training sessions which fully onboard them into the business, including sessions from members of our Organisation Security Team. Continuous training and awareness is provided and undertaken by all current staff in the forms of e-learning and Phishing campaigns. Staff are also encouraged to source and apply for training they feel would be beneficial based on their skill set.
   4. Disciplinary Policy Information security is important and in turn repeat non-conformance of the CitNOW Group policies or deliberate cause of a major data breach could result in disciplinary action being taken, where necessary and applicable, the CitNOW Groups HR department will act in line with the disciplinary policy for UK market employees. The disciplinary policy is specific to all employees within the UK market, due to differing legislations in other markets, the HR team will handle disciplinary within other markets in conjunction with local market laws.
   5. Termination or change of employment: In the event of termination of employment, issues such as non-disclosure and behaviour around confidential information after leaving the organisation are addressed in accordance with the Terms and conditions of employment and are reminded to the staff members upon exit interview with the HR Team. Retrieval of the leavers assets is carried out in line with Return of Assets and removal from all systems is carried out in line with the Access Control Policy.
5. Asset Management
   1. Responsibility of assets: We operate an Information Asset inventory Tracker and Physical Asset Tracker, which track our assets throughout the lifecycle of the assets. The asset owner is responsible for the proper management of an asset over the whole asset lifecycle and for protecting the asset in accordance with Classification of information. All CitNOW Group information assets must be returned to the CitNOW Group upon termination of employment or third-party agreement.
   2. Acceptable use of assets: CitNOW Group have an Acceptable use policy; the purpose of this document is to define clear rules for the use of the information system and other information assets within CitNOW Group.
   3. Classification & Labelling of information: CitNOW Group have three confidentiality levels defined with the ‘Information Classification Matrix’ (Confidential, Public, and Internal). All documentation must be clearly labelled with the appropriate confidentiality label and information classified as "Confidential" must be accompanied by a List of Authorised Persons.
   4. Handling of assets: Wherever possible the CitNOW Group avoids the creation of paper-based information assets itself and attempts to produce only digital information. Digital information is protected against unauthorised access through measures including Access Controls.
   5. Management of removable media: CitNOW Group employees may only use CitNOW Group removable media in their work computers, which is provided by the IT department. CitNOW Group removable media may not be connected to or used in computers that are not owned or leased by CitNOW Group without explicit permission of the IT Department
   6. Disposal of media: Any business or personal data and information stored on the asset should be erased safely by using approved technology and means acceptable to the level of sensitivity of the data and information. CitNOW Group will only use appropriate WEEE approved authorised treatment company for the uplift of assets.
6. Access Control
   1. Access Control Policy: This policy outlines the rules for access to various systems, equipment, facilities and information, based on business and security requirements for access. Access to systems and networks must be in accordance with the principles of “deny-by-default” and “need-to-know”. Role Based Access Control (RBAC) is designed according to the principle of “least privilege” and access rights are monitored and regularly reviewed, at least annually.
   2. User access management: The technical implementation of the allocation or removal of CitNOW Group Employee Basic Access Rights is carried out by the IT Department and HR Department. The technical implementation of the allocation or removal of access rights is carried out by the System Owners. Segregation of duties and segregation of privileged accounts from non-privileged accounts is implemented wherever possible and practical. Access rights are monitored and regularly reviewed, at least annually.
   3. User responsibilities and Password management: All users of any CitNOW Group systems must have a unique user ID and shall require authentication by a password. Passwords should be kept confidential and must not be distributed through any channel (by oral, written or electronic distribution, etc.) or saved within the information system unless within an approved password safe (or Vault). Users must apply good security practices when selecting and using passwords and will follow obligations outlined within the password policy.
7. Cryptography
   1. Cryptographic Policy: CitNOW Group have a cryptographic policy in place that outlines our approach towards the use of cryptographic controls across and ensures that the organisation maintains the highest practicable standard of encryption. All individuals within the CitNOW are responsible for ensuring that Internal/Confidential data is encrypted before leaving the organisation’s premises.
   2. Key management: The policy includes the requirements for managing cryptographic keys though their whole lifecycle including generating, storing, archiving, retrieving, distributing, retiring and destroying keys. Cryptographic algorithms, key lengths and usage practices should be selected according to best practice.
8. Physical and Enviromental Security
   1. Physical entry controls: Physical security measures within all CitNOW Group offices include:
      • All employees require a key pass or fob to enter the offices unless the office has a manned reception.
      • All visitors are required to sign in at reception and always wear a visitors' badge.
      • Employees are vigilant of tailgating and are required to challenge unknown people within the office.
      • Main office doors must always be closed.
      • All windows are main access doors are locked at the end of every day.
      • CCTV monitoring is in place to cover access points to all offices, which is provided by the landlords.
   2. Secure areas: All CitNOW Group offices are secured by the following controls:
      • Telecommunications, servers, and networking equipment is securely stored in locked comms rooms, with only a few employees having access to these areas.
      • Post is delivered to a single locked mailbox, only accessible to our staff wherever possible.
      • Secure filing cabinets, lockers, or lockable desk drawers are available to all staff
      • If a shared meeting room is required over multiple days, then, if appropriate, materials can be left overnight so long as the room is locked, and any confidential material is obscured from the view of any passers-by.
      • All meetings of a “Confidential” nature are held in dedicated meeting rooms to avoid risk of information leakage into the main open plan office where it is not required to be shared.
      • Employees and others using offices and meeting rooms are reminded of the need to avoid leaving “Confidential” materials where others might see them, this include leaving information white boards etc.
   3. Equipment: All CitNOW Group have the following controls in place to ensure the safety of equipment.
      • The CitNOW Group predominantly uses cloud-based services from large, well-established providers, who are responsible for provision of assured utilities within their respective datacentres.
      • Power and telecommunications cabling carrying data or supporting information services within all CitNOW Group offices are protected from interception, interference, or damage.
      • Cabling to servers and networking equipment are securely stored in locked comms rooms, with only a few employees having access to these areas and all cabling is well maintained.
      • Specialist equipment such as Fire Protection equipment is maintained according to the service intervals and specifications
   4. Clear desk and clear screen policy:

      Confidential or sensitive information, whether held electronically or on paper records must be secured appropriately and in accordance with the Information Classification Policy when you are absent from your workplace for an extended period and at the end of each working day. To facilitate this, the following guiding principles have been produced which cover both non-electronic (e.g., manual/paper files) as well as electronic forms of information.

9. Operation Security
   1. Operating procedures: CitNOW Group have operational procedures in place and allows Directors and Heads of Department to decide where to store operational procedures which best suit them and their staff, as well as the creation of such documentation.
   2. Change management: Significant changes to the organisation, business processes, information processing facilities and systems with CitNOW Group are subject to formal review and agreement by the Management Board
   3. Separation of environmental: To reduce the risk of malicious activities, unauthorised or accidental changes from internal uses, all products within the CitNOW Group have a separate test/development and production environments, following industry best practices, we predominantly use the following environments within each entity:
      • Development – for development
      • Staging/Testing - for internal testing
      • Production environment – live operational environment
   4. Malware: The use of anti-virus software on employee devices detects and eliminates the vast majority of common malware that is in existence. We use well-known and widely trusted products to minimise the risk that a user will encounter malware. In all cases where anti-malware software is installed
      • The software must be regularly updated using the auto-update feature of the software;
      • Malware scanning must occur when files are accessed.
   5. Back-ups: Backup of all business-critical systems within the CitNOW Group are done regularly, both cloud and local back-ups are used. Backup policies have been established to define the requirements for backup of information, software and systems within each entity.
   6. Logging and monitoring: CitNOW Group perform event logging for all entities products via various monitoring software, logs are accessed as and when required and contain information such as, user logging attempts and errors in the applications. All logging information is only accessible to users with the appropriate privileges, users are required to have an account within the specified system with suitable permissions.
   7. Controls of software: There are several measures in place within the CitNOW Group to control changes of software on operational systems. All changes to operational software are managed in accordance with Change management and consider the business requirements for the change and the security aspect of the change.
   8. Vulnerability management: CitNOW Group periodically run vulnerability scans and carries out annual penetration tests to look for any vulnerabilities not previously identified. Where a vulnerability comes to light, regardless of the source, it is considered by the Compliance team, CIO, CTO and any other key stakeholders. Where action is required to remediate a vulnerability, depending on the nature, action is taken immediately or scheduled for action to be taken by a specified target date.
10. Communication Security
    1. Network controls: Internal networks are managed by the IT department. The IT department are responsible for maintaining and updating all network activities. As we primarily used cloud-based services, the Security of network services is primarily the responsibility of the cloud service providers. All internet and cloud-based services have a strict SLA agreement between CitNOW Group and the supplier. Any access to the CitNOW Group servers or systems are managed by authentication. Guest networks without access to core systems are available for guests.
    2. Information transfer: CitNOW Group have an information transfer policy to ensure that information/data, which is being transferred, internally, externally or to third parties is done in a method as to meet the minimum-security requirements. This will include information in a variety of formats (example – Paper and Electronic). This policy applies to all employees of CitNOW Group and any Third-party that processes the organisation information.
    3. Confidentiality & non-disclosure agreements: Confidentiality and non-disclosure agreements addressing the requirements to protect confidential information using legally enforceable terms. Confidentiality or non-disclosure agreements are applicable and required for all external parties or employees of the CitNOW Group, with either a signed NDA in place or full NDA provision forming part of an agreement.
11. System Acquisition, Development and Maintenance
    1. Security requirements of information systems: CitNOW Group follows the security controls which include the assessment and documentation of security requirements, especially (Development Teams are per entity within the CitNOW Group, with an overarching CTO located at Group Level and Management Board.):
       • Information security in project management
       • System changes control procedures
       • Information security policy for supplier relationships
       • Monitoring and review of supplier services
       • Secure coding practices
    2. Secure development policy: The policy reflects our approach to secure development of our services, products and websites and applies to all development teams. Secure coding standards are considered and followed.
    3. Change control: Our change control procedures in development are within our Change Control Policy change management. All changes to the system are run through a peer code review and testing process of which are in line with our documented procedures.
    4. Outsourced development: All outsourced developers are assessed to ensure they are qualified and competent. Individual Contractors are treated in the same manner as CitNOW Group developers with same development policies and controls applying to all for outsourced development as internal development.
    5. Acceptance testing: Testing is carried out on all changes to ensure the security, robustness, correctness and performance of the application. Acceptance testing is standard practice for our developers as part of our deployment cycle, all new features are tested individually before deployment. We have segregation of duties, with testers appointed at each entity to be part of each development team.
    6. Protection of test data: No personal data is used for development or testing in ordinary circumstances in any of the CitNOW Group products.
12. Supplier Relationships
    1. Information security policy for suppliers: The CitNOW Group has a Supplier Security Policy. The purpose of this policy is to ensure that information exchange with third parties happens in such a way that the maximum value can be gained from these relationships whilst protecting CitNOW Group information assets from abuse. All third parties with access to data or information have a current and up to date Non-Disclosure and Confidentiality Agreement in place. This is either contained within the contract or service agreement depending upon the type of supplier. There is also an internal third-party procedure in place that ensures all employees follow the correct steps when considering a new supplier and that the Compliance team are involved in the process, who will ensure all checks have been undertaken.
    2. Supplier addressing security with suppliers: Where possible we work with suppliers that already meet the majority of our Information Security needs for the services that they provide to us and have a good track record of addressing information security concerns responsibly. We select leading and well-trusted services that are known for their robustness, reliability and security and wherever possible look to suppliers that have already achieved ISO 27001 or its equivalent.
    3. Monitoring supplier services: All CitNOW Group suppliers are subject to a security review before engaging services and are subject to ongoing review. All critical suppliers are reviewed on an annual basis and non-critical suppliers are reviewed at the end of contract or prior to contract renewal
    4. Managing changes to suppliers: Changes to suppliers’ services consider the following and as best practice we also aim to research and consider 3 suppliers prior to final selection of a new supplier.
       • The nature of the change;
       • The supplier type affected and the criticality of business information, systems and processes and re-assessment of risks;
       • The intimacy of relationship; and
       • Our ability to influence or control change in the supplier
13. Information Security Incident Management
    1. Responsibilities and procedures: The procedures for incident response planning are defined in advance of an incident occurring. This helps to guide an incident through the key stages we have defined to ensure that all incidents receive the same structured approach.
    2. Reporting information security events & weaknesses: Each employee, supplier or other third party who is in contact with information and/or systems of the CitNOW Group, or those of its customers, must report any system weakness, incident or event which could lead to a possible security incident. Information on how to report such events or weaknesses forms part of our ongoing information security training for all CitNOW Group employees and as part of onboarding process for suppliers and other third parties.
    3. Assessment of information security event: As part of the assessment, it will also determine the impact and likelihood of event. Once assessed, an assigned nominated person will commutate with relevant parties required to resolve that event. During the assessment of a security event the first task is to assess the event and then determine a course of action that;
       • Minimises any compromise of the Availability, Integrity or Confidentially (CIA) of information
       • Prevents against further incidents
       • Has the minimum disruption to other users of that service
       • Considers who needs to be informed; internally, customers, suppliers, regulators e.g., within GDPR and Data Protection Act 2018 requirements.
    4. Response to information security event: The response time to an incident shall be dictated by the classification and severity. Should any incident occur that affects our customers, we will notify the customer in accordance with our legal and contractual obligations. It should be noted that immediate notification is not always possible because of the time it takes to properly investigate, however notification will take place within any legally enforceable limits.
14. Information Security Aspects of Business Continuity Management
    1. Planning information security continuity: CitNOW Group have identified various scenarios which could potentially impact the business and have documented the steps to mitigate such events as part of Business Continuity Plan. This plan is designed to assist in timely resumption of operations in the event of a disruptive incident.
    2. Verify, review and evaluate information security continuity: Testing and maintaining of the CitNOW Group the business continuity plan is conducted to ensure it is consistent with our information security objectives is done based on the following:
       • Testing of specific parts of the plan and their impact on information security is conducted in frequencies that are related the risk probability and impact per the risk assessment.
       • BCP Audits are planned regularly in line with the audit programme.
       • Reviews of the plan itself for ensuring relevance is conducted by Compliance and IT teams, with any identified beneficial changes being presented to the Management Board.
       • Full Business Continuity tabletop exercise carried out at least once a year to ensure it remains part of an integrated approach to the business and its ability to meet its objectives.
    3. Availability of information processing facilities: The CitNOW Group predominately use cloud-based services for the delivery of our work. These systems have inherent redundancy built into their high-availability, resilient architectures.
15. Compliance
    1. Application legislation: The applicable legislation, regulation and contractual requirements affecting the CitNOW Group are identified and documented and monitored and reviewed as part of the normal course of business and as part of the management reviews.
    2. Intellectual property rights: Any agreements entered that require any form of compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products will need approval from the CitNOW Group Management Board or where necessary via our outsourced lawyer.
    3. Protection of records: CitNOW Group records are kept protected from loss, destruction, falsification, unauthorised access and unauthorised release, in accordance with legislative, regulatory, contractual and business requirements. Specific records are kept in line with the Data Retention. Schedule and are managed by the relevant information / asset owner
    4. Information security review: The CitNOW Group information security policies are procedures are subject to independent review at regular intervals and when changes are made, as part of our commitment to continual service improvement. Internal Audits are also planned through the Audit Programme, on an annual basis, with the appropriate personnel allocated to undertake the audit.
    5. Technical review: Vulnerability & penetration tests are conducted on each product on an annual basis by a qualified pen test specialist company, results are reviewed, and any vulnerabilities remediated.
16. Additional Supporting Policies

    The CitNOW Group also have a host of other policies within the business that help to support our information security practices, these included, but not limited to;

    • Group Global Anti-Bribery Policy
    • Disciplinary Policy
    • Group Global Whistleblowing Policy
    • Global Health and Safety Policy
    • Modern Slavery Policy
    • Breach Notification Procedure
17. Certifications

    For Zype TV Ltd (t/a CitNOW) and CitNOW Video GMBH confidentiality, availability and integrity of information have great value. We have taken extensive measures on protection of sensitive and confidential information. Therefore, we follow the question catalogue of information security of the German Association of the Automotive Industry (VDA ISA). The Assessment was conducted by an audit provider, in this case the TISAX audit provider TUV SUD GmbH. The result is exclusively retrievable over the ENX portal.

    1. ISO 27001: CitNOW Group Limited is ISO 27001 certified by the BSI (cert number – IS 785456).
    2. Cyber Essentials: CitNOW Group Limited is Cyber Essentials certified by Comtact (cert number - 6facac97-1c10-4d49-8360-0d36b6824fc7
    3. TISAX: The ENX Association supports with TISAX (Trusted Information Security Assessment Exchange) on behalf of VDA the common acceptance of Information Security Assessments in the automotive industry. The TISAX Assessments are conducted by audit providers that demonstrate their qualification at regular intervals. TISAX and TISAX results are not intended for general public.
18. Subprocessors

    These subprocessors are subject to change over time as new features and system updates are released. Measures are taken when selecting new subcontractors to ensure appropriate security and privacy due diligence is applied. We will let you know with a minimum 30 days' notice of our intent to onboard or change a subprocessor in writing (email preferred). The sub processors that each entity within the CitNOW Group uses can be found via the following links:

    • AutoSLM
    • Auto Imaging
    • CitNOW: - Zype TV - European Entity
    • Dealerdesk
    • Eight Technology
    • Quik
    • RTC: Available on request
    • Web1on1
19. CitNOW Group Head Office

    All CitNOW Group Head office locations can be found within the CitNOW Group website.