Quality and Information Security Policy

1. Introduction

Information is one of the most crucial drivers of the modern economy and a significant factor in business development and management. The collection of data and information processed by Expert.ai, regardless of the form in which they are managed or stored, constitutes the company’s Information Asset. This asset is a competitive element of fundamental importance, guiding both tactical and strategic decisions and supporting the company’s operational processes. Expert.ai encompasses all companies within the group.

In the current landscape of rapidly changing and dynamic markets, technologies facilitate the swift and efficient gathering and processing of information to achieve business objectives. Increasing competition compels companies to seek new forms of customer engagement, encouraging the exploration of solutions based on emerging technologies and the development of innovative channels designed to manage an increasingly pervasive amount of high-value information.

In this context, profound and rapid changes are occurring, leading to exposure to new risk scenarios. It is therefore essential to continuously and promptly monitor innovation to implement protection and risk mitigation measures in a timely manner. This approach helps meet the growing demand for security from customers and protects the company’s value and competitiveness.

Furthermore, the protection and secure management of information are pertinent topics of national and international regulations, which are increasingly stringent. These regulations require, from an organizational standpoint, that behaviors, control systems, and actions aimed at protecting information are in place.

The protection of Information Assets is thus of strategic importance, originating from the establishment of appropriate reference regulations that direct the necessary organizational, technological, and regulatory interventions. The development of artificial intelligence software constitutes the core business of the organization, which has equipped itself over time with state-of-the-art artificial intelligence-based natural language understanding technologies suitable for this purpose.

Today’s increasingly discerning and demanding market necessitates methods that ensure the final service or product possesses characteristics that make it easily assimilable by customers and compliant with international regulations and standards. Recognizing this need, the organization has adopted an internal Quality and Information Security Management System.

2. Motivation

Expert.ai is a company operating in the field of Information Technology Natural Language Understanding. Given the nature of its activities, the organization considers quality and information security to be essential features to ensure the protection of its technological infrastructure, information assets, and business processes. Furthermore, quality and information security management represent a competitive advantage in the design and development processes of its products and services.

Regarding information security, Expert.ai designs and develops technologies to transform the way people find, understand, and use information. Consequently, information security is regarded by the organization’s Top Management as an indispensable factor in guaranteeing the quality of its products.

The mission of Expert.ai is to develop artificial intelligence software that comprehends the language of ordinary people, with the speed and accuracy required to discern, manage, and utilize strategic information on a large scale. This focus on information management processes necessitates special attention to their security and quality.

Additionally, the organization aims to position itself as the leading company in the development of artificial intelligence on the international market. Therefore, a commitment to the continuous improvement of its processes, both at organizational and technical levels, is imperative.

Based on this, Expert.ai intends to implement the necessary technical and organizational measures to ensure the integrity, confidentiality, and availability of its information assets.

3. Purpose and commitment

The Top Management, recognizing the importance of the organization’s image to its client base and aiming to achieve quality objectives in process management and service delivery, intends to actively maintain and continuously improve an Integrated Quality and Information Security Management System (ISQMS) in accordance with ISO 9001, ISO/IEC 27001, and related guidelines ISO/IEC 27017 and ISO/IEC 27018. This is with the objective of efficiently and effectively managing the organization and ensuring its continuity.

Our commitment is demonstrated through our adherence to internationally recognized standards and certifications, ensuring that we consistently meet and exceed industry expectations.

Privacy and Data Protection

At Expert.ai, we prioritize the protection of personal information and the privacy of our users. Our adherence to the ISO 27018 Personal Information standard underscores our commitment to safeguarding personal data in cloud services. This standard provides a code of conduct for the protection of Personally Identifiable Information (PII), integrating with our Information Security and Quality Management System (ISQMS) based on ISO/IEC 27001:2022. By implementing specific controls, we ensure the confidentiality and protection of personal data, aligning with the stringent requirements of the General Data Protection Regulation (GDPR).

Cybersecurity

Our cybersecurity framework is robust and comprehensive, designed to protect the confidentiality, integrity, and availability of information. The ISO/IEC 27001:2022 certification is a testament to our rigorous approach to information security management. This standard helps us maintain legal compliance and implement effective security controls, which are crucial in today’s digital landscape. Additionally, our ISO 27017 Cloud Security certification provides guidelines for information security controls specific to cloud services, ensuring the security of data for both our cloud service providers and customers.

AI Governance

Expert.ai is a leader in AI governance, ensuring that our AI systems are developed and managed responsibly by adhering to our internal Information Security and Quality Management System (ISQMS) framework. Our commitment to high standards is exemplified by our SOC 2 Type II Report on the Platform product. This report, issued by a certified external auditor, reflects our dedication to maintaining stringent standards of security, availability, processing integrity, confidentiality, and privacy. It demonstrates that our internal control measures are not only well-designed but also operate effectively over time. The Trust Service Criteria (TSC) included in our Platform monitoring are Security and Availability, ensuring that our AI systems are both reliable and secure.

Quality

Our ISO 9001:2015 Quality Management System (QMS) certification, integrated into our ISQMS, highlights our ability to consistently provide services and products that meet customer requirements. This international standard focuses on service quality, ensuring that we deliver high-quality solutions that comply with industry standards.

Compliance with Laws and Regulations

Compliance with relevant laws and regulations is a cornerstone of our operations at Expert.ai. Our Information Security and Quality Management System (ISQMS), supported by our comprehensive certifications, ensures the protection of confidentiality, integrity, and availability of information. This robust framework guarantees that we meet and exceed legal requirements, including the General Data Protection Regulation (GDPR), the AI Act, and U.S. regulations such as HIPAA. By adhering to these stringent standards, we demonstrate our unwavering commitment to maintaining the highest levels of security and compliance across all our operations.

To achieve these goals, the Top Management and the Quality and Information Security staff intend and are committed to:

  • Enhance the attitudes of each member of the organization and provide for their continuous training and professional development.
  • Guarantee the availability of the resources necessary for the operation and maintenance of the ISQMS.
  • Promote the technological development of the entire organization.
  • Ensure compliance with privacy regulations (EU Regulation 2016/679 – GDPR, General Data Protection Regulation), as well as the confidentiality, integrity, and availability of information for customers and stakeholders.
  • Increase the culture of Quality and Information Security.
  • Motivate and empower staff to contribute to the achievement of the company’s objectives.
  • Satisfy customers to strengthen the company’s position in the market.
  • Ensure adherence to scheduled time frames for project implementation.
  • Involve strategic suppliers and outsourcers in the provision of quality services and compliance with SLAs.
  • Minimize operational risks and the possibility of offenses related to Legislative Decrees and Regulations (e.g., 231/01, AI Act, DORA, NIS2, HIPAA).
  • Standardize operating methods and implement controls to reduce errors.
  • Initiate a continuous improvement cycle and upgrade the realization process to reduce service delivery time.
  • Acknowledge, examine, and evaluate the needs and expectations of all stakeholders.
  • Support, disseminate, and explain the Quality and Information Security Policy by making information documents available to staff and promoting targeted training and involvement actions.
  • Systematically review the ISQMS policy and objectives and the risks associated with their achievement.
  • Communicate this policy to interested parties as appropriate.
  • Define the objectives for each process by providing the expertise and resources to achieve them.

4. Quality and Information Security Engagement

The quality and security of information, and the manner in which they are guaranteed within the scope of the processes and services provided, are the subject of specific communications from the relevant corporate functions to the parties involved. All employees receive appropriate updates on quality and information security processes, as well as on the measures implemented by the organization through specific training initiatives. Additionally, all up-to-date documentation relevant to the ISQMS is made available in a dedicated area of the company intranet.

Regarding third parties (customers and/or suppliers), communications relating to quality and information security are regulated in accordance with the company policies that are part of the ISQMS and the provisions of contracts. Expert.ai permits the communication and dissemination of information to external parties only for the proper performance of its activities, which must be conducted in compliance with the rules dictated by the company’s organizational models and mandatory regulations.

Finally, appropriate contacts are maintained with the authorities relevant to data and information security, as well as with the pertinent cybersecurity and privacy bodies and associations. This is aimed at cooperating in any contingency and at keeping skills up to date in relation to research areas in the field of artificial intelligence.

5. Roles and responsibilities

The organization’s Quality and Information Security Management System defines roles and responsibilities within it:

Chief Information Security Officer (CISO): manages security governance aligned with business risks and objectives and ensures compliance with privacy and information security policies according to corporate standards and legal regulations.

Chief Data Officer (CDO): responsible for developing and managing the company’s data and information management strategy.

Cyber Security Engineer: responsible for designing and implementing secure network solutions to defend against hackers, cyberattacks and other persistent threats. The engineer is also responsible for testing and monitoring the company’s systems, continuously ensuring that all implemented security measures are up-to-date and functional. This role is also responsible for carrying out penetration testing.

IT Security and Compliance Specialist: responsible for the strategic and implementation guidelines concerning security measures on company systems, in order to mitigate cyber risks, and for monitoring and analyzing security events; also responsible for the first-instance review of changes resulting from the application of the ISMS, and for maintaining third-party evaluation metrics.

IT & Systems Administrators: responsible for the definition, implementation and technical maintenance of the security devices and technologies that make up the organization’s ICT networks and resources that are part of the Information Security Management System.

Within the documentation pertaining to the integrated management system, it is also possible to find the wording IT Department, which refers to the appointed and authorized technicians and System Administrators, who operate the company’s systems and are responsible for the proper management of devices and networks.

The CISO, CDO, IT Security and Compliance Specialist and the Cyber Security Engineer are an integral part of the Quality and Information Security Staff, which is the advisory and controlling body of the Quality and Information Security Management System and which drafts and implements its policies and procedures, reviews them and monitors their implementation.

The Quality and Information Security Staff is also entrusted with the task of promoting the culture of quality and security of data and information within the organization, planning specific and periodic security training courses for all personnel, and cooperating with the relevant internal corporate functions to make them aware of the risks. This body is also responsible for adopting and following methodologies and criteria for risk analysis and management, and for suggesting organizational, procedural and technical security measures to protect the organization’s safety and the continuity of its activities. Finally, it is responsible for verifying security incidents and adopting appropriate countermeasures.

The skills of all the above-mentioned functions have been appropriately assessed in relation to their roles. The HR Department keeps evidence of the skills and training of the resources involved in the information security management system.

6. Strategic and Business Objectives

The strategic and business objectives concerning the organization and its market positioning are consistent with the ISQMS objectives and the objectives for quality and information security. These are articulated based on the guiding principles set out below.

Firstly, the ISQMS defines a set of measures to strategically implement the “customer first” principle, in compliance with internationally accepted quality and security requirements. Expert.ai, through the ISQMS, also aims to protect its own and its customers’ information assets in the best possible manner.

Secondly, Expert.ai adheres to the “be process driven” principle, which involves the creation of structured and measurable processes to achieve results. Through the ISQMS, Expert.ai aims to preserve the company’s image as a reliable and competent supplier, while simultaneously meeting the requirements of current and mandatory regulations.

Additionally, Expert.ai positions itself in the market by strategically defining the “Focus on product” principle, which identifies the organization’s need to offer innovative and competitive solutions through the supply of its products. These products must be developed and adapted to the needs of customers in compliance with the policies and procedures of the ISMS, ensuring the security and efficiency of processes as well as the integrity, availability, and confidentiality of information.

Finally, the guiding principle “Empower your colleagues” is implemented through measures aimed at guaranteeing staff loyalty and professionalism, while also increasing the level of awareness and competence on security issues.

All of these provisions are consistent with the strategic and market objectives set out by the organization:

  • Expand its market, positioning itself as an international reference company in the development of artificial intelligence.
  • Improve product life cycle management.
  • Lower service costs to be more competitive in the market.
  • Improve communication and internal organization in a manner appropriate for an innovative and developing company.

It is the responsibility of the Quality and Information Security Staff to monitor the proper implementation of the quality and information security objectives. These objectives are periodically verified on a four-month basis and form part of the documentation to be analyzed during the Management Review.

The objectives for information security are:

  • Encourage the dissemination of a culture and awareness of data and information security and protection, particularly the confidentiality, integrity, and availability of data and information, among employees, collaborators, partners, and third parties, in relation to their roles and responsibilities in this area.
  • Train staff to carry out activities to protect company assets and information processed according to the Information Security Management System.
  • Protect company assets and managed information assets.
  • Protect data and information from unauthorized access.
  • Protect the image of the company.
  • Respect ethics in the workplace, among colleagues and with third parties.
  • Deal quickly, effectively, and scrupulously with emergencies or incidents that may occur in activities, also by collaborating with third parties or bodies in charge.
  • Comply with applicable laws and regulations, and adhere to standards identified with a sense of responsibility and awareness based on risk assessment.
  • Verify and monitor the continuity of information security for critical services even after major incidents that could potentially compromise the survival of the company itself.
  • Monitor, review, and improve the information security management system.

Quality objectives, on the other hand, are aimed at the pursuit of customer satisfaction, trust, and loyalty, guiding the organization in developing, implementing, and improving its quality management system.

The specific objectives for quality are:

  • Continuous improvement of all company processes, involving all employees.
  • Provide quality products and services that meet the initial and subsequent needs and expectations of customers and other third parties.
  • Commitment to comply with the requirements regulated by applicable laws, as well as contractual commitments.
  • Compliance with all internal rules and regulations for the safety of workers in the workplace.
  • Availability of the necessary resources, in terms of qualified personnel and appropriate equipment.
  • Ensure the company’s development through the continuous improvement of semantic technology to enter new market segments.
  • Training and refresher courses for each employee, within the scope of their duties.
  • An adequate control system to measure activities, solve problems, and provide the Management with suitable elements to carry out reviews and ascertain that the Quality Policy is always suitable and consistent with the company’s mission.

7. Management of Information Security Resources

The organization recognizes the critical importance of information security in terms of availability, integrity, and confidentiality, and acknowledges that technological components alone cannot ensure it. Consequently, the human factor emerges as predominant for the proper and secure management of company resources and processed information.

The organization believes it is essential that the Policies and Procedures related to information security are operationalized to achieve the planned objectives, specifically:

  • Protecting company assets and information.
  • Safeguarding data and information from unauthorized access.
  • Preserving the company’s image.
  • Upholding ethics in the workplace among colleagues and with third parties.
  • Complying with applicable regulations.

Barring exceptions, which will be assessed and approved by the Quality and Information Security Staff, the following are generally prohibited:

  • The use of personal devices within the company.
  • The use of company devices for private purposes.
  • The storage of personal data and any other non-work-related items.
  • The processing of data outside the applications/databases provided by the company (e.g., copying/managing data locally on personal devices).

The organization considers the following activities to be entirely unacceptable, without exception:

  • Infringement of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property.
  • Exporting software, technical information, or encryption technology in violation of international or national laws and company regulations.
  • Introducing malicious programs (malware) into the network or servers.
  • Disclosing passwords to others or allowing others to use one’s account.
  • Using an Expert.ai resource to obtain or transmit material that violates national or international laws.
  • Undermining network security or disrupting network communications.
  • Port scanning and security scanning are expressly prohibited.
  • Performing any kind of network monitoring aimed at intercepting data not addressed to the user’s host, unless these tasks are part of the user’s regular work activity.
  • Circumventing user authentication or security of any host, network, or account.
  • Using any program/script/command or sending messages of any kind with the intent of interfering with or disabling one’s own functions or those of another user.
  • Providing information on employees, collaborators, interns, temporary employees, consultants, companies, and, in general, all subjects that have direct or indirect contact with Expert.ai.
  • Using the company email account for purposes other than those strictly related to work.