Security policy
Security is embedded in every aspect of Gurtam's operations, providing reliable, uninterrupted service for partners and clients who rely on Gurtam's products. This enables businesses to focus on their core activities without concerns about data safety or service availability.
Compliance
Gurtam, the Wialon, flespi, and GPS-Trace developer, adheres to an integrated management system policy and complies with ISO 9001 quality management system and ISO/IEC 27001 information security management system requirements. An authorized certification body conducts recertification every three years, while annual inspection audits confirm compliance with standards. This commitment underscores Gurtam’s dedication to maintaining service quality and safeguarding the confidentiality, integrity, and availability of data for all our partners.
Comprehensive security measures
Our security approach, refined through years of experience, focuses on preventing issues, regularly training our team, and quickly resolving problems when they arise.
Upon joining Gurtam, all employees are required to read and adhere to information security policies and requirements. Annually, the entire team undergoes internal training on information security and privacy, while specialized training is provided to roles with enhanced data access, such as top management and developers.
Gurtam follows the principle of least privilege, granting access based on the need-to-know and need-to-use principles. Access controls are structured using Role-Based Access Control (RBAC), with varying permissions for super users, medium users, and basic users. Access is generally restricted unless expressly authorized, creating a secure environment.
Gurtam teams employ measures such as VPNs, personal SSL certificates, antivirus software, strong passwords, clean desk and screen policies, automatic computer locking during inactivity, and strict guidelines for responsible information usage to enhance remote work security.
In our offices in Vilnius, Tbilisi, Dubai, and Boston, spaces are segmented into distinct zones based on job duties, with controlled access through ID badges. Access to company equipment is tightly regulated, with protective measures to shield against external impacts.
All information shared with Gurtam is protected. The company is focused on maintaining confidentiality through technical and organizational measures and enforcing mandatory NDAs for employees and third parties.
Gurtam is fully compliant with GDPR and implements the following measures:
- Adopting a Data Protection Agreement (DPA) as an annex to partner agreements.
- Incorporating data protection clauses in License Agreements with partners.
- Adopting a Privacy Policy.
- Implementing technological and organizational measures, including security risk management, access control, human resource security, physical security, operations security, communications security, and data breach management.
Gurtam regularly conducts security audits in line with global standards to ensure the safe handling of personal information.
The team developing each of the products (Wialon, flespi, and GPS-Trace) and the Infrastructure Department maintain a policy and continuity plan outlining the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for key ICT services. Asset owners have developed disaster recovery plans that undergo periodic testing and updates as needed.
Gurtam integrates threat intelligence to proactively identify and mitigate security threats, strengthening the system’s overall security posture. During development, we follow the best secure coding practices. Product quality is a priority, with refined testing processes and information security measures integrated at every stage of the product life cycle.
The primary goal of incident management is to swiftly restore normal operations following an emergency. Each product team defines roles, information channels, and procedures for incident classification, response, consequence mitigation, and recurrence prevention.
Gurtam identifies risks based on specific threats and vulnerabilities. Following risk assessments, the responsible person implements management strategies and mitigation measures for significant risks, including process improvements or introducing new practices to capitalize on identified opportunities. The Supplier Code of Conduct ensures that suppliers adhere to specific standards and practices, which helps mitigate risks associated with third-party interactions.
Gurtam’s hardening controls include a series of measures to enhance the security of systems and applications:
- Regular updates and patches to operating systems and software to mitigate vulnerabilities.
- Secure configuration of systems by disabling unnecessary services and ports to reduce the attack surface.
- Continuous monitoring and logging of system activities to promptly detect and respond to suspicious activities.
Gurtam cloud services are secured through comprehensive controls, including access management, technical support, resource control, and vulnerability management. The team also implements change management, logging, and event monitoring. It ensures compliance with data processing requirements, all in line with international standards like ISO/IEC 27001, to maintain the security and reliability of provided services.