AIFB Edoardo Guzzi

1. Introduction and Purpose

This Information Security and Data Protection Policy defines the principles, responsibilities, and measures adopted by AIFB Edoardo Guzzi, a sole proprietorship based in Switzerland and Italy, to ensure the protection, confidentiality, and integrity of data processed within its operations and on behalf of its clients.

AIFB provides consulting, development, and digital infrastructure management services. The company handles personal and corporate data belonging to clients, collaborators, and users of its digital platforms.
The purpose of this policy is to establish the company’s commitment to information security, data protection, and compliance with applicable legal frameworks.

2. Legal Framework

AIFB operates in compliance with the following legal and regulatory frameworks:

  • General Data Protection Regulation (GDPR – EU Regulation 2016/679)
  • Swiss Federal Data Protection Act (FADP 2023 – LPD)
  • Applicable European and Swiss privacy and electronic communications regulations

This policy applies to all employees, collaborators, contractors, and third parties who have authorized access to AIFB systems or data.

3. Principles of Information Security

AIFB upholds the following core principles in its information security management:

  • Confidentiality – Information is accessible only to authorized individuals.
  • Integrity – Information is accurate, complete, and protected from unauthorized alteration.
  • Availability – Information and systems are accessible to authorized users when required.
  • Accountability – Access and actions on data and systems are traceable and auditable.

The company commits to maintaining a continuous improvement process for information security practices.

4. Data Protection Responsibilities

AIFB acts as:

  • Data Controller for internal data related to its business operations and communication systems.
  • Data Processor for information managed on behalf of its clients.

The company ensures that personal data is:

  • Collected and processed lawfully, fairly, and transparently.
  • Limited to what is necessary for the intended purposes.
  • Kept accurate and up to date.
  • Stored securely and retained only as long as necessary.

Clients remain responsible for determining the legal basis of data processing and informing data subjects as required by law.

5. Access and Authentication Controls

Access to systems, platforms, and client environments is granted based on the principle of least privilege.

  • Multi-factor authentication (MFA) or passkey systems are enforced for all critical accounts.
  • Passwords are managed securely through 1Password and must meet complexity standards.
  • Accounts are immediately revoked when a collaborator leaves or changes role.
  • Access to client data is strictly limited to assigned personnel.

All access events are logged and reviewed as part of periodic internal security checks.

6. Network and Infrastructure Security

AIFB operates servers and infrastructure with secure and compliant providers including Hetzner, OVH, VHosting, WPMUDEV, and XCloud.
Systems are deployed through Coolify, Proxmox, and Docker, using best practices for isolation, monitoring, and resource segregation.
Each environment is protected by:

  • Web Application Firewall (WAF) and security hardening through aaPanel Pro or equivalent tools.
  • Fail2Ban, UFW, and additional firewall layers to prevent unauthorized access.
  • Network segmentation for projects and client instances.
  • Regular monitoring and vulnerability scans for potential threats.

7. Data Encryption and Storage

All data under AIFB’s control or management is protected using modern encryption standards:

  • AES-256 encryption for data at rest.
  • TLS 1.3 for data in transit.
  • Encrypted backups on segregated servers.
  • Access restricted to authorized personnel only.

Sensitive data, passwords, and credentials are never transmitted in clear text and are always stored in encrypted vaults or secured systems.

8. Backup and Business Continuity

All client and internal systems are protected by daily incremental and weekly full backups.
Backups are automated, verified, and stored on secure, geographically redundant servers.
In the event of system failure or incident, restoration procedures ensure business continuity and minimal downtime.

9. Incident Response

AIFB maintains an internal Incident Response Procedure defining:

  • Detection and assessment of security events.
  • Containment, investigation, and recovery measures.
  • Internal reporting channels and escalation hierarchy.
  • Documentation and post-incident analysis for corrective action.

All incidents are handled by the technical leads and, when necessary, escalated to external legal or forensic consultants.
Incidents or potential breaches can be reported to se******@**fb.ch.

10. Third-Party and Supplier Management

AIFB collaborates only with third-party providers who demonstrate adequate data protection standards and offer contractual guarantees of compliance with GDPR and FADP principles.
Providers are periodically reviewed for security compliance and service reliability.

11. Awareness and Training

All collaborators and freelancers engaged with AIFB must adhere to internal security practices and confidentiality agreements (NDA).
Regular awareness and training sessions ensure that personnel remain informed about current risks, phishing threats, and secure handling of client data.

12. Continuous Improvement

AIFB periodically reviews this policy and related procedures to ensure alignment with evolving legal requirements, technological advancements, and security standards.
Any updates are documented and communicated internally before publication.

13. Contact

For questions or concerns regarding this policy or data protection practices, contact:
Email: se******@**fb.ch
Website: https://aifb.ch/

This policy reflects AIFB’s current operational practices and compliance commitments. It will be updated as necessary to maintain alignment with applicable laws and industry standards.