Commitment of the management of DFi Service SA

At the end of the first certification cycle (2014-2017) ISO27001 and OCPD / Good Priv@cy, the management gives a mandate to the operational teams to renew its certifications. Management is committed to providing the financial, organisational and human resources to achieve this objective.


In order to pursue the steps taken, the Management has decided to strengthen its information security policy and its personal data protection management system (PDMS) as a major orientation through certification of good information security management in accordance with ISO 27001:2013 and GoodPriv@cy (OCPD:2014). The Management draws the attention of all actors, employees, partners and customers, to their responsibilities in this context.

La responsabilité étant partagée par l’ensemble des acteurs, la stratégie mise en œuvre implique un effort basé sur un cycle d’amélioration continu et le respect de l’ensemble des politiques (SMSI et SGPD) ainsi que des règlements, directives et processus relatifs aux règles de la sécurité de l’information et de la protection des données personnelles.


The security policy, and the DMS, are based on the respect of its fundamental values which are :

  • Sustainability
  • Integrity
  • Performance
  • Transparency
  • Confidentiality and the protection of personal data aim to protect the assets and interests of all stakeholders, as well as the protection of their personalities, based on the following principles :
    • Controlling risks
    • To comply with the laws and regulations specific to DFI’s sector of activity
    • Respecting confidentiality
    • Preserving the trust of stakeholders
    • Protection of personality
    • Follow best practice, freely defined norms and standards.

The Information Security Policy and the DMS, as well as all the procedures derived from them, are applicable to all DFI activities. They concern all the human, material and immaterial resources contributing to the proper functioning of our company, which form the basis of our commitments and our ethics.

Specific procedures for each of these resources are defined, in compliance with good practice and the law, in particular the federal law on the protection of personal data, in order to guarantee optimum security. In addition, they limit any malfunction that could have an impact on the course of activities, operations and the reputation of DFI.


The objectives, which serve as a guideline for the definition of the above-mentioned security and data protection principles, are as follows :

  • To ensure the protection of persons and property
  • To guarantee the protection of personality
  • Ensuring the confidentiality, integrity and authenticity of data
  • Ensure the continuity of activities by limiting the consequences of a malfunction
  • Ensuring the traceability and control of operations and events.

They are based on the implementation of the following security policy and DMS:

  • Inventory and assess property, assets, resources and personal data
  • Anticipate and manage risks and personal attacks
  • Controlling access
  • Implement a personal data protection defence and management system
  • Report any abnormal event or incident
  • Make employees, clients and third parties aware of the risks involved and the protection measures required.


Failure to comply with the security policy and the DMS poses a threat to the proper operation of DFI’s business. As such, it may be held liable. As an individual, failure to comply with these policies may result in sanctions and, depending on the case, be considered as serious professional misconduct.

Accordingly, legal, organisational and technical means are implemented to ensure compliance with the objectives and the resulting procedures.

In view of the need to conduct the security and personal data protection strategy with a consistent approach, the Management has thus decided :

  • That all staff at all levels of the hierarchy, as well as representatives of service providers or agents, must be involved in the approach
  • The implementation of an organisation structured around a CISO and an independent data protection advisor.

All the actors and decision-making bodies are responsible for applying and enforcing the security and personal data protection procedures arising from the above-mentioned policies and for informing and alerting employees, customers and third parties to the elements of the rules in force that concern them.

This Policy has been approved by the Management.

Plan-les-Ouates, 27.08.2019