Frequently asked questions
Here are the most commonly asked questions about information security and data privacy of our services.
General security information

How do you design your information security and data privacy measures?
We aim to control, facilitate, and implement well-balanced security measures throughout our operations. These security measures are a combination of proactive and reactive controls, security and risk awareness, policies, access control, and more.
We have designed security practices to protect the confidentiality, integrity, and availability of both customer and 3stepIT data. The practices are maintained by a dedicated security and privacy team.
You can read our Privacy Notice here.

How do you meet security standards?
Our services are certified according to the ISO/IEC 27001:2022 information security standard. Our certification covers IT lifecycle services, including front-end, IT asset management platform and end-of-life services.
ISO 27001 is an internationally recognised, independent information security management standard that helps organisations to keep their information secure. Working under the certified framework means that operations follow global best practices, for example taking specific measures to protect financial information, intellectual property rights and employee and customer information, as well as information third parties entrust to the company.
The features and benefits of an internationally recognised certification
- Robust processes that ensure continuously high information security standards
- Mitigate security risks by undertaking regular risk assessments
- Customer, partner and 3stepIT’s information is protected
- Strict access management that ensures users only have access to information for which they are authorised
- Strong information management is in place, regarding confidentiality, integrity and availability
- A recognised framework ensures 3stepIT and all its employees follow laws and regulations
To receive ISO 27001 certification, a company must be reviewed by an accredited certifier. During the review, it is verified that the company complies with all ISO 27001 requirements. These include assessing the company’s security policy, conducting a risk assessment of the operation, addressing all identified security risks, and embedding continuous improvement for information security. 3stepIT is audited annually by an external certifier.
We also hold ISO 9001 Quality Management and ISO 14001 Environmental Management certificates.
IT Asset Management Platform

How does your IT asset management platform support GDPR compliance?
Our IT asset management platform tracks your IT assets throughout their lifecycle, from procurement through in-life use to replacement. This helps to minimise the risk of losing devices or of devices ending up in the wrong hands. We offer complete visibility and control of your IT portfolio, including where assets are located, who’s using them and what software has been installed. Having this level of control makes it easy to demonstrate your accountability under GDPR. Plus, when end-of-life devices are data sanitized (including overwriting and destroying data), you will receive a comprehensive asset audit trail that is verified and fully reported.

Is my company data private if my devices are on your asset register?
Yes. Our IT asset management platform is designed to help you manage the efficiency and security of your IT estate. We do not have access to the data stored on those devices listed in the asset register. We are proud to have more than 2.3 million devices under management worldwide and are trusted by governments, financial institutions and some of the world’s largest companies to protect their business-critical technology and data. We return this trust by offering world-class solutions and data security services to our customers.

Where is the data in the IT asset management platform located?
Our IT asset management platform is a SaaS solution that is accessed via a web browser or as an integrated service connected to your systems. The environment is hosted in the EU/EEA area in ISO 27001, SOC1 type II and SOC2 type II certified data centres.

Do you back up our data?
Yes. Our data centre systems are routinely backed up for disaster recovery purposes.
IT refurbishment services

What happens to my used IT devices when they reach your refurbishment centre?
Devices undergo a comprehensive, certified data sanitization process. Our ISO 27001 certified refurbishment centres are in Finland, Sweden and Norway.

How do I know that no data is left on the equipment that is resold?
We take protection of data very seriously. To give our customers complete peace of mind, we use best-in-class software to overwrite data during the refurbishing process and, in case this is not possible, completely destroy the media including data. Our data sanitization techniques are based on the NIST 800-88 and DIN 66399 standards. The refurbishing process creates an automatic data sanitization report for all devices. This is recorded in our IT asset management platform to give customers a comprehensive asset audit trail.

Where do our old devices end up after you refurbish them?
Our partners play an important role in ensuring the responsible end-of-life treatment during IT asset disposition. We choose our trading partners carefully, prioritising long-term relationships so we know where our refurbished equipment is resold. We conduct detailed background checks of our partners to make sure they meet our high standards on environmental and waste management, anti-money laundering, bribery and modern slavery, and we repeat these checks annually.

Why should I outsource asset disposal?
Businesses that manage IT asset disposal in-house expose themselves to several needless risks. Most IT departments have limited resources, and handling of used IT equipment can fall to the bottom of the to-do list. When old data-bearing devices are stored in an office environment prior to data sanitization, they represent a data security risk. This can be further compounded when in-house IT teams don’t have access to the certified data sanitization software that is used by an expert refurbishing team. This can lead to errors in the process and a risk of personal data leakage. We use best-in-class data sanitization software that is trusted by governments and financial institutions worldwide, so our customers can be confident their data has been securely sanitized.