Information Security Policy

Maas Software Engineering B.V.
Marine Facilities Planning (MFP) Platform and MFP Mobile App

1. Purpose

Maas Software Engineering B.V. is committed to protecting the confidentiality, integrity, and availability of information processed through the Marine Facilities Planning (MFP) platform and the MFP mobile application.

This Information Security Policy defines the principles and controls we apply to safeguard customer data, operational information, and system assets against unauthorized access, disclosure, alteration, and disruption.

2. Scope

This policy applies to:

  • The MFP web platform
  • The MFP mobile application (iOS and related services)
  • Supporting infrastructure hosted in Microsoft Azure
  • All employees, contractors, and third parties with access to MFP systems
  • All customer and operational data processed by Maas Software Engineering

3. Governance and Compliance

Maas Software Engineering:

  • Maintains an Information Security Management System aligned with ISO/IEC 27001
  • Operates in accordance with the General Data Protection Regulation (GDPR)
  • Applies risk management principles to identify, assess, and mitigate information security risks
  • Conducts periodic internal reviews and audits of security controls

Information security responsibilities are defined within the organization and overseen by company management.

4. Security Objectives

Our security objectives are to:

  • Ensure confidentiality of customer and operational data
  • Maintain integrity of data and system functionality
  • Ensure availability and resilience of services
  • Protect cryptographic keys and sensitive data
  • Monitor, detect, and respond to security threats
  • Maintain business continuity and operational resilience

5. Infrastructure Security

The MFP platform and associated services are hosted in Microsoft Azure.

Security measures include:

  • Azure App Services, Azure SQL Database, and Azure Storage
  • Network segmentation and controlled access
  • Use of Managed Identities for service-to-service authentication
  • Secure configuration baselines
  • Monitoring via Microsoft Defender for Cloud
  • Centralized logging and audit trails
  • Controlled deployment processes with rollback capability

All production environments are logically separated from development and test environments.

6. Access Control

Access to systems and data is governed by the principle of least privilege.

Controls include:

  • Role-based access control (RBAC)
  • Multi-factor authentication where applicable
  • Unique user accounts
  • Restricted administrative privileges
  • Periodic review of access rights
  • Controlled onboarding and offboarding procedures

Only authorized personnel may access production environments.

7. Cryptography and Key Management

Encryption is applied to protect sensitive data.

  • Data in transit is encrypted using industry-standard TLS protocols
  • Data at rest is protected using Azure encryption mechanisms
  • Additional encryption is applied to certain sensitive data using RSA 4096-bit keys
  • Cryptographic operations are implemented using secure .NET cryptographic libraries
  • Encryption keys are generated per system instance
  • Keys are securely stored in Azure Key Vault
  • Access to cryptographic keys is restricted to designated personnel
  • Key management processes are internally audited

8. Application Security

Security is integrated into the development lifecycle.

Practices include:

  • Secure coding standards
  • Code review procedures
  • Dependency management
  • Static code analysis where applicable
  • Controlled release management
  • Regular vulnerability remediation
  • External penetration testing performed by independent security specialists

Security findings are assessed and remediated according to risk.

9. Monitoring and Incident Management

We maintain monitoring capabilities to detect and respond to potential security incidents.

  • Infrastructure monitoring via Azure and security tools
  • Uptime and performance monitoring
  • Logging of critical system activities
  • Defined incident response procedures
  • Root cause analysis and corrective action when required

Customers are notified of incidents in accordance with contractual and legal obligations.

10. Data Protection and Privacy

We process personal data only as necessary for service delivery.

Controls include:

  • Data minimization principles
  • Purpose limitation
  • Logical segregation of customer environments
  • Configurable role-based visibility within the application
  • Secure data storage and backup
  • Data retention aligned with contractual and regulatory requirements

Customer data is never sold or shared for marketing purposes.

11. Mobile Application Security

The MFP mobile app:

  • Communicates securely with backend services over encrypted connections
  • Does not store sensitive data locally beyond what is technically necessary
  • Uses secure authentication mechanisms
  • Relies on backend authorization controls
  • Follows platform security best practices

Security updates are deployed as part of regular maintenance cycles.

12. Business Continuity and Disaster Recovery

We maintain documented Business Continuity and Operational Resilience procedures.

  • Disaster recovery is integrated into our Business Continuity Plan
  • Azure-based redundancy and resilience mechanisms are used
  • Backups are performed and periodically tested
  • High-risk scenarios are tested at regular intervals
  • The Business Continuity Plan is reviewed annually

13. Supplier and Third-Party Security

We rely on reputable infrastructure and service providers.

  • Primary hosting provider: Microsoft Azure
  • Third-party services are evaluated for security posture
  • Access by third parties is limited and controlled
  • Contractual safeguards are applied where appropriate

14. Employee Responsibilities

All employees and contractors:

  • Are bound by confidentiality obligations
  • Receive security awareness guidance
  • Must follow internal security procedures
  • Must report suspected incidents immediately

Failure to comply with security requirements may result in disciplinary action.

15. Continuous Improvement

Information security is an ongoing process.

We:

  • Periodically assess risks
  • Review and improve controls
  • Monitor emerging threats
  • Update policies and procedures when required

16. Policy Review

This Information Security Policy is reviewed periodically and updated when significant changes occur to:

  • Technology
  • Regulatory requirements
  • Business operations
  • Threat landscape