Technical and Organizational Measures

To make it easier for our customers to carry out a Data Protection Impact Assessment (DPIA), Intric provides comprehensive material based on our ISO 27001-certified Information Security Management System (ISMS). Intric AB is certified to ISO 27001:2022, an internationally recognized standard for information security management systems.

The material below includes:

  • Extracts from Intric’s internal technical and organizational measures.
  • A list of the security features available in the platform (e.g. access control, logging, encryption) that you can use to protect your data.

You can use this material as a basis for your own risk assessment (DPIA). Note that the specific measures you need to take depend on the sensitivity of the information and personal data you intend to process in the platform.


Information security and safeguards

Intric offers an AI platform for knowledge management and automation where information security and compliance are central. The platform can be run in a dedicated cloud instance with European operators, or via an on-prem deployment. The platform supports both global AI models and European and Swedish-hosted language models. For on-prem deployments, language models can also be run locally.

Information Security Management System (ISO 27001 certified)

Intric AB’s Information Security Management System (ISMS) is ISO 27001 certified and ensures that our platform meets the strict requirements for confidentiality, integrity, and availability demanded by our customers in the public sector.

Below is an overview of the policies and guidelines that form part of Intric’s ISMS.

  • Information Security Policy – Overall framework that ensures confidentiality, integrity, and availability for all systems and data. Covers access control, data protection, incident management, and continuous monitoring.
  • Access Control and Termination Policy – Least privilege is applied consistently. All access is documented, reviewed quarterly, and revoked within one business day when employment ends.
  • Acceptable Use Policy – Clear guidelines for use of IT resources, with a requirement for multi-factor authentication (MFA) for all production and critical systems.
  • Data Classification Policy – Systematic classification of information into four levels (Public, Internal, Confidential, Restricted) with specific handling requirements for each level.
  • Data Handling Procedure – Detailed requirements for secure handling of data throughout the lifecycle, from collection to deletion, with encryption of sensitive data at rest and in transit.
  • Records Retention and Disposal Policy – Secure storage and disposal of information in line with legal requirements and business needs, with verified deletion methods.
  • Incident Response Policy – Structured process for reporting, handling, and communicating security incidents, with defined response times based on severity.
  • Baseline Hardening Policy – Configuration standards for all systems include network hardening, patch management, logging, MFA, and encryption.
  • Change Management Policy – All production changes require approval, testing, and documentation. Source code changes are logged and require approval before production deployment.
  • Risk Assessment and Treatment Policy – Annual risk assessment identifies threats and vulnerabilities. Critical risks are addressed immediately with documented treatment plans.
  • Business Continuity and Disaster Recovery – Tested recovery plan ensures continued operation during incidents. Regular backup with verified recovery capability.
  • Business Impact Analysis Policy – Systematic analysis of critical processes with defined recovery time objectives (RTO) and recovery point objectives (RPO).
  • Personnel Security Policy – Background checks, confidentiality agreements, and annual security training for all staff. Clear roles and responsibilities for security work.
  • Board of Directors Charter & Oversight Committee Charter – Clear governance and accountability at management level for information security, risk management, and technology oversight.
  • Vendor Management Policy – Security assessment of all critical suppliers before onboarding and annual follow-up. Requirements for confidentiality agreements and security commitments.
  • Physical Security Policy – Controlled physical access to facilities and equipment based on the least privilege principle, with documented access management.
  • Network Security Policy – Segmented network architecture with firewalls, encrypted communication (TLS 1.2+), and regular monitoring of network traffic.

Extracts of internal technical safeguards

Below are examples of the internal technical safeguards set out in the policies, procedures, and guidelines that Intric AB has in its ISO 27001-certified Information Security Management System.

Encryption and data protection

  • Encryption at rest: All sensitive data is encrypted in storage using industry-standard algorithms
  • Encryption in transit: TLS 1.2+ is required for all data transfer over public networks
  • Key management: Centralized management of encryption keys via the cloud provider’s key management service

Access control

  • Multi-factor authentication (MFA): Mandatory for all privileged accounts and access to production, email, version control, and cloud infrastructure
  • Unique user identities: All users are assigned unique credentials that can be traced
  • Password requirements: Minimum 8 characters with complexity requirements, unique per system
  • Role-based access (RBAC): Least privilege based on job role
  • Password managers: Approved password managers are required for storing credentials

Network security

  • Segmentation: Production, development/test, and corporate networks are kept separate
  • Firewalls: Configured to allow only necessary ports and protocols

Vulnerability management

  • Automatic vulnerability scanning: Monthly scans of infrastructure and applications
  • Patch management: Critical security patches are applied according to a defined timeline
  • Penetration testing: Regular testing of security controls
  • Vulnerability prioritization: Critical vulnerabilities are addressed immediately

Logging and monitoring

  • Logging: All system activity, administrative actions, and security events are logged
  • Time synchronization: NTP is used for accurate timestamps
  • Log protection: Logs are protected against unauthorized access and modification
  • Log retention: Logs are retained in line with contract/customer instructions

Backup and recovery

  • Automatic backups: At least weekly backup of user data
  • Geographic redundancy: Backup replicated to different availability zones
  • Recovery testing: Periodic verification of backup integrity
  • Version control: Source code is version-controlled with traceability

Development security

  • Separate development environment: Development and test are separate from production
  • Code review: All changes to production require approval
  • Secure source code management: Access to repositories is restricted with MFA
  • Input validation: Data is validated to prevent attacks

Device management

  • Mobile Device Management (MDM): Centralized management of endpoints
  • Disk encryption: Encryption required for workstations and laptops
  • Automatic updates: OS and applications are kept up to date
  • Screen lock: Automatic screen lock after inactivity

Extracts of organizational safeguards

Below are examples of the internal organizational safeguards set out in the policies, procedures, and guidelines that Intric AB has in its ISO 27001-certified Information Security Management System.

Policy management and compliance

  • Annual policy review: All policies are reviewed and updated at least annually
  • ISO 27001:2022 certification: Independent certification of the information security management system
  • Statement of Applicability (SoA): Documented control selection with justification
  • Compliance monitoring: Regular monitoring of policy compliance

Risk management

  • Annual risk assessment: Systematic identification and assessment of risks
  • Risk register: Documented risks with owners and treatment plans
  • Risk acceptance: Formal process for approval of residual risks
  • Continuous monitoring: Ongoing follow-up of identified risks

Personnel and competence

  • Background checks: Carried out before employment in line with local law
  • Confidentiality agreements (NDA): Mandatory for all staff before access
  • Security training: Annual mandatory training for all staff
  • Role-specific training: Additional training for security-critical roles
  • Performance review: Annual review includes security responsibilities

Access management – processes

  • Onboarding process: Structured process for granting access when someone joins
  • Quarterly access review: Regular review of permissions for critical systems
  • Offboarding checklist: Ensures all access is revoked within one business day
  • Role change process: Documented process when job duties change

Incident management and operations

  • 24/7 monitoring and reporting: Clear channels for reporting operational and security incidents via status.intric.ai
  • Defined response times: Critical incidents are handled within 48 hours
  • Documented process: All incidents are tracked in a ticket system
  • Post-mortem analysis: Lessons learned are documented and communicated
  • Customer communication: Structured communication plan for incidents

Change management

  • Formal change process: All production changes require testing and approval
  • Rollback plans: Documented recovery plans if something goes wrong
  • Emergency changes: Separate procedures for urgent changes with post-approval
  • Customer communication: Information about planned changes

Supplier and partner governance

  • Vendor risk assessment: Security assessment before onboarding
  • Annual supplier review: Review of critical suppliers’ security (SOC 2 reports)
  • Contractual requirements: Clear security commitments in agreements
  • Subcontractor control: Review of suppliers’ sub-processors
  • Exit management: Structured process on termination, including data handling

Business continuity

  • Business Impact Analysis (BIA): Identification of critical processes
  • Documented recovery objectives: RTO and RPO defined for critical systems
  • Disaster Recovery Plan: Tested plan for recovery from major incidents
  • Annual testing: BCP/DRP plans are tested at least annually
  • Documented redundancy: Systems distributed across different zones

Platform features for technical safeguards

The Intric platform offers comprehensive and flexible functionality so that our customers have full control to implement technical safeguards, tailored to the organization’s specific requirements for information classification and an appropriate security level.

Below is a description of the functionality built into the platform to raise the security level and support compliance.

Access control and permission management

  • Role-based access (RBAC): You can define detailed user roles and restrict access to specific functions, documents, and AI models
  • Single Sign-On (SSO): Integration with your existing identity management (Azure AD, Google Workspace, etc.) for centralized access control
  • Multi-factor authentication (MFA): Option to require MFA for all users via SSO integration

Model choice and data minimization

  • Choice of AI model: You choose between global, European, Swedish, or on-prem language models based on security requirements
  • On-prem models: Option to run AI models entirely within your infrastructure with no external data transfer
  • Data minimization: You configure which data is to be processed and can limit the scope

Encryption and data protection

  • End-to-end encryption: All data is encrypted both in transit and at rest
  • Customer-managed keys: For on-prem deployments you have full control over encryption keys
  • Encrypted storage: All documentation and conversation history are stored encrypted
  • Secure API calls: All communication between systems is over encrypted channels (TLS 1.2+)

Logging and traceability

  • Audit logs: You can trace all user activity, access to documents, and system changes
  • Log export: Option to export logs for integration with your SIEM system
  • Data access log: Full logging of who has access to what information
  • User accountability: Visibility into which user is responsible for both tools/Assistants and uploaded information

Data handling, erasure, and backup

  • Data ownership: You retain full ownership of all data in the system
  • Selective erasure: Option to delete specific documents, conversations, or users
  • Bulk erasure: Functionality to delete all data when the service ends
  • Export function: You can export all your data in structured formats
  • Automatic erasure: Configurable retention rules for automatic deletion after a set period
  • Automatic backups: Regular backups of your data (for cloud deployment)
  • Restore function: You can restore deleted data within a defined period (14 days)
  • Backup frequency: Daily
  • Your own backups: For on-prem, you are responsible for backup according to your own policy

Network security

  • Network isolation: For on-prem, the system can be fully isolated from the internet

Advanced security configuration

  • Session timeout: Automatic logout after a defined daily period of inactivity
  • Password policy: You can configure complexity requirements and rotation rules for passwords