Information Security Policy


for Capable Agents AB


Last updated: 19th of November 2025


1. Purpose


The purpose of this Information Security Policy is to define how Capable Agents AB (“Capable”, “we”) protects the confidentiality, integrity and availability of information processed in connection with our services (“the Services”).

The policy applies to:

  • all information and systems used to provide the Services;

  • all employees, founders and contractors with access to Capable systems or data;

  • both Customer Data and Capable’s own internal information.

This policy is supported by more detailed documents in the Security and compliance and Terms, privacy, and DPA sections.


2. Objectives and principles


Our information security objectives are to:

  • protect Customer Data and Customer Personal Data from unauthorised access, disclosure, alteration and destruction;

  • maintain appropriate availability and resilience of our Services;

  • comply with applicable legal and contractual requirements, including GDPR;

  • integrate security into our product development and operations from an early stage.


We follow principles such as:

  • least privilege and need-to-know access;

  • defence in depth;

  • “secure by default” configurations where feasible;

  • simple, understandable processes that our small team can actually follow.


3. Roles and responsibilities


Information security is a shared responsibility, with defined ownership:

  • Information Security Lead – Adam Fakirni (CEO)

    • Owns this policy and coordinates overall information security.

    • Ensures that supporting security documents are maintained and followed.

  • CTO – Francisco Escobar Sabio

    • Leads implementation of technical security controls in infrastructure and applications.

    • Owns the SDLC & Application Security Policy, the Access Control & Identity Management Policy and the Logging & Monitoring Overview.

  • All team members

    • Follow this policy and supporting procedures.

    • Protect credentials and devices.

    • Report suspected incidents immediately.

Detailed role mappings are documented in Security & Privacy Roles and Contacts.


4. Scope of information and systems


This policy covers, at minimum:

  • Customer Data and Customer Personal Data processed in the Services;

  • Capable’s internal operational data (e.g. source code, configuration, logs, documentation, CRM data);

  • systems used to provide and manage the Services, including:

    • cloud infrastructure and hosting;

    • databases and storage;

    • CI/CD and source code repositories;

    • monitoring and logging tools;

    • collaboration and support systems.


5. Risk management


We identify and manage information security and privacy risks using our:

  • Risk Register (under Compliance Registers), and

  • supporting policies and procedures.

Key practices:

  • We log and track important security and privacy risks with owners, status and planned actions.

  • We review the Risk Register at least annually, and after major changes (e.g. new core vendors, architecture changes or serious incidents).

  • Significant risks and mitigation plans are reviewed by the founding team.


6. Access control and identity management


Our approach to access control is defined in more detail in the Access Control & Identity Management Policy. At a high level:

  • Access to systems and data is granted on a least privilege basis.

  • User accounts are individual and must not be shared.

  • Strong authentication (including MFA wherever the system supports it) is required for:

    • cloud infrastructure and production systems;

    • source code repositories;

    • administration and configuration tools.

  • Onboarding and offboarding procedures ensure that:

    • access is provisioned based on role;

    • access is revoked promptly when someone leaves.


7. Asset, device and physical security


Physical and device security expectations are defined in the Physical & Asset Security Policy and People & HR Security Policy. Key points:

  • Laptops and other endpoints used to access Customer Data must use:

    • full-disk encryption;

    • automatic screen lock;

    • up-to-date operating system and security patches.

  • Devices are protected with strong passwords or passcodes.

  • Wi-Fi networks used for work are protected with strong encryption and credentials.

  • Any physical media or devices containing sensitive data must be handled and disposed of securely.


8. Secure development and change management


Security is integrated into software development and changes through the SDLC & Application Security Policy, including:

  • using version control for all code and infrastructure-as-code;

  • code review for changes that affect security, access control or data handling;

  • keeping dependencies and frameworks reasonably up to date;

  • avoiding hard-coded secrets in source code (using environment variables or secret management instead);

  • considering security and privacy risks when designing new features, especially those involving Customer Data or AI.

Production changes follow documented procedures in our engineering workflow (e.g. pull requests, CI/CD pipelines, approvals where needed).
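As an added illustration of the "no hard-coded secrets" practice above (this is not Capable's own tooling or code), the Python below shows both halves of the control: a startup-time loader that reads a credential from the environment or an injected secret store and fails closed if it is missing, and a lightweight check that flags assignments of credential-looking string literals in source lines, which is the kind of test a pull request or CI step could run. The sample "files" are constructed strings embedded in the block, and the names (SAMPLE_FILES, scan_sources, load_secret, the regular expressions) are assumptions for the example, not names from any Capable system.

```python
import os
import re
from typing import Iterable, List, Mapping, Optional, Tuple

# Constructed sample source files (strings, not real files) used only to
# demonstrate the check. They are not taken from any real code base.
SAMPLE_FILES = {
    "app/settings.py": (
        'DB_PASSWORD = "hunter2hunter2"\n'        # violation: literal credential
        'API_KEY = "abc123def456ghi789"\n'        # violation: literal credential
        'LOG_LEVEL = "information"\n'             # long literal, but not a secret
    ),
    "app/config_ok.py": (
        "import os\n"
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'  # read from environment: fine
        'API_KEY = os.getenv("API_KEY", "")\n'       # read from environment: fine
    ),
    "tests/fixtures.py": 'password = ""  # blank placeholder\n',  # empty: fine
}

# Variable names that usually hold credentials (case-insensitive).
_SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)

# An assignment whose right-hand side is a quoted literal of 8+ characters.
# Short or empty literals (placeholders) are deliberately ignored.
_LITERAL_ASSIGN = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["'](?P<value>[^"']{8,})["']"""
)

# Right-hand sides that pull the value from the environment or a secret
# store are the approved pattern, so those lines are skipped entirely.
_ALLOWED_SOURCE = re.compile(r"os\.environ|os\.getenv|get_secret\(|secretsmanager", re.I)

Finding = Tuple[str, int, str]  # (path, line number, variable name)


def scan_lines(path: str, lines: Iterable[str]) -> List[Finding]:
    """Return assignments of credential-looking literals found in the given lines."""
    findings: List[Finding] = []
    for lineno, line in enumerate(lines, start=1):
        if _ALLOWED_SOURCE.search(line):
            continue
        match = _LITERAL_ASSIGN.match(line)
        if match and _SECRET_NAME.search(match.group("name")):
            findings.append((path, lineno, match.group("name")))
    return findings


def scan_sources(files: Mapping[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents and collect all findings."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_lines(path, text.splitlines()))
    return findings


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent, so the service fails closed at startup."""


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read a required secret from the environment (or an injected mapping).

    A missing or blank value is an error, not a silent default: a service
    that starts with an empty credential is harder to notice than one that
    refuses to start.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if value is None or not value.strip():
        raise MissingSecret(f"required secret {name!r} is not set; refusing to start")
    return value


if __name__ == "__main__":
    for path, lineno, name in scan_sources(SAMPLE_FILES):
        print(f"{path}:{lineno}: hard-coded credential assigned to {name}")
    try:
        load_secret("DB_PASSWORD", env={})  # simulate a missing secret
    except MissingSecret as exc:
        print("startup check:", exc)
```

The regular-expression check is intentionally simple and only catches the obvious case of a literal assigned to a credential-named variable; it complements, rather than replaces, a dedicated secret scanner and the code review called for above. The loader's fail-closed behaviour is the more important half: it turns a missing secret into an immediate, visible startup failure instead of a service running with an empty credential.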


9. Logging, monitoring and incident management


We log and monitor key events in line with the Logging & Monitoring Overview, and handle incidents according to the Incident Response Plan.

In summary:

  • We collect logs for core application and infrastructure components.

  • We monitor for errors, unusual behaviour and availability issues.

  • We define and follow a structured process to:

    • detect and triage suspected incidents;

    • contain and investigate confirmed incidents;

    • recover services and, where relevant, notify affected customers.


Personal data breaches are handled in line with the Incident Response Plan and our obligations as processor under the DPA.


10. Business continuity and backups


Our approach to continuity and recovery is described in Business Continuity & Disaster Recovery (incl. Backups). Key elements:

  • regular backups of production databases holding Customer Data;

  • target RPO and RTO values for core services (e.g. 24 hours);

  • documented recovery procedures to restore service from backups;

  • at least one disaster recovery / restore test per year, with findings logged and acted upon.


11. Vendor and sub-processor security


We manage third-party vendors and sub-processors according to the Vendor & Sub-processor Security Procedure:

  • vendors that process personal data are reviewed for security and privacy controls;

  • we prefer EU/EEA data centres where reasonably possible;

  • for data processed outside the EU/EEA, we rely on appropriate safeguards (e.g. Standard Contractual Clauses) and transfer assessments where needed;

  • we maintain a Vendor & Sub-processor Register with purpose, data categories and locations;

  • customer contracts and the DPA refer to this register.


12. Data protection and privacy


Information security and privacy are tightly connected. We address privacy through:

  • Privacy Policy – describes how we act as controller and how we handle personal data in our own operations;

  • Data Processing Agreement (DPA) – governs how we act as processor for Customer Personal Data in the Service;

  • Controller vs Processor Roles – clarifies roles and responsibilities;

  • ROPA – Record of Processing Activities;

  • Data Retention & Deletion Policy;

  • Data Subject Rights Procedure;

  • DPIA & TIA Status Note.


These documents ensure that:

  • we only process personal data lawfully and for defined purposes;

  • personal data is not kept longer than necessary;

  • data subjects’ rights can be fulfilled with reasonable effort;

  • AI-related processing is assessed and documented where needed.


13. People and HR security


People-related controls are described in the People & HR Security Policy. Core practices:

  • confidentiality obligations (NDA or equivalent) for employees and contractors;

  • security-conscious onboarding and offboarding procedures;

  • basic security awareness for all team members, with refreshers at reasonable intervals;

  • clear expectations for device security, password hygiene and reporting of incidents.


14. AI governance and EU AI Act


Use of AI in the Services is covered in the AI Governance & EU AI Act Note, which outlines:

  • how AI systems are used within the product (e.g. agent behaviour, external AI providers);

  • how we assess risks and apply appropriate controls, especially if any use case would be considered “high-risk” under the EU AI Act;

  • logging, oversight and incident handling for AI-related behaviour.


15. Policy maintenance and review


This Information Security Policy is owned by the Information Security Lead (Adam Fakirni) and is:

  • reviewed at least once per year; and

  • updated when there are significant changes to our Services, infrastructure, vendors or legal/regulatory requirements.


All changes are recorded in the Policy Review Log under Compliance Registers.