At Dubber, we unlock the value of every conversation, empowering Communication Service Providers with cloud-native data capture and AI-driven insights to differentiate offerings, innovate, and drive revenue growth.
Purpose
This policy defines Dubber’s commitment to protecting the Confidentiality, Integrity, and Availability (CIA) of information assets and ensuring compliance with ISO/IEC 27001, ISO 22301, PCI DSS, and all applicable legal, regulatory, and contractual requirements. Information security is integral to our business operations, customer trust, and compliance obligations.
Scope
This policy applies to:
- All Dubber employees, contractors, consultants, temporary staff, and third parties who access Dubber information systems, facilities, or data.
- All information assets (digital, physical, and cloud-based) within Dubber’s defined Information Security Management System (ISMS) scope, including systems in the PCI DSS-defined Cardholder Data Environment (CDE) and business continuity scope under the Business Continuity Management System (BCMS).
Policy Statement
Dubber will achieve and maintain robust information security by:
- Maintaining Certified Management Systems
  - Establishing, operating, monitoring, reviewing, auditing, and continually improving our Information Security Management System (ISMS) in line with ISO/IEC 27001, and integrating it with the Business Continuity Management System (BCMS) under ISO 22301.
  - Ensuring the ISMS framework supports compliance with PCI DSS and other applicable privacy and security regulations.
  - Ensuring that systems within the PCI DSS-defined CDE meet all applicable technical and operational security requirements, including:
    - Time synchronisation controls
    - Secure development and change control practices
    - Vulnerability and patch management
- Compliance Commitment
  - Ensuring that the ISMS, this policy, and associated policies address all applicable PCI DSS requirements for systems within the PCI DSS-defined Cardholder Data Environment (CDE).
  - Ensuring that required resources and clearly defined roles, including formal assignment of responsibility for information security, business continuity, resilience, and PCI DSS compliance, are allocated with the authority to enforce, maintain, and improve the ISMS.
  - Meeting all applicable business, contractual, legal, and regulatory requirements related to information security, data privacy, and resilience.
- Risk Management
  - Applying a risk-based approach to identify, evaluate, and manage current and emerging threats and vulnerabilities that apply to our Organisation and to our products and services, including those arising from environmental factors such as climate change.
  - Maintaining a documented risk assessment and treatment process.
- Business Continuity & Resilience
  - Maintaining business continuity, operational resilience, and disaster recovery capabilities in line with ISO 22301.
  - Considering relevant and applicable risks and threats, including environmental risks and the potential impacts of climate change, within our business continuity and disaster recovery planning, to ensure resilience against events that could affect our staff's health and safety or disrupt our systems, operations, or critical suppliers.
  - Testing BCMS arrangements at planned intervals and incorporating lessons learned into improvement actions.
- Information Security Objectives
  - Establishing, reviewing, and communicating measurable information security and business continuity objectives, principles, and performance measures, ensuring they are periodically assessed and aligned with Dubber's strategic goals and business requirements.
- Continuous Improvement
  - Committing to continual improvement of our ISMS by seeking and incorporating feedback from clients, staff, incidents, and internal/external audits to enhance our trust, security, and resilience posture.
  - Implementing corrective and preventive actions promptly and effectively.
- Training and Awareness
  - Providing mandatory information security and data protection training to all personnel, kept up to date in line with emerging threats, vulnerabilities, and compliance requirements.
  - Delivering role-specific training to individuals with elevated or specialised responsibilities.
- Incident Response
  - Maintaining and testing incident response and breach notification procedures to meet applicable contractual and regulatory timelines.
  - Defining roles for incident escalation, communication with regulators, and customer notification.
- Third-Party and Supply Chain Security
  - Extending security requirements to suppliers, partners, and service providers who process Dubber data or access our systems.
  - Managing third-party risk through contractual controls, onboarding due diligence, and periodic reviews.
- Communication and Accessibility
  - Ensuring that the ISMS, this policy, associated policies, handling procedures, and documentation are communicated within the Organisation and are accessible to all relevant parties.
  - Making this policy available to interested parties upon request.