SECURITY OVERVIEW
At Inderes, we understand that as a Nordic investor media company connecting investors with listed companies, we handle some of the most sensitive financial data in the market. Our comprehensive security framework is built on the foundation of Independence, Passion, Quality, and Longevity—ensuring that every security measure we implement supports these core values while protecting your data and maintaining the trust placed in us by our stakeholders.
INTEGRITY BY DESIGN
Security and data protection are woven into the fabric of everything we do at Inderes. Our commitment goes beyond compliance—we've architected our systems with privacy and security as core principles from the ground up. When you work with us, you can be confident that your sensitive financial information remains confidential, accessible only to authorized personnel, and protected by enterprise-grade security measures that meet the most demanding regulatory requirements.
OUR SECURITY COMMITMENTS
ISMS
We have implemented a comprehensive Information Security Management System (ISMS) based on ISO/IEC 27001 international standards. Our systematic approach covers all business functions, information assets, personnel, and IT systems supporting our operations across the Nordics, as well as remote and cloud-based environments.
GDPR COMPLIANT
As a European company, we fully comply with the General Data Protection Regulation (GDPR), ensuring your data is processed lawfully, transparently, and securely. We maintain strict data minimization practices, provide clear consent mechanisms, and guarantee your rights to access, rectify, and delete your information. Our GDPR compliance extends beyond mere legal requirements—it reflects our respect for your privacy and data sovereignty.
YOU RETAIN CONTROL
Your data belongs to you, period. We maintain clear data ownership boundaries and provide you with full visibility and control over how your information is used, stored, and shared. You can export your data at any time, modify access permissions, and request deletion in accordance with our data retention policies. We never use your proprietary data to benefit competitors or for purposes beyond our agreed service delivery.
GET TO KNOW OUR PRACTICES
Infrastructure Security
- *Multi-Region Deployment*: Our infrastructure spans multiple availability zones
- *Network Segmentation*: Virtual private clouds with segregated networks based on trust levels and organizational boundaries. Firewalls are also enabled.
- *Defense in Depth*: Multiple layers of security controls ensuring that a single point of failure doesn't compromise the network
Data Protection
- Encryption at Rest: AES-256 encryption for all data stored in cloud environments.
- Encryption in Transit: TLS 1.2+ for all data transmission over public networks.
- Key Management: Secure cryptographic key lifecycle management with vendor-provided services where appropriate.
- Backup Security: Encrypted backups with 1-year retention for availability requirements.
Access Controls
- Principle of Least Privilege: Users receive only the minimum access required for their role.
- Multi-Factor Authentication: Enforced for critical systems and privileged accounts.
- Single Sign-On (SSO): Streamlined access management where security requirements permit.
- Regular Access Reviews: Systematic review of user permissions to identify unnecessary access.
- Session Monitoring: Privileged activities logged and monitored for security analysis.
- Secure Offboarding: Immediate access suspension upon employee departure.
Application Security
Secure Development
- Security by Design: Security considerations integrated into development phases.
- Peer Code Review: All code changes reviewed before deployment.
- Runtime Analysis: Automated security testing implemented in the production environment.
- Vulnerability Management: Regular monitoring and patching of identified severe vulnerabilities.
Data Security & Privacy
GDPR Compliance
- Data Protection Officer: Dedicated role ensuring compliance with EU data protection regulations.
- Lawful Basis: Clear legal foundations for all personal data processing activities.
- Data Subject Rights: Comprehensive processes for handling access, rectification, and deletion requests.
- Privacy by Design: Privacy considerations built into data processing systems.
Information Classification
- Handling Procedures: Specific protection measures based on data sensitivity levels.
- Retention Policies: Clear guidelines for data retention periods and secure disposal.
Insider Information Management
Given our work with publicly listed companies, we maintain rigorous controls for handling insider information in full compliance with applicable laws and regulations, with designated personnel responsible for insider issues.
Incident Response & Business Continuity
- Disaster Response Team: Designated team with clear roles and escalation procedures.
- Impact Assessment: Systematic evaluation of incidents with High/Medium/Low prioritization.
- Containment Procedures: Immediate steps to limit incident impact and prevent spread.
- Recovery Planning: Comprehensive procedures for system restoration and business continuity.
Communication & Transparency
- Crisis Communication Plan: Formal procedures for internal and external incident communication.
- Regulatory Notification: Compliance with GDPR 72-hour breach notification requirements.
- Post-Incident Review: Systematic analysis and improvement planning after each incident.
Business Continuity
- Disaster Recovery: Documented procedures for maintaining operations during disruptions.
- Backup Systems: Redundant systems and data backups to ensure service availability.
Distributed Security Leadership
Our governance structure reflects our collaborative culture with distributed leadership across the organization:
- Management Team: Strategic oversight of information security aligned with company mission.
- IT Coordination Group: Tactical decisions and major security activities led by the CFO.
- Technology Team: Handles security monitoring and implementation inside the teams.
Regular Audits & Reviews
- Internal Audits: Regular internal security audits conducted by trained personnel.
- Continuous Monitoring: Ongoing assessment of security controls effectiveness.
- External Validation: Plans for independent security assessments and certifications.
Vendor & Third-Party Security
Supply Chain Security
- Vendor Assessment: Formal security evaluation process for all third-party providers.
- Contractual Requirements: Security obligations built into all vendor agreements.
- Regular Reviews: Critical vendors are reviewed annually.
Physical Security
Office Security
- Secure Facilities: Physical security controls at our Helsinki and Stockholm offices.
- Access Controls: Restricted access to sensitive areas and equipment.
- Equipment Protection: Secure storage for network equipment and servers.
- Environmental Controls: Appropriate environmental conditions for data storage.
Training & Awareness
Security Culture
- Security Awareness: Regular training tailored to individual roles and responsibilities.
- Incident Recognition: Training on identifying and reporting security incidents.
- Policy Education: Comprehensive education on security policies and procedures.
