# FAQ on risk management

This page lists frequently asked questions on risk management.

TIP

This section thrives on questions. Contact us with your burning topics so we can grow the page together.

# Dialogues

# Do you participate in risk assessment meetings?

Yes. We prioritize risk assessment meetings with data controllers to assist with information and clarifications. For DPIAs and RARs in data spaces and labs, we will be able to respond more quickly if we can comment on written drafts.

# Can we propose security or privacy improvements?

Yes! As science develops, so does our need to evolve environments that give your scientists the "freedom to explore". We truly appreciate all suggestions on how to improve our security and/or privacy controls. Such dialogues may focus either on the "freedom" side of things (proposing relaxation of measures) or on the "control" side of things (proposing restriction of features). Please contact us with your suggestions.

# Documentation

# Do you have additional security documentation?

Yes. We hold an extensive collection of security documentation that is not available on these pages. It is available to data controllers on request under some conditions. Contact us if you need additional information for your assessments.

# Audits

# Do you allow audits?

Yes. We encourage data controllers to audit our systems to ensure that they are implemented and operated as we state in our policies. Our Compliance coordinator will coordinate the audit with your auditor team, and we will invite relevant team members for interviews in accordance with your audit scope. We are happy to arrange both physical and digital audits. Contact us for arrangements.

# Do you allow third-party audits?

Yes. Data controllers may hire external companies to conduct audits of our systems and services on their behalf.

# Do you allow technical security tests?

Yes. However, please note that you will need written approval for such testing before you start. Contact us for arrangements and agreements.

# Can we view your third-party audit results?

Yes. Data controllers may contact us for copies of our yearly third-party certification reports.

# Can we view your internal audit results?

Yes. Data controllers may contact us for status and results from our internal audit program.

# Can we join an internal audit session?

Yes. Representatives from our data controllers may join one or more of our internal audits for educational purposes. We provide this service to elevate and strengthen the audit expertise in your team. These sessions differ from an audit that you conduct in that they will be headed by our compliance officer and the audit program will be defined by us. You can choose whether you would like to observe or join the auditor team alongside our compliance officer. At your request, we may arrange a pre-audit session where we discuss ISO standards, compliance criteria, common audit techniques, reporting and internal follow-ups. Contact us for arrangements.

# Assessments

# Do you have standardized text that we can use?

No. You will need to make your own assessment of the risks that you find relevant in your specific scientific context. That said, we are happy to share and discuss potential scenarios, threats and assessments.

# Can we review your internal risk assessments?

Yes. We share our internal Risk Assessment Report (RAR) with data controllers on request. This is a summary of our current risk evaluation of organizational environments, technical environments and services environments. Data controllers are also welcome to see our full risk management assessments under some conditions. Contact us for such arrangements.