Last updated: Oct 6, 2025
1. Purpose
The purpose of this policy is to describe how Fusebox OÜ protects the information entrusted to us. It sets out our commitment to keeping data secure and managing information security risks in a systematic way.
Fusebox operates an Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2022 standard. Our ISMS supports our business objectives, legal obligations, and the trust of our customers, partners, and employees.
2. Scope
This policy applies to all information processed or stored by Fusebox, including:
- data related to our Virtual Power Plant (VPP) and Energy Management System (EMS) platforms;
- personal data of clients, partners, and employees; and
- internal business information and systems used to manage and deliver our services.
It covers Fusebox employees, contractors, and third-party partners, regardless of their location or working arrangement.
3. Information Security Objectives
Fusebox’s information security objectives are to:
- protect the Confidentiality, Integrity, and Availability of information;
- prevent unauthorized access, alteration, or loss of data;
- maintain reliable and resilient systems that support continuous service availability; and
- ensure all employees are aware of and competent in information security responsibilities.
These objectives are reviewed regularly as part of our ISMS performance monitoring.
4. Key Security Principles
Our information security practices are built around three core principles:
- Confidentiality – information is only accessible to authorized individuals.
- Integrity – information remains accurate and complete, protected from unauthorized modification.
- Availability – information and systems are accessible when needed to support business operations.
5. Responsibilities
Information security is a shared responsibility across Fusebox.
- Management provides leadership, resources, and oversight of the ISMS.
- All employees and contractors are required to handle information securely, complete training, and report potential incidents promptly.
- Suppliers and partners must comply with Fusebox’s contractual information-security requirements.
6. Risk Management
Fusebox applies a risk-based approach to identify, assess, and manage information security risks.
Risks are reviewed regularly, and controls are updated in line with evolving threats, business priorities, and legal requirements.
7. Security Controls
We maintain a comprehensive set of security measures, defined and managed through internal policies and procedures. These cover areas such as:
- access control and user management,
- data protection and privacy,
- incident response and business continuity, and
- secure software development and supplier management.
Each topic is governed by dedicated internal policies reviewed at least annually.
8. Awareness and Training
All employees receive information security training at the start of their employment and participate in regular refresher sessions.
We continuously raise awareness about current risks, secure practices, and lessons learned from incidents and audits.
9. Compliance and Standards
Fusebox complies with:
- the ISO/IEC 27001:2022 international standard;
- the General Data Protection Regulation (GDPR) and other applicable privacy laws; and
- relevant contractual and regulatory requirements from clients and partners.
10. Continual Improvement
Fusebox continually improves its information security management system through regular audits, performance reviews, and corrective actions.
Our goal is to ensure that our security practices evolve with technology, business needs, and regulatory expectations.
11. Commitment
Fusebox is fully committed to protecting information assets and maintaining the trust of our clients and stakeholders. Questions about this policy or Fusebox’s ISMS can be directed to privacy@fusebox.energy.