DORA and PRoMMiSe
We would like to inform you of Hypoport’s developments concerning the Digital Operational Resilience Act (DORA), which has been in effect since the start of 2023. DORA represents a crucial augmentation to the existing frameworks of the Network and Information Systems Directive (NIS2) and the General Data Protection Regulation (GDPR), aiming to enhance the resilience of financial institutions against escalating threats posed by both external adversaries and internal vulnerabilities.
Both the Dutch Authority for the Financial Markets (AFM) and the Dutch Central Bank (DNB) have been appointed to oversee compliance with the stipulations of DORA by the end of 2024. Given that our Dutch clientele operates under the supervision of either the DNB or the AFM, there is a consequential impact on the services provided by Hypoport, particularly concerning our PRoMMiSe software. This necessitates a proactive alignment with the regulatory mandates of DORA.
To kick off on a positive note: the necessary groundwork was already laid some years ago, notably through our ISAE 3402 type II certification. This certification, alongside our approach encompassing business continuity management, data & privacy governance and employee training & awareness programs, positions us favourably within the landscape DORA seeks to address. Additionally, our proven track record with the implementation of regulatory mandates such as GDPR has enabled us, in collaboration with our clients, to establish a reliable and regulated operating environment.
Nonetheless, an effort has been made towards the formalization and documentation of certain processes within an ICT Risk Management Framework. This framework, which demands periodic evaluation and refinement, is instrumental in our ongoing efforts to comply with regulatory standards and we are committed to improving and formalizing it.
So far, our control framework has been enhanced with several significant new features, including:
- The introduction of daily vulnerability scans within our source code to proactively identify and address potential security issues.
- A robust logging system that meticulously tracks user activity and the actions of administrators, ensuring a high level of oversight and auditability.
- The deployment of an emergency ‘panic button’ feature designed to quickly contain malware outbreaks or any other unauthorized usage, thereby bolstering our defensive capabilities.
We remain committed to continuous improvement and will persist in expanding and refining our control framework to meet evolving security challenges and regulatory requirements. Through LinkedIn and through personal contact with our clients, we will keep you updated on and involved in our progress. Please do reach out if any questions arise.
The Hypoport security team
ISAE 3402 Type II
International Standard on Assurance Engagements (ISAE) 3402 ‘Assurance Reports on Controls at a Service Organization’ deals with assurance engagements undertaken by a professional auditor in practice to provide a report that is likely to be relevant to user entities’ internal control as it relates to financial reporting. Both the management of the service organization and an independent auditor make an assertion about the degree of control. The controls detailed in the ISAE 3402 Type II framework aim to ensure that Hypoport operates according to its own defined business processes and guidelines when it comes to developing, testing, releasing, maintaining and hosting software solutions for its customers. The processes in scope are:
- Access Management process.
- Change Management process.
- Continuity Management process.
- Incident Management process.
- Vendor Management process.
- Security Management process.
- Hosting management process.
Subservice organisations: ISO 27001:2017 / SOC 1 Type II
Most relevant subservice organizations for Hypoport are:
- Quaere: acts as the ICT partner for maintenance of the ICT environment (PCs, servers, back-up facilities);
- Microsoft Azure: acts as cloud provider for Hypoport’s ‘PRoMMiSe As A Service’ solution and the LoanByLoan platform. The ‘PRoMMiSe As A Service’ solution can be facilitated for customers directly and/or used for the BPO activities.
We have service level agreements in place with these companies, detailing the level of service we agreed on, as well as the timeframe(s) in which we expect those services to be delivered, should we require them. These SLAs serve as our controls when dealing with these subservice companies. Specifically for Microsoft Azure, we rely on the SOC 1 Type II report and follow up if needed. Quaere is certified ISO 27001:2017 for information security related to supplying and maintaining workplaces, servers and networks, and to delivering cloud services, server hosting, website hosting, internet connections, VoIP and customer support through its service desk.
Hypoport Group Code of Conduct
The Management Board of Hypoport SE is committed to maintaining high standards of lawful and ethical behaviour within the holding company and in all other Hypoport Group companies (collectively: ‘Hypoport’). This Code of Conduct (‘CoC’) sets out Hypoport’s expectations in this regard and is intended to inform the way we behave towards one another and towards our customers, business partners and other third parties. The Code of Conduct brings together in one document the most important basic rules and principles that are binding upon us, both now and in the future. It provides guidance and applies equally to every single member of the Hypoport family – to Management Board members and directors, to senior managers and to every individual employee. It sets out the standards we expect from ourselves, and at the same time enshrines our promise to those outside the Company that we will act responsibly towards business partners and the general public, and also in our dealings with one another within the Company. We share responsibility for our Company’s reputation. The misconduct of any individual person can cause immense harm to all of us. However, it is clear that it is not possible to regulate behaviour through guidelines alone. If you are uncertain in any given situation, think about what you are intending to do and ask yourself the following questions:
- Legality test: Am I sure that I am acting within the law and in compliance with the Company’s rules?
- Publicity test: Could I stand by my decision if it were to become public?
- Reversibility test: Would I still think this was a good decision even if I were the one adversely affected by it?
You are acting in accordance with our rules and principles only if you can answer ‘yes’ to all these questions.
Compliance with the law
We regard compliance with the law as the most important basic principle for ethical behaviour in business. We expect every Hypoport employee – without exception – to obey the law. You are responsible for making sure you know what this entails. Infringements of legal provisions can cause severe reputational damage and may result in fines, compensation claims and/or prosecution for administrative or criminal offences, which in turn can cause serious harm to Hypoport or to you personally. We will not tolerate any violation of the law and will take action whenever this occurs. The following areas are particularly important, although the list is not exhaustive.
Data protection: The protection of personal data, particularly that of employees, customers and suppliers, is particularly important to Hypoport. We process personal data only where this is absolutely necessary to fulfil a particular task, or where we are required to do so by law. No personal data may be processed unless the data subject has given their consent or there is another legal basis for doing so. Every member of the Hypoport family shares responsibility for ensuring that our stringent data protection standards are respected – without exception. We have established a Privacy Policy and an IT User Policy and embedded them within the Company in order to ensure adherence to our standards.
Prevention of insider trading: Hypoport is a publicly listed company, and as such is subject to the rules of the capital markets. We provide ongoing information and training for all Hypoport employees who are involved in activities that may give them access to inside information. Essentially, if you are in possession of information that is not generally available and which would, if generally available, be likely to have a significant effect on the price of Hypoport shares, you are not allowed to trade in shares or other financial instruments of Hypoport AG. Nor are you allowed to pass on such inside information. Please see our Insider Compliance Policy for further details.
Prevention of money laundering and terrorist financing: Hypoport complies with its statutory obligations regarding the prevention of money laundering and terrorist financing and does not participate in such activities under any circumstances. If in doubt, every Hypoport employee is required to report unusual financial transactions that could give rise to a suspicion of money laundering or the financing of terrorism, particularly those involving cash, so that they can be investigated by the competent finance or legal team.
Our business relationships
Fair competition: We are committed to the principles of fair competition and the free market economy. We do business solely on the basis of merit and in accordance with the principle of free, unhindered competition. We only work with suppliers and service providers after carrying out thorough and fair performance assessments. Please see our Procurement Policy for further information.
Combating corruption: Hypoport does not tolerate any form of corruption or other criminal activity such as extortion, fraud or the giving or acceptance of bribes. We expect you to act in accordance with the law and our policies and guidelines to prevent even the appearance of corrupt behaviour. Please see our Benefits & Gifts Policy for further information.
Avoiding conflicts of interest: We expect every Hypoport employee to act in the best interests of Hypoport. Any personal conflicts of interest or conflicts of interest with other business activities or with other activities, including those of family members or other related parties or organisations, must be completely avoided. If they nonetheless occur, they must be resolved in accordance with the law and the applicable Hypoport policies and guidelines. This requires you to be fully open about any potential conflict.
Behaviour towards colleagues
We have drawn up the Hypoport Principles, a comprehensive set of guidelines governing the way we work together at Hypoport. We also foster a culture of equal opportunity, reciprocal trust and mutual respect. We promote equal opportunities and do not tolerate discrimination in recruitment or when promoting employees or offering further professional training. We treat all employees equally, regardless of gender, age, skin colour, culture, ethnic origin, sexual identity, disability, religious affiliation, or world view.
Implementation of the compliance principles
Every individual member of the Hypoport family is responsible for ensuring compliance. If there is any breach of the law, of Hypoport policies and guidelines, or of this CoC, we will take the organisational, disciplinary and legal measures necessary to prevent any future infringements, regardless of the hierarchical level or position of the person responsible. Our internal auditors carry out regular assessments and we have implemented a compliance management system to ensure that the law, Hypoport policies and guidelines and this CoC are properly adhered to. Every individual Hypoport employee – and also every person outside the organisation – is urged to report any violation of a legal provision, a Hypoport policy or guideline, or this CoC.
Violations can be reported anonymously through the following channels:
- Telephone: +49 30 420 86 1920
- In writing: Hypoport SE / Compliance / – Confidential – / Heidestrasse 8 / 10557 Berlin / Germany
- By email: compliance@hypoport.de
If you have any questions about compliance at Hypoport, you can email them to compliance@hypoport.de.
Here you can find the latest Constitution of Hypoport SE (German only).
Hypoport SE Non-Financial report / ESG reports
For information about the treatment of employees, environmental matters, combatting corruption, social responsibility and human rights, please refer to the Hypoport Non-Financial Report 2020:
Hypoport-SE-CSR-Bericht-2020-ENG
Hypoport supplies consultancy and proven software for the structured finance market. At Hypoport, we believe we need to be invested in a more sustainable society. As such, we make an effort to advance structured finance technology and consumer mortgage products while limiting our company’s and our clients’ carbon footprints.
Since residential properties are a substantial part of consumer energy usage and make up about 26 percent of all energy usage in the European Union, we looked into the ways Hypoport could help in decreasing energy usage for households. By being part of the market-led Energy Efficient Mortgages Initiative (2018-2020), we used our market and product knowledge to co-create a credible, workable and pan-European energy efficient mortgage product. The EEDAPP working group reported its findings to the European Commission.
Also, in 2021, Hypoport co-created the Energy Efficient Mortgage Hub – Netherlands, a knowledge hub where we aim to align European and national interests, regulation and reporting initiatives. This hub consists of representatives from throughout the mortgage chain: banks, insurers, data and IT, legal forms, investors and (semi-)government organisations. Its goal is to accelerate and advance the adaptation of energy efficient housing and financing options in the Netherlands.
CONTACT
Please contact us directly for product demonstrations and to discuss ways to improve your operations.