Trust, Security & Compliance at IMG Play
The IMG Play Information Security Management System (ISMS) encompasses our complete security governance framework, including 8 core policies, 4 operational processes, 4 technical specifications, and 3 security appendices.
We maintain full compliance with NIS2 and GDPR while adhering to ISO 27001 and SOC 2 principles across all operations.





Your Content Stays Yours
IMG Play acts solely as a technical integrator and consultant. All customer content remains within your chosen enterprise platforms, managed by certified providers. We provide configuration, integration, and support services only — we never process your end-user data or content.
Our Security & Compliance Framework
IMG Play maintains comprehensive policies covering all aspects of information security, data protection, and operational resilience. Our framework includes dedicated policies for IT Security, Training and Awareness, Access Management, Data Ethics and AI, Business Continuity, Security Testing, Supplier Management, and Personal Data Protection.
Supporting these policies are detailed processes for Risk Management, Software Development, Incident Handling, and Vulnerability Management. Technical specifications document our IT Contingency Plan, Asset Management, Continuous Control Evaluation, and Record of Processing Activities.
Additional appendices provide in-depth coverage of Encryption and Monitoring Standards, Network Security with Zero Trust Architecture, and HR Security Procedures. This complete governance structure ensures consistent security practices across all operations while meeting the requirements of NIS2, GDPR, and ISO 27001 frameworks.
Explore how IMG Play protects your business. This trust center provides detailed information about our security controls, compliance certifications, and operational practices. Review our approach to encryption, access management, incident response, and business continuity. Download our public security documentation or request detailed policies under NDA to conduct your due diligence.
Security & Compliance Overview
IMG Play implements comprehensive security controls across all operations, validated through rigorous third-party audits and customer security assessments. Our security framework has been proven through entertainment industry validation and maintains the highest standards for protecting sensitive media assets.
Multi-Factor Authentication
Every IMG Play-controlled system requires multi-factor authentication. This mandatory security layer ensures that access to customer environments and technical infrastructure requires both credentials and device verification, eliminating password-only vulnerabilities.
Encryption Everywhere
We protect data at every stage using industry-standard encryption. All data in transit uses the latest transport security protocols, while data at rest is encrypted using AES-256. This ensures your information remains protected whether it’s moving between systems or stored on our infrastructure.
Access Control & Reviews
Role-based access control enforces the principle of least privilege across all systems. Access rights are reviewed quarterly, with immediate revocation protocols for departing personnel. Every team member has exactly the access they need — nothing more.
Zero Trust Architecture
Our network implements zero trust principles with continuous verification and network segmentation. No system or user is automatically trusted based on network location. Every access request is verified, logged, and monitored regardless of origin.
24/7 Security Monitoring
Security logging and alerting run continuously across all critical systems. Automated monitoring detects anomalies, unauthorized access attempts, and potential security incidents in real-time, enabling rapid response to any threats.
Security Testing
Quarterly vulnerability assessments using industry-standard tools identify potential weaknesses before they can be exploited. Annual third-party security audits provide independent validation of our controls, while continuous automated scanning catches newly discovered vulnerabilities.
Incident Response
Our comprehensive incident response capability includes 24/7 monitoring, documented procedures with clear escalation paths, and NIS2-compliant notification timelines. Significant incidents are reported within 24 hours, with quarterly testing ensuring our team stays prepared.
Information Security Compliance & Certifications
Security & NIS2 Directive Compliance
IMG Play maintains full compliance with EU cybersecurity requirements under the NIS2 Directive. All ten mandatory risk management measures are implemented and regularly audited. Our incident reporting procedures align with NIS2 timelines, ensuring prompt notification of any significant security events.
GDPR & Data Security Protection
Full compliance with EU data protection regulation governs how we handle personal data. Privacy by Design and Default principles are embedded in every system and process. Data Protection Impact Assessments evaluate high-risk processing activities, while clear data processing agreements define responsibilities with every customer.
We guarantee complete access removal within 30 days of termination, ensuring former employees and contractors have no residual system access.
ISO 27001 Security Alignment
Information Security Management System principles guide our security program. A risk-based approach ensures resources focus on the most critical threats, while continuous improvement processes adapt to evolving challenges. Regular management reviews maintain executive oversight and accountability.
Industry Recognition
Enterprise technology partner certifications validate our technical capabilities and security standards. Major entertainment industry clients have validated our security through their own rigorous audit processes, while our NIS2 compliance demonstrates commitment to regulatory excellence.
Privacy & Data Protection Framework
What We Process
IMG Play processes only the data necessary to deliver our services: customer contact information for business operations, technical account credentials secured with enterprise password management, support tickets and communication logs, and platform configuration metadata. This minimal data footprint reduces risk and simplifies compliance.
What We Don’t Process
IMG Play does not collect or process end-user personal data from video viewers. The enterprise video platforms we integrate may collect anonymized analytics and support cookie-less operation. Any platform data is processed by providers under customer agreements. We have no access to viewer analytics or personal information.
Your Data, Your Control
All customer content and end-user data remains within your chosen enterprise platforms, managed by certified providers. IMG Play maintains administrative access for configuration purposes only. We never access or process end-user data as part of our integration and support services.
Data Ethics & Transparency
Responsible data practices guide every decision. Transparency in our processing activities ensures customers understand exactly how we handle their information. Human oversight governs all automated systems, while regular data ethics training for senior management maintains awareness of emerging best practices. Our approach aligns with EU AI Act principles.
Data Processing Agreements
Clear agreements define responsibilities, processing purposes, and security requirements for every customer relationship. These contracts ensure mutual understanding of data protection obligations and provide a legal framework for our integrator role.
Business Continuity & Operational Security
Operational Security & Resilience
Robust business continuity capabilities ensure uninterrupted service delivery. Regular backups across critical systems combine with tested recovery procedures to minimize downtime risk. Our 24/7 availability for critical incidents means technical emergencies receive immediate attention regardless of time or day.
Disaster Recovery
Documented procedures define recovery steps for various scenarios. Recovery time objectives and recovery point objectives establish clear targets for system restoration. Redundancy and failover capabilities provide alternative processing capacity when primary systems experience issues.
Continuous Testing
Regular business continuity exercises validate our procedures and team preparedness. These tests identify gaps in documentation, verify backup integrity, and ensure team members understand their roles during incidents. Lessons learned drive continuous improvement of our resilience capabilities.
Service Continuity & Security
Geographic redundancy distributes critical functions across multiple locations. Failover capabilities enable automatic switching to backup systems. This architecture ensures a single infrastructure failure doesn’t halt service delivery to customers.
Supply Chain Security
Trusted Technology Partners
Careful selection and management of technology partners protects your data throughout the service delivery chain. Every supplier undergoes evaluation against strict security criteria before engagement. Ongoing monitoring ensures continued compliance with our requirements.
Supplier Requirements
Critical suppliers must maintain ISO 27001 or SOC 2 Type II certification. Regular security assessments validate that their controls remain effective. Data processing agreements establish clear responsibilities, while incident notification obligations ensure prompt communication of any supplier security events. Right-to-audit provisions enable independent verification when needed.
Supplier Categories
Critical suppliers provide cloud infrastructure, productivity platforms, and security tools essential to our operations. Essential suppliers deliver development platforms, backup systems, and monitoring tools that support service delivery. All suppliers undergo regular review and must maintain current security certifications.
Risk Management
Supply chain risk assessment evaluates each partner’s security posture, financial stability, and operational reliability. This analysis informs engagement decisions and monitoring intensity. Regular reviews adapt to changing risk profiles.
People & Training
Security-First Culture
Continuous investment in security awareness and training maintains high competence across the team. All employees complete comprehensive annual security certification covering current threats, security best practices, and their specific responsibilities for protecting customer data.
Specialized Training
Management receives annual IT security and governance training focused on strategic oversight and compliance obligations. Senior management completes data ethics training covering responsible data practices and emerging regulatory requirements. Developers train in secure coding practices and vulnerability prevention.
Ongoing Awareness
Quarterly security bulletins keep the team informed of emerging threats and new security measures. Simulated phishing attacks test awareness and provide immediate feedback. This continuous reinforcement ensures security remains top of mind throughout daily operations.
Onboarding
New team members complete security training within their first week. This immediate focus establishes expectations and provides essential knowledge before they access customer systems. The program covers company policies, regulatory requirements, and practical security procedures.
Team Expertise
Experienced security and technology professionals bring deep expertise to customer challenges. All personnel undergo security vetting before engagement. Clear roles and responsibilities ensure accountability for security outcomes. Our small team size enables direct communication and rapid response to customer needs.
Detailed security policies and procedures
Request Documentation
Detailed security policies and procedures are available to qualified prospects and customers under non-disclosure agreement. Comprehensive security policies, compliance documentation, audit reports, and custom security questionnaire responses demonstrate our security posture and regulatory compliance.
Available Under NDA:
Policies (8):
- IT Security Policy
- Training and Awareness Policy
- Access Management Policy
- Data Ethics & AI Policy
- Business Continuity Policy
- Security Testing Policy
- Supplier Policy
- Personal Data Policy
Processes (4):
- Risk Management Process
- Development Process
- Incident Handling Process
- Vulnerability Management Procedure
Technical Specifications (4):
- IT Contingency Plan
- Asset Register
- Continuous Control Evaluation Policy
- Record of Processing Activities (ROPA)
Appendices (3):
- Appendix A – Encryption, Logging & Monitoring
- Appendix B – Network Security & Zero Trust
- Appendix C – HR Security Policy
Contact & Support
Security Contact
Security-related questions, vulnerability reports, and incident notifications receive direct attention from executive leadership. This personal accountability ensures rapid response and appropriate escalation for security matters.
Karsten Vandrup Westh
Chief Executive Officer
karsten@imgplay.com
+45 30 65 46 04
General Inquiries
IMG Play ApS
Rahbeks Allé 21
1801 Frederiksberg, Denmark
CVR: 37000728


