GIES SaaS Services in the Cloud

Secure cloud solutions compliant with ACN requirements, designed for asset management and the monitoring of tourism flows for Public Administrations.

Software

BabylonWeb

The platform for the technical and administrative management of the organization's inventory and assets. It enables the management of concessions and leases, utility monitoring, financial reporting, and the proper fulfillment of obligations toward supervisory authorities. ACN Qualification

ROSS 1000

The platform for collecting territorial tourism flow data and managing related technical and accounting services. It includes specialist support and, where required, the outsourcing of technical, accounting, and statistical activities. ACN Qualification

What We Guarantee

  • Scalable cloud infrastructure
  • High security standards
  • Compliance with regulatory requirements and ACN provisions
  • Subscription-based model with no investment required in proprietary infrastructure

The SaaS service is delivered entirely by GIES, which retains full ownership of the software and grants its use to public entities under a licensing agreement.

Infrastructure and Data Location

ACN-qualified infrastructure, data hosted in Italy and fully managed operations: security and control are ensured throughout the entire service lifecycle.

The cloud service is delivered through Aruba S.p.A., a Cloud Service Provider qualified for the Public Administration in accordance with the ACN Cloud Regulation.

Data Hosted in Italy, in Compliance with National Regulations
The data is stored in Italy, in the “IT1” data center. It is managed in accordance with Italian and European regulations on personal data protection, in compliance with the GDPR and ISO/IEC international information security standards.

Fully Managed Operations
GIES directly handles:

  • continuous monitoring of the infrastructure and services
  • software updates
  • regular backups
  • response to critical events and incidents

Information Security and Certified Compliance

Data is accessible only to authorized users, protected against unauthorized alterations, and always available whenever needed.

This commitment is supported by a system of internationally recognized certifications:

ISO/IEC 27001:2022 – Information Security Management System, with extensions ISO/IEC 27017:2015 and ISO/IEC 27018:2019

ISO/IEC 27701:2019 – for the secure management of personal data

UNI ISO 9001:2015 – for the design and delivery of computerized services

ISO/IEC 20000-1:2018 – IT Service Management System

Security and Compliance
Operational Communication
Secure connections, controlled access, and integrated security measures to protect data.

Communications with the cloud service take place through encrypted and secure channels.
Access to the systems is restricted to authorized personnel using multi-factor authentication.
The management of cryptographic keys is contractually regulated in accordance with the Cloud Regulation.
Data transfers are carried out through protected channels, and the software includes measures to safeguard user accounts and personal data.

Backups
Encrypted Backups, Segregated Environments, Regular Checks, and Defined Retention Periods

Backups are encrypted (AES-256), transferred through secure channels, and stored in environments separate from the production infrastructure, located in the Republic of San Marino or within the European Union.
Access is restricted to authorized personnel, and regular integrity and restore tests are carried out.
Retention period: a minimum of 1 year and a maximum of 5 years, or until contract termination, unless otherwise specified.
The Customer may request evidence of these verification activities through the Technical Support Channel.

Change Management
Changes are managed in a controlled manner and communicated transparently with adequate advance notice.

Changes to the cloud service, whether planned or urgent, follow a structured process that includes risk assessment and formal approval, and applies to both infrastructure and applications.
Interventions are communicated with details regarding their nature and timing; any impacts arising from the IaaS provider are promptly notified to Customers.
The service is updated at least monthly. Significant changes are communicated with a minimum of 30 days’ notice, specifying any impacts and required actions.

Logging and Monitoring
Protected logs, guaranteed traceability, and compliance with cloud standards.

GIES manages and monitors access logs to support security and incident management. Logs are stored on separate systems, encrypted, tamper-resistant, and accessible only to authorized personnel, for a period ranging from 6 months to 1 year.
The practices adopted are aligned with the ISO/IEC 27017:2015 standard.

Incident Management
GIES has established controls and procedures to manage security incidents throughout every phase of the event, in compliance with the Privacy by Design and Privacy by Default principles (Article 25 of the GDPR), ensuring the protection of data from the ea

Operational Approach
The incident management plan combines both proactive and reactive measures: incidents are identified, analyzed, and resolved promptly, according to internal methodologies based on their level of criticality and the type of impact.

Customer Communication
In the event of incidents that may pose a high risk to the fundamental rights and freedoms of data subjects, GIES will notify the Customer as quickly as possible.
In all cases, notification will be provided within 24 hours of detection and will include:

  • a description of the incident
  • the corrective actions taken
  • the estimated time for resolution

The communication channel and notification methods are defined according to the nature of the breach. The designated contact person will be the Entity’s appointed representative, as specified in the contract.

Regulatory Compliance
The procedures are aligned with the ISO/IEC 27001:2022 standard and the GDPR.
Further details are available in the company's policies and may be requested through the Technical Support Channel.

Data Portability
GIES guarantees full data portability, ensuring that a complete copy of data, metadata, and documents can be extracted at any time in public and open formats.

In the event of migration, data can also be imported into the service using open standards, facilitating integration and the transfer of information to and from other systems.
Technical documentation for management and API integration is available upon request.

Supported Standards
The service supports the main open standards, including:

  • OpenAPI
  • JSON
  • XML
  • ODF

Support

GIES adopts a centralized support model designed to handle support requests in a unified manner and to continuously monitor service performance.

Service Levels
99.5% Monthly Availability SLA

An availability SLA is provided: the SaaS applications guarantee a monthly availability level of 99.5%.

Contacts

For reports concerning software errors, security incidents, or the management of user accounts and access to SaaS services, Support can be contacted at the following addresses:

Asset Management Support
Tourism Support
Other Useful Contacts

To report an alleged infringement of third-party intellectual property rights, please send an email to: documenti@gies.sm

Information on the Processing of Personal Data:

privacy@gies.sm Tel. +39 0549 999 497
Pursuant to Regulation (EU) 2016/679 (GDPR), GIES has appointed ICTLC S.p.A. as its Data Protection Officer (DPO), who can be contacted at the following details: Tel. +39 0284 247 194, DPO-outsourcing@ictlc.com, ictlc@pec.it

Audits and Reviews of Information Security