GDPR – live/BACKEND is ISAE 3000 certified

We understand that it is of utmost importance how your company’s data is handled. To give you insight into how we make sure that everything is up to code and beyond, our in-house GDPR-expert, Dennis Grade, has written a detailed account of how we handle your data.

Your data is in good hands

Have you ever asked yourself whether you can truly trust another entity with your company’s data? With a new focus on protecting individuals’ rights and privacy (in regard to personal data), a lot of confusion, misinformation, and uncertainty about whether a data processor is actually protecting your data or not – and whether a data processor can be trusted – has arisen.

So how do you make sure that your data is protected? On what basis can you trust a company with your data or the data of your clients? How can you be sure that your data processor is qualified to ensure data protection?

ISAE 3000 certification

We at live/BACKEND are constantly improving our data protection – both in regard to securing the data that is shared with us, as well as complying with the laws and regulations on data protection. We just didn’t have anything to show our efforts by.

Therefore, we have worked tirelessly the last 8 months to achieve an ISAE 3000 certification (comparable to an SOC 2 report). An independent third party – a state-certified company auditor – has controlled and certified our security measures, our compliance and more (for a full list of certified areas, please contact gdpr@onlinecity.dk).

The report clarifies that we have implemented security measures and that those measures work efficiently. The report can also help you when it comes to performing the regular supervision of our compliance with your instructions and the data processing agreement that we have entered into with you.

Our security measures

The list of security measures is long, as is the report and the documents that make up the basis for this report. Although we cannot explain everything in this blog post, we would still like to give you an overview of our security measures.

We have set up the following security measures

Technical security measures:

Data Centres in EU (Tier 4)
Password-protected login
Antivirus and Firewall protection
Strong encryption at transmission and rest
Backup measures
Automated anonymisation of personal data (SMS content and receiving phone number) after 30 days
Hashing and salting of sensitive data
High quality software and hardware

Organisational measures:

Securing guarantees for data protection with new suppliers and sub-processors
Securing that data processing by suppliers outside of the EU/EEA is covered by the EU-US Privacy Shield Framework
Contractually binding obligations are agreed with our suppliers, sub-processors, and other affiliates via data processing agreements, standard contractual clauses, confidentiality agreements etc.
Regular checkups of our suppliers level of IT-security and compliance with data processing standards and/or ISAE 3000/SOC 2 Reports
Separation of functions in authorisation level of employees, meaning that we only give access to personal data to employees with relevant functions for work-specific purposes
Secure storage of data storage media
Systems and buildings related to data processing are secured and safe
Awareness training of employees
Regularly updated guidelines, processes, and policies that are provided to employees, which ensure compliance with relevant law and effectiveness of our security measures.
Confidentiality agreements are entered into with all employees
Personally identifiable information is used, solely on behalf of the data controller and on their direct instructions, and is never used for marketing purposes or commercial use, neither sold to any third party
Risk assessments to help us better understand the risks we potentially face, in order to set up security measures to decrease the level of risk

Other measures:

A compliance specialist in charge of GDPR-matters, ISAE 3000, etc.
An IT-security council in charge of maintaining and evolving the IT-security measures and potential breaches of personal data security and IT-security incidents

The list above is our current security measures. We will continue to review and improve them to ensure your Company’s data is safe.

Update of personal data policy and cookie policy

We have also updated our Privacy Policy (also known as Privacy Policy or Data Protection Policy), which we invite you to read. The changes include explanations of the legality of the processing of personal data through the website (for example newsletters, tip-a-friend, etc) and an updated list of your rights as an individual – for example the right to gain access to collected personal data, to be deleted or to correct the information we have on you.

We have also updated the cookie policy, which now includes a better overview of cookies, how we use cookies and a brand new cookie banner.