Your data is in good hands
Have you ever asked yourself whether you can truly trust another entity with your company's data? With the new focus on protecting individuals' rights and privacy with regard to personal data, a lot of confusion, misinformation and uncertainty has arisen about whether a data processor actually protects your data, and whether a data processor can be trusted at all.
So how do you make sure that your data is protected? On what basis can you trust a company with your data or the data of your clients? How can you be sure that your data processor is qualified to ensure data protection?
ISAE 3000 certification
We at live/BACKEND are constantly improving our data protection, both in securing the data that is shared with us and in complying with the laws and regulations on data protection. Until now, we simply had nothing independent to show for those efforts.
Therefore, we have worked hard over the last eight months to obtain an ISAE 3000 assurance report (commonly referred to as an ISAE 3000 certification, and comparable to a SOC 2 report). An independent third party, a state-authorised public accountant, has audited our security measures, our compliance and more, and has issued an opinion on them (for a full list of the areas covered, please contact gdpr@onlinecity.dk).
The report states that we have implemented the described security controls and that those controls operate effectively. The report can also support you in the regular supervision, which you as data controller are obliged to carry out, of our compliance with your instructions and with the data processing agreement we have entered into with you.
Our security measures
The list of security measures is long, as are the report and the documents that form its basis. Although we cannot cover everything in this blog post, we would still like to give you an overview of our security measures.
We have set up the following security measures:
Technical security measures:
- Data Centres in EU (Tier 4)
- Password-protected login
- Antivirus and Firewall protection
- Strong encryption of data in transit and at rest
- Backup measures
- Automated anonymisation of personal data (SMS content and receiving phone number) after 30 days
- Hashing and salting of sensitive data
- High quality software and hardware
Organisational measures:
- Obtaining guarantees for data protection from new suppliers and sub-processors before they are engaged
- Ensuring that data processing by suppliers outside the EU/EEA is covered by a valid transfer mechanism, at the time of writing the EU-US Privacy Shield Framework (note that the Privacy Shield was invalidated by the CJEU in July 2020 in the Schrems II judgment, after which such transfers must rest on standard contractual clauses or a successor framework)
- Contractually binding obligations agreed with our suppliers, sub-processors and other affiliates via data processing agreements, standard contractual clauses, confidentiality agreements etc.
- Regular checks of our suppliers' level of IT security and of their compliance with data processing standards, including review of their ISAE 3000/SOC 2 reports where available
- Segregation of duties and role-based authorisation: access to personal data is granted only to employees whose function requires it, and only for work-specific purposes
- Secure storage of data storage media
- Physical and logical security of the systems and buildings used for data processing
- Awareness training of employees
- Regularly updated guidelines, processes and policies provided to employees, which ensure compliance with relevant law and the effectiveness of our security measures
- Confidentiality agreements entered into with all employees
- Personally identifiable information is processed solely on behalf of the data controller and on the controller's direct instructions; it is never used for marketing or other commercial purposes, nor sold to any third party
- Risk assessments that help us understand the risks we face, so that we can put security measures in place to reduce the level of risk
Other measures:
- A compliance specialist in charge of GDPR-matters, ISAE 3000, etc.
- An IT security council in charge of maintaining and evolving our IT security measures and of handling personal data breaches and IT security incidents
The list above reflects our current security measures. We will continue to review and improve them to ensure that your company's data is safe.
Update of personal data policy and cookie policy
We have also updated our Personal Data Policy (also known as a Privacy Policy or Data Protection Policy), which we invite you to read. The changes include explanations of the legal basis for the processing of personal data through the website (for example newsletters, tip-a-friend, etc.) and an updated list of your rights as an individual, for example the right to access the personal data we have collected, to have it deleted, or to have the information we hold about you corrected.
We have also updated the cookie policy, which now includes a better overview of cookies, how we use cookies and a brand new cookie banner.