Compliance SECURITY MEASURES (2022/01)
Hihaho, as a processor, applies within its organization a comprehensive Internal Protocol on Cybersecurity and Data Protection (IPC&DP), describing the specific measures intended:
- to ensure that only authorized personnel have access to personal data processed by hihaho, and only for specifically defined purposes;
- to ensure that hihaho only gives its employees and sub-processors access to personal data via registered accounts, whereby the use of these accounts is adequately logged and where the accounts concerned only give access to those personal data to which access is necessary for an adequate service;
- to protect personal data against unintentional deletion, wrongful destruction, accidental loss or change, and unauthorized and/or wrongful storage, processing, access or publication.
All hihaho employees involved in the processing of personal data have stated in writing that they have taken note of the IPC&DP and that they will act accordingly.
Internal System Security:
By design and by default, the (digital) systems used by the processor have internal system security and other functionalities that are, among other things, intended:
- to identify vulnerabilities with regard to the processing of personal data in the relevant systems used by the processor and sub-processor for the provision of services to the controller;
- to guarantee timely availability of personal data on the request of legal authorities;
- to ensure that the processing of personal data is executed logically separated from personal data processed by the processor on its own behalf or on behalf of third parties.
Further Security Measures (generic):
The further security measures are specified as follows:
With regard to the software application:
The interception of information by unauthorized persons is covered as far as possible by the following measures:
- Transport security for data traffic via SSL/TLS, and other measures against ‘Man in the Middle’ attacks.
- Careful layout of the infrastructure, with separation of servers by means of a firewall.
- Encryption of sensitive information.
With regard to the user(s)/author(s), designated by the controller:
- Only the author(s) and/or license holder(s) are permitted to access or inspect the user information they have entered themselves, and the user information automatically registered by hihaho, including the stored information about logging in and out, interactions and results.
- Access to said information is only possible for data subjects (author[s]/license holder[s]) on the basis of two-factor authentication (2FA).
- A limited number of persons who hold an administrator account under strict conditions (including a signed confidentiality agreement) on the authority of the processor can, if necessary, access the registered personal data only at the explicit written request of the author/license holder.
Additional Security Measures (specific):
The application/product (hihaho) is in accordance with the applicable Dutch laws and regulations – including the General Data Protection Regulation (AVG [GDPR]) – and demonstrably meets the requirements arising from the applicable version of NEN7510 and NEN7512. This implies:
- If the supplier supplies products, these comply with the specification of requirements in the agreement.
- If the supplier processes or edits data, then the supplier subscribes to the processing agreement concluded, including attachments.
- If the supplier has external access for maintenance/support of the application, then the supplier subscribes to the external access statement (including procedure and guideline/code of conduct) without which the supplier cannot access the network and the application.
- Information security is kept up to date on a daily basis, i.e. the supplier guarantees that the product continues to comply with changes in legislation and regulations in the field of information security and data protection.
- Authorization and identification meet the requirements of NEN7510.
- The processor offers storage and management of information in accordance with the statutory retention periods, with due observance of the statutory rights attributed to the client/customer (= hihaho license holder).
As a rule, the retention periods prescribed by the user of the hihaho application are used; in the absence of instructions, the statutory retention periods are used.
- The actual input, registration and/or storage of confidential (personal) data in or via the hihaho application is entirely the responsibility of the controller and/or authorized users designated for this purpose by the controller.
- If confidential information is placed online, the system or the service is subject to an independent pen test.
The sub-processors that are permanently engaged are the following, with – where relevant – an indication of the types/categories of data that are processed:
Error logger: Sentry
– All data that is relevant at a given moment in connection with error detection
Statistics database: MongoDB Atlas
– All data that is relevant at a given moment for registering statistics
– Entry of personal data is under the control of the controller
E-mail service: AWS SES
– Name, e-mail address, IP-address
CRM for Pre-sales, Sales and Sales Maintenance activities: Pipedrive
Customer Support activities: Intercom