Our answers to 11 security questions as set out by the Danish government’s Agency on Digitization:

Where is the company’s data physically located?

Microsoft Azure in Amsterdam, Holland. We and Microsoft guarantee that the data will not be moved to servers located outside of EU.
How and where is the backup made?
We continuously do automatic backups of our database. A full backup is done weekly, another backup is done twice daily, and we do a backup of the transaction log every 5 minutes.
An automatic security copy of all users’ data is done to guard against system errors. This copy is deleted together with the primary data if the customer relationship ends.
All backup data is encrypted with AES 256-bit encryption.
What is the process for updates and changes to IT systems and programs?
We update the system continuously as new features are added. We always try to update when user activity is at its lowest, so our customers experience the least possible downtime.
How do you control user access and privileges for the IT systems?
There is, as a rule, no access to the production systems. However, for technical reasons or for troubleshooting, access may occur if the administrator gives access to the technical manager. All traffic and changes that may occur during this period will be logged.
When an end-user has purchased access to the system, the user gets a unique login that can only be used by that user. This data is saved so we are able to reset the user’s login ID and password. Only our IT support team can access to this data and they will only access it at the request of the user.
How do you ensure the security of data networks? (For example, by logging networks, networking or firewall segmentation.)
Our network is segmented and protected by a firewall. All machines in the same segment only have access to each other through defined ports.
Do you have an IT emergency plan? (For example, it should be stated that the supplier notifies the company of security incidents.)
In the event of a security breach and/or a third party’s unauthorized access to our data we have the following in place:
  1. Data Breach Procedures
  2. Data Breach Notification Procedures
  3. Data Breach Log
Firstly, all identified security breaches or unauthorized access to data are communicated to our data protection officer. He will make an initial assessment based on the severity of the breach and the data involved, to define which measures should be taken. He will make the assessment based on the likelihood of the breach resulting in a risk for the persons involved. Here are some examples:
  1. If you lose your work computer but it is password protected, it is probably unlikely to pose a big risk. However, this depends of what kind of data you have how much, where you lost it etc.
  2. If your organization is hacked and all your data is stolen, there is no doubt you must inform the competent supervisory authority as well as the people involved.
  3.  If you have a break-in at the office and your hard-drives with sensitive data are stolen, there is no doubt you must inform the competent supervisory authority unless everything is thoroughly encrypted and doesn’t pose a risk for the involved.
All breaches will be logged, no matter the severity, but it is up to the data protection officer to assess which measures should be taken after a breach has been identified.
Do you regularly test the IT security within the company?
Our servers are protected by Microsoft Azure’s Integrated Security Solutions and other anti-fraud and-malware services.
To help ensure our solution detects the latest threats, we have enabled automatic updates.
How do you handle personal data and how do you ensure the confidentiality of the personal data you process for us?
At Safe Online, we are dedicated to protecting all the personal data of our employees as well as our customers, business partners; and anyone else whose data we may be storing or processing.
We have in place policies and procedures on both internal processing of personal data for each specific area such as customer data, job applications, marketing tools, etc. along with an overall data protection policy that outlines how we are handling personal data in a secure and orderly manner.

Security details:

User controls access

The user chooses which files DataMapper can access and retains full control to manage data access over time. 

Users are authenticated
The verified creator of an account is given admin status and is the only one who can invite users to that team and the only one who can view a complete dashboard of all results. Users are identified by an administrator’s invite and a dedicated sign-up flow ensuring each user is verified.  
Password and access tokens 
Password and access tokens are signed with a shared secret signature key and the password is hashed with sha256_cryp.t. Every access to your data is securely logged.
Network and Access
All communication between your computer and our servers is encrypted using 2048-bit RSA encryption. To prevent man-in-the-middle attacks, all our servers are certified with X.509 certificates provided by WebTrust certified certificate authorities. Finally, all your data is hosted on trusted third-party services (e.g., Azure) that use state-of-the-art access control and operate server facilities that are physically guarded.
Data encrypted in transit  
HTTPS in transit, TLS 1.0, Shared access signature 

Data encrypted at rest

Azure private blob storage encrypted at rest with Azure managed AES 256 bit keys 

Still need help? Contact Us Contact Us