Security questions answered
Our answers to 11 security questions as set out by the Danish government’s Agency on Digitization:
Where is the company’s data physically located?
Microsoft Azure in Amsterdam, Holland. We and Microsoft guarantee that the data will not be moved to servers located outside of the EU.
How and where is the backup made?
We continuously do automatic backups of our database. A full backup is done weekly, another backup is done twice daily, and we do a backup of the transaction log every 5 minutes.
An automatic security copy of all users’ data is done to guard against system errors. This copy is deleted together with the primary data if the customer relationship ends.
All backup data is encrypted with AES 256-bit encryption.
What is the process for updates and changes to IT systems and programs?
We update the system continuously as new features are added. We always try to update when user activity is at its lowest, so our customers experience the least possible downtime.
How do you control user access and privileges for the IT systems?
There is, as a rule, no access to the production systems. However, for technical reasons or for troubleshooting, access may occur if the administrator gives access to the technical manager. All traffic and changes that may occur during this period will be logged.
When an end-user has purchased access to the system, the user gets a unique login that can only be used by that user. This data is saved so we are able to reset the user’s login ID and password. Only our IT support team can access this data, and they will only access it at the request of the user.
How do you ensure the security of data networks? (For example, by logging networks, networking or firewall segmentation.)
Our network is segmented and protected by a firewall. Machines in the same segment can only access each other through defined ports.
Do you have an IT emergency plan? (For example, it should be stated that the supplier notifies the company of security incidents.)
In the event of a security breach and/or a third party’s unauthorized access to our data we have the following in place:
- Data Breach Procedures
- Data Breach Notification Procedures
- Data Breach Log
Firstly, all identified security breaches or unauthorized access to data are communicated to our data protection officer. He will make an initial assessment based on the severity of the breach and the data involved, to define which measures should be taken. He will make the assessment based on the likelihood of the breach resulting in a risk for the persons involved. Here are some examples:
- If you lose your work computer but it is password protected, it is probably unlikely to pose a big risk. However, this depends on what kind of data you have, how much, where you lost it, etc.
- If your organization is hacked and all your data is stolen, there is no doubt you must inform the competent supervisory authority as well as the people involved.
- If you have a break-in at the office and your hard drives with sensitive data are stolen, there is no doubt you must inform the competent supervisory authority unless everything is thoroughly encrypted and doesn’t pose a risk for the people involved.
All breaches will be logged, no matter the severity, but it is up to the data protection officer to assess which measures should be taken after a breach has been identified.
Do you regularly test the IT security within the company?
Our servers are protected by Microsoft Azure’s Integrated Security Solutions and other anti-fraud and anti-malware services.
To help ensure our solution detects the latest threats, we have enabled automatic updates.
How do you handle personal data and how do you ensure the confidentiality of the personal data you process for us?
At Safe Online, we are dedicated to protecting all the personal data of our employees as well as our customers, business partners, and anyone else whose data we may be storing or processing.
We have policies and procedures in place for the internal processing of personal data in each specific area, such as customer data, job applications, marketing tools, etc., along with an overall data protection policy that outlines how we handle personal data in a secure and orderly manner.