AskCody's Commitment to GDPR, Data Privacy and Information Security
The European Union General Data Protection Regulation (GDPR) is a set of rules about how companies should process the personal data of data subjects. GDPR lays out responsibilities for organizations to ensure the privacy and protection of personal data, provides data subjects with certain rights, and assigns powers to regulators to ask for demonstrations of accountability or even impose fines in cases where an organization is not complying with GDPR requirements.
Here are some of the basic facts about GDPR (General Data Protection Regulation) that are important to know:
- The law was adopted in 2016 and became enforceable in May 2018
- It updates and replaces Directive 95/46/EC (the 1995 Data Protection Directive) and strengthens rights of the data subjects while at the same time facilitating free flow of data
- Applies to organizations that perform data processing of private data on the territory of the EU but also those outside of it that operate with private data of EU citizens
- Infringement fines reach up to 4% of annual revenue
- GDPR sets out a set of key requirements:
- Lawful, fair and transparent processing
- Limitation of purpose, data and storage
- Data subject rights
- Personal data breaches
- Privacy by Design
- Data Protection Impact Assessment
- Data transfers
Understanding GDPR requirements can sometimes be a daunting task. Especially around how organizations comply with GDPR. In this post we want to highlight the AskCody approach to GDPR and our commitment to ensure the privacy of your data by having the highest standard on Information Security
AskCody’s Information Security Policy
Information is an asset that is essential to AskCody and consequently needs to be suitably protected. Especially this is vital in the increasingly interconnected business environment.
Because of this increasing interconnectivity, information is exposed to a growing number and a wider variety of threats and vulnerabilities that need to be addressed accordingly.
Information Security is achieved by implementing a suitable set of controls and standards, including policies, processes, communication channels, procedures, organizational structures, software, and hardware systems, that enable and empowers us to achieve the right level of Information Security.
These controls and standards need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of AskCody, our partners and customers, users, and purposes of the data protection law are met.
In AskCody, we have implemented an Information Security Policy that helps us achieve the highest standards of Information Security, fulfil and meet the requirements from the market while allowing us to comply with legislation and comply with GDPR. Our Information Security policy and the independent third-party ISAE 3000 audit is therefore designed for and based on GDPR.
Our Information Security Policy includes, but is not limited to; technical risks, human risks, and physical risks. Any risk has been evaluated and if required a given set of procedures and controls have been implemented to mitigate that risk. These procedures and controls are detailed in the form of what problem they address, how they try to mitigate or alleviate this problem, and how the controls are tested and verified. Each procedure will detail how often it is tested, by whom and by which authority the validity of the test is acknowledged and signed. Further it is detailed which version of the procedure is in effect, and which date it was effectuated.
Please request our updated Information Security Policy to learn more about how AskCody work to meet the highest standards on Information Security.
The AskCody Information Security Policy and Rules
The AskCody Information Security Policy and Rules contain the basic requirements for Information Security implemented in AskCody. Information Security and the related policies, controls, processes and procedures, are an essential part of Corporate Governance. In addition, these requirements are also demanded by External Auditors to rely on the validity of AskCody’s cloud platform.
All rules and implementation requirements are implemented and will be continuously evaluated and improved, unless rules are conflicting with local laws and regulations.
The rules contain directions for the design of Information Security and controls. In case certain type of information needs to be processed and protected in other ways than the AskCody Workplace Platform allows, and AskCody’s current Information Security rules cover, additional rules will be issued, which are only applicable in case this type of information is processed, stored or transmitted.
The Information Security rules consist of eight chapters grouped around specific security areas that all in all contains the relevant control objectives and implemented control activities, designed to achieve the control objectives, that are selected by AskCody to comply with GDPR:
- Organization of Information Security: Management direction & governance of Information Security
- Asset Management: Inventory and classification of information assets
- Human resources security: Security aspects for employees joining, transferring and leaving AskCody
- Operations Management: Management of technical security controls in systems and networks
- Access Control: Restriction of access rights to networks, systems, applications, functions and data
- Inhouse application security: Building security into applications
- Incidents Management: Anticipating and responding appropriately to Information Security breaches
- Compliance: Ensuring conformance to Information Security policies, standards, laws and regulations
Please request our updated Information Security Policy to learn more about how AskCody work to meet the highest standards on Information Security and how our Information Security Policy comply with GDPR.
Data Processing in AskCody
AskCody is a SaaS (Software as a Service) solution for Meeting Management and Resource Scheduling, Visitor Management, and Workplace Insights & Analytics and is built for that purpose. The data processing instructions regarding purpose and subject matter is therefore to process data to provide, deliver and improve the services we offer (The AskCody Platform) and perform essential business operations related to our Platform (which may include the detection, prevention and resolution of security and technical issues). This includes operating the services, maintaining, and improving the performance of the services, including developing new features, research and providing customer support, for customers using and leveraging our platform and services.
AskCody use the data and information collected from the AskCody Platform to:
- Provide the Services in the AskCody Platform to operate our business
- Maintain, protect, and improve the Platform,
- Develop new features and improve existing features
- Protect AskCody and our Controller’s (Customer's) data.
- Improve and personalize the AskCody Platform
AskCody will process Personal Data as necessary to perform the Services pursuant to the agreement made with the customer, as further specified in the Documentation, and as further instructed by Controller in its use of the AskCody Services.
To better understand how Data is processed, stored, handled, and managed, which data types, subject matters and categories is processed, and with what purpose, which security requirements we have implemented for processing these data types and subject matters, and which sub-processers AskCody may use, to deliver our platform and services, we recommend that you visit our Help Center and read our documentation on the topic.
Independent Audit Report
As regulated in our Data Processing Agreement entered with all client using the AskCody Workplace Platform, and as part of promise to providing an enterprise grade platform with the highest security standards, we must on a yearly basis perform a third party audit and inspection to verify the compliance of data processing with respect to the Data Processing Agreement, GDPR, our Information Security Policy, or Secure Development Policy and all other security and compliance matters in AskCody.
Therefore, we have performed a third-party audit and achieved an ISAE 3000 report that ensures that our data security continuously is revised, updated and implemented in accordance with GDPR, data protection laws and policies, and best practices in all levels and aspects of AskCody.
Please request the Independent Auditor’s (by BDO) ISAE 3000 report dated for the period from July 15th, 2019 to May 31st 2020 on the description of the AskCody Platform and related technical and organizational measures and their design relating to processing and protection of personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Danish act on supplementary provisions here.
The ISAE 3000 report
AskCody is responsible for processing of personal data of our customers, who are Controllers according to the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the EU General Data Protection Regulation) and the Danish Act on Supplementary Provisions.
The description in the ISAE 3000 report is intended for AskCody’s customers (Controllers) using the AskCody Platform, and who have a sufficient understanding to consider the description along with other information, including information about controls operated by the Controllers themselves, when assessing whether the requirements of the EU General Data Protection Regulation and the Danish Act on Supplementary Provisions are fulfilled.
By this report, AskCody confirms that the accompanying description presents fairly at pages 7 to 16 the AskCody Platform that has processed personal data for Controllers subject to the EU General Data Protection Regulation, and the related technical and organizational measures (controls) for the period from July 15th, 2019 to May 31st 2020.
In the report a thorough description of the AskCody Information Security Policy and Rules, our guarantees, processing activities, technical and organizational measures, safety measures, our controls and procedures, and breach procedures are tested and documented.