The best software for quality and risk management.

Security & Privacy

Your data is in good hands


Security and privacy are fundamental issues when choosing SaaS. Rightly so, because you must always be able to trust that the data of your organisation – personal data in particular – is safe. We understand that. Therefore, the security of our platform, network, and products has top priority, day and night.

GDPR-proof

  • All data stored in Infoland’s software is guaranteed to remain within the EEA and therefore falls under European legislation.
  • Infoland complies with the legislation regarding the processing of personal data and the notification obligation regarding data leaks. 
  • Security & privacy are fixed points of attention in our software development process. 
  • Our software requires a minimum of personal data. Organisations can decide for themselves which relevant personal data they register. 
  • Our software offers possibilities for removing/anonymising personal data. Organisations decide for themselves which retention periods they use. 
  • We conclude a processor’s agreement with every organisation that uses our SaaS services. 
  • Data is secured through a comprehensive range of measures. 
  • We help organisations, when they carry out a DPIA in their capacity as the responsible party, by answering questions, supplying information, etc. 
  • Organisations that use our software can implement the rights of data subjects themselves (inspection, correction, deletion, objection and data portability). 
  • Infoland makes it easy for organisations to publish a privacy statement in the software.

Safeguarding privacy

Safeguarding privacy is something we do together

Infoland supplies smart software which organisations like yours use. We ensure 24/7 that the software is safe, available and in top condition. What happens within the software is determined by your organisation. For example, you decide who gets access to the software and what these people are allowed to see and do within the software. In addition, you decide how (personal) data stored in the software is dealt with.

Therefore, safeguarding the privacy of people who work with the software is not just a matter for Infoland. It is something we do together with you.

We find it essential to be transparent about how our software handles personal data. Therefore, we have made it easy for users to view the applicable privacy statement. What exactly is in that statement is up to your organisation. We are happy to help you on your way; you can use our standard text as a starting point.

A European policy

All data stored in Infoland software is guaranteed to remain within the European Economic Area (EEA). This data is therefore subject to European legislation.

Infoland is fully in control of the locations where your data is stored. We use the Microsoft Azure cloud but apply the strict policy that application, live data and backups may only be placed in Azure regions within the EEA. In practice, we currently use Azure data centres in the Netherlands and Ireland.

Legislation on mandatory data breach notification

The GDPR (General Data Protection Regulation) requires organisations that process personal data to report data breaches to the correct authority (depending on the nationality of the person(s) involved). In case of a data breach, the ‘responsible party’ of the data must make the report. Infoland is not the ‘responsible party’ of the data but the ‘processor’. In the event of a data breach, Infoland will inform the contact person within your organisation in a timely and complete manner. This way, you, as an organisation, can meet your obligations as a ‘responsible party’.

When is there a data breach?
Suppose there has been a breach of security (security incident). In that case, we will determine whether there is a data breach based on the policy rules for reporting data breaches of the European supervisory authorities. There is only a data breach if unlawful processing has taken place.

Will Infoland report to the correct authority or those involved?
No. Your organisation (as the person responsible for the personal data) is primarily responsible for making a report to the correct authority or parties involved. Infoland will provide your organisation with all necessary information to make the report promptly.

Within what time frame does Infoland contact you, and with whom?
The policy rules on mandatory data breach reporting set a deadline of 72 hours within which the report must be made to the correct authority. As soon as we or one of our auxiliary suppliers has discovered a data leak, we will inform you as quickly as possible – at the latest within 48 hours. The list below shows who we will contact:

  • A specific contact person provided by you for the reporting of data breaches
  • Primary contact person hosting service
  • Commercial contact

What information will Infoland provide?
We will describe the nature and scope of the data breach, an estimate of the number of data subjects affected, and an indication of the nature of the personal data affected. You will also receive a description of those affected and a proposal for preventive and corrective measures to be taken.

Please note!
If additional agreements have been made with your organisation (in a processing agreement), these will prevail.

Protecting your data

Our staff

At least as important as all technical security measures is the factor “people”. We therefore place high demands on all our employees at Infoland, especially those who encounter customer data in carrying out their duties.

  • Every employee who encounters your data in their daily work must be able to show a Certificate of Good Behaviour (NL) or Proof of Good Conduct (BE).
  • Every Infoland employee has a duty of strict confidentiality; this is included in our employment contract.
  • Our employees do not have access to more systems and/or data than necessary to perform their duties. When access is given to customer environments in the software, use is made of privileged access and conditional access, among other things.
  • Every employee is encouraged to report all information security incidents (internal or external). To this end, we use our own Reporting & Analysis software Zenya FLOW.
  • We have appointed a Security Officer, who reports and advises our management about information security in the broadest sense of the word.
  • Our Security Officer organises activities throughout the year to ensure that every Infoland employee is and remains aware of the risks and acts accordingly.
  • Specifically for our software developers, much attention is paid to security. Every piece of software that is delivered must meet the demands of the customer, be user-friendly, look good, be robust, and be safe! We use the OWASP Top 10 for this purpose, among others.
  • Physical and organisational measures have been taken at our sites to ensure that unauthorised persons cannot gain access to rooms and equipment that may contain confidential data.

Highly secure infrastructure

Your data is held in highly secure data centres. For more information about the (physical) security of the Azure platform, see: https://docs.microsoft.com/en-us/azure/security/fundamentals/.

The Infoland SaaS environment is housed within the Microsoft Azure cloud. We use services such as Azure DDoS Protection and Azure Web Application Firewall for access security.

Within our SaaS service, the data of each customer is strictly separated. The software architecture ensures that users can never access other customers’ data. This means that each customer environment has its own security key. If one is compromised, it does not affect other customers.

All software is up to date

We use platform-as-a-service services for the hosting of our software within Microsoft Azure. A major advantage of this is that Microsoft continuously ensures that all platform parts are up to date. This ultimately ensures fewer risks, security patches, etc.

For the software components that run within virtual machines, we are constantly alert to new vulnerabilities in third-party software (e.g., operating systems, software frameworks) and ensure that the necessary updates are rolled out as quickly as possible.

Strict access controls in the software

Access to the software is only possible after successful authentication. A combination of usernames and passwords forms the basis. A higher level of security can be obtained by enabling 2-factor authentication (One-Time-Password algorithm) and/or limiting access to the software to specific IP ranges.

It is also possible to have authentication performed by dedicated identity management/SSO solutions based on the SAML 2.0 protocol. See also integration with other systems.

Within the software, employees only get access to the data to which they are authorised. To this end, our software has a finely meshed system of rights and roles that can be assigned to groups or individuals. Furthermore, every login attempt and mutation that is made within the system is logged.

Encrypted data

All data traffic between your browser, mobile device, and software is encrypted using 2048-bit SSL certificates. In addition, passwords are stored in an irreversible form using a salted hash algorithm.

External parties test our security

Information security is never finished. New threats can arise every day. That is why we have our software penetration tested at least once a year by an external, specialised party. In addition, we continuously use online monitoring and detection tools that test our software and infrastructure against (amongst others) the OWASP Top 10.


We use the services of Computest, among others, to perform penetration tests and code security reviews. This contributes to the security of our SaaS service.

Information security incident

In the unlikely event of an information security incident, we are ready to act, for example, by quickly rolling out an update for our software. In addition, in the event of calamities, we can use a specialised cyber response team.

Agreements made

We like clear agreements. That is why we strive to enter into a processing agreement with every organisation that uses our SaaS services. European privacy legislation, also known as GDPR or AVG, obliges clients and suppliers to enter into processing agreements that set out the arrangements for processing personal data.

To make it easy for you, we have developed a standard processing agreement that does justice to the interests of both parties. A model agreement drawn up by a sector/umbrella organisation can also serve as a starting point.

Read more about model and processor agreements for the Zenya software on the Infoland website.

Want to learn more about Zenya?

Request the brochure to have all information conveniently at hand.

Download the brochure about Zenya Software - Software for Quality and Risk Management

Free demo available

Want to see what Zenya can do for your organisation? Request a free demo.

Five unique solutions

One high-performance software suite for quality and risk management

  • Doc: Efficiently manage and distribute documents from a central location.
  • Flow: Easily set up incident management and workflows.
  • Check: Discover improvement potential through audits, checks and questionnaires.
  • Risk: Be in operational control and turn strategic risks into opportunity.
  • BOOST: Strengthen quality and risk management and involve employees.


Want to find out what Zenya can do for your organisation?

Contact our experts without obligation! We will be pleased to brainstorm with you.