Security and privacy are fundamental issues when choosing SaaS. Rightly so, because you must always be able to trust that the data of your organisation – personal data in particular – is safe. We understand that. Therefore, the security of our platform, network, and products has top priority, day and night.
Infoland supplies smart software which organisations like yours use. We ensure 24/7 that the software is safe, available and in top condition. What happens within the software is determined by your organisation. For example, you decide who gets access to the software and what these people are allowed to see and do within the software. In addition, you decide how (personal) data stored in the software is dealt with.
Therefore, safeguarding the privacy of people who work with the software is not just a matter for Infoland. It is something we do together with you.
We find it essential to be transparent about how our software handles personal data. Therefore, we have made it easy for users to view the applicable privacy statement. What exactly is in that statement is up to your organisation. We are happy to help you on your way; you can use our standard text as a starting point.
All data stored in Infoland software is guaranteed to remain within the European Economic Area (EEA). This data is therefore subject to European legislation.
Infoland is fully in control of the locations where your data is stored. We use the Microsoft Azure cloud but apply the strict policy that application, live data and backups may only be placed in Azure regions within the EEA. In practice, we currently use Azure data centres in the Netherlands and Ireland.
The GDPR (General Data Protection Regulation) requires organisations that process personal data to report data breaches to the correct authority (depending on the nationality of the person(s) involved). In case of a data breach, the ‘responsible party’ of the data must make the report. Infoland is not the ‘responsible party’ of the data but the ‘processor’. In the event of a data breach, Infoland will inform the contact person within your organisation in a timely and complete manner. This way, you, as an organisation, can meet your obligations as a ‘responsible party’.
When is there a data breach?
If there has been a breach of security (a security incident), we will determine whether it constitutes a data breach based on the policy rules for reporting data breaches of the European supervisory authorities. There is only a data breach if unlawful processing has taken place.
Will Infoland report to the correct authority or those involved?
No. Your organisation (as the party responsible for the personal data) is primarily responsible for making a report to the correct authority or parties involved. Infoland will provide your organisation with all necessary information to make the report promptly.
Within what time frame does Infoland contact you, and with whom?
The policy rules on mandatory data breach reporting set a deadline of 72 hours within which the report must be made to the correct authority. As soon as we or one of our auxiliary suppliers has discovered a data leak, we will inform you as quickly as possible – at the latest within 48 hours. The schedule below shows who we will contact:
What information will Infoland provide?
We will describe the nature and scope of the data breach, an estimate of the number of data subjects affected, and an indication of the kind of personal data affected. You will also receive a description of those affected and a proposal for preventive and corrective measures to be taken.
If additional agreements have been made with your organisation (in a processing agreement), these will prevail.
At least as important as all technical security measures is the factor “people”. Therefore, we place high demands on all our employees at Infoland, especially those who encounter customer data in performing their role.
Your data is held in highly secure data centres. For more information about the (physical) security of the Azure platform, see: https://docs.microsoft.com/en-us/azure/security/fundamentals/.
The Infoland SaaS environment is housed within the Microsoft Azure cloud. We use services such as Azure DDoS Protection and Azure Web Application Firewall for access security.
Within our SaaS service, the data of each customer is strictly separated. The software architecture ensures that users can never access other customers’ data. This means that each customer environment has its own security key. If one is compromised, it does not affect other customers.
We use platform-as-a-service services for the hosting of our software within Microsoft Azure. A major advantage of this is that Microsoft continuously ensures that all platform parts are up to date. This ultimately reduces risk, because security patches and other updates are applied as part of the platform.
For the software components that run within virtual machines, we are constantly alert to new vulnerabilities in third-party software (e.g., operating systems, software frameworks) and ensure that the necessary updates are rolled out as quickly as possible.
Access to the software is only possible after successful authentication. A combination of username and password forms the basis. A higher level of security can be obtained by enabling 2-factor authentication (One-Time-Password algorithm) and/or limiting access to the software to specific IP ranges.
It is also possible to have authentication performed by dedicated identity management/SSO solutions based on the SAML 2.0 protocol. See also integration with other systems.
Within the software, employees only get access to the data to which they are authorised. To this end, our software has a finely meshed system of rights and roles that can be assigned to groups or individuals. Furthermore, every login attempt and mutation that is made within the system is logged.
All data traffic between your browser or mobile device and the software is encrypted using 2048-bit SSL certificates. In addition, passwords are stored in an irreversible form using a salted hash algorithm.
Information security is never finished. New threats can arise every day. That is why we have our software penetration tested at least once a year by an external, specialised party. In addition, we continuously use online monitoring and detection tools that test our software and infrastructure against (amongst others) the OWASP Top 10.
We use the services of Computest, among others, to perform penetration tests and code security reviews. This contributes to the security of our SaaS service.
In the unlikely event of an information security incident, we are ready to act, for example, by quickly rolling out an update for our software. In addition, in the event of calamities, we can use a specialised cyber response team.
We like clear agreements. That is why we strive to enter into a processing agreement with every organisation that uses our SaaS services. European privacy legislation, also known as GDPR or AVG, obliges clients and suppliers to enter into processing agreements that set out the arrangements for processing personal data.
To make it easy for you, we have developed a standard processing agreement that does justice to the interests of both parties. A model agreement drawn up by a sector/umbrella organisation can also serve as a starting point.
Read more about model and processor agreements (in Dutch) for the Zenya software on the Infoland website.
Do you have any questions?
Get in touch with us. We will be pleased to help you.