Security of the SafetyHeads Training Platform and GDPR
We have performed a risk analysis and documented it. We know who and what can threaten us and which real risks exist. We have planned adequate security controls and implemented them. We periodically verify that the document is still valid and adequate.
We use Microsoft Azure cloud hosting, a proven and secured infrastructure. All application components are located on servers in Europe. We do not store or process personal data outside the European Economic Area. Your personal data are not transferred to other entities.
Personal data scope
We process the necessary minimum of personal data to provide a training platform service for your employees and to manage your subscription.
Retention and access to data
Your and your employees' personal data are deleted within 30 days after the end of the training platform service contract. You have access to the data of all your employees at any time and can freely edit and delete it yourself.
We regularly back up our databases. Their location is confidential, but we can disclose that it is also within the European Union.
We have a Personal Data Inspector (DPI). If you have questions, please contact him via email: firstname.lastname@example.org.
We have implemented a number of technical security controls in the application. The application is protected against the vulnerability classes described in the OWASP Top 10, among others, as well as those we identified in the risk analysis based on our experience. We are not afraid of XSS, CSRF or insecure deserialization.
The application uses an encrypted HTTPS connection with TLS 1.2 or higher. We have an A+ rating in Qualys SSL Labs.
We do not make changes directly in the production environment. Each code change first undergoes a number of tests in non-production environments. It is thoroughly analyzed and consulted with the DPI where necessary. When we are certain that it is ready, without unnecessary rush, we deploy it to production.
We have and use a rigorous password policy. Our passwords are long and complex. We use password managers. We do not store passwords in plain text, and if they leak, they are effectively protected against brute-force attacks and rainbow tables. We use two-factor authentication wherever possible.
We train our staff regularly in cyber security, social engineering and phishing. We make sure that we don't get phished. Actually, we regularly phish each other ;-).