Information security policy
Who manages your data? That’s us!
An overview of the measures that El Niño has in place with regard to GDPR.
Preface
El Niño considers it important to ensure that (personal) data is processed and stored securely in all applications. Privacy and security are our main concerns during the development of new applications and while maintaining existing systems.
To underline this, the most important measures that El Niño takes in the context of processing personal data are described in this document.
Servers
Applications developed by El Niño can be hosted in five different places:
At Hetzner in their data centers in Falkenstein, Germany and Helsinki, Finland.
At Webguru in the Netherlands.
As a server at Hipex (only for Magento webshops).
As a Hypernode server at Byte (only for Magento webshops).
As a Droplet on DigitalOcean (being deprecated in favour of Hetzner).
All of these hosting providers use data centers located within the European Union, so the data stored there falls under GDPR jurisdiction.
In most cases an application runs in a shared environment: on servers managed by El Niño it shares the server with applications of other El Niño customers, and at DigitalOcean and Byte it shares the infrastructure with applications from other parties.
In some situations, customers can rent their own dedicated server from El Niño. In this case, the hosting is not shared with other parties.
El Niño has agreements with all five parties involved (DigitalOcean, Hipex, Hetzner, Webguru and Byte) to safeguard the privacy of the data on the servers and the security of the servers and applications.
Backups
Backups of application data are made every day on all servers maintained by El Niño. The backups are retained for at least 2 weeks and are stored encrypted in DigitalOcean Spaces in Amsterdam or Frankfurt.
Local backups of employees' computers are made automatically and securely to a NAS several times a day. The NAS is then synchronized to our second location (Enschede to The Hague, and The Hague to Enschede) over a secure connection. These backups contain no data from external customers or users of our applications, nor information about El Niño's own customers (such as invoices, quotations and agreements).
The code of all applications developed by El Niño is also stored in Git repositories (version control) on our own GitLab server. These Git repositories contain no data from customers or users of our applications.
Security of servers
Access to the servers is only possible with a public/private key pair. In principle, only El Niño employees and the hosting parties have access to the servers and the data on them. When an employee leaves El Niño, that employee's public key is immediately removed from all servers, after which the employee can no longer log in.
Only employees involved in the development of the application have access to the server(s) on which the application is hosted.
Test and production data
For most applications we use a DTAP strategy (separate Development, Test, Acceptance and Production environments). Production data is never copied to the other environments: all environments except production contain only test/dummy data.
Password management
Most applications developed by El Niño enforce a strict password policy: at least 8 characters, including at least 1 capital letter, at least 1 digit and at least 1 punctuation mark. Every user of the platform must set a password that meets these requirements. Some applications also require users to change their password periodically.
El Niño uses a password manager in which all passwords of all applications are stored. The policy is that every new password is randomly generated with a minimum length of 16 characters and contains at least one punctuation mark and one digit.
All El Niño employees have access to the passwords in the password manager's shared vault. Employees also have their own private vault, so that only passwords that genuinely need to be shared are placed in the shared vault. When a colleague leaves, his/her access to the passwords is revoked immediately to minimize the risk of abuse.
Processor agreements
El Niño takes responsibility for entering into processor agreements with all customers. The processor agreement contains guidelines and measures that are taken to prevent data leaks.
The processor agreement describes, among other things, a protocol that is followed together with the customer in the event of a data breach. If a data leak is suspected, El Niño will close the leak as quickly as possible, support the customer with the evidence they must provide (burden of proof), explain to the customer which information has actually been leaked, and document the measures taken to prevent similar leaks in the future.
Email
All email communication between El Niño and other parties goes through a mail server maintained by El Niño. All email is stored on that server; computers and mobile devices connect to it using the IMAP protocol, so only recent email is cached on the devices and the rest remains on the server.
All email is sent and received over an encrypted (TLS) connection to prevent third parties from intercepting the email traffic.
Roles and responsibilities
All El Niño employees perform one or more roles related to customer service. Depending on which role(s) they take up, specific responsibilities will also be linked to it. The roles can be:
Developer
Project Manager
Designer
DevOps (system administrator)
Administrative employee
Responsibilities may include:
Security of server(s)
Security of application(s)
Monitoring of server(s)
Monitoring application(s)
Code review
Dealing with debtors and creditors
Development of (secure) applications
Testing applications
Someone who fulfills more roles automatically takes on the corresponding responsibilities. Everything is done to ensure that the applications we develop are secure and that the privacy of their users is maintained.
Classification and processing of information
Data is collected, processed and distributed in all applications we develop. Depending on the application, different types of information can be collected about the users (and therefore individuals) who use the platform. Other types of information will also be collected that are not (directly) related to these users.
Every application tries to collect as little information as possible about the users who (actively) use the platform (data minimisation in GDPR terms).
Basic data
In general, the following data about a user will be requested and stored:
Name (first and last name)
Email address
Password
Preferred Language
Extensive personal information
Additional information may also be requested in some situations depending on the purpose of the platform. For example:
Address (street, house number, zip code and place of residence)
Country
Phone number
Mobile number
Date of birth
Work-related data
Job sites we have developed collect more information to help users with their job search. These fields are not mandatory and are filled in voluntarily by the users themselves:
Work experience
Competencies
Certificates held
Courses taken
Interesting features
Desired type of employment contract(s)
Current employer
Results of assessments
Results of tests
Ecommerce data
Online stores that we have developed collect more information to help users purchase products and/or services online. These fields are not mandatory and are voluntarily completed and/or indicated by the users themselves:
Ordered products
Delivery address
Order amount
Company details
Some applications may also store information related to companies. These can be entered by the users themselves (for example during the checkout process in a webshop) or can be (automatically) collected by the platform. This company data can be, for example:
VAT number
Chamber of Commerce number
Business address
Number of FTE employed
Website (URL)
Contact
Industry (sector in which the company is active)
Technical data
To prevent abuse of a platform and to monitor user behavior, technical information about a user is routinely stored. This information is used to detect, log and prevent unauthorized access to information. Technical data may include:
IP address of last login
Time of last login
Type of device used by the user
User's browser data
Language of the user's browser
Privacy sensitive and financial information
No privacy-sensitive identifiers such as passport numbers, citizen service numbers (BSN) or copies of driving licences are requested or stored in any application we have developed. Nor is financial data such as credit card numbers stored: payments are handled by external payment providers over a secure connection, and the only information exchanged between these providers and our applications concerns the online order and its payment status.
Personal data is transmitted over a secure connection (TLS) and is generally entered by the users themselves after they have accepted the privacy statement published on the website. The customer is responsible for ensuring that the privacy statement is lawful and is updated in time where necessary.
Passwords are never stored in plain text: only a hash of each password is stored, so that even a leak of the database does not reveal the passwords themselves. A leaked hash can still be attacked offline by guessing, which is one reason the password policy described above matters.
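As an added example (not El Niño's own code), the following Python shows how the password policy from the Password management section and the password hashing described here fit together: the policy is checked before a password is accepted, only a randomly salted hash is stored, and a login attempt is compared against that hash in constant time. The choice of scrypt from the Python standard library, its cost parameters and the storage format are assumptions made for this example; the page does not state which hash the applications use.

```python
"""Added example, not code from the page: password policy check plus salted,
slow password hashing and verification.

Assumptions (not stated on the page): scrypt from the Python standard library
is the password hash, the salt is stored next to the hash, and the record
format is 'scrypt$N$r$p$salt_hex$hash_hex'.
"""
import hashlib
import hmac
import os
import string

# Policy from the page: at least 8 characters, at least 1 capital letter,
# at least 1 digit and at least 1 punctuation mark.
MIN_LENGTH = 8

# scrypt cost parameters (assumed for this example). 128 * N * r bytes of
# memory per hash: 16 MiB here, which fits hashlib's default memory limit.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
HASH_BYTES = 32


def password_meets_policy(password: str) -> bool:
    """Return True if the password satisfies the policy quoted above."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          dklen=HASH_BYTES)


def hash_password(password: str) -> str:
    """Check the policy, then return the record to store instead of the password.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables do not help an attacker.
    """
    if not password_meets_policy(password):
        raise ValueError("password does not meet the password policy")
    salt = os.urandom(SALT_BYTES)
    digest = _scrypt(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare.

    The parameters are read from the record so that stored hashes remain
    verifiable after the cost settings are raised for new passwords.
    hmac.compare_digest avoids leaking where the comparison first differs.
    """
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = _scrypt(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
        return hmac.compare_digest(digest, bytes.fromhex(hash_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex, bad parameters).
        return False


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    record = hash_password("Correct-Horse9")
    print("stored record:", record)
    print("correct password accepted:", verify_password("Correct-Horse9", record))
    print("wrong password rejected:", not verify_password("Correct-Horse8", record))
    print("same password, different record:", hash_password("Correct-Horse9") != record)
```

The record, not the password, is what ends up in the database; a leak of that table still has to be treated as a breach, because the hashes can be attacked offline by guessing, and the policy and the slow hash only make that guessing expensive.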
Removing and consulting personal information
Every user can delete his/her own account via the platform. When an account is deleted, all information associated with it is deleted automatically, both the information the user provided and the information the system recorded as a result of the user's activity on the platform (for example login attempts, emails sent, etc.).
Users can request a copy of all information the system has stored about them. In some applications the user can do this themselves via a button on the website. Where no such button exists, users can email the helpdesk, after which the request is processed within three weeks.
Data is kept for a maximum of 1 year since the last time the user has been active on the platform.