We have answered the essential 11 questions regarding the security of our software set out by the Danish government’s Agency on Digitization’s
Where is the company’s data physically located? That is, at which location and in which country are the servers that contain your company data?
Microsoft Azure in Amsterdam, Holland.
We and Microsoft guarantee that the data will not be moved to servers located outside the EU.
How and where is backup made?
We take automatic backups of our database continuously: a full backup is done weekly, a differential backup twice daily, and a backup of the transaction log every 5 minutes.
An automatic backup copy of all users’ data is kept to guard against system errors. This copy is deleted together with the primary data when the customer relationship ends.
All backup data is encrypted with AES 256-bit encryption.
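As an added illustration, not Archii's own code or tooling, the following Python models the schedule above and works out, for a given failure time, which backups must be restored (and in what order) and how much data sits in the unprotected window after the last log backup. The clock times of the full and differential backups are assumptions; the page only states their frequency.

```python
from datetime import datetime, timedelta

# Schedule as stated on the page: a full backup weekly, a differential twice a
# day, and a transaction-log backup every 5 minutes. The clock times below are
# assumptions for this example; the page does not state them.
FULL_WEEKDAY = 6                                   # Sunday
FULL_TIME = timedelta(hours=1)                     # 01:00
DIFF_TIMES = (timedelta(hours=6), timedelta(hours=18))
LOG_INTERVAL = timedelta(minutes=5)


def _midnight(t):
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def latest_full(failure):
    """Most recent weekly full backup taken at or before the failure."""
    day = _midnight(failure) - timedelta(days=(failure.weekday() - FULL_WEEKDAY) % 7)
    full = day + FULL_TIME
    return full if full <= failure else full - timedelta(days=7)


def latest_differential(failure, full):
    """Newest differential taken after the full and at or before the failure, or None."""
    for back in range(8):                          # a full is at most 7 days old
        day = _midnight(failure) - timedelta(days=back)
        for off in sorted(DIFF_TIMES, reverse=True):
            cand = day + off
            if full < cand <= failure:
                return cand
    return None


def restore_chain(failure):
    """Backups needed to recover to the last log backup before `failure`, in the
    order they must be restored, plus the data lost after that point."""
    if isinstance(failure, str):
        failure = datetime.fromisoformat(failure)
    full = latest_full(failure)
    diff = latest_differential(failure, full)
    base = diff or full                            # restore log backups on top of this
    logs = []
    t = base + LOG_INTERVAL                        # log backups assumed on the 5-minute grid
    while t <= failure:
        logs.append(t)
        t += LOG_INTERVAL
    last = logs[-1] if logs else base
    return {"full": full, "differential": diff, "logs": logs, "data_loss": failure - last}


if __name__ == "__main__":
    chain = restore_chain("2024-01-10T14:03")      # constructed failure time (a Wednesday)
    print(chain["full"], chain["differential"], len(chain["logs"]), chain["data_loss"])
```

Under this schedule the data lost is never more than the 5-minute log interval, which is the figure to compare against the recovery point objective agreed with the customer.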
What is the process for updates and changes to IT systems and programs?
We update the system continuously as new features are added. We always try to deploy updates when user activity is at its lowest, so our customers experience the least possible downtime.
How do you control user access and privileges for the IT systems?
As a main rule, there is no access to the production systems. However, for technical reasons or for troubleshooting, the administrator may grant the technical manager access for the period in which it is needed. All traffic and changes during the access period are logged.
When an end user has purchased access to the system, the user gets a unique login that can only be used by that user. This data is saved so we are able to reset the user’s login ID and password. Only our IT support team has access to this data, and it is accessed only at the request of the user.
How do you ensure the security of data networks? For example, through network logging or network and firewall segmentation, and how do you document the company’s networks?
Our network is segmented and protected by a firewall. Machines in the same segment can reach each other only through defined ports.
Do you have an IT emergency plan? For example, it should be stated that the supplier notifies the company of security incidents.
In the event of a security breach and/or a third party’s unauthorized access to our data, we have the following procedures in place:
1 – Data Breach Procedures
2 – Data Breach Notification Procedures
3 – Data Breach Log
All employees in the company have been thoroughly instructed and educated in these procedures. Firstly, all identified security breaches or unauthorized access to data are reported to the person responsible for data protection. He makes an initial assessment based on the severity of the breach and the data involved, to decide which measures must be taken. The assessment is based on the likelihood of the breach resulting in a risk to the persons involved. Here are some examples:
– If you lose your work computer but it is password protected, it is probably unlikely to pose a big risk. However, this depends on what kind of data was on it, how much, where it was lost, etc.
– If your organization is hacked and all your data is stolen, there is no doubt you must inform the competent supervisory authority as well as the people involved.
– If you have a break-in at the office and your hard drives with sensitive data are stolen, there is no doubt you must inform the competent supervisory authority, unless everything is thoroughly encrypted and does not pose a risk to those involved.
All breaches are logged, no matter the severity, but it is up to the person responsible for data protection to assess which measures must be taken once a breach has been identified.
Do you regularly test the IT security within the company?
Our servers are protected by Microsoft Azure’s integrated security solutions and other anti-fraud and anti-malware services.
To help ensure our solution detects the latest threats, we have enabled automatic updates.
How do you handle personal data?
How do you ensure the confidentiality of the personal data you process for us?
At Archii, we are dedicated to protecting all personal data – for our employees as well as our customers, business partners and everyone else that we are processing data about.
We have policies and procedures in place both for the internal processing of personal data in each specific area (customer data, job applications, marketing tools, etc.) and an overall data protection policy that outlines how we handle personal data in a secure and orderly manner. All employees have completed a GDPR training module with a test to ensure that everybody is aligned and understands the importance of secure data handling.