Data Processing Agreement
- a) A description of the nature of the breach, including category, approximate number of data subjects concerned and personal data records.
- b) Name and contact details of the Data Protection Officer.
- c) A description of the probable consequences of the breach.
- d) A description of the measures that have been taken or are guaranteed to be taken by the Data Processor or sub-processor in order to manage the breach, including measures for limiting its possible deleterious
Ms. Camilla Blendvig
C/O FastTrack Software Aps
- 1.2.1 Administrator session data: Computer name, duration, installed and uninstalled software, UAC elevated programs and reason for administrator need.
- 1.2.2 Inventory data (can be disabled): Basic hardware data, operating system, user and computer domain and OU, installed software, local administrator accounts, computer and user groups and current IP address.
- 1.3.1 Portal user (administrator) name, email address and phone number (phone number mandatory only with two-factor authentication), and current IP address.
- 1.4.1 Administrator session data: User’s account name, full name, email address and phone number.
- 1.4.2 Inventory data: Current user’s email address, phone number, current account name.
- 1.1.1 Microsoft Azure is used to provision the infrastructure required to run the principal service. Microsoft Azure has several datacenters around the world, such as Central US, Canada, Europe and Asia. The Data Processor only uses datacenters located within the continent where the processing takes place. In addition to the data processing agreement mentioned in section 7.7, the Data Processor has executed an Additional Safeguards Addendum to Standard Contractual Clauses with Microsoft Azure. Microsoft Support is not allowed to access data in the EU from outside the EU.
- 1.1.2 The Data Processor uses ZenDesk for customer support purposes. The only data transferred to ZenDesk is name, company name, phone number and email address. The data processing agreement executed between the Data Processor and ZenDesk includes Standard Contractual Clauses as a legal basis for the transfer of personal data.
- 1.1 Physical Access Control (No unauthorized access to Data Processing Facilities): Entry into facilities is granted only by documented and supervised handling of keys. On access to the building outside business hours, a password must be used. Furthermore, all office rooms require a key for physical access. The combination of locks on doors and passwords prevents unauthorized access by external or third-party individuals.
- 1.2 Electronic Access Control (No unauthorized use of the Data Processing and Data Storage Systems): No part of the production environment is hosted on FastTrack Software facilities. The production environment is located in Microsoft Azure datacenters in Amsterdam and Dublin for European datacenter customers and Virginia and Washington in the United States for non-European datacenter customers. FastTrack Software Facilities contain employee computers and servers for testing purposes only. No production data exists in these facilities. Copying any data, even test data, from these facilities or the production environment is strictly forbidden.
- 1.3 Internal Access Control (permissions for user rights of access to and amendment of data; No unauthorized Reading, Copying, Changes or Deletions of Data within the system): All personnel access to equipment on the facilities is enforced by Active Directory accounts. Passwords are forcibly changed for all employees every 30 days. Accounts are controlled solely by the assigned asset owner, and working with another person's credentials is strictly forbidden. Accounts are granted strictly on a “need to know” basis. No employee has access to more data than the job description warrants.
- 1.4 Isolation Control (The isolated Processing of Data, which is collected for differing purposes): No data collected in the Microsoft Azure production environment exists outside the production environment, except for offsite backup.
- 1.5 Pseudonymization (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR): Pseudonymization is an opt-in option for customers to pseudonymize (“Obfuscate”) user accounts in such a way that no one can directly link an obfuscated name to an actual person. Neither the Data Processor nor the Data Controller can identify the individual from an obfuscated name, if the Data Controller opts in on obfuscation.
- 2.1 Data Transfer Control (No unauthorized Reading, Copying, Changes or Deletions of Data with electronic transfer or transport): Personal data in the principal service is protected against unauthorized copying to data media. No data can be accessed outside of the principal service, except for personnel with credentials assigned to the employee by the assigned asset owner. Any access to data outside the Microsoft Azure environment is restricted by a combination of IP address blocking and employee credentials. IP address access is controlled solely by the assigned asset owner, and IP addresses map only to internet connections registered to FastTrack Software. Any access to data is solely for the purpose of customer support.
- 2.2 Data Entry Control (Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted): The principal service stores, changes or deletes any data records only as long as the system allows it. It is possible to track which user made changes to the data.
- 3.1 Availability Control (Prevention of accidental or willful destruction or loss): All data is hosted entirely on Microsoft Azure. All Microsoft Azure servers have mirrored hard drives in RAID systems and are equipped with redundant components. The database is Microsoft SQL Server and the transaction model of Azure SQL Server allows a restore at any second in time for 7 days, in case of accidental or willful destruction or loss of data. All critical components are monitored by software monitoring special web pages designed to probe every component of the principal service. If critical parts of the principal service are not available, supervising administrators are notified immediately by email.
- 3.2 Rapid Recovery (Article 32 Paragraph 1 Point c GDPR): The database is Microsoft SQL Server and the transaction model of Azure SQL Server allows a restore at any second in time for 7 days. After 7 days, a daily backup can be restored, either by Microsoft or an off-site backup, which only the assigned asset owner has access to. In case of accidental or willful loss of data, FastTrack Software can restore a database from an earlier point and has the expertise in-house to successfully merge lost data back into the production environment.
- 4.1 Data Protection Management (Incident Response Management; Data Protection by Design and Default (Article 25 Paragraph 2 GDPR); Order or Contract Control): FastTrack Software has appointed the Data Protection Officer stated in section 15 of the Agreement. Any employee of FastTrack Software with access to production data for support purposes will sign a non-disclosure agreement with FastTrack Software. FastTrack Software uses Microsoft Azure, which means a standard agreement is in place between FastTrack Software and Microsoft. The performance of and access to the production environment is evaluated on a scheduled monthly basis by an authorized administrator employed by FastTrack Software. The monitoring service used for Availability Control is equally tested and verified on a monthly basis by an authorized administrator.