Implemented security measures

Here you can see a range of the implemented vital security measures
 

Implemented security measures

As of the date of entry into force of the Data Processing Terms, Musskema will implement and maintain the specific security measures stated below. Musskema may update or modify the implemented security measures specified in this document from time to time, provided that such updates and changes do not result in any impairment of the overall implemented security of the Musskema Portal and any additional services provided to the Customer.

For the purpose of deciding the safety measures, Musskema has been in compliance with ISO 27001 and ISO 27002. Musskema may change the implemented safety measures over time, but changes in safety measures may never lead to a reduced level of safety.

General safety precautions

All employees in the Data Processor's support unit (and Sub Data Processors) have generated a long and not simple password for the system - at least 16 characters and two factor authentication.

Access to servers is handled by subcontractors. Access to servers is done using key files.

Subcontractors do not work with data unless data controllers have granted permissions.

Data centre and network security

Data is hosted in a German data centre, Hetzner, Online GmbH, which is certified according to ISO 27001. See here.

Data is not sent to users other than those logged in.

When trying to access our servers, access is blocked after three failed attempts.

Authorisation and Access Control

Musskema.dk is a platform where different users have access to different data - part of this access control is the responsibility of data controllers themselves. And in general, the granting of access is done only at the request of the data controlling customer.

Also, in cases where Data Controllers ask us to work with the data, the Data Processor may do so on behalf of the Data Controller.

Data Security

All input and output of data are done by a secure web connection (https) to our web servers. The servers that run the website itself are virtual servers. These servers do not store data. Access to these servers is controlled by a firewall that automatically grants access to authorised employees - others are not even allowed to try to log in.

Data is transferred from these servers to a set of virtual database servers. 2 servers at Hetzner in Germany to ensure high performance and 1 server at Hetzner in Finland as backup. Once a day, backups are made in Finland on a separate disk. Access to database servers is locked to select employees.

All employees in the Data Processor's support unit (and Sub Data Processors) have generated a long and not simple password for the system - at least 16 characters and two factor authentication.

Access to servers is handled by subcontractors. Access to servers is done using key files.

Subcontractors do not work with data unless data controllers have granted permissions.

Authorisation and Access Control

Musskema only accesses information in the Customer's system if the Customer requests Musskema to do so, for example for support purposes. Access is granted by the Customer by setting a specific check mark, which should be removed again after use. The action is logged.

When trying to access our servers, access is blocked after three failed attempts.

Logging data is done in a way so that the top of the document will state who has seen the document and when.

Deletion

When a customer deletes an employee who is no longer employed, the employee will be deleted after 14 days, while the data entered into the EDP module etc. will be stored in the manager's archive for five years with such data as scores and agreements.

When a company wants to stop at Musskema.dk, the company is deleted after 14 days - and it is completely dropped from all backups within 90 days.

Employee security

The supplier uses home-based workplaces. All data is stored online and will normally only affect employees' computers to the extent that the website is cached on the employee's PC. 

Data provided for processing on an employee's PC - after agreement with the Data Controller - is treated confidentially and deleted immediately after use.

Transmission of data between employees occurs in encrypted emails or encrypted attachments.

Entered data that contains personal information

Entered data is what the individual user enters into the system.

A support employee will only access it if the Data Controller requests us to do so. Access is granted by the Customer/User/Data Controller setting a specific check mark, which should be removed again after use. The action is logged.

Output data containing personal information

Not relevant here. Support can only access it if a Data Controller explicitly grants us access to do so in a specific situation.

Using sub-data processors

Prior to contracting with a sub data processor, Musskema will perform due diligence or inspection of the security measures and data protection principles implemented by the sub data processor to ensure that the sub data processor in question has a level of security appropriate to the processing activities to be performed on behalf of Musskema. If a sub data processor is considered suitable for handling the processing activities, Musskema will enter into a written agreement with the sub data processor in accordance with the Data Processing Terms.  

 

Version, December 2020

Let us have a talk about your options Let us call you. We will quickly find a solution that fits your organization!