Data protection

    Find relevant security information about Itadel's data processing and compliance with GDPR here.

     

    Your rights when we process your data

    It is of vital importance to us that your data is protected. All the personal data you give us is stored in a secure IT infrastructure, and we have strict procedures that protect against loss, abuse, unauthorized access, changes, publication or destruction of your personal data.

     

    Before you contact us with questions about personal data, you may want to read the material on this page. It gives you the answers to the most common questions.

    If you need to contact us about the processing of your personal data, please send us an e-mail to the e-mail address gdpr@itadel.dk.

    1. You have the right to erasure of your personal data

    In some cases – if, for instance, you have withdrawn your consent (if processing of your personal data is based on consent) – you have the right to request that your personal data be deleted.

    2. You have the right to rectification of your personal data

    If you have identified that personal data, which we process about you, is incorrect, you have the right to ask us to correct it.

    3. You have the right to get access to your personal data

    You have the right ask us to confirm whether or not we have personal data about you, and you have the right to get access to the personal data we process.

    4. You have the right to restrict processing of your personal data

    In some cases, you have the right to request that we restrict the processing of your personal data. For instance, if you question the accuracy of your personal data.

    5. You have the right to object to the processing of your personal data

    In some cases, you can object to the processing of your personal data, for instance for reasons that have to do with your special situation.

    6. You have the right to data portability

    If your personal data is processed automatically based on your consent or in connection with us performing our obligations under our contract, you have the right to request that we hand over your personal data in a machine-readable format that can be used by another data controller.

    7. You have the right to lodge a complaint with a supervisory authority

    You have the right to complain about our processing of your personal data to your supervisory authority, for instance in Denmark that would be the Danish Data Protection Agency.

    8. Contact us if you have questions about your personal data

    You can contact us using the e-mail address gdpr@itadel.dk if you have any questions or inquiries about the processing of your personal data.

     

    Find relevant documentation and security information

    Here, you can find both our data processor agreements, security measures and other relevant documentation about how we secure your data and process personal data in accordance with current legislation.

    Itadel_Icon_It-sikkerhed_RGB_Blue

    Security measures

    See the security measures we use when we process data, and read how we work with data and information security on the platforms and solutions we operate.

    Read security measures

    Itadel_Icon_KundenCentrum_RGB_Blue

    Data sub-processors

    In selected areas, Itadel cooperates with suppliers, in which case they get the status as data sub-processors. See the list of relevant partners here.

    Data sub-processors

    Itadel_Icon_Certificering_RGB_Blue

    Certifications

    We are certified by both independent IT auditors and ISO auditors, and we comply with the legal requirements.

    Certifications

    Data sub-processors

    In select areas Itadel collaborates with vendors who attain status of of data sub-processors. See the list of data sub-processors here.

    Itadel_Icon_KundenCentrum_RGB_Blue

    B4Restore A/S

    Itadel uses the following supplier to fulfill a sub-section of the service-area "Backup and Restore":

    B4Restore A/S
    Aahave Parkvej 31
    8260 Viby
    CVR: 27719945

    Itadel_Icon_KundenCentrum_RGB_Blue

    Humansoft Kft.

    Itadel uses the following supplier to fulfill a sub-section of the service-area "Deployment and Operations":

    Humansoft Kft.
    Montevideo u. 8.
    1037 Budapest
    Ungarn
    Public reg. no. HU000000071030
    Company registration no.: 01-09-062054

    Itadel_Icon_KundenCentrum_RGB_Blue

    Skandinavisk Computer Rekruttering A/S

    Itadel uses the following supplier to fulfill a sub-section of the service-area "Deployment and Operations":

    Skandinavisk Computer Rekruttering A/S
    Hasselager Centervej 5, 1
    8260 Viby J
    CVR: 29627452

    Itadel_Icon_Digitalisering_RGB_Blue_bg

    J2 Global Denmark A/S

    Itadel uses the following supplier to fulfill a sub-section of the service-area "E-mail scanning and spam filtering":

    J2 Global Denmark A/S
    Spotorno Allé 12
    2630 Høje Taastrup
    CVR: 28117833

    Itadel_Icon_Digitalisering_RGB_Blue_bg

    Microsoft

    Itadel uses the following supplier to fulfill a sub-section of the service-area "Public cloud services" (Office 356 & Azure):

    Microsoft Denmark ApS
    Kanalvej 7
    2800 Kgs. Lyngby
    CVR: 13612870

    ----------

    Microsoft Ireland Operations L
    Sandford Industrial Estate
    18 Dublin
    VAT: IE8256796U

    Itadel_Icon_Digitalisering_RGB_Blue_bg

    Itadel Czech Republic

    Itadel uses the following supplier to fulfill the service-area "Deployment and Operations":

    Itadel Czech Republic s.r.o.
    Bucharova 1281/2, Stodůlky
    158 00 Praha 5
    Tjekkiet
    Identifikationsnummer: 07628919

    Itadel_Icon_Digitalisering_RGB_Blue_bg

    ServiceNow

    ServiceNow Nederland B.V.
    Hoekenrode 3
    1102 BR Amsterdam
    Holland

    Itadel_Icon_Digitalisering_RGB_Blue_bg

    Cloud Teams

    Cloud Teams ApS
    Borupvang 5C
    2750 Ballerup
    CVR: 38895672

      Itadel Security Measures

      Below is a description of Itadels technical and organisational measures to safeguard Customer Data.

      This page is last updated on Friday the 25th of May, 2018.


      AREA
       
      PRACTICE
      1. Organization of Information Security
       
      • Organization of Information Security

      • Itadel assigned a dedicated function to respond to requests related to Personal Data.

      • Itadel has implemented a process for handling such requests taking into account the regulative requirements for a timely response.

      • Itadel has appointed an information security department to be responsible for internal control and compliance with rules and regulations.

      • Itadel also implemented a risk management program to ensure risk transparency and appropriate risk responses.

       

      2. Asset Management
       
      • Itadel maintains a register for all media holding customer data.

      • Customer data and systems for processing of customer data are classified to identify the appropriate protection levels.

      • Access to customer data is allowed only if there is a work related requirement. Such access will be logged, cf. 5 Communications and Operations Management

       

      3. Human Resources Security
       
      • Itadel has implemented a process for screening of personnel prior to employment.

      • All personnel are subject to confidentiality obligations.

      • Itadel personnel has been informed about their roles and information security responsibilities at employment and in connection with changes.

      • All personnel are made aware of possible disciplinary measures upon breaching the security rules and procedures.

       

      4. Physical and Environmental Security
       
      • Physical access to data processing facilities is limited to identified and authorized persons.

      • Physical user access privileges are revoked after having not been used for a period of six months.

      • Physical access is logged, and the log is retained for 12 months.

      • Employees and visitors are required to wear visible identification cards an any time in Itadel’s facilities.

      • The use of photography is prohibited in the support infrastructure facilities.

      • CCTV coverage is maintained at the support infrastructure facilities. CCTV activity is recorded.

      • To counter against eavesdropping, a clear screen and clear desk policy has been implemented.

      • Itadel handles disposal of physical data media following a formal process using industry best practices.

      • Itadel maintains records of incoming and outgoing media containing customer data.

      • Shredders are used for disposal of paper assets.

      • During system decommissioning, logical data deletion activities are recorded for later documentation.

      • Redundant communication lines are provided in order to minimize the impact of disruptions.

      • To protect against disruptions from power failures that could lead to loss of data, Itadel uses industry standard power emergency systems as well as lightning protection.

      • Backups are stored on a different physical site from where the primary customer data processing systems are located with a physical distance of at least 10 kilometres.

      5. Communications and Operations Management
       

      a. Operational procedures

      • Itadel maintains operational procedures to ensure a uniform security level.
      • Changes are done in a controlled manner following Itadel’s Change Management process. Prior to a change, a risk assessment is carried out and approved by a responsible appointed by management.

      b. Backup

      • To ensure backup consistency, backup records are monitored on a daily basis for failed backup attempts.
      • Data recovery ability is checked on a sample basis every month.
      • Data recovery activities are logged (cf. Logging).

      c. Logging

      • Itadel logs relevant system events and administrator activities, including data processing activities. Logs are retained for 6 months and deleted there after (unless a customer specific retention time is specified). Logs are stored in a dedicated and protected log management system.

      The following events are logged in Itadel’s systems:

      Hypervisor and operating systems:

      • Authorization accept or reject events
      • Access to, change of, and deletion of files, including data backup and restoration activities
      • Changes in access controls lists
      • All log entries contain at least user ID, time and date, as well as the activity. 

      Database:

      • SQL statements on specific tables after customer specifications.

      • Upon Customer request, system supported log analysis may be implemented to identify and follow up on irregularities. Such request is handled in accordance with Itadel’s change procedure.

      d. Encryption

      • Customer data in transit over public networks are encrypted.

      e. Protection against malicious software

      • On servers and clients, Itadel utilizes centrally managed anti-malware software from a widely recognized vendor.

      6. Access Control
       
      • Itadel implemented formalised processes for user registering and de-registering as well as assigning and revoking access rights.

      • Principles for segregation of duties and management approval are implemented in these processes.

      • Remote access to customer systems is encrypted and protected by a two-factor authentication mechanism.

      • Access to customer data is approved on the basis of a work related need.

      • Access rights granted to Itadel’s administrators are reviewed periodically.

      • User registers and user privileges are maintained.

      • Repeated unsuccessful logon attempts triggers an alarm and a temporary lock down of the particular account.

      • Itadel deactivates user credentials that have not been used for three months.

      • Deactivated personal user IDs are not granted to other individuals.

      Passwords

      • Unique and personal user IDs and passwords with complexity settings are enforced.

      • Password length for administrative accounts are at least 12 characters long.

      • Periodic password renewal is enforced.

      • The use of generic accounts is limited and documented.

      • When accessing customer systems using higher privileges, two-factor authentication is enforced.

      • Passwords are stored in an encrypted format.

      Erasure

      • Itadel handles deletion of customer data following a formal process using industry best practices.


       

      7. Information Security Incident Management
       
      • Itadel manages information security incidents according to a formalised management approved process.

      • When incidents are identified, a record is created with incident description, time and date, impact, and the incident is evaluated by a security responsible. Follow up activities are tracked as well.

      • In case of Customer data disclosure, the Customer will be notified without undue delay.

      • The notification includes a description of the incident, an estimate of the extent of the data breach and the likely consequences, together with contact details of the contact point at Itadel. Accordingly, without undue delay, Itadel will analyse and inform the Customer of the root cause of such incident and the measures taken to prevent re-occurrences.

       

      8. Business Continuity Management
       
      • Itadel’s contingency planning contains measures to prevent crisis situations and measures to minimise the impact in case of disaster situations.

      • Itadel’s disaster recovery plans are tested periodically.

      • In order to minimise data loss, Itadel utilizes storage technology with built in redundancy and performs data backup every 24 hours.

       

      9. Disclosure of personal data
       
      • Itadel has appointed a dedicated function with special training and focus to handle requests for Personal Data. The dedicated function and a formal process ensures that Itadel will not hand out any personal data unless required by law, cf. clause 10 (Data Processor Agreement).

       

      10. Privacy by design
       
      • Itadel is dedicated to protecting customer data. Therefore, Itadel takes information security requirements into consideration during the design phase of new IT services.

      • Customers hosted in Itadel’s IT environment are logically separated in virtual data centres. One virtual data centre for every customer. Every customer server is a logically separated virtual instance connected to a virtual and logical separated network.