GDPR legislation & data security
Feedback Company believes it is important to inform clients about the data security that is applied to comply with the GDPR legislation. Below you will find a brief overview of what Feedback Company does to process its data in a way that is compliant with the GDPR legislation. Here you will find documentation and answers to frequently asked questions about information security. For additional information please email: helpdesk@feedbackcompany.com.
Technical and Organizational Measures
- Up to date virus scanners on every laptop and PC
- Accurate security VOIP (Voice Over IP) system from employees
- Unique login codes and passwords for employees (with Password Expiration Policy)
- Role-Based Access Policy
- No unsecured backups
- Clean desk policy (office policy)
- Don’t leave your laptop, tablet or mobile phone unattended
- Destroy old documents correctly
- Access passes
- Safes for sensitive company documentations.
Incident Policy
All incidents are handled according to the established Critical Issue Handling Process, all incidents are reported internally and logged on the Root Cause Analysis page.
Data breach protocol
All reported notifications to our Data Protection Officer are handled according to the established Data breach protocol.
Is our data processed outside the EU?
No, all our data is held by parties that can guarantee that the data is never processed outside the EU.
Do we have a data security certification?
Yes, Feedback Company has a Certificate from NL Digital, called the Data Pro Code. The Data Pro Code is a security certificate that is officially recognized and approved by the Dutch Data Protection Authority. With this, we can guarantee clients that we comply with the information obligations laid down by the Dutch Data Protection Authority, and that we process our data with AVG Complaint.
Security backups
Feedback Company naturally makes regular backups of the data in the event of a calamity. All backups are made via an encrypted connection and stored in two different places.
Retention period
The GDPR legislation states that at the end of the relationship/contract term, the processor must destroy the customer’s data, within at least 3 months. Feedback Company acts in accordance with the AVG legislation and ensures that the client’s processed data at the end of the contract is deleted. In some cases, the clients want to receive their collected data so that it can be kept for archival purposes, an export of the processed data is allowed and is reinforced once at the end of the relationship with the client. The export is always provided anonymously and therefore does not contain any traceable personal data, this is so that Feedback Company can maintain its security standard at all times.
The right to forget
Every client and customer of the client of Feedback Company can invoke the right-to-be-forgotten at any time. A request can be made for this via the e-mail address helpdesk@feedbackcompany.com.
List of Sub-processors and the nature of processing
The following sub-processors are used for the Appreciation platform (review portal)
- 301 Media B.V., established in Eindhoven and registered in the trade register under number 66728347, who also trades under the name Scoupz. Nature of processing: comparison site.
- Atlassian B.V., established in Amsterdam and registered in the trade register under number 34311373, who also trades under the name Atlassian. Nature of processing: CMS.
- Copernica B.V., established in Amsterdam and registered in the trade register under number 34129493, who also trades under the name Copernica. Nature of processing: mail provider.
- Integrated Internet Services B.V., established in Haarlem and registered in the trade register under number 39093099, who also trades under the name RealHosting. Nature of processing: mail provider.
- Google Ireland Limited, established in Dublin, Ireland who also trades under the name Google. Nature of processing: webhost.
- Google Netherlands B.V., established in Amsterdam and registered in the trade register under number 34198589, who also trades under the name Google.
- Nature of processing: review marketing.
- Middelkoop.cc, established in Capelle aan den Ijssel and registered in the trade register under number 73667773. Nature of processing: WordPress webhost.
- Teamleader Nederland B.V., established in Amsterdam and registered in the trade register under number 63326426, who also trades under the name Teamleader. Nature of processing: CRM.
- Interactivated Ecommerce B.V., gevestigd te Groningen en ingeschreven in het handelsregister onder nr. 58348646. Aard van de verwerking: Hosting Lightspeed & Shopify
Three additional sub-processors are used for ‘Evaluation’ (research portal):
- Twilio Netherlands B.V., established in Amsterdam and registered in the trade register under number 73420514, who also trades under the name SendGrid. Nature of processing: mail provider.
- IBM Nederland B.V., established in Amsterdam and registered in the trade register under number 33054214, who also trades under the name IBM. Nature of processing: research reports via IBM SPSS Statistics Software.