The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to harmonize data protection laws across Europe, regardless of where that data is processed.
Our policy is to respect all laws that apply to our business and this includes GDPR. We also acknowledge that our customers have requirements under GDPR that are directly impacted by their use of Oxynade's products and services. We are committed to helping our customers stay in compliance with GDPR and their local requirements.
If you have any questions or comments, don't hesitate to contact us.
Oxynade is a data processor
The GDPR distinguishes between a data processor and a data controller.
The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Oxynade is a data processor: it processes personal data on behalf of the data controller whenever the controller uses the Oxynade tools.
Our customers can be data controllers for any personal data shared with them by their ticket buyers. If they act as data processors, they need to comply with the corresponding rules.
If you want to know more about your rights and obligations as a data controller or processor, please check the EU website on GDPR.
Our commitments
Our policies
We've updated our general terms and conditions (LINK) to make your data privacy and security even more transparent.
Our experts
We will ensure that our employees, consultants, managers and suppliers authorized to process personal data have committed to confidentiality.
Our tools
We are committed to ensuring that our application has all of the functionality necessary for compliance with the GDPR. We will assist our customers with responding to the individual rights requests that they receive. The method we use for deletion and retention of data is acceptable for use under the GDPR. This assures our customers that they are using software that will keep them compliant.
Breach notification
We commit to following appropriate security measures and precautions in accordance with the GDPR. We promise to assist with notifying regulators of breaches and to promptly communicate any breaches to our customers and users.
Use of subprocessors
We will hold any subprocessors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.
We protect your data.
We've never sold your data and we will never do so.
SUPPLIER DATA AND SECURITY QUESTIONNAIRE
Version 2017-04-01
Data Protection Officer
Question: What is the name and contact details of your Data Protection Officer?
Supplier response: Nicolas Van Geluwe, to be reached at

Systems and applications
Question: Where is your data centre location?
Supplier response: Antwerp, Belgium.
Question: Will the space in your data centre be shared with any other clients?
Supplier response: No, we have a dedicated virtual infrastructure.
Question: What measures are in place to protect the physical security of data centres where our data will be stored?
Supplier response: Data centres are owned and managed by Nucleus.
Question: Who has access to our data?
Supplier response: Our Customer Services team and key members of the Development team.
Question: Is our data on your servers encrypted at rest?
Supplier response: Passwords are encrypted; all HTTPS traffic is SSL encrypted.

Business continuity
Question: Do you have a business continuity plan that is reviewed, tested and updated at least annually?
Supplier response: Yes.
Question: When was the business continuity plan last tested?
Supplier response: December 2017.

Access to personal data
Question: Who within your organisation will have access to the personal data?
Supplier response: Our Customer Services team and key members of the Development team. Our Customer Services team can access your data via a super admin function.
Question: What user authentication do you use on networks/systems that store/process our data?
Supplier response: The servers and database can only be accessed from known devices using asymmetric cryptography. Access to our servers is also restricted to fixed IP addresses.
Question: Are the members of these teams bound to confidentiality and schooled in GDPR?
Supplier response: Yes.

Penetration / security testing
Question: Do you conduct penetration testing at least annually on all networks hosting our data?
Supplier response: Yes, annually.

Physical security
Question: Please describe the physical security that protects our data, including building access and physical server access.
Supplier response: Physical security of our servers is managed by Nucleus. Physical security of our offices is managed by us.

Anti-virus
Question: Do all devices hosting or connecting to our data have AV which is updated at least daily, runs a scheduled scan at least daily, and runs on execution?
Supplier response: Yes, all our devices and servers run anti-virus software.

Application development
Question: Describe the procedures in place to ensure that acceptance criteria for new information systems, upgrades and versions are established and tests are performed prior to roll out.
Supplier response: We have a secure development policy. The standard development lifecycle is: Business Requirements -> Functional Specification -> Design -> Technical Specification -> Development -> Technical review -> QA -> UAT -> Live. A CI server is in place to run the automated tests for every release.
Question: Do you apply privacy by design?
Supplier response: Yes.
Question: Describe the segregation of duties, including the separation of development, test and operational facilities.
Supplier response: We have separate environments and teams for Development, System Testing, UAT and Live.
Question: Is production data used in test or development environments?
Supplier response: No.

Logs
Question: Do you keep and regularly review access, event, error and transaction logs on all networks storing/processing our data?
Supplier response: Yes, Nucleus provides active threat detection and remediation for advanced persistent threats (APTs) and other cyber-attacks.
Question: Are all logs protected from deletion and/or amendment?
Supplier response: Yes.
Question: Is access to all logs recorded and monitored?
Supplier response: Yes.

Breach notification
Question: Do you have a formal breach notification process?
Supplier response: Yes.
Question: Detail the timelines to notify us of any suspected breach.
Supplier response: We would notify you without delay and certainly within 72 hours.
Question: Have you had a security breach within the last 12 months? If so, please describe the incident, effect and outcome.
Supplier response: No.

Data retention / deletion
Question: For what period do you retain our data?
Supplier response: We delete personal data after 10 years.
Question: For what period is our data stored in back-ups?
Supplier response: We have a 14 day backup rotation period.
Question: Where are our backups kept?
Supplier response: Antwerp, Belgium.

Data encryption
Question: Is Personal Data encrypted in transit? Explain how.
Supplier response: Yes, using the HTTPS protocol.
Question: Is Personal Data encrypted at rest? Explain how.
Supplier response: No, only passwords are encrypted. The other data is necessary for reporting.

Territories
Question: Is any of our data processed, stored or transferred outside of the EEA?
Supplier response: No.

Sub-processors
Question: Is our data passed on to any third parties for processing?
Supplier response: Nucleus, who owns and manages the data centre. Occasionally we may contract a third-party software developer or other contractors for specific tasks. These contractors generally have no access to Personal Data; where access is needed in exceptional circumstances, it is granted under a strict data processing agreement. We do not share Personal Data with third parties for commercial or marketing reasons.
Question: Do you have a data processing agreement in place with these third parties?
Supplier response: Yes.

Contractual Compliance
Question: Do you enter into a data processor agreement with us?
Supplier response: Yes.
Question: Do you have a data privacy policy?
Supplier response: Yes.