The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to harmonize data protection laws across Europe, regardless of where that data is processed.
Our policy is to respect all laws that apply to our business and this includes GDPR. We also acknowledge that our customers have requirements under GDPR that are directly impacted by their use of Oxynade's products and services. We are committed to helping our customers stay in compliance with GDPR and their local requirements.
If you have any questions or comments, don't hesitate to contact us.
Oxynade is a data processor
The GDPR distinguishes between a data processor and a data controller.
The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Oxynade is a data processor and processes personal data on behalf of the data controller when the controller uses the Oxynade tools.
Our customers can be data controllers for any personal data that has been shared by their ticket buyers. If they are data processors, they need to comply with the corresponding rules.
If you want to know more about your rights and obligations as a data controller or processor, please check the EU website on GDPR.
We've updated our general terms and conditions (LINK) to make your data privacy and security even more transparent.
We will ensure that our employees, consultants, managers and suppliers authorized to process personal data have committed to confidentiality.
We are committed to ensuring that our application has all of the necessary functionality for compliance with the GDPR. We will assist our customers with responding to individual rights requests that they receive. The method we use for deletion and retention of data is acceptable for use under the GDPR. This assures our customers that they are using software that will keep them compliant.
We commit to following appropriate security measures and precautions in accordance with the GDPR. We promise to assist with notifying regulators of breaches and to promptly communicate any breaches to our customers and users.
Use of subprocessors
We will hold any subprocessors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.
We protect your data.
We've never sold your data and we will never do so.
SUPPLIER DATA AND SECURITY QUESTIONNAIRE
Data Protection Officer
What is the name and contact details of your Data Protection Officer?
Systems and applications
Where is your data centre location?
Will the space in your data centre be shared with any other clients?
What measures are in place to protect the physical security of data centres where our data will be stored?
Who has access to our data?
Is our data on your servers encrypted at rest?
Do you have a business continuity plan that is reviewed, tested and updated at least annually?
When was the business continuity plan last tested?
Access to personal data
Who within your organisation will have access to the personal data?
What user authentication do you use on networks/systems that store/process our data?
Are the members of these teams bound to confidentiality and schooled in GDPR?
Penetration / security testing
Do you conduct penetration testing at least annually on all networks hosting our data?
Please describe the physical security that protects our data, including building access and physical server access.
Do all devices hosting or connecting to our data have anti-virus (AV) software which is updated at least daily, runs a scheduled scan at least daily, and runs on execution?
Describe the procedures in place to ensure that acceptance criteria for new information systems, upgrades and versions are established and tests are performed prior to roll out.
Do you apply privacy by design?
Describe the segregation of duties, including the separation of development, test and operational facilities.
Is production data used in test or development environments?
Do you keep and regularly review access, event, error and transaction logs on all networks storing/processing our data?
Are all logs protected from deletion and/or amendment?
Is access to all logs recorded and monitored?
Do you have a formal breach notification process?
Detail the timelines to notify us of any suspected breach.
Have you had a security breach within the last 12 months? If so, please describe the incident, effect and outcome.
Data retention / deletion
For what period do you retain our data?
For what period is our data stored in back-ups?
Where are our backups kept?
Is Personal Data encrypted in transit? Explain how.
Is Personal Data encrypted at rest? Explain how.
Is any of our data processed, stored or transferred outside of the EEA?
Is our data passed on to any third parties for processing?
Do you have a data processing agreement in place with these third parties?
Do you enter into a data processor agreement with us?
No, we have a dedicated virtual infrastructure.
Data centres are owned and managed by Nucleus.
Our Customer Services team and key members of Development team.
Passwords are encrypted, and all HTTPS traffic is SSL encrypted.
Our Customer Services team and key members of Development team.
Our Customer Services team can access your data via a super admin function.
The servers and database can only be accessed from known devices using asymmetric cryptography.
Access to our servers is also restricted to fixed IP addresses.
Physical security to our servers is managed by Nucleus.
Physical security to our offices is managed by us.
Yes, all our devices and servers run anti-virus software.
We have a secure development policy.
The development lifecycle follows the standard sequence:
Business Requirements → Functional Specification → Design → Technical Specification → Development → Technical Review → QA → UAT → Live.
A CI server is in place to run the automated tests for every release.
We have separate environments and teams for Development, System Testing, UAT and Live.
Yes, Nucleus provides active threat detection and remediation for advanced persistent threats (APTs) and other cyber-attacks.
We would notify you without delay and certainly within 72 hours.
We delete personal data after 10 years.
We have a 14-day backup rotation period.
Yes, using the HTTPS protocol.
No, only passwords are encrypted. The other data is necessary for reporting.
Nucleus, who owns and manages the data centre.
Occasionally we may contract a third-party software developer or other contractors for specific tasks. While these contractors generally have no access to Personal Data, access may be granted if needed in exceptional circumstances and under a strict data processing agreement.
We do not share Personal Data with third parties for commercial or marketing reasons.