WE COMPLY WITH THE GENERAL DATA PROTECTION REGULATION (GDPR)

The EU General Data Protection Regulation (GDPR) replaces the 1995 EU Data Protection Directive. The GDPR strengthens the rights that individuals have regarding personal data relating to them and seeks to harmonize data protection laws across Europe, regardless of where that data is processed.

 

Our policy is to respect all laws that apply to our business and this includes GDPR. We also acknowledge that our customers have requirements under GDPR that are directly impacted by their use of Oxynade's products and services. We are committed to helping our customers stay in compliance with GDPR and their local requirements.

 

If you have any questions or comments, don't hesitate to contact us.

Oxynade is a data processor 

The GDPR distinguishes between a data processor and a data controller.

The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Oxynade is a data processor and processes personal data on behalf of the data controller when they use the Oxynade tools.

 

Our customers can be data controllers for any personal data that has been shared by their ticket buyers. If they are data processors, they need to comply with the corresponding rules.

 

If you want to know more about your rights and obligations as a data controller or processor, please check the EU website on GDPR.

Our commitments

Our policies

We've updated our general terms and conditions (LINK) to make your data privacy and security even more transparent.

 

Our experts

We will ensure that our employees, consultants, managers and suppliers authorized to process personal data have committed to confidentiality.

 

Our tools

We are committed to ensuring that our application has all of the functionality necessary for compliance with the GDPR. We will assist our customers with responding to individual rights requests that they receive. The method we use for deletion and retention of data is acceptable for use under the GDPR. This assures our customers that they are using software that will keep them compliant.

Breach notification

We commit to following appropriate security measures and precautions in accordance with GDPR. We promise to assist with notifying regulators of breaches and to promptly communicate any breaches to our customers and users.

Use of subprocessors

We will hold any subprocessors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves. 

We protect your data.

 

We've never sold your data and we will never do so. 

SUPPLIER DATA AND SECURITY QUESTIONNAIRE

Version 2017-04-01

Data Protection Officer

Question: What is the name and contact details of your Data Protection Officer?
Supplier response: Nicolas Van Geluwe, to be reached at dataprotectionofficer@oxynade.com.

Systems and applications

Question: Where is your data centre location?
Supplier response: Antwerp, Belgium.

Question: Will the space in your data centre be shared with any other clients?
Supplier response: No, we have a dedicated virtual infrastructure.

Question: What measures are in place to protect the physical security of data centres where our data will be stored?
Supplier response: Data centres are owned and managed by Nucleus.

Question: Who has access to our data?
Supplier response: Our Customer Services team and key members of Development team.

Question: Is our data on your servers encrypted at rest?
Supplier response: Passwords are encrypted, all HTTPS traffic is SSL encrypted.

Business continuity

Question: Do you have a business continuity plan that is reviewed, tested and updated at least annually?
Supplier response: Yes.

Question: When was the business continuity plan last tested?
Supplier response: December 2017.

Access to personal data

Question: Who within your organisation will have access to the personal data?
Supplier response: Our Customer Services team and key members of Development team.

Question: What user authentication do you use on networks/systems that store/process our data?
Supplier response: Our Customer Services team can access your data via a super admin function. The servers & database can only be accessed from known devices using asymmetrical cryptography. Access to our servers is also tied down to fixed IP addresses.

Question: Are the members of these teams bound to confidentiality and schooled in GDPR?
Supplier response: Yes.

Penetration / security testing

Question: Do you conduct penetration testing at least annually on all networks hosting our data?
Supplier response: Yes, annually.

Physical security

Question: Please describe the physical security that protects our data, including building access and physical server access.
Supplier response: Physical security to our servers is managed by Nucleus. Physical security to our offices is managed by us.

Anti-virus

Question: Do all devices hosting or connecting to our data have AV which is updated at least daily, runs a scheduled scan at least daily, and runs on execution?
Supplier response: Yes, all our devices and servers run anti-virus software.

Application development

Question: Describe the procedures in place to ensure that acceptance criteria for new information systems, upgrades and versions are established and tests are performed prior to roll out.
Supplier response: We have a secure development policy.
The development lifecycle is:
The standard Business Requirements → Functional Specification → Design → Technical Specification → Development → Technical review → QA → UAT → Live.
A CI server is in place to run the automated tests for every release.

Question: Do you apply privacy by design?
Supplier response: Yes.

Question: Describe the segregation of duties, including the separation of development, test and operational facilities?
Supplier response: We have separate environments & teams for Development, System Testing, UAT and Live.

Question: Is production data used in test or development environments?
Supplier response: No.

Logs

Question: Do you keep and regularly review access, event, error and transaction logs on all networks storing/processing our data?
Supplier response: Yes, Nucleus provides active threat detection and remediation for advanced persistent threats (APTs) and other cyber-attacks.

Question: Are all logs protected from deletion and/or amendment?
Supplier response: Yes.

Question: Is access to all logs recorded and monitored?
Supplier response: Yes.

Breach notification

Question: Do you have a formal breach notification process?
Supplier response: Yes.

Question: Detail the timelines to notify us of any suspected breach.
Supplier response: We would notify you without delay and certainly within 72h.

Question: Have you had a security breach within the last 12 months? If so, please describe the incident, effect and outcome.
Supplier response: No.

Data retention / deletion

Question: For what period do you retain our data?
Supplier response: We delete personal data after 10 years.

Question: For what period is our data stored in back-ups?
Supplier response: We have a 14 day backup rotation period.

Question: Where are our backups kept?
Supplier response: Antwerp, Belgium.

Data encryption

Question: Is Personal Data encrypted in transit? Explain how.
Supplier response: Yes, using https protocol.

Question: Is Personal Data encrypted at rest? Explain how.
Supplier response: No, only passwords are encrypted. The other data is necessary for reporting.

Territories

Question: Is any of our data processed, stored or transferred outside of the EEA?
Supplier response: No.

Sub-processors

Question: Is our data passed on to any third parties for processing?
Supplier response: Nucleus, who owns and manages the data centre.
Occasionally we may contract a third party software developer or other contractors for specific tasks. While these contractors generally have no access to Personal Data, access may be granted in exceptional circumstances where needed and under a strict data processing agreement.
We do not share Personal Data with third parties for commercial or marketing reasons.

Question: Do you have a data processing agreement in place with these third parties?
Supplier response: Yes.

Contractual Compliance

Question: Do you enter into a data processor agreement with us?
Supplier response: Yes.

Question: Do you have a data privacy policy?
Supplier response: Yes.

Sassevaartstraat 46/201

9000 Ghent, Belgium