Governance, Risk and Compliance

October 9, 2023, by magnusb

eMarketeer Cloud Security Measures

eMarketeer AB, hereafter called “eMarketeer”, is a leading actor in the development of SaaS (software as a service) services, hereafter called “the Service”, within e-marketing. eMarketeer provides tools to automate the distribution of information and the associated response and follow-up processes, in order to optimize customer communication and customer service.

eMarketeer is strongly committed to privacy, security and transparency. This section outlines our governance model and the policies and procedures through which we ensure that all employees work together to achieve these goals. To secure our customers’ data in the best possible way, eMarketeer works according to the legal requirements set by the European Union, as well as in line with local legislation.

Governance in eMarketeer

eMarketeer Quality Management System (EQS) is built on the structures of ISO standards, as well as on the GRC principle: Governance + Risk management + Compliance.

The processes established and executed by the eMarketeer Board of Directors are reflected in the organization’s structure and in how it is managed and led toward achieving our goals.

EQS currently covers the Information Security Management System for all internal systems and the online cloud service offered to customers. Furthermore, EQS covers all processes related to privacy mandated by the General Data Protection Regulation (GDPR).

Risk Management

An overall risk assessment is implemented in relation to information objects and is updated once a year. Our approach to security is based on risk assessments according to Article 24 of the EU General Data Protection Regulation (EU-GDPR) and the ICT regulations §3.

Risk management is a set of processes through which eMarketeer management identifies, analyzes and responds, in a timely and appropriate manner, to risks that might adversely affect the realization of our organization’s business objectives. The response to a risk typically depends on its perceived gravity and involves controlling, avoiding or accepting it, or transferring it to a third party.

We manage a wide range of risks: technological risks, information security risks, commercial/financial risks and, of course, external legal and regulatory compliance risk.

Information Classification and Control

Breaches of confidentiality and insufficient integrity of information must not occur. We therefore protect information according to its criticality: all main information and assets are registered and assigned to a designated owner.

The information is also classified to enable the application of necessary and appropriate security controls. The information owner is responsible for the maintenance and continuous application of approved and appropriate checks and improvements.

Third-party access to data

Any information stored in eMarketeer is treated as confidential and is not disclosed or sold to any third party. All information is stored securely and can only be accessed by the customer and by trusted eMarketeer personnel for site administration purposes.

Compliance

eMarketeer follows the legal requirements provided by the EU in the REGULATION 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of persons with regard to the processing of personal data and on the free movement of such data, and repealing DIRECTIVE 95/46/EC (General Data Protection Regulation – GDPR). The U.S.-based services either store all data in the EU or use Standard Contractual Clauses (SCC). All eMarketeer data is stored in Europe and is encrypted with our own keys.

Data Processing Agreements

Data Processing Agreements are signed between eMarketeer and the customer when the service agreement is signed. The purpose of the Data Processing Agreement is to regulate eMarketeer’s processing of personal data on behalf of the customer using eMarketeer. Sub-Data Processing Agreements are signed between eMarketeer and its sub-processors.

Secure Storage

Data stored in eMarketeer is protected by an ISO 27001 certified Information Security Management System. These ISO standards represent international best practice for information security.

Our external security consultants review the security policies and test our defenses and security controls on a regular basis. eMarketeer and our hosting partner are strongly committed to safeguarding all the information in eMarketeer.

Audits and ISAE 3402

The customer is entitled to perform periodic security audits, controls and inspections. An audit may include walking through the main routines, random sampling, more comprehensive on-site checks and other suitable controls. Each party covers its own costs associated with such audits, controls and inspections. The customer must engage an entitled and certified third party to perform such audits.

eMarketeer performs third-party security audits on a yearly basis. The purpose of such audits is to demonstrate the adequacy of the technical and organizational security measures employed by eMarketeer.

Secure Product Development

eMarketeer applies the Security by Design and Privacy by Design principles in its software development methodology. All application code is developed with an end-to-end focus on security and privacy. New versions are tested by dedicated test personnel and are also subject to extensive external testing (beta/pilot testing).

eMarketeer performs different kinds of tests, such as feature, integration, performance and load/stress tests. Both automated and manual testing are applied.

All systems developed for eMarketeer have clear security requirements, covering the validation of data, the security of code before it is put into production, and any use of cryptography. Structured methods such as agile and Scrum are used to control all parts of the development process.

All changes in the production environment follow established procedures. Dedicated test and development environments are used to test all changes, such as bug fixes and new releases, before deployment to production. Independent test personnel regularly test new functionality.

Moreover, all software is tested and formally accepted by an internal owner and operator before it is transferred to the production environment.

Before any new changes are put into production, a threat and risk assessment, a security code review and penetration tests are systematically performed and documented. If no security issues are detected, the new functionality is implemented into the existing eMarketeer application.

Exit Plan

When the customer’s subscription to eMarketeer services is terminated or expires, the account is deactivated and is no longer accessible. Customer data can be exported in a generic file format before it is removed. After 30 days, all data belonging to the customer is removed from eMarketeer’s servers and data center facilities. Backups remain available according to the backup procedures.

Contact Info

Please feel free to direct any questions and comments regarding eMarketeer Governance, Risk and Compliance to our Data Protection Officer by email at privacy@emarketeer.com.