Data protection and privacy
In May 2018 the GDPR entered into force, thus forcing all EU companies to focus on ensuring safe and responsible handling of personal data. We at Triptale see this as a great change towards transparency and higher amounts of control for individuals in regards to their personal data.
The General Data Protection Regulation (GDPR) is the EU’s initiative to protect its citizens’ personal data. It entered into force on May 25 2018. At first glance, GDPR might seem to generate an excessive amount of extra work for companies in order for them to comply to all these new rules, but the purpose of the GDPR is to ensure that the organization gets a better overview of the personal data being processed by the companies, as well as the purposes and legal basis for this processing.
That being said, the GDPR is nothing less than a jungle of rules. It’s complex, huge and a hassle. Many companies have a hard time grasping the scope of the new GDPR. This inspired us to create a simple overview of how we comply with the applicable data protection regulation, specifically after the introduction of GDPR and the new Danish Data Protection Act. This should make it easier for you, as a customer of Triptale, to understand and be comfortable with our approach.
Below, you’ll find a walkthrough of the important areas of how we handle data processing at Triptale.
When entering into an agreement with Triptale, which entails processing of personal data, you must accept the terms of our Data Processing Agreement.
The document containing the entire GDPR in full length can be found here: https://gdpr-info.eu/ and the guidelines from the Danish Data Protection Agency (Datatilsynet) can be found here https://www.datatilsynet.dk/generelt-om-databeskyttelse/vejledninger-og-skabeloner/.
As a Triptale customer
Triptale will always aim to develop according to GDPR standards (i.e. to comply with the “privacy by design”-requirement) and best practices for our customers, and to do our best to inform and help all customers to make the right decisions for their projects.
Our way of working with data can be divided into three areas
- Personal data handled on behalf of customers (E.g. when we host an app, run an integration or similar)
- Personal data about potential and existing customers, handled by us.
- Situations where we are asked for advice from customers on how they may consider data, security, GDPR and similar topics when buying a project or service from Triptale.
In the paragraphs below, you can read more about how we deal with #1 and #2 from the above list.
When it comes to #3 (Projects, where we’re hired as a contractor) and we are asked to give advice on security, regulation, GDPR or similar, you can expect us to always do our utmost to fulfil the task. We are, however, not able to provide legal counsel or to be liable for any damages or repercussions that might follow from a project, we’re building for a customer in accordance with the customer’s specifications and instructions, and we always recommend seeking legal counsel if a customer has questions relating to implementation of the GDPR, but we will of course contribute with technical input.
The responsibility for complying with relevant legislation is always the customer’s.
Data storage, services, and products
Triptale uses a Danish hosting company, Curanet A/S, as a subcontractor for most hosting services. Curanet’s servers are located in Denmark, meaning that Triptale’s customer data is placed and processed within the EU and Triptale has entered into a data processing agreement (a DPA) with Curanet in order to ensure that they comply with the GDPR whenever processing personal data on our behalf.
Exchange of data services
Triptale uses various systems integrations to exchange data on behalf of our customers and also for supporting internal business processes. Triptale keeps an overview of the systems involved in these integrations and ensures that the data flow between them is handled via a secure connection. When it comes to online systems, Triptale, as a minimum, ensures that the integrated systems communicate via HTTPS, which is a transfer protocol encrypted by Secure Sockets Layer (SSL).
Triptale uses KOEBT, an integration platform used to exchange data between different systems, to handle most integrations. KOEBT is a software that has been designed by Twentyfour (the company that owns Triptale), with privacy in mind and it is ensured that the data processed by the platform is secure.
Overview of Triptale’s products and services
Below is an overview of the most common products and services offered by Triptale.
|Product / service||Description|
|Hosting||Triptale offers hosting of their customers’ apps. Triptale’s servers are managed by a subcontractor – Curanet.|
|KOEBT||Triptale uses an integration platform called “KOEBT” which handles the exchange of data between various systems.|
|Update agreement||Triptale offers fixed maintenance agreements in order to keep customers’ apps up to date and secure by minimizing potential security vulnerabilities.|
|Critical support agreement||Triptale offers critical support agreements to customers with business-critical solutions that require quick reaction times. Through such agreements, Triptale provides security and ensures business continuity for their customers.|
|AppStore and Google Play management||Triptale offers AppStore and Google Play management services for all apps created and/or managed by Triptale.|
|Administration of third-party software and services||Triptale offers administration of third-party software and services related to the customer’s app.|
|Security packages||Triptale offers security optimization packages aimed at protection of customer’s solutions and any data associated with that. This is a recurring service where Triptale regularly checks on the state of security of customer’s solutions.|
Triptale uses a number of systems to support internal business processes and value creation for our customers. Some of the systems are acquired from third-party providers. The systems that Triptale uses to store data include, but are not limited to:
|Google Suite||E-mail service & document cloud storage|
|Pipedrive||Customer relationship management|
|Basecamp||Communication & project management|
|1Password||Secure password storage|
|SendGrid||Email delivery service|
|Triptale||Project management & invoicing|
Read our Data Processing Agreement (DPA) for all details. Below, we’ve made a brief summary of how we handle data processing.
The data processing agreement is a part of our Terms and conditions.
Processing of personal data
When you start a project with Triptale, you agree to us processing your and your customers’ data when necessary. Triptale will only process the personal data you are responsible for in accordance with your instructions.
At Triptale, the tasks are delegated to employees who are responsible for personal data while working on a project.
Storage and deletion of personal data
At Triptale, we ensure that personal data is processed on behalf of the customer and is stored in a physically and digitally safe environment.
We ensure that any medium where personal data is kept is encrypted, password protected, protected from physical harm and theft by storing such mediums (e.g. servers) securely in locked rooms .
At Triptale, we further ensure that storage of personal data only takes place for as long as the personal data is relevant and necessary in accordance with the Data Processing Agreement in order to perform the actions requested by our customer.
Furthermore, all personal data processed by Triptale is secured by our backup-solution.
Access to personal data
Only employees whose tasks include processing of personal data have access to personal data.
We ensure that personal data is not disclosed or transferred to any third parties outside of Triptale. The employees at Triptale are obliged to comply with rules on non-disclosure in relation to third parties as well as other Triptale employees who have no work-related reason to know of the personal data.
All customers have the right to transfer all their data in a machine readable format (e.g. excel, .txt etc.) to another system if they so wish. Upon request, we will transfer all relevant data (that is not owned by Triptale) from our platforms to the customer.
Right to be forgotten
At Triptale it is always possible to use your right to be forgotten. Simply contact us on email@example.com if you are interested in having all data deleted.
The programs used at Triptale for deletion of personal data are carried out safely that ensure sufficient overwriting of the deleted data.
Privacy by design
The systems used at Triptale handle personal data securely. This means that all exchanges of data are encrypted.
For instance, we develop data integration solutions through KOEBT (the integration platform we use) and to ensure security for our customers, data routed between the systems via KOEBT are encrypted.
Triptale will help you as much as possible in ensuring that the data is handled correctly and securely in all systems, but the customer is ultimately responsible for the design of and access to the system, as Triptale complies with the customer’s specifications.
In the majority of the cases, Triptale acts merely as the data processor for our customers in accordance with the Data Processing Agreement. Therefore, it is Triptale’s customers’ responsibility, as data controller, to carry out a risk assessment when the data processing is likely to result in a high risk to the rights and freedoms of natural persons. In some instances, a customer may be obligated to performing an impact assessment cf. art 35 of the GDPR, if the customer processes special categories of personal data (sensitive personal data) on a large scale.
If a customer is uncertain whether an impact assessment is necessary, we strongly advise that a legal expert is consulted.
In situations, where Triptale is the data controller, Triptale carries out a risk assessment in order to identify possible risks and establish necessary precautions aimed at personal data protection.
In case of a data breach, it is mandatory to inform the national personal data authority (Datatilsynet in Denmark) within 72 hours of becoming aware of the breach if the data breach entails a risk for the data subjects (e.g. your customers, employees, others) affected by the data breach. Further, the data subjects must also be informed directly without undue delay if at all possible, if a data breach results in risks that are not insubstantial for the data subject.
If Triptale discovers a data breach, Triptale will notify the relevant customers as fast as possible with as much relevant information as possible in order for you to assess the impact of the data breach for the data subjects.
SSL security and encryption
All systems used by Triptale run SSL to ensure secured and encrypted communication.
Secure communication from a web browser to a system is something you need to be aware of in your role as data controller. SSL (Secure Socket Layer) is shown as a little padlock in the browser when you visit websites secured with SSL. Without SSL, the padlock will be shown with a red line over, and the user will be shown a warning. You should also ensure that all your other systems also use SSL as the weakest link in the chain to decide the level of security in your set-up.
You are always welcome to contact us if you have any questions, concerns, or thoughts in regards to data protection, regulation, GDPR, or similar topics. We are here to help.
Feel free to contact us on firstname.lastname@example.org.