Data protection and IT security for the iFlow application
Data and information protection is an essential part of the services offered by the iFlow application. We have implemented and continue to develop technical and organizational measures to ensure the secure processing of information.
We undertake to comply with the regulations in force regarding the processing of personal data and, in particular, Regulation no. 2016/679 (General Regulation regarding the protection of personal data - GDPR).
General information on data protection
Please send an e-mail to [email protected] We suggest that the e-mail includes the following information (if applicable):
iFlow has a data protection officer. When a problem arises, the person in charge takes over the notification, investigates, and offers an answer. For questions regarding data protection at iFlow, you can contact us at [email protected]
All iFlow employees are required to maintain the confidentiality of data, and data protection in general, and are aware of the consequences of any breach. They signed a confidentiality agreement, which states what personal data is and what the consequences are.
In the unlikely event of a data security breach at iFlow, if a customer's personal data is affected and the infrigement is such as to pose a risk to the customer's rights and freedoms, iFlow will immediately notify the customer concerned, to enable them to fulfill their legal obligation to inform the regulatory authority and the persons concerned.
Yes, data protection is an integral part of our strategy regarding products. Therefore, even in the development stage of our features, we carefully follow principles such as data economy and use state-of-the-art measures to ensure an adequate level of protection.
We have revised the default settings of the entire application and adapted them to provide the highest possible level of data protection, while ensuring ease of use, all based on GDPR.
In addition, the settings are generally all adaptable to the individual needs of the customer. To ensure this on an ongoing basis, we have also defined a process of permanently enforcing legal requirements in the product development and application review process accordingly.
We are in conformity with the essential requirements of the EU GDPR at present. These include, in addition to the provisions of art. 25 of the EU GDPR on data protection by design and implicitly, supporting the client in respecting the rights of the persons concerned, such as the right to obtain the deletion of personal data, and the rights of access and portability of data (Chapter 3 of the EU GDPR) .
This allows the customer to delete the applicants' data either automatically or manually, as well as to block or completely and securely delete the employees' data.
Encryption & Anonymization
Yes, any personal data that the iFlow application transmits to a client or other platforms must be encrypted using Transport Layer Security (TLS), especially HTTPS. This requires establishing a secure connection between the two communication partners (client and server) before any data can be transmitted.
To encrypt the database we use the AES algorithm with a 256-bit key generated from a password with the SHA-256 algorithm implemented in "7zip".
Confidentiality & Integration
iFlow uses the services of an international company located in Germany to host its software.
The data centers used are ISO / IEC 27001 certified and thus meet our high requirements for the physical security of our customers' data.
As a general rule, neither the data center staff nor the employees of the server company have access to your data.
Regarding iFlow, only our DevOps team (responsible of servers) and our technical team, as well as the customer support team (responsible for customer systems) will access the data when needed to help create an initial account, as well as for the processing of service requests. Access rights are granted on the basis of the need to know and are documented. In addition, access to customer systems is recorded.
Access is granted only through personalized user accounts, each of which is clearly assigned to a person. In addition, there is the possibility to activate the 2 Factor Authentication function as an additional measure of account protection.
The registration has a username and password, the latter must contain different characters: letters, numbers and special characters. In addition, we recommend that our customers use two-factor authentication to achieve a higher level of protection.
Access rights are generally designed to meet the requirements of art. 24 of the EU GDPR on data protection by default. This means that all employees with newly created user accounts do not have default rights beyond editing their own profile. As a client, you can manage the granting of access rights according to your protocol.
Disponibility and capacity
To increase the security of the server, we chose not to communicate directly with all computers on the Internet, but to communicate using the proxy service "CloudFlare". This service provides protection against known attacks, including the "Denial-of-service" attacks and most importantly: hides the location and real IP of the server.
iFlow will back up daily. The daily backup is started by the "cron job" program in the evening when the application has a small number of active users.
Back-up database systems are stored exclusively in encrypted form. This means that it is not necessary for the beneficiary (client) to make their own backups. Periodic restoration tests are performed to ensure that the information has been stored correctly and can be restored if necessary.
The customer is and remains the owner and operator of the data within the meaning of art. 24 of the EU GDPR. In particular, this means that the client is responsible for respecting the rights of persons concerned (Chapter 3 of the EU GDPR). iFlow is the order processor and, in this capacity, processes your data exclusively according to your instructions and for the purposes set out in the data processing agreement.
Upon termination of the business relationship, the persons duly authorized by the customer may request the delivery of the data in a digital format.
30 days after the termination of the agreement, the data is then deleted irretrievably, or can be deleted on request within 2 working days. In the unlikely event that iFlow stops its services, this procedure will, in principle, remain unchanged, as the customer is the owner of the data and iFlow is only a command processor and will not dispose of such personal data in any other way.