The measures outlined below are technical and organisational measures implemented by PromoRepublic Oy to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
We encrypt the personal data in transit and at rest.
Connections to the Site are encrypted using 256-bit SSL, with integrity assured by the SHA2 ECDSA algorithm. We use servers that comply with strict international data security standards, including ISO 27001.
We have appropriate security and privacy policies. All our employees and contractors are obliged to follow and maintain appropriate technical and organisational measures.
Confidentiality: We ensure that persons entitled to use a data processing system gain access only to the personal data covered by their access rights. The personnel working on our processing systems are authorised, and personal data cannot be read, copied, modified or deleted without authorisation.
Integrity: We verify that data is consistent, trustworthy and accurate. We have monitoring procedures to deal with uncommitted and inactive user accounts. We allow users to update their data in the account settings or to write to us if changes are necessary.
Availability: We ensure that data is protected against accidental destruction or loss. Our recovery plans are in place.
Resilience: By constantly checking systems for vulnerabilities, we ensure that our systems can continue operating under adverse conditions, such as those that may result from a physical or technical incident, and that we are able to restore them to an effective state.
We ensure that personal data are protected against accidental destruction or loss (physical/technical) by implementing relevant measures, which include: backup procedures, remote storage and antivirus/firewall systems.
We develop and regularly review appropriate business continuity and security recovery plans.
We have documented incident or breach response management plans and procedures in place to ensure a quick, effective and orderly response to security incidents.
We conduct regular web and application vulnerability scans for issues such as unauthorised port services, missing patches, etc., and remediate high severity issues on a timely basis.
We regularly apply patch updates to servers, databases and networks.
User accounts shall be monitored. Monitoring procedures shall be in place to detect, for example, accounts of dismissed users that remain active, or simultaneous access attempts from different locations.
We prevent systems from being used by unauthorised persons by implementing the following measures: user identification and authentication procedures; password procedures (special characters, minimum length, change of password); and automatic blocking (e.g. on password failure or timeout).
We regularly monitor user behaviour and block the uncommitted or inactive user accounts.
All external data transmission happens through encrypted connections.
We implement data storage security policies to keep data secure. We encrypt data, monitor data access control, protect data against viruses, ensure infrastructure security, and back up regularly.
We use the web hosting provider Hetzner Online to store data in encrypted form in the cloud on its servers. Hetzner Online is certified in accordance with DIN ISO/IEC 27001, an internationally recognised standard for information security. We rely on Hetzner Online to protect the hosting environment by implementing appropriate physical security controls.
We configure and perform the collection and analysis of security events.
All critical event logs shall be stored in a secured place in accordance with the retention policy.
We employ hardened configuration baseline principles with our compute and database services.
We have an IT Security Policy for C-Level employees and Team Leads based on the ISO framework. This policy consists of an IT Assets Policy, Access Control Policy, Password Control Policy, Email Policy, Internet Policy, Clear Desktop and Antivirus Policy, Information Classification Policy, Remote Access Policy, Outsourcing Policy, Security Breaches and Recovery Plan, and a general overview of the responsibilities of employees.
ISO 27701 certification is in our security roadmap.
The personal data we collect must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
We ensure that data is complete, unique, valid, timely, and consistent through regular updates and data verification.
We collect personal data for specified, explicit and legitimate purposes, and we do not further process data in a manner that is incompatible with those purposes.
Personal data are kept for no longer than is necessary for the purposes for which the personal data are processed.
We are responsible for and are able to demonstrate compliance with the data processing principles.
We maintain records of our processing activities and carry out data protection impact assessments where applicable.
If we act as a data processor, we ensure that personal data is processed solely in accordance with the instructions of the data controller.
Portability: Customers and data subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format.
Erasure: Upon an appropriate request, we will erase the personal data, excluding the data we are legally required to retain. Erasure of Customer data includes fully formatting the disks on dedicated servers. Assets storing confidential information are properly sanitised prior to the disposal of the equipment to guarantee that no confidential material remains.