Data security: Frequently Asked Questions

As a software-as-a-service provider we collect data and store this "in the cloud". We take data security and privacy extremely serious.
We are ISO27001 certified for development and hosting of online training and testing software-as-a-service, providing technical support, and offering functional support through client success services (certificate available on request).
Below you find answers to some of the frequently asked questions with regards to data security.

What data do you collect and how is this populated?

Data we collect upfront (* is mandatory):

a) name
b) e-mail address*
c) personal password* (randomly generated, one-way encryption)
d) name of employer or training agency (deducted from the account the user is registered at)

Data generated during usage:
e) name of training(s) he/she is enrolled in (and group and coach he or she will receive feedback from)
f) audio or video recordings that user decides to save and share (generated while following the courses)
g) information about participation rate, progress, scores such as (i) answers given (ii) time spent (iii) feedback from and to other participants (iv) feedback and assessment scores from or to coaching

Who owns the data?

The Client is owner of the data and ultimately responsible. TrainTool is only processor of the data and will act accordingly.

Where is the data stored?

All data is stored in the Netherlands, in datacenters located in Amsterdam and Schiphol (TelecityGroup). Backups are stored in the Equinix dataecenter.

What is the backup cycle (retention, maximum loss of data)?

TrainTool has daily backups and keeps daily backups for 30 days.
Maximum loss of data: 24 hours.
Maximum retention of (deleted) data: 30 days.

What procedures exist for deletion of data?

Automated 'hiding' after license expires
When a user's license expires, his answers and recordings are automatically hidden for himself, peers and coaches.
This can manually be opened up again by an administrator account.

Automated deletion of video recordings after license expires
45 days after user’s license expires, her video recordings are automatically deleted (as this is seen as sensitive data). The user is notified of this 14 days in advance and may choose to prevent this.

Manual deletion of user account
TrainTool (Data Processor) deletes data on explicit request of the client (Responsible Party), after which the data is kept in backups for a maximum of 30 days. Also, the user has the right to be forgotten.

End of agreement
45 days after the end of the agreement between client and TrainTool, all client's data and user accounts are destroyed. After this, it takes 30 days before all data is deleted from the backups as well.

What subcontractors do you work with?

Infrastructure, hosting and management of hosting is done by Sentia B.V. They are ISO27001 and ISAE 3402 type II certified.

What security measures are in place?

A firewall cluster with a default-deny policy. Firewall logs are checked on a daily basis and updates to the firewall are done through a versioning system with peer0-review. All systems are checked with a network scan at least every two weeks, checking for issues such as open ports. Results are logged in a wiki. Other measures include: OS hardening, NaWas anti-DDos, vulnerability scanning (at least quarterly), regular patches (quarterly), emergency patches (daily), ISO27001 and all principles accordingly, standard offsite backups and DR snapshots.

All connections from and to the TrainTool application is encrypted through the SSL/TLS protocol. Settings for this connection are checked automatically.

Physical security measures for the datacenter include: access limited to whitelist, manned reception with identity control, hardware stored in locked cabinets, visitors always guided by Sentia employees, authorisation required for changes in hardware, periodic reporting about access.

How is the application secured and is inspection or changes by unauthorized persons prevented?

Authorization levels
Users have on or more of the following roles: Participant, Coach, Content Developer and/or Administrator. The first Administrator of an account registers the other users and thereby controls the authorization levels of the users. This Administrator is either an employee of the client or an employee of TrainTool, acting on the explicit orders of the client.

Logs
Every moment in which user data is inspected by someone, is logged. Privacy logs available on request.

Control of authorization level
Every request that involves the inspection of user data, is checked on 4 levels:

1. Is this the correct account? Each request checks if the (a) the user is logged in, (b) the logged in user belongs to the current account and (c) if the data displayed on the page belongs to the current account. All passwords are one-way encrypted and communication is forced to follow the SSL/TLS protocol.
2. Does the user have the proper authorization level to view this page?
3. Does the user have inspection rights on each of the data objects on this page? Example: "does user have access to inspect feedback from person X on the video of person Y?" or "does user have access to download a report with the progress-data of person X?"
4. (In case of video or audio messages): is the user allowed to view this specific recording? If yes, the recording is decrypted.

Superuser
TrainTool employees with a technical or support role, are 'Superusers' and able to access and login to user accounts if necessary. The respective employees have signed a confidentiality agreement for this and are informed on the responsibilities for this. These actions are always logged and the list of Superusers is checked at least every quarter.

How is incident management organized?

  • Incidents are reported in the Sentia Information System (by Sentia or TrainTool)
  • Sentia Security Officer is automatically notified and will determine the priority of the incident. Crucial factor is the BIV classification of the data (availability, integrity, confidentiality)
  • Action plan is created for involved parties. Customer is frequently updated on the status. Response and diagnose times depend on priority.
  • After conducting the action plan the call is closed, in agreement with TrainTool. Action is done by Sentia Security Officer.
  • Aftercare: Security Officer will determine if additional measures are needed (to prevent future incidents).
  • Reporting: customer is periodically informed through SLA report about the incident and how it was handled (Root Cause Analysis).