Sub-processors


The privacy of you and your customers, guaranteed

MailBlue obtains the Privacy Verified certificate every year to demonstrate that we comply with the latest AVG / GDPR laws and regulations.

Update: 12 July 2023

MailBlue is currently processing the outcome of the EU-US Data Privacy Framework, which was recently adopted by the European Commission. This framework makes it possible to transfer personal data from the European Union to American companies, provided those companies participate in the EU-US Data Privacy Framework. The decision has simplified data transfers to the United States. It is important to note, however, that the future validity of this arrangement still depends on possible rulings by the Court of Justice of the European Union.

Sub-processors where your data and that of your contacts may be processed

Purpose:
E-mail marketing and CRM software.

Explanation:
ActiveCampaign is also the supplier of the e-mail marketing software you purchase from MailBlue. The data of your customers, leads, etc. is stored only in ActiveCampaign's system. The data you enter in your e-mail marketing account is stored only at ActiveCampaign (and its sub-processors). In addition to using ActiveCampaign for marketing, we use ActiveCampaign's Postmark to send transactional e-mails, such as password resets, account renewal reminders, and more.

Country of storage:
USA and EU

Explanation August 2023: ActiveCampaign, together with MailBlue, is currently running a pilot programme for selected customers in which account data is stored within the EEC. If you would like to take part in the pilot programme, please contact us.

Additional measures SCC:
(a) the pseudonymization and encryption of Personal Data (including during transmission);
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing; and
(e) the ability to allow data portability and ensure erasure of Personal Data (including by Subprocessors).

Data Privacy Framework:
ActiveCampaign currently holds an active certification under the Data Privacy Framework. For details, visit the Data Privacy Framework website.
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnH6AAK

Purpose:
Sister organisation; outsourcing of services

Explanation:
If you purchase additional services from us, such as onboarding, your data may be processed by our sister organisation Blue Agency.

Storage region:
EU

Sub-processors where your data may be processed

Purpose:
E-mail marketing and CRM software.

Explanation:
ActiveCampaign is also the supplier of the e-mail marketing software you purchase from MailBlue. The data of your customers, leads, etc. is stored only in ActiveCampaign's system. The data you enter in your e-mail marketing account is stored only at ActiveCampaign (and its sub-processors).

Country of storage:
USA and EU

Explanation August 2023: ActiveCampaign, together with MailBlue, is currently running a pilot programme for selected customers in which account data is stored within the EEC. If you would like to take part in the pilot programme, please contact us.

Additional measures SCC:
(a) the pseudonymization and encryption of Personal Data (including during transmission);
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing; and
(e) the ability to allow data portability and ensure erasure of Personal Data (including by Subprocessors).

Data Privacy Framework:
ActiveCampaign currently holds an active certification under the Data Privacy Framework. For details, visit the Data Privacy Framework website.
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000GnH6AAK

Purpose:
Project management. If you purchase additional services from MailBlue, we manage you as a customer in our project management system Asana. It does not contain any data on the contacts you hold in your e-mail marketing platform.

Storage region:
USA

Data Privacy Framework:
Asana currently holds an active certification under the Data Privacy Framework. For details, visit the Data Privacy Framework website.
https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TNLRAA4

Additional measures SCC (each measure is followed by its description):

Measures of pseudonymisation and encryption of personal data
Customer Data is encrypted in transit and encrypted at rest (and remains encrypted at rest). The connection to app.asana.com is encrypted with 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS or ssh.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Asana maintains an information security program, which includes: (a) having a formal risk management program; (b) conducting periodic risk assessments of all systems and networks that process Customer Data on at least an annual basis; (c) monitoring for security incidents and maintaining a tiered remediation plan to ensure timely fixes to any discovered vulnerabilities; (d) a written information security policy and incident response plan that explicitly addresses and provides guidance to its personnel in furtherance of the security, confidentiality, integrity, and availability of Customer Data; (e) penetration testing performed by a qualified third party on an annual basis; and (f) having resources responsible for information security efforts.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Asana takes daily snapshots of its databases and securely copies them to a separate data center for restoration purposes in the event of a regional AWS failure. Backups are encrypted and have the same protection in place as production. Additionally, Customer Data is stored cross-regionally with AWS.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
On an annual basis, Asana performs on its own and engages third parties to perform a variety of testing to protect against unauthorized access to Customer Data and to assess the security, reliability, and integrity of the Service. To the extent Asana determines, in its sole discretion, that any remediation is required based on the results of such testing, it will perform such remediation within a reasonable period of time, taking into account the nature and severity of the identified issue.
As of the Effective Date, Asana undergoes a SOC 2 Type II audit on an annual basis with respect to the suitability of its controls to meet the criteria related to security, availability, and confidentiality set forth in the 2016 edition of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria). Asana maintains an ISO/IEC 27001:2013 certification to demonstrate our conformity with the defined requirements in the ISO/IEC 27001:2013 standard.
Measures for user identification and authorisation
Access to manage Asana’s AWS environment requires multi-factor authentication, ssh access to the Service is logged, and access to Customer Data is restricted to a limited set of approved Asana employees. AWS networking features such as security groups are leveraged to restrict access to AWS instances and resources and are configured to restrict access using the principle of least privilege. Employees are trained on documented information security and privacy procedures. Every Asana employee signs a data access policy that binds them to the terms of Asana’s data confidentiality policies and access to Asana systems is promptly revoked upon termination of employment.
Measures for the protection of data during transmission
Customer Data is encrypted in transit and encrypted at rest (and remains encrypted at rest). The connection to app.asana.com is encrypted with 128-bit encryption and supports TLS 1.2 and above. Logins and sensitive data transfer are performed over encrypted protocols such as TLS or ssh.
Measures for the protection of data during storage
Customer Data is stored cross-regionally with AWS. Data backups are encrypted. Customer data is encrypted at rest with AES 256 bit secret keys.
Measures for ensuring physical security of locations at which personal data are processed
Asana uses Amazon Web Services (AWS) to provide management and hosting of production servers and databases in both the United States and the European Union. AWS employs a robust physical security program with multiple certifications, including SSAE 16 and ISO 27001 certification.
Measures for ensuring events logging
All access to information security management systems at Asana are restricted, monitored, and logged. At a minimum, log entries include date, timestamp, action performed, and the user ID or device ID of the action performed. The level of additional detail to be recorded by each audit log will be proportional to the amount and sensitivity of the information stored and/or processed on that system. All logs are protected from change.
Measures for ensuring system configuration, including default configuration
To prevent and minimize the potential for threats to Asana’s systems, baseline configurations are required prior to deployment of any user, network, or production equipment. Baseline configurations are in place for wireless security settings in order to ensure strong encryption and replace vendor default settings as part of deployment of network devices. Systems are centrally managed and configured to detect and alert on suspicious activity.
Measures for internal IT and IT security governance and management
IT Security Governance and Management structures and processes are designed to ensure compliance with data protection principles at their effective implementation. Asana maintains a formal information security program with dedicated security personnel reporting to the Head of Security. The Security Team is responsible for implementing security controls and monitoring Asana for suspicious activity. Policies and Procedures, including the Asana Information Security Policy, are updated on an annual basis and reviewed and approved by Management. On a quarterly basis, senior management meets with the board of directors to review business objectives, projects, resource needs, and risk mitigation activities, including results from internal and external assessments.
Measures for certification/assurance of processes and products
As of the Effective Date, Asana undergoes a SOC 2 Type II audit on an annual basis with respect to the suitability of its controls to meet the criteria related to security, availability, and confidentiality set forth in the 2016 edition of TSP section 100A, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria). Asana maintains an ISO/IEC 27001:2013 certification to demonstrate our conformity with the defined requirements in the ISO/IEC 27001:2013 standard.
Measures for ensuring data minimisation
Asana only collects information that is necessary in order to provide the Services outlined in our Terms of Service. Our employees are directed to access only the minimum amount of information necessary to perform the task at hand.
Measures for ensuring data quality
Asana maintains web Server and application log details that include any changes to sensitive configuration settings and files. At minimum, log entries include date, timestamp, action performed, and the user ID or the device ID of the action performed. Logs are protected from change. Users who would like to exercise their rights under applicable law to update information which is out of date or incorrect may do so at any time using this form. More information on data subject rights can be found at https://asana.com/terms#privacy-policy.
Measures for ensuring limited data retention
Asana will retain information for the period necessary to fulfill the purposes outlined in our Privacy Policy, unless a longer retention period is required or permitted by law, or where the Customer Agreement requires or permits specific retention or deletion periods. Customer may request deletion of data at any time and Customer Personal Data is deleted or anonymized upon termination of the Agreement.
Measures for ensuring accountability
Asana has established a comprehensive GDPR compliance program and is committed to partnering with its customers and vendors on GDPR compliance efforts. Some significant steps Asana has taken to align its practices with the GDPR include:

Revisions to our policies and contracts with our partners, vendors, and users

Enhancements to our security practices and procedures

Closely reviewing and mapping the data we collect, use, and share

Creating more robust internal privacy and security documentation

Training employees on GDPR requirements and privacy and security best practices generally

Carefully evaluating and building a data subject rights’ policy and response process. Below, we provide additional details about the core areas of Asana’s GDPR compliance program and how customers can use Asana to support their own GDPR compliance initiatives.

Appointed a Data Protection Officer (“DPO”), who can be reached at dpo@asana.com.

Asana offers its customers who are controllers of EU personal data the option to enter into a robust data processing addendum (“DPA”) under which Asana commits to process and safeguard personal data in accordance with GDPR requirements. This includes current Standard Contractual Clauses and Asana’s commitment to process personal data consistent with the instructions of the data controller.
Measures for allowing data portability and ensuring erasure
Asana provides a mechanism for individuals to exercise their privacy rights in accordance with applicable law. Individuals may contact Asana at any time using this form. More information can be found at https://asana.com/terms#privacy-policy.

Purpose:
Sister organisation; outsourcing of services

Storage region:
EU

Purpose:
Appointment automation

Storage region:
USA

Additional measures SCC:
See https://calendly.com/security

Purpose:
Hosting of login.mailblue.nl

Storage region:
EU

Additional measures SCC:

Technical and Organizational Security Measure / Evidence of Technical and Organizational Security Measure

Measures of pseudonymisation and encryption of personal data

DigitalOcean’s databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data is encrypted in transit between the Customer’s software application and DigitalOcean using TLS v1.2.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

DigitalOcean uses a variety of tools and mechanisms to achieve high availability and resiliency. DigitalOcean’s infrastructure spans multiple fault-independent availability zones in geographic regions physically separated from one another. DigitalOcean’s infrastructure is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup. DigitalOcean also leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. DigitalOcean is also immediately notified in the event of any suboptimal server performance or overloaded capacity.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

DigitalOcean has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers’ systems. The Customer Data Use Policy governs the requirements for use of customer data in accordance with several industry standards. 

DigitalOcean conducts a variety of regular internal and external audits that are inclusive of security operations. For more information please visit: https://www.digitalocean.com/trust/certification-reports/

Measures for user identification and authorization

Access control policies require that access to DigitalOcean assets be granted based on business justification, with the asset owner’s authorization and limits based on “need-to-know” and “least-privilege” principles. In addition, the policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews. Documentation of these requirements is recorded and provided to external auditors for security certification testing.

Measures for the protection of data during transmission

Measures for the protection of data during storage

DigitalOcean’s databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data stored by DigitalOcean is encrypted in transit between the Customer’s software application and DigitalOcean using TLS v1.2.

Measures for ensuring physical security of locations at which personal data are processed

DigitalOcean data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with access restricted through badge controlled gates. 

CCTV is used to monitor physical access to data centers and the information systems. Cameras are positioned to monitor perimeter doors, facility entrances and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots and other areas of the facilities.

Measures for ensuring events logging

Logging of service, user and security events (web server logs, FTP server logs, etc.) is enabled and retained centrally. DigitalOcean restricts access to audit logs to authorized personnel based on job responsibilities.

Audit logging procedures are reviewed as part of external audits for security standards.

Measures for internal IT and IT security governance and management

Measures for certification/assurance of processes and products

DigitalOcean has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers’ systems. DigitalOcean performs an annual internal review of all security management policies and procedures. External auditors perform an annual review of these policies and procedures. 

DigitalOcean conducts a variety of regular internal and external audits that are inclusive of security operations. For more information please visit: https://www.digitalocean.com/trust/certification-reports/.

Measures for ensuring data minimisation

Measures for ensuring data quality

Measures for ensuring limited data retention

Measures for ensuring accountability

Measures for allowing data portability and ensuring erasure

More information about how DigitalOcean processes personal data is set forth in the Privacy Policy available at: https://www.digitalocean.com/legal/privacy-policy/.

Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer.

When DigitalOcean engages a Subprocessor, DigitalOcean and the Subprocessor enter into an agreement with data protection obligations substantially similar to those contained in this Schedule. Each Subprocessor agreement must ensure that DigitalOcean is able to meet its obligations to Customer. In addition to implementing technical and organizational measures to protect personal data, sub-processors must (a) notify DigitalOcean in the event of a Security Incident so DigitalOcean may notify Customer; (b) delete personal data when instructed by DigitalOcean in accordance with Customer’s instructions to DigitalOcean; (c) not engage additional sub-processors without DigitalOcean’s authorization; (d) not change the location where personal data is processed; or (e) process personal data in a manner which conflicts with Customer’s instructions to DigitalOcean.

Purpose:
E-mail & document management

Storage region:
USA

Additional measures SCC:
See: https://workspace.google.com/terms/dpa_terms.html, Appendix 2

Purpose:
Accounting system

Storage region:
EU

Additional measures SCC:
See: https://www.moneybird.nl/kennisbank/hoe-veilig-is-mijn-data-in-de-cloud/

Purpose:
Digital contract signing

Storage region:
EU

Additional measures SCC:
The Technical and Organizational Measures include measures to encrypt Customer Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of SignRequest’s systems and services; to help restore timely access to Customer Personal Data following an incident; and for regular testing of effectiveness.

Purpose:
Internal communication

Storage region:
USA

Additional measures SCC:
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Security Practices Datasheet applicable to the specific Services purchased by data exporter, and currently accessible at https://slack.com/security-practices or otherwise made reasonably available by data importer. Data importer will not materially decrease the overall security of the Services during a subscription term. Data Subject Requests shall be handled in accordance with section 3 of the DPA.

Purpose:
Web hosting provider

Storage region:
NL

Purpose:
Automation

Storage region:
USA

Additional measures SCC:
See https://cdn.zappy.app/c1db119cbedbfde756984162b0013841.pdf, Appendix 2

Purpose:
Ticketing system

Storage region:
USA

Additional measures SCC:
The full text of Zendesk’s technical and organisational measures to protect Service Data for Enterprise Services is available at https://www.zendesk.com/company/agreements-and-terms/protect-service-data-innovation-services/. The Zendesk information security program includes documented policies or standards governing the handling of Service Data in compliance with applicable law, and administrative, technical and physical safeguards designed to protect the confidentiality and integrity of Service Data. Zendesk reserves the right to update its security program from time to time; provided, however, any update will not materially reduce the overall protections set forth in this document.

  1. Physical Access Controls: Zendesk takes reasonable measures to prevent unauthorised persons from gaining physical access to Service Data.
  2. System Access Controls: Zendesk takes reasonable measures to prevent Service Data from being used without authorisation.
  3. Data Access Controls: Zendesk takes reasonable measures to provide that Service Data is accessible and manageable only by properly authorised staff.
  4. Transmission Controls: Zendesk takes reasonable measures to ensure the ability to check and establish to which entities the transfer of Service Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport.
  5. Input Controls: Zendesk takes reasonable measures to provide that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed; and, any transfer of Service Data to a third-party service provider is made via a secure transmission.
  6. Logical Separation: Data from different Zendesk subscriber environments is logically segregated on systems managed by Zendesk to ensure that Service Data collected by different data controllers is segregated from one another.
  7. Security Policies and Personnel. Zendesk has and will maintain a managed security program to identify risks and implement preventative technology, as well as technology and processes for common attack mitigation. We have, and will maintain, a full-time information security team responsible for safeguarding our networks, systems and services, and developing and delivering training to our employees in compliance with our security policies.

Purpose:
Customer engagement tool
(e.g. pop-ups, messages, etc.)

Storage region:
USA

Participant in the Data Privacy Framework programme:
Yes


Would you like to be kept informed of AVG changes, such as changes to sub-processors or changes to the data processing agreement? Then subscribe to our update.