This Data Security Standard policy (Policy) sets forth the technical and organizational security measures of Doohlabs Ltd, co. reg. no. FI23539391, including all its Affiliates, with address Metsäneidonkuja 6, 02130 Espoo, Finland (Doohlabs), for the processing of Service data and Personal Data to ensure a level of security appropriate to risks (Security Standards).
These Security Standards apply to all Personal Data that Doohlabs receives and processes while using the Doohlabs-operated service and cloud-based services and products via hosted online web services (Services) and Doohlabs’s player apps.
This Policy also creates the legal framework for Doohlabs’s processing of personal data in a manner compliant with EU General Data Protection Regulation 2016/679 (GDPR), and describes how Doohlabs collects, uses, shares, and secures the personal information that You provide. It also describes Your choices regarding use, access, and correction of Your personal information.
If You have questions or complaints regarding this Policy or about Doohlabs’s privacy practices, please write to us at data-protection@Doohlabs.com.
Personal Data handled by Doohlabs shall be encrypted and pseudonymized. When laptops are used for Personal Data processing, encryption should always take place on fixed and removable storage media.
Doohlabs shall have a technical system for access control to give the right Customer the right access. Any such restriction should be implemented so that only those who need access in order to do their work have it. Doohlabs shall have procedures for how permissions are granted and removed. All access rights must be checked at intervals. Doohlabs shall have strong authentication checks and routines. All usernames should be unique and personal. Password management rules should ensure a high password quality. All authentication information must be stored securely.
Doohlabs shall take reasonable measures to: (a) prevent physical access, using measures such as security personnel and secured buildings, and (b) prevent unauthorized persons from gaining access to Personal Data or ensure third parties operating data centres on its behalf are adhering to such controls.
Doohlabs shall take reasonable measures to prevent Personal Data from being used without authorization. These measures shall vary based on the nature of the Processing undertaken and may include, among others: (a) controls, (b) authentication via passwords and/or two-factor authentication, (c) documented authorization processes, (d) documented change management processes, and/or (e) log of access on several levels.
Doohlabs shall take reasonable measures to provide that: (a) Personal Data is accessible and manageable only by properly authorized staff, (b) direct database query access is restricted, and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access, and (c) Personal Data cannot be read, copied, modified or removed without authorization while Processing.
Doohlabs shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
Doohlabs shall use commercial best efforts to provide that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified, or removed. Doohlabs shall take reasonable measures to ensure that: (a) the Personal Data source is under the control of the Data Controller; and (b) Personal Data integrated into the Service is managed by secured transmission from Doohlabs for interactions with Doohlabs’s User Interface (UI) or Application Programming Interface (API).
Doohlabs shall have active and updated antivirus solutions on the devices used in personal data processing. Doohlabs shall ensure continuous monitoring of protection against malicious software.
Back-ups of the databases in the Service are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss. Doohlabs shall have documented procedures for recovery. Testing of restoration of personal data shall be carried out at intervals and the results documented. Doohlabs shall have documented procedures for thinning the Personal Data.
Doohlabs shall ensure that logging of events takes place during all processing activities of the Personal Data. All logs should be checked at intervals. Doohlabs shall have documented procedures for handling security logs and a system for protecting logs.
Personal (Service) Data from different Customers and their respective Customer is logically segregated on systems managed by Doohlabs to ensure that Personal Data that is collected by different Customers is segregated from one another.
Equipment, portable data media and the like that are not under the supervision of the personal data tree shall be locked to be protected against unauthorized use, influence and theft.
Doohlabs shall ensure that there are both technical and practical prerequisites for investigating suspicions of unauthorized access and other forms of unauthorized use of the Personal Data.
In the event of repair and service of computer equipment used for processing the Personal Data and performed by someone other than Doohlabs, Doohlabs shall enter into a special confidentiality agreement with the service provider. At the service provider's visit, service must be done under the supervision of Doohlabs.