Our software solution is developed in the GDPR area, hence the principles of "Privacy by design and default" is an integral part of our software solution. In developing the solution, we have focused on data subjects and their rights, and we have designed the platform to support the catering of these rights as best as possible.
In addition, we are constantly trying to further develop the platform with solutions and features that help our customers to comply with their obligations, e.g. features supporting deletion policy compliance, the right to be forgotten, general data minimization features, and much more making GDPR compliant use of the platform easy.
In order for our customers, as data controllers, to control Capturi’s processing of data on behalf of the customer in compliance with GDPR, we let ourselves be audited by an independent audit for the purpose of providing our customers with an ISAE3000 report on GDPR compliance.
Download our ISAE3000 statement here
In all our customer relationships, Capturi processes personal data on behalf of our customers as the data controllers. Consequently, we as parties are obliged to enter into a data processing agreement.
Capturi uses the Danish Data Protection Agency’s standard contractual clauses as the basis for our standard data processing agreement. This has the advantage that we can fulfil our joint obligation to enter into a GDPR compliant data processing agreement.You can download our data processor agreement here.
One of the most important things for our customers is transparency in the sub-processors we use to provide our services, hence a complete list of these, including copies of our data processing agreements with them.
You can download it here.
Trust and confidence in our ability to safely process our customers data is of upmost importance to Capturi given the close ties this has to any customers wanting to do business with us. We therefore take security very seriously and have a continuous focus on it.
Some of our security measures include:
Use of suppliers being sufficiently certified based on recognized standards such as ISO 27001:2013, 27017:2015, 27018:2014 and ISO 9001:2015, and use of suppliers being able to guarantee processing within EU/EEA data regions.
Background checks for all employees.
Full redundancy setup with main hosting and operations provider to ensure access and continuous operation of the platform.
Full TLS and HTTPS encryption of data in transit and in rest.
Daily backup and updated anti-malware and anti-virus on all systems and devices.
Hardware reuse is done by restoring factory settings only, and hardware destruction is done according to market standards for this, so data recovery is not possible.
Logging of access and actions in the platform and systems.
Procedures for access to production environment and access to customer data.
Physical security of sites with individual access keys and codes as well as monitoring of facilities.
Segmented and encrypted network and connection to Security Operation Center (SOC) via hosting provider.
Use of Multi Factor Authentication login for the platform and production environment.
Ongoing check of platform and systems against OWASP top 10 vulnerabilities, as well as periodic testing of systems by a "ethical hacker".