• Security and policies

GDPR compliance

This document contains some information surrounding the most-asked questions from our customers regarding GDPR compliance.

Index

  1. Requesting user data
  2. Access to data
  3. Right to erasure
  4. Automatic removal of data
  5. Physical data storage
  6. Data storage security
  7. Security breaches
  8. Meta data
  9. Data processor
  10. Tracking
  11. Contact information and links

Requesting user data

Under GDPR, subjects have the ability to submit a Subject Access Requests (SAR).

These subjects may be:

  • An end-user of an Includable customer application
  • An Includable customer
  • A current or former Includable employee

Includable will, upon receiving a request from an end-user of an application that runs on Includable but is managed by a customer, first ask the user if they meant to direct their request towards that customer. Before doing so, we will notify the user of the request we received, regardless of the response of the end-user.

In case the end-user still wishes to direct their SAR at Includable, or if Includable receives a SAR from another type of subject listed above, we will respond to any standard SAR request within the lawful period of 30 days.

We will first check the identity of the subject "using reasonable means", as is GDPR policy. In most cases, this will involve asking the subject to verify they own the email address of the user account for which they are requesting information.

The exact data we provide is dependend on the data requested and the data that is available to us. We will always, unless specifically requested, deliver that data electronically, using standardized file formats like CSV and JSON.

Access to data

Access to the data of our customers and end-users is only ever granted to employees with (electronically) written permission of the customer and/or end-user. This data access can only be granted by T.S. Schoffelen (CTO), and will only be granted for any of the following reasons:

  • Maintenance or security work
  • Specific requests for assistance by customer or end user
  • To prevent unauthorized access or check for suspicious activity
  • To remove unlawful or illegal content

In all of the above cases, access may only be granted on a temporary basis, and any access grants will be logged. Includable customers are able to request these logs via a Subject Access Requests or in certain cases through the Includable help desk (support@includable.com).

Includable and its employees and partners will not view, modify, or destroy any data on the platform, unless it has been specifically granted the permission to do so on any of the above grounds.

Contractors or freelancers working for Includable will never get access to customer data without express written consent of that customer.

Right to erasure

The GDPR introduces a right for individuals to have personal data erased, also known as 'the right to be forgotten'.

Subjects (either customers of Includable or end-users of products hosted on the Includable platform) can make a request for erasure either verbally or in writing, which will be honoured within 30 days.

Whenever we receive a request for erasure of personal profile data from an end-user, we will (1) log this request and (2) pass this request on to our customer. In this case we will assist the customer in their fullfillment of the request in any way we are legally allowed to.

In the case of a request directly from a customer, we require the user IDs or UUIDs of the users to be removed. We will then remove:

  • the original user accounts and profiles
  • any back-ups of these accounts
  • remove any records and content directly created by these accounts, unless ownership of that data has been transferred to another party (i.e. the customer) before the request was received.

We are aware that the right to erasure is not absolute and only applies in certain circumstances, and will therefore first evaluate the request, with the possibility to refuse a request where this is legally allowed.

Automatic removal of data

We automatically remove any obsolete, unused or stale personal data 2 years after its creation where this is required by law.

Note that this only applies to records created by the Includable Platform itself. Any records, files and other types of data created by customers of Includable will not be automatically removed. Customers are responsible for removing data that is no longer relevant or has become stale or obsolete.

Physical data storage

Data stored on the Includable Platform is stored exclusively within the European Economic Area (EEA), more specifically in:

  • Ireland
  • The United Kingdom
  • The Netherlands

There are exceptions to the above:

  • Temporary storage of public files in different regions as part of a Content Delivery Network (CDN), ensuring fast availability of these files when downloaded from areas of the world other than the above. These temporary copies are automatically removed and managed by Amazon Web Services, Inc. (specifically through their service 'CloudFront') and CloudFlare, Inc.

Data storage security

Includable implements industry standards for data storage and transfer protection, including only allowing encrypted data transfer using SSL (HTTPS TLS). View our security overview for more information about what we do to protect data uploaded by users.

Moreover, Includable has ISO 29147 & 30111 compliant vulnerability disclosure workflows in place, as well as a bug bounty program. More about this can be read here.

Our cloud vendors comply with ISO 27018, a code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance about ISO 27002 controls that is applicable to personally identifiable information (PII) processed by public cloud service providers.

Whenever our platform undergoes major infrastructure updates, we are committed to bring in internal and external security experts to test the security of our systems, and report any breaches of trust or data to our customers.

Security breaches

GDPR requires that users are notified within 72 hours when personal data has been compromised.

Includable takes all measures reasonably necessary to protect Personal Information from unauthorized access, alteration, or destruction, maintain data accuracy, and help ensure the appropriate use of Personal Information. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. We are committed to announcing any security breaches within 72 hours after we notice this kind of issue, and we have set up a process for doing so quickly and effectively.

We advise customers to set up a process for monitoring the safety of peronsal data they store and notifying users in case of a security breach. Includable is not responsible for security breaches in the software built by our customers on the Includable Platform, but will assist customers in dealing with security breaches when customers inform us of the situation.

Meta data

To enable our customers to be fully transparent with regards to the information saved on the Includable Platform, this section lists the meta data that is automatically stored by the Includable Platform for certain types of entities.

Note that not all of the data below might be available for each and every entity.

In the meaning of Data Controller as defined by article 4 of GDPR, Includable stores the following private data:

Account meta data

  • Email address
  • First and last name
  • Date of account creation
  • Date of first login
  • ID and/or name of person that created the account
  • Date and IP address of each login, logout and password change action
  • Push token, name, type, version and operating system information and registration date for each device of the user that has push notifications enabled through Includable
  • Any social media linked accounts that the user might have used to sign in to his/her account, including the User ID and/or Access Token of such social media accounts, as well as the type of social media account and the date on which it was linked to the Includable user account
  • Any notifications and emails sent by the customer application to the user's devices or email addresses

File meta data

  • Filename
  • Date of upload
  • File size
  • File type
  • A cryptographic hash identifying the file's content

Why we collect this

  • We need account meta data to create your account, and to provide the services you request.
  • We show certain account meta data on profile pages. These profiles are only accessible by users who have been given explicit access to the same community.
  • We use account meta data, specifically your email address, to identify users in different parts of the Includable Platform.
  • We will use your email address to communicate with you (newsletters, notifications). You can change your email and unsubscribe from those messages any time.

Data processor

All private data stored in Includable's Git repositories, communities, modules and sandboxes are defined by our users. What data is stored, how it is processed and how it is used is defined by our users. In this case, Includable operates as a Data Processor. The customer, as the controller of the information must ensure that the collection of personal data is GDPR compliant as well as other processors in his pipeline.

Tracking

If you do not want online services to collect and share certain kinds of information about your online activity from third-party tracking services, you can set the Do Not Track privacy preference in your browser.

We do not track your online browsing activity on other online services over time and we do not permit third-party services to track your activity on our site with the exception of basic Google Analytics tracking. The tracking data is collected exclusively to improve the UX and performance of the Service and website. Includable does not record any personal data with Google Analytics as all text entered to the Service during tracking is suppressed before the data is sent back to Google Analytics servers.

Because we do not share this kind of data with third-party services or permit this kind of third party data collection on Includable for any of our users, and we do not track our users on third-party websites ourselves, we do not need to respond differently to an individual browser’s Do Not Track setting.

Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email. If you prefer not to receive pixel tags, please opt out of marketing emails.

Contact information and links

Any security and compliance related queries can be directed at:

Email address

security@includable.com

Post address

Includable
Scholica BV
Tempsplein 31
6441 ET Heerlen
Limburg, The Netherlands