Privacy Policy
Date: 2018.05.15
Contact Person: Akos Madarasz, am@humanrisks.com
Classification: Public
Last Review: 2024.04.29
Approved By: Mads Pærregaard, mp@humanrisks.com
Welcome to Human Risks’ Privacy Policy
This is the privacy policy of Human Risks ApS, C. A. Olesens Gade 4, DK-9000 Aalborg, Denmark, CVR: 36955910 (“Human Risks”). This policy sets out how we collect, process and protect your personal information and describes your rights as a user of our platform / visitor on our web site / subscriber to our newsletter / employee.
When the policy refers to a “we” or “us” it is the company Human Risks that is mentioned and when we refer to a “policy” it is this privacy policy we are talking about.
If you have any questions or requests please do not hesitate to contact us or our IT-Governance Owner. Contact information can be found at the bottom of this policy.
What type of personal information we collect
As a user of our platform, we collect your username, email, IP address and telephone number.
As a potential customer, we collect only what is already disclosed in public (i.e. what can be found on the internet), which can be your name, title, email and telephone number.
If you sign up for our newsletter or a free trial we collect your name and email.
As an employee of Human Risks, we collect your name, address, criminal record and social security number (CPR number).
How we collect personal information
We collect your personal information when you are added as a user of our platform and while you are using it.
We collect your personal information when you provide it to us by signing up for our newsletters or free trial via our website.
We collect your personal information when you provide it to us in connection with a recruitment, onboarding and/or approval process.
Why we collect personal information
As a user of our platform we use your personal information in order to fulfil a contract and deliver the services your organization is entitled to receive and to be able to document the existence of a legal contract between the customer’s organization and Human Risks.
As a potential customer, we collect and use your already publicly shared personal information for marketing purposes i.e. to avoid making illegal inquiries.
As a newsletter subscriber or if you have signed up for a free trial of our platform we collect your personal information in order to be able to deliver the services you have requested.
As an employee, we collect your personal information in order to be able to transfer your salaries and fulfil our legal obligations stipulated in your employment contract or similar legally binding contract or for being able to live up to compliance-related requirements from customers and / or partners of Human Risks.
Where we transfer and/or store your personal information
All personal data collected from the Human Risks SaaS platform is stored on Microsoft’s Azure hosting environment on servers located in The Netherlands with an off-site replica in Ireland. All personal data collected from Human Risks on-premise installations is stored on servers as specified in the on-premise contracts.
All our subcontractors and service providers maintain a similar high level of data security compliance as Human Risks and we have individual data processing agreements/addendums with each of them.
Subcontractors
We use selected subcontractors to process certain personal information in connection with the services we provide to you.
As a user of the platform your personal information is shared with hosting provider (Microsoft Azure / on-premise solution provider), customer support system provider (Intercom), and our internal email- and file storage system (Microsoft). If your personal information is typed into an input field and translated via our on-site translation feature the information is shared with Google.
As a potential and existing customer, your personal information is shared with our CRM System (Hubspot). It is however only the personal information of the key decision makers within the customer or potential customer organizations.
As a subscriber to our newsletter or a free trial of our platform your personal information is shared with our marketing automation provider (MailChimp), website CMS (one.com) and internal email system (Microsoft) and CRM-system (Hubspot).
As an employee your personal information is shared with our payroll system provider, select approved customers per contractual requirements, third party service providers that cover business tools and needs, a project management system, and internal email- and file storage system(s). The specific locations and organizations that employee information is shared with are specified in the internal employee handbook documentation.
How long we keep your personal information and how it is erased
As a user of the platform we retain your personal information for as long as is necessary to provide the services to you and others, and to comply with our legal obligations.
If you as a customer organisation terminate our mutual agreement we will comply with the agreement’s Schedule 3 “Transition and Termination Services” wherein erasure of personal information is described. On a yearly basis we review each customer contract in our CRM system (Hubspot and Podio) and assess the need for keeping your personal information stored. If there is no legal basis for it your personal information is immediately erased by the System’s Manager and documented to our contact person at your company by email.
If you as an individual user no longer want us to use your personal information or to provide you with the Human Risks services, you can request that we erase your personal information and close your Human Risks account via your employer. Your personal information is erased by the IT-Governance Owner and documented to you via email.
As a potential customer, we keep your personal information for as long as is necessary for our legitimate business interests. If you request that we erase your personal information it will be done by our CRM system owner and documented to you via email. Please note that we only store personal information about potential customers that has already been disclosed in public, i.e. on LinkedIn or other websites. We review the need for storing your personal information on a yearly basis in our CRM system (Hubspot). If there is no legal basis for it your personal information is immediately erased by the Account Manager.
As a subscriber to our newsletters or if you have signed up for a free trial we retain your personal information for as long as is necessary to provide the services to you, and to comply with our legal obligations. If you no longer want us to use your personal information or to provide you with the Human Risks services, you can request that we erase your personal information and terminate the services we have provided you, which will be done by our marketing automation system owner and documented to you via email. We review the need for storing your personal information on a yearly basis in our marketing automation system (MailChimp). If there is no legal basis for it your personal information is immediately erased by the system owner and documented to you via email.
As an employee, we retain your personal information for as long as is necessary to provide the services to you as part of your employment (e.g. salary) and to comply with our legal obligations. If you no longer want us to use your personal information you can request that we erase your personal information, which will entail termination of your employment. Erasing personal information is also part of our off-boarding checklist if you leave the company. Your personal information will be erased by the relevant system owners and documented to you via email. We review the need for storing your personal information on a yearly basis in our file storage system (Microsoft), payroll system (Danloen) and all systems you have access to, conducted by your manager. If there is no legal basis for it your personal information is immediately erased by your manager and documented to you via email.
Please see Appendix A for an overview of all reviews that are conducted in Human Risks to secure your personal information.
Personal information we keep
Please note that if you request the erasure of your personal information we will retain information from deleted accounts as necessary for our legitimate business interests, to comply with the law, prevent fraud, collect fees, resolve disputes, assist with investigations, enforce the terms of services and take other actions permitted by the law. The information we retain will be handled in accordance with this Privacy Policy. We will only retain personal information for as long as there is a legal basis for it.
Internal procedures for handling your personal information
All personal information that we handle is classified as “Confidential”, cf. our Information Security Policy. That means that only employees with a legitimate business need can access it, and the access is managed by the information owner, which in this case is our IT-Governance Owner.
The guidelines of this policy and our Information Security Policy are mandatory curriculum on our onboarding checklist for new employees, who sign to confirm that they have read, understood and intend to follow our guidelines. It is mandatory for existing employees to review and sign the mentioned policies each year, which is automatically managed in our internal risk management system (Human Risks).
Our internal documents (Information Security Policy, Privacy Policy, Data Breach Incident Management Plan and Risk Assessment) are reviewed and changed if legal requirements change or if our internal privacy practices change. Senior management (Board of Directors) reviews the documents at least once a year, which again is automatically managed in our internal risk management system.
Please see Appendix A for an overview of all reviews that are conducted in Human Risks to secure your personal information.
How we keep your personal information secure
Human Risks have engaged with several legal consultants to ensure that we take the necessary and correct steps in securing your personal information and are in compliance with the EU General Data Protection Regulation.
Our mitigating measures can be divided into the following categories:
1. Procedural mitigations
2. Physical mitigations
3. Technical mitigations
4. Organisational mitigations
Procedural mitigations
As a basis for all activities, we have developed a risk assessment addressing all relevant risks and necessary mitigating measures. All measures are evaluated by their effectiveness to reduce the level of threat and responsible individuals in our company are automatically notified of any recurring tasks associated with the measures. Our own risk management platform provides us with a total overview of all potential risks, mitigating measures and tasks that must be performed.
Our internal procedures are described in detail and are part of the onboarding curriculum for all new employees, and all existing employees must review them on a yearly basis. All this is managed via our risk management system and onboarding checklist.
Our Privacy Policy and Information Security Policy and associated appendixes are reviewed and updated to ensure they are up to date with the latest legal requirements and any changes to our privacy practice. The documents are as a minimum reviewed on a yearly basis, which we manage automatically in our own risk management system. We are constantly trying to limit the extent of personal information we collect, which is also an important and efficient mitigating measure to reduce the risk of a potential data breach.
Physical mitigations
Human Risks resides in a location with an alarm system and limited access. Sensitive installations are physically secured behind locked doors with increased restricted access. No personal information is stored in hard copy.
Technical mitigations
Our Security White Paper describes the technical security measures in detail. Here is a short summary.
All data of the SaaS platform is hosted on one of the world’s most secure hosting solution providers, Microsoft Azure, which leads the industry with one of the most comprehensive compliance coverages including SOC1-3, ISO 27001:2022, 27017:2015, 27018:2019, 20000-1:2018, 22301:2019 and 9001:2015. Microsoft Azure also maintains the highest possible CSA STAR certification.
All connections to the Human Risks SaaS platform and our API are encrypted using AES 256, and we use real-time encryption and decryption on all our databases, back-ups and transaction logs. All cryptographic keys are stored in the Azure Key Vault. Access to production databases is limited to our other Azure services and a specific IP address, where access must be actively granted on a case-by-case basis.
All our databases are protected by back-ups. Full backups are taken every week, differential backups every day, and log backups every 5 minutes. Our databases are situated in the Netherlands with an off-site replica in Ireland. If necessary we can perform a point-in-time restore, which allows us to restore the database to any given point in time, up to the millisecond, within our retention period (14 days). As a last resort, we can utilize our off-site backups to recover our database in case of a regional outage. We have enabled auditing on all our databases with unlimited retention.
Organisational measures
Our organisation is designed to comply with the EU General Data Protection Regulation with the appointment of an IT-Governance Owner (former title: Data Responsible) that is overseen by representatives from Sr. Management and by an external IT Consultancy.
Human Risks’ incident management plan is constructed so that it does not rely on any single individual but uses decentralised role-based tasking.
How we detect and respond to a potential data breach
A data breach is an incident leading to accidental or illegal destruction, loss, change, unauthorised disclosure of or access to personal information. A data breach is therefore also an accidental loss of a computer, smartphone or briefcase containing physical documents with personal information.
Human Risks is doing everything necessary within our powers to protect the personal information we collect and process including limiting the amount and categories of personal data we collect.
We have a well-documented and internally known incident management plan in place should we experience a data breach. All steps are carefully described in compliance with the EU General Data Protection Regulation (GDPR).
If anyone suspects that there has been a data breach, our contact information is stated at the bottom of this Policy, which is available to all visitors of our website, customer organisations and end-users of our platform. All our employees are familiar with our Information Security Policy, Privacy Policy and Incident Management Plan as part of their onboarding process and yearly review process.
Your rights
As a user, you can access your personal information by logging into your account under “profile”. You also have the right to make a request to access the personal information we hold about you, to ask us to port your personal information (i.e. to transfer in a structured, commonly used and machine-readable format, to you) and to request corrections of any errors in that data. To make a request please contact our IT-Governance Owner – contact information is at the bottom of the policy.
You also have the right to complain about our processing of your personal data to the national supervisory authority “Datatilsynet”. Please find contact information at the bottom of the policy.
As a newsletter subscriber or if you have requested a free trial of our platform you have the right to make a request to access the personal information we hold about you, to ask us to port your personal information (i.e. to transfer in a structured, commonly used and machine-readable format, to you) and to request corrections of any errors in that data. To make a request please contact our IT-Governance Owner – contact information is at the bottom of the policy.
You also have the right to complain about our processing of your personal data to the national supervisory authority “Datatilsynet”. Please find contact information at the bottom of the policy.
Request for correction or illegal processing
If you as a customer (user) identify that the personal information we hold about you is incorrect you can update your profile on the Human Risks platform by logging in and going to “Organization / Users”. If our processing of your personal information should prove to be illegal we will immediately change our internal procedures and inform all relevant Human Risks employees. You will be notified about the process by our IT-Governance Owner.
If you as a potential customer identify that the personal information we hold about you is incorrect and request us to update it we will do so immediately and inform you as soon as it is done. If our processing of your personal information should prove to be illegal we will immediately change our internal procedures and inform all relevant Human Risks employees. You will be notified about the process by our IT-Governance Owner.
If you as a subscriber to our newsletter, or having signed up for a free trial of our platform, identify that the personal information we hold about you is incorrect and request us to update it, we will do so immediately and inform you as soon as it is done. If our processing of your personal information should prove to be illegal we will immediately change our internal procedures and inform all relevant Human Risks employees. You will be notified about the process by our IT-Governance Owner.
If you as an employee of Human Risks identify that the personal information we hold about you is incorrect and request us to update it we will do so immediately and inform you as soon as it is done. If our processing of your personal information should prove to be illegal we will immediately change our internal procedures and inform all relevant Human Risks employees. You will be notified about the process by our IT-Governance Owner.
Human Risks contact information
You can contact Human Risks via info@humanrisks.com or via our IT-Governance Owner: itgo@humanrisks.com
National Supervisory Authority “Datatilsynet”
Datatilsynet, Borgergade 28, 5., 1300 Copenhagen, telephone: +45 33 19 32 00, email: dt@datatilsynet.dk.
Appendix A – Reviews
| Task | Description | System to manage it |
|---|---|---|
| Review by all new employees of Privacy Policy, Data Breach Incident Management Plan & Information Security Policy. | All new employees have to read the mentioned documents and confirm it with a signature. | Onboarding checklist and template for signatures. |
| Yearly review by all employees of Privacy Policy, Data Breach Incident Management Plan & Information Security Policy. | It is mandatory for all employees to read these documents and confirm it with a signature. | Human Risks Platform (audit) |
| Yearly review by Sr. Management of Privacy Policy, Data Breach Incident Management Plan & Information Security Policy. | It is mandatory for the Board of Directors to review these documents to ensure they are updated and reflect current legislation and our privacy practices. | Human Risks Platform (audit) |
| Yearly review by Sr. Management of Risk Assessment. | It is mandatory for the Board of Directors to review the risk assessment to ensure it is updated and reflects the current threat landscape and our privacy practices. | Human Risks Platform – risk assessment’s review date. |
| Yearly review of customers’ personal information by Account Manager. | Is the stored personal information on customers necessary and legitimate? If not, erase immediately and notify those affected via email. | Human Risks Platform (audit) |
| Yearly review of potential customers’ personal information by Account Manager. | Is the stored personal information on potential customers necessary and legitimate? If not, erase immediately and notify those affected via email. | Human Risks Platform (audit) |
| Yearly review of newsletter subscribers’ personal information by system owner. | Is the stored personal information on newsletter subscribers necessary and legitimate? If not, erase immediately and notify those affected via email. | Human Risks Platform (audit) |
| Yearly review of employees’ personal information by manager. | Is the stored personal information on employees necessary and legitimate? If not, erase immediately and notify those affected via email. | Human Risks Platform (audit) |
Appendix B - Cookie Policy
Our Cookie Policy explains what cookies are, how we use cookies, how third parties we may partner with may use cookies on the Service, your choices regarding cookies and further information about cookies.
What are cookies
Cookies are small pieces of text sent to your web browser by a website you visit. A cookie file is stored in your web browser and allows the Service or a third party to recognize you and make your next visit easier and the Service more useful to you.
Cookies can be “persistent” or “session” cookies.
How Human Risks ApS uses cookies
When you use and access the Service, we may place a number of cookie files in your web browser.
We use cookies for the following purposes:
- to provide the users with a great experience of the Service
- to enable certain functions of the Service
- to provide analytics
- to store your preferences, and
- to keep you logged in to the Service.
Third-party cookies
In addition to our own cookies, we may also use third-party cookies to report usage statistics of the Service – we do not use cookies for advertisement purposes.
The only third-party cookies we currently use are from Intercom (https://intercom.com) and we use these to identify you when using our support features.
What are your choices regarding cookies
If you’d like to delete cookies or instruct your web browser to delete or refuse cookies, please visit the help pages of your web browser.
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features we offer, you may not be able to store your preferences, and some of our pages might not display properly.