General information

Staff: 10

Data Protection Officer: Claude Englebert

Contact Data: [email protected]

Position in the company: Legal Advisory (via law firm Infuero Luxembourg)

Internal data protection audits are performed regularly, at least yearly; all technical and organizational measures are updated and checked for validity and effectiveness at regular intervals. Audit summaries can be made available to customers upon request under a Non-Disclosure Agreement (NDA).

All staff members are trained on the requirements of data protection law during the onboarding process, which includes signing a confidentiality agreement. Employees also receive regular updates and training on information security best practices to ensure ongoing awareness.


Confidentiality

A. Access Control

i. Data center in the EU, EEC and/or a third country with adequate levels of data protection

1. General
  • ISO/IEC 27001 or comparable internal processes.
  • The office building and the building entrance are always closed (locking system with mechanical keys).
  • Only authorized employees are granted access to datacenters.
  • The number of authorized employees who have access to special security areas is limited.
  • There are visitor rules for the office rooms.
  • Every visitor is only allowed to move around the office if accompanied by an authorized employee.
  • Visitors have no access to the server rooms or computing centers at any time.
2. Security Measures inside the building / server rooms
  • Biometric solutions in combination with passwords will be used in addition to mechanical keys and chip cards.
  • To reach the datacenters, the individual must go through several security zones which are monitored by camera. All visits to the datacenters are logged.
  • All employees with access rights to highly sensitive areas know each other, so that unauthorized individuals will be immediately recognized.
  • 24/7 surveillance by electronic burglar control systems.

Access Control to CheckHub Offices in Brussels

  • The office building is secured by an alarm system.
  • The building entrance is locked. It’s opened by personal badge (for authorized people) or by visual check (reception desk).
  • Every visitor has to register at the electronic desk outside the entrance before being granted access and sign out when leaving the building.
  • Access to the CheckHub IT department is secured by a personal badge.
  • All computers used by CheckHub staff are secured by a strong password or biometric identification.
  • All the employees with access rights know each other, therefore unauthorized persons will be immediately recognized.

B. Access Control (Systems) – Server Administrators

i. Server Administrators

  • All access rights to CheckHub hosting and server infrastructure are assigned solely according to the “Need-to-Know” principle, which means they are allocated according to the field of activity of the individual employee (job description as described in the work contract), who must also have a certain level of seniority within the company.
  • All individual servers (instances) have isolated security rules (private key, firewall parameters, granted IP, etc.) based on specific requirements of the instance.
  • Authorized administrators within CheckHub staff will grant a unique access key to access an instance.
  • Access is always password protected. All staff must follow the password guidelines for creation of passwords. These guidelines contain various rules, e.g. about the required complexity of the passwords or how often passwords have to be changed. CheckHub staff receive regular training on the correct handling of passwords.

C. Access Control (Back-Office)

CheckHub is using a Back-Office application for internal support and maintenance of the customer’s activity. All employees are required to sign a confidentiality agreement as part of their onboarding process.

i. Access Back-Office by CheckHub Staff

  • Only a limited set of authorized CheckHub staff have access to an instance’s backoffice.
  • Back-office access is only possible from a white-listed limited set of IP addresses.
  • All authorized persons must authenticate themselves by entering a user ID and a password.
  • Passwords must be chosen according to the currently valid rules, considering both design (number of characters and special characters) and expiry rules.
  • Rules for structure of passwords:
    • No empty passwords.
    • Password must be at least eight characters.
    • Complexity required.
    • Trivial passwords are excluded.
    • Each user ID must have a password.
    • Only the user can change his password.
    • Only the user is allowed to know the password.
    • Default passwords are deactivated.
  • The initial password is only used for the initial registration – the users must change their password after the first initial registration. Passwords are encrypted. Admins can reset the user’s password; at the first login the user is forced to change his password.

ii. Access Customer Account by CheckHub operator

  • For support only, a CheckHub operator can:
    • Adapt company settings to match customer requirements.
    • Reset a user password and force a change. The user will then be forced to change his password at his first login.
    • Log into the company account as an existing user (using a “Log As” feature, see below for details).
  • Using a “Log As” feature, an operator:
    • Does not request the user’s password. A personal token will be used for identification.
    • Will have a time-limited session. For security reasons, this session expires faster than one using regular “User ID/Password” identification.
    • Is granted the same rights as the original user.

D. Access Control and Rights (SAAS Platform)

i. Access Control

  • When a new company account is configured, CheckHub creates one user with administrator rights using a strong password (provided to the customer). This password must be changed at first login, matching the password format requirements.
  • Additional users can be created and configured by the administrator.
  • All users must authenticate themselves by entering a user ID and a password.
  • Passwords must be chosen according to the currently valid rules, considering both design (number of characters and special characters) and expiry rules.
  • Rules for structure of passwords:
    • No empty passwords.
    • Password must be at least eight characters.
    • Complexity required.
    • Trivial passwords are excluded.
    • Each user ID must have a password.
    • Only the user can change his password.
    • Only the user is allowed to know the password.
  • Default passwords are deactivated.
  • Logged-in sessions have a limited validity and will be blocked after a long period of inactivity.

ii. Roles and Rights

  • On setup, one role (called “group”) is created in the company account, with “super admin” rights (no restriction).
  • More groups can be created with a limited set of rights matching the customer’s requirements.
  • A user can belong to one or more groups. A group can contain one or more users.
  • When a user belongs to a group, he inherits the group rights. When a user belongs to multiple groups, he inherits the sum of all rights granted by all groups.
  • Users with the right “User Settings” can manage users and reset passwords.
  • Users with the right “Group Settings” can manage groups and group members.

E. Access Control (API)

  • Data access and flow operations can be triggered via CheckHub API.
  • Access and authentication are secured by private API tokens.
  • An API token can be created or revoked at any time using the SAAS interface (with the associated right).
  • Multiple API tokens can be created to provide access to multiple tiers.
  • Access to API takes place via encrypted connections.

F. Isolation Control

i. General

  • Customer data exchanged with 3rd parties is limited to the strict minimum required by the process (ex: email gateway, OCR extraction, …).
  • No customer data is processed for purposes other than those specified in the Agreement.

ii. Shared Instance

  • Separation by customer is done on a logical level – the data is stored in a common database accessible with separate access authorizations.
  • Access to the instance application has no IP or domain restriction.

iii. Dedicated Instance

  • Separation by customer is done on a physical level (dedicated instance and dedicated database).
  • Separation by internal account can still be done on a logical level – multiple companies in clusters with shared resources (ex: sharing policies or document types).
  • Access to a dedicated instance could have IP or domain restriction.

G. Data Retention

  • No customer data is kept in the database when deleted from the interface or via API integration.
  • All local files associated with a resource are deleted on the CheckHub instance when the logical resource is deleted from the database. Any files externalized to a private cloud storage will remain.
  • The auto-delete feature allows customers to purge old resources and limit data to the minimum needed for their business.
  • Database logs are kept for a period of 30 days.
  • Database backup rotation covers 30 days. This means a deleted candidate can persist in the database backup for a maximum of 30 days (until the full cycle of database backup).
  • 3rd parties’ logs are kept for a period up to 30 days. When possible, we limit to the strict minimum necessary to support customer use.
  • Upon contract termination, customer data (contacts) can be exported in XLS format.

Integrity

H. Transfer Control

  • Customer-specific data from CheckHub is transmitted encrypted (HTTPS) from the Instance to the data center. Access requires authentication by username, password, and another authentication factor (ex: RSA token or SMS).
  • Customer-specific data from CheckHub is transmitted encrypted (HTTPS) from the Instance to the Customer Cloud storage. Access requires authentication by username, password, and another authentication factor (ex: RSA token or SMS).
  • All SSL configurations are periodically tested and achieve an A rating on the SSL Server Test by SSL Labs.
  • Transmission of the data is logged.
  • Regular analysis of the logs is done by the IT department.

I. External Cloud Support

  • We support multiple external storage options: AWS S3, REST API POST and Zapier Integration (more options to come).
  • All external storage options require a secured connection (password or token protected).

Availability and resilience

J. Availability Control

  • CheckHub uses market leaders as providers for its external servers and infrastructure (AWS, CloudFlare, …). Those providers guarantee state-of-the-art service redundancy and availability SLAs. Data center infrastructure includes redundant cooling systems, uninterruptible power supplies (UPS), and backup generators. The full provider list is available on request.
  • An up-to-date virus protection system is used for all systems.
  • Servers and storage components are available redundantly.
  • Data backup is done daily and is transmitted daily to geographically separated locations to ensure data redundancy. The backup rotation is 30 days.
  • The backup procedure is documented in written form.
  • An emergency concept and a security concept support the availability of individual components in case of system problems.
  • CheckHub provides a public Status Page accessible at https://status.checkhub.io, where customers can view real-time availability, historical performance data, and subscribe to updates about future events such as service outages or planned maintenance.

K. Rapid Recovery

Rapid recovery is secured by redundant infrastructure, regular (daily) backups with off-site storage, and regular checks of backups for availability, completeness, and integrity.


Procedures for regular testing, assessment and evaluation

L. Data Protection Management

Internal audits and penetration tests are performed regularly (at least annually). Penetration tests are conducted by certified external firms to ensure compliance with industry standards. All technical and organizational measures are checked for validity and effectiveness and, if necessary, improved. The data protection audit is performed by our above-mentioned DPO.

M. Incident Response Management

An internal Incident Management Process ensures documentation of events before and immediately following the discovery of an incident, clear and immediate communication, identification of the cause of the breach, and implementation of the steps required to fix the problem.

N. Data Protection by Design and Default

Data Protection by Design and Default is part of CheckHub’s development policy. Products are developed to ensure privacy according to the requirements. Staff members are regularly made aware of the requirements and consider them during all steps of product development.