Security Assessment
Assessment of the security of the IT systems HereTask Platform, HereTask Social, HereTask System and HereTask Admin (hereinafter referred to as "the IT systems").
Organisation of information security
Only management has access to the full database in the IT systems. Management consists of two people. In addition, the development team has access to the IT systems to the extent necessary for further development and maintenance. Only management has the authority to grant login rights and can revoke these access rights at any time.
Protection of systems and data
Access to the IT systems is restricted: individuals are only granted access to the information necessary for them to perform their work. An annual review and risk assessment is conducted at the board's general meeting. Data protection is assessed on a risk basis, including whether the current level of system monitoring remains adequate.
Mobile equipment and remote workplaces
HereTask has documented policies for the use of mobile equipment and remote workplaces. Employees and suppliers are only granted remote access to the IT systems, and all remote access is logged; local storage of personal data from the IT systems is not permitted.
Personnel security
Criminal record checks are obtained when hiring employees and are renewed annually thereafter. After hiring, employees undergo training in IT security, and annual follow-ups are conducted where employees are trained and consulted on the security instructions. HereTask only grants employees access to sensitive personal data after a probationary period of 3 months.
Employee training in information security
Only management hires personnel. Employees are informed and consulted annually about information security requirements.
Confidentiality
Written rules for confidentiality have been established, both during and after employment.
Information security breaches
Management must be informed if an employee discovers or suspects a security breach. Employees are informed that security breaches may have consequences for their employment and are informed that legal violations are reported to the police. Employees are bound by confidentiality during and after employment.
Guidelines for handling confidential and sensitive personal information
All communication in the IT systems concerning sensitive personal information, including any transfer of such information within the IT systems, is encrypted in transit using TLS (referred to in this assessment as SSL) with 256-bit encryption. Login requires a unique username and password. The IT systems automatically log the user out after 5 minutes of inactivity. All PCs lock their screens after 5 minutes, and employees also lock their screens when leaving their PCs. Printed paper materials are shredded immediately after use, so no paper materials are stored.
Access control
Access to the IT systems is granted to administrators at the data controller, who also define user access and rights.
Self-audit of access
Access rights are self-audited on an ongoing basis, and once a year the owners collectively review all employees' access and rights to ensure they are correct.
Access to customer data
HereTask has access to the entered data in the IT systems via database access. Data transfer between the customer and the IT systems is encrypted. The supplier's data access to the IT systems is limited to what is necessary in a given situation.
Login security
The customer is assigned a unique username and password when the account is created. The password can be changed by the individual employee, and the username can be changed by the customer's administrator. The supplier enforces a minimum password length of 8 characters, containing uppercase letters, lowercase letters and digits. It is, however, up to the data controller to define password guidelines for its own employees.
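The following is an added illustration of how the two-layer arrangement described above can be implemented: the supplier's enforced floor (8 characters, upper, lower, digit) is fixed, and a data controller may layer a stricter guideline on top but can never weaken the floor. It is example code, not HereTask's own implementation; the rule that rejects a password containing the username is an assumption added here and is not stated in the assessment. Note also that composition rules of this kind are a minimum, not a best practice: current guidance (NIST SP 800-63B) favours length and screening against known breached passwords over character-class requirements, which is exactly the kind of tightening a data controller's guideline would add.

```python
"""Password-policy check: the supplier's stated minimum, plus a way for a data
controller to layer stricter guidelines on top.

Added illustration for this assessment; not HereTask code.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    """Composition rules a new password must satisfy."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = False  # not in the supplier's minimum; a controller may add it


# The supplier's enforced floor as described in the assessment:
# at least 8 characters with uppercase letters, lowercase letters and digits.
SUPPLIER_MINIMUM = PasswordPolicy()


def effective_policy(supplier: PasswordPolicy, controller: PasswordPolicy) -> PasswordPolicy:
    """Merge the supplier floor with a data controller's guideline.

    The stricter value of every rule wins, so a controller can tighten the
    policy for its own employees but never weaken the supplier's minimum.
    """
    return PasswordPolicy(
        min_length=max(supplier.min_length, controller.min_length),
        require_upper=supplier.require_upper or controller.require_upper,
        require_lower=supplier.require_lower or controller.require_lower,
        require_digit=supplier.require_digit or controller.require_digit,
        require_symbol=supplier.require_symbol or controller.require_symbol,
    )


def check_password(password: str, policy: PasswordPolicy = SUPPLIER_MINIMUM,
                   username: str = "") -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted.

    All failures are reported at once (not just the first) so the user can be
    told exactly what to fix. The username rule is an assumption added in this
    example (not stated in the assessment); it blocks the common 'alice/Alice123'
    pattern.
    """
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_symbol and all(c.isalnum() for c in password):
        failures.append("no symbol")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs: a controller tightens the supplier floor to
    # 12 characters plus a symbol, and the same candidates are checked against both.
    strict = effective_policy(SUPPLIER_MINIMUM, PasswordPolicy(min_length=12, require_symbol=True))
    for pw in ["Abcdefg1", "abcdefg1", "Ab1", "Correct-Horse-9"]:
        print(f"{pw!r}: supplier={check_password(pw)} controller={check_password(pw, strict)}")
```

Because effective_policy() only ever takes the stricter value of each rule, a misconfigured controller guideline (say, min_length=4) silently falls back to the supplier floor rather than opening a gap below it.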
Access to source code
Employees have full access to the source code.
Customer access to data
Customers access the IT systems via a web browser, using a unique username and password.
Physical security
Physical security is managed by the subcontractor A/S ScanNet in accordance with ScanNet's own security standards.
Physical access control
A/S ScanNet has physical access control in the form of personal key cards. HereTask has no physical access to A/S ScanNet's servers.
Risk assessment of physical security at the supplier
Managed by the subcontractor A/S ScanNet.
Equipment
Equipment is distributed across remote workplaces. All HereTask employees are informed of the security requirements, specifically that equipment must be locked whenever the employee leaves the home workplace. Sensitive personal data on A/S ScanNet's servers is protected by login with a unique username and password.
Operational security and backup
Backups are performed by the subcontractor A/S ScanNet and stored in a data centre in Denmark. HereTask tests the backups every month.
Logging and monitoring
All search parameters submitted to the IT systems are logged.
Access log
All login sessions are logged. The environment at A/S ScanNet is configured so that all access to the cloud solution is logged.
Access to log data
HereTask can provide log data as CSV files on request.
Communication security
The servers run on a Linux platform; administrative communication with them takes place over SSH.
Notifying data controllers in case of security breach
Management will inform all customers within 24 hours of discovering a security breach that poses a risk to customer data.
Emergency preparedness
Procedures for handling unintended incidents have been agreed upon and are revised annually.
Testing of emergency preparedness and contingency plans
The contingency plans are tested and revised annually.
Review of information security
An annual self-audit is conducted.
Documentation of self-audit of procedures
The self-audit is documented in the minutes of the annual general meeting.
Subcontractors and data controller security requirements
HereTask continuously assesses all of its subcontractors and their security requirements. Subcontractors are subject to their own security requirements, which may differ from those described in this document.