Risk & Security Assessment
Security assessment of the HereTask software platform (hereafter referred to as "the platform").
Organising information securely
Only a small team of technical administration staff have access to the production database in the platform. In addition, the development team has access to the platform to the extent necessary for further development and maintenance. Only management has access to assign login permissions and can revoke these permissions at any time.
Protection of systems and data
Employee access to the platform is only granted for the information necessary to carry out their work. An audit and risk assessment is conducted and presented at the annual board meeting. The risk-based assessment concerns data protection, including whether system monitoring is still sufficient.
Mobile equipment and home workstations
HereTask has policies for the use of mobile equipment and remote workplaces. Employees and suppliers are only granted limited access to the platform, all access is logged, and platform data is not stored locally.
A background check is obtained when hiring employees, and employees are only granted access to sensitive information after a trial period of 3 months.
Education of employees in information security
Only the management hires staff. After employment, employees undergo training concerning data security, which is carried out in a yearly follow-up, where employees are taught and consulted on safety instructions.
There are written rules for confidentiality, both during and after employment.
Breach of information security
The management must be informed if an employee discovers or suspects a security breach. The employees are informed that breaches of security may have consequences for the employment relationship and are informed that offenses are reported to the police. The employees are subject to a duty of confidentiality during and after employment.
Guidelines for handling confidential and personally sensitive information
All communication in the platform regarding sensitive personal information takes place with SSL 256-bit security encryption. Users access the platform via a unique username and password. The platform automatically logs the user out after a period of inactivity, and employees lock their screens when they leave their devices. Printed paper material is shredded immediately after use, and there is no storage of paper material.
Access to the platform is granted to administrators via the data controller, who also defines user access and permissions.
An audit of access permissions is carried out on an ongoing basis and once annually, where the management group reviews employees' accesses and permissions to ensure that these are correct.
Access to customer data
HereTask has access to the data stored in the platform via database access. The data access between the customer and the platform is always encrypted. The data access of the supplier to the platform is limited to that necessary in a given situation.
Log in security
The customer is assigned a unique username and password at startup. The individual staff can change the password, and the customer's administrator can change the username. The data control ensures that a minimum 8-digit password is entered, consisting of upper and lower case letters and numbers. However, it is up to data controllers to define employee guidelines.
Access to source code
Employees have full access to the source code.
Customer access to data
Unique username and password. The platform is accessed via a web browser or mobile device.
Physical security is handled by the subcontractor ScanNet A/S according to its usual safety standards.
Physical access control
ScanNet A/S has physical access control with a personal key card. HereTask has no physical access to the ScanNet A/S server.
Risk assessment of the physical security of the supplier
Handled by the subcontractor ScanNet A/S.
Equipment is distributed among home workplaces. All HereTask employees are informed about security in relation to that equipment, and it must be locked when leaving home. Personal data on the ScanNet A/S server is secured via login with a unique username and password.
Operational security and backup
Backup is carried out by the subcontractor ScanNet A/S. The backup is placed in a data centre in Denmark. HereTask tests backup every month.
Logging and monitoring
All search variables are logged.
All login sessions are logged. The solution at ScanNet A/S is set up so that all access to the cloud solution is recorded in access logs.
Access to log data
HereTask has the option of delivering CSV files with log data.
Linux platform with SSH communication.
Notify data controllers in the event of a security breach
The management will immediately inform all our customers within 24 hours if HereTask has experienced a security breach and there is a security risk to the customer's data.
There are agreed working procedures for accidental incidents, which are reviewed annually.
Tests of preparedness and contingency plans
Information security review
HereTask carries out its own annual audit.
Documents self-checking of procedures
Report at the annual general meeting.
Security requirements of subcontractors and data controllers
HereTask completes an ongoing assessment of all our subcontractors and the security requirements. Subcontractors are subject to their own security requirements, which may differ from what is described in this document.