Risk & Security Assessment

Security assessment of the HereTask software platform (hereafter referred to as "the platform").

Organising information securely

Only a small team of technical administration staff has access to the production database in the platform. In addition, the development team has access to the platform to the extent necessary for further development and maintenance. Only management can assign login permissions, and it can revoke these permissions at any time.

Protection of systems and data

Employee access to the platform is only granted for the information necessary to carry out their work. An audit and risk assessment is conducted and presented at the annual board meeting. The risk-based assessment concerns data protection, including whether system monitoring is still sufficient.

Mobile equipment and home workstations

HereTask has policies for the use of mobile equipment and remote workplaces. Employees and suppliers are only granted limited access to the platform, all access is logged, and platform data is not stored locally.

Personnel security

A background check is obtained when hiring employees, and employees are only granted access to sensitive information after a trial period of 3 months.

Education of employees in information security

Only the management hires staff. After employment, employees undergo data security training, which is carried out as a yearly follow-up where employees are taught and consulted on safety instructions.

Confidentiality

There are written rules for confidentiality, both during and after employment.

Breach of information security

The management must be informed if an employee discovers or suspects a security breach. The employees are informed that breaches of security may have consequences for the employment relationship and that offenses are reported to the police. The employees are subject to a duty of confidentiality during and after employment.

Guidelines for handling confidential and personally sensitive information

All communication in the platform regarding sensitive personal information takes place with SSL 256-bit security encryption. Users access the platform via a unique username and password. The platform automatically logs the user out after a period of inactivity, and employees lock their screens when they leave their devices. Printed paper material is shredded immediately after use, and there is no storage of paper material.

Access control

Access to the platform is granted to administrators via the data controller, who also defines user access and permissions.

An audit of access permissions is carried out on an ongoing basis and once annually, where the management group reviews employees' accesses and permissions to ensure that these are correct.

Access to customer data

HereTask has access to the data stored in the platform via database access. The data access between the customer and the platform is always encrypted. The supplier's data access to the platform is limited to what is necessary in a given situation.

Login security

The customer is assigned a unique username and password at startup. Individual staff members can change the password, and the customer's administrator can change the username. The data control ensures that a password of at least 8 characters, consisting of upper and lower case letters and numbers, is entered. However, it is up to data controllers to define employee guidelines.

Access to source code

Employees have full access to the source code.

Customer access to data

Unique username and password. The platform is accessed via a web browser or mobile device.

Physical security

Physical security is handled by the subcontractor ScanNet A/S according to its usual safety standards.

Physical access control

ScanNet A/S has physical access control with a personal key card. HereTask has no physical access to the ScanNet A/S server.

Risk assessment of the physical security of the supplier

Handled by the subcontractor ScanNet A/S.

Equipment

Equipment is distributed among home workplaces. All HereTask employees are informed about security in relation to that equipment, and it must be locked when leaving home. Personal data on the ScanNet A/S server is secured via login with a unique username and password.

Operational security and backup

Backup is carried out by the subcontractor ScanNet A/S. The backup is placed in a data centre in Denmark. HereTask tests the backup every month.

Logging and monitoring

All search variables are logged.

Access logging

All login sessions are logged. The solution at ScanNet A/S is set up to record all access to the cloud solution in access logs.

Access to log data

HereTask has the option of delivering CSV files with log data.

Communication security

Linux platform with SSH communication.

Notify data controllers in the event of a security breach

The management will immediately inform all our customers within 24 hours if HereTask has experienced a security breach and there is a security risk to the customer's data.

Preparation

There are agreed working procedures for accidental incidents, which are reviewed annually.

Tests of preparedness and contingency plans

Revised annually.

Information security review

HereTask carries out its own annual audit.

Documents self-checking of procedures

Report at the annual general meeting.

Security requirements of subcontractors and data controllers

HereTask completes an ongoing assessment of all our subcontractors and the security requirements. Subcontractors are subject to their own security requirements, which may differ from what is described in this document.