GDPR

This is how our commitment to the GDPR is structured

GDPR: our commitment

The GDPR guarantees new rights to users. Because our platforms are compliant, we are able to respond to requests from Users who wish to exercise their data rights.

  • Right of rectification: each User can modify their data at any time.
  • Right to be forgotten: if a User wishes to exercise their right to be forgotten, they can do so directly by accessing their Reserved Area.
  • Right to portability: any User can export their information contained in the platforms in .xml files.
  • Right to access: by accessing the Reserved Area you can view all the information we have in our possession.

Data access, management and security

Each User logs in with the email address used to register; for each access, a disposable access token is generated and sent to the User by email. All the data that the User uploads to the platform is saved in our systems, giving the User full control over how it is managed, searched and accessed.

The architecture used is, like that of most modern applications, of the “software as a service” type. However, since the privacy and security of our users have always been our priority, we wanted to keep all databases encrypted.

This solution gives us various advantages, including a very high level of flexibility in terms of data recovery.

Application and communications security

Some basic rules have been defined in our platforms which are considered adequate measures in the field of security and data processing:

  • Encrypted transmission using SSL, both when accessing and using the platform
  • Access token saved in encrypted and non-reversible format (hash). None of our staff can know it
  • The log-in pages adopt controls to prevent unauthorized access and “brute force” attacks
  • Access via two-factor authentication system
  • We make the detailed access log available to Users

Security is not limited to the use of the platforms; it is also a requirement for the communications we send. We use the DKIM (DomainKeys Identified Mail) standard to send messages. This is an authentication system that allows you to “certify” that the content of the message arriving at the recipient is the one originally sent by the sender.

In this way the entire email is encrypted via the TLS protocol, so that it cannot be altered or read without authorization during transport until it reaches its destination.

Furthermore, all links contained in emails, including any redirections, are automatically checked by our systems to prevent spam, malicious use of the platform and theft of data (including personal data).

Security in data processing

The data uploaded to the platform is maintained and saved via backup, to be automatically deleted within 20 days of the cancellation request by the User.

We have a dedicated privacy and compliance team, which oversees the organization’s security and compliance with current laws. All the people who work for us, and in particular those who may have access to User data, have received adequate training in security and privacy and have clear provisions to follow to safeguard the confidentiality, integrity and availability of the data.

All access is limited by a system of permissions by role and purpose of use, which allows us to guarantee that only authorized people can have access to the data or servers. In addition, even authorized personnel cannot see the personal data of Users without additional authorization, always linked to a specific and traceable request by the User or prior authorization from the compliance team to verify non-compliant behavior. Roles and access are checked regularly.

Consent

The Regulation provides that the data controller (we) must be able to demonstrate that the interested party has given his consent to the processing of his personal data. This has always been a priority for us and for this reason our Users can find all the necessary tools, always updated, to best manage consent:

  • Registration confirmation system (double opt-in) implemented as standard on our forms
  • The User’s “Account History” page is clear and includes all the elements necessary to demonstrate the consent of the interested party

Temporal validity of consent

The GDPR provides that it is the responsibility of the data controller (we) and its managers to establish the data retention times and to ensure that this period is limited to the minimum necessary.

The Personal Data processed will be stored by us until the User revokes consent; however, the User is automatically asked periodically:

  • To renew the consent
  • To update their data

If the User withdraws consent, we will no longer use the User’s Personal Data.

Tools for exercising the rights of interested parties

In order to allow the subjects involved in the processing to exercise the rights provided for (access, cancellation, limitation of processing, portability), we have made the relevant functions available in a clear and intuitive way within the “Customer Area”. Each User/recipient can directly exercise not only the right to cancellation (opt-out) but also the right to:

  • Know what data is processed via the platform
  • Limit its treatment
  • Request not to be tracked
  • Personalize the contents of communications
  • Portability: export of personal information

In order to allow the subjects involved in the processing to exercise the right to delete their personal data, our platform offers the “Unsubscribe to exercise the right to be forgotten” function: through this function the interested party will be unsubscribed and all additional data will be deleted, with the exception of the email address, the registration date, the registration IP address and the device used for registration, as they may be used to demonstrate consent in the future.