As we observe Data Privacy Day, we’re reminded of the importance of keeping our personal and professional information safe. With over 25 years of experience in employee survey solutions, Effectory has developed measures specific to its line of business at a SaaS level.
7 essential security measures at Effectory: Behind the scenes with our Chief Information Security Officer
To give you a behind-the-scenes look at how we protect sensitive information, we sat down with Wouter Buzing, our Chief Information Security Officer, for an insightful conversation. Join us as Wouter unveils the layers of protection that keep your and your employees’ data under lock and key.
- #1: Fully ISO certified & GDPR compliant
- #2: Role-based access in My Effectory platform
- #3: Secure authentication measures
- #4: Data stored safely in Europe
- #5: Employee training and awareness
- #6: Dedicated team for information security & data privacy tasks
- #7: Embracing emerging technologies in line with GDPR
#1: Fully ISO certified & GDPR compliant
ISO, for those unfamiliar, is a global body that develops and publishes a wide range of non-proprietary standards. It’s a benchmark for quality and trust across various fields, including information security. In April 2023, Effectory became one of the first organizations in Europe to update to the ISO 27001:2022 standard. This is a significant step forward in information security standards set by ISO.
“What sets Effectory apart,” says Wouter, “is that in addition to the ISO 27001 standard, which is only about security, is that we also chose to do the ISO 27701 certification, which is an add-on specifically for data privacy.” And next to that, we also have the SOC 2 Type II badge. These achievements are specific to Effectory’s line of business at a SaaS level.
Effectory also takes measures to ensure GDPR compliance. According to Wouter, “our ISO 27701 add-on is proof of GDPR compliance in our role as Processor toward our customers.” To further ensure that all processes are in line with the latest regulations, we’ve got a dedicated team within Effectory that focuses on meeting these standards.
#2: Role-based access in My Effectory platform
My Effectory is our customer platform, the place where customers can set up and manage surveys, analyze results, and more. The platform employs role-based access controls. Wouter highlights the importance of this feature, explaining that specific roles within the platform, such as the central coordinator and project coordinator, are assigned out-of-the-box permissions. This ensures that each role accesses only the necessary data so that each person can do their job appropriately and in line with data privacy.
Effectory supports customers in the platform with the data privacy of their employees. Over 20 years of experience with privacy and confidentiality have resulted in a comprehensive set of business rules specific to employee feedback solutions, so that customers don’t have to worry about this aspect.
Wouter also points out that My Effectory prevents uploading sensitive personal data. This means that if a user attempts to upload information about religious beliefs or ethnicity, which are considered more sensitive than basic data like email addresses, the platform promptly issues a warning. This way, customers are guided to only process appropriate data in employee surveys.
#3: Secure authentication measures
There are more security measures in place for the customer platform, as explained by Wouter.
Effectory has built its own identity and access management with multi-factor authentication (MFA) for the roles that have the access to the most confidential data. This means for roles like central and employee coordinators, MFA is always on, making their accounts extra secure. For other roles, like project or local coordinators, there’s the option to turn on MFA if needed, giving users more control.
Effectory also offers an alternative to its native identity management system: the option of Single Sign-On (SSO). This means authentication is handled by the customers themselves before they even get into the ‘My Effectory’ platform. It’s a popular choice, because it’s both secure and convenient, putting the control in the hands of our customers.
#4: Data stored safely in Europe
Wouter brings attention to an essential point about data storage at Effectory. All the data that we process is exclusively stored in European data centers. This is a critical aspect for our customers.
By storing data within Europe, we ensure compliance with European standards and regulations, directly aligning with the expectations and legal requirements of our European customers.
#5: Employee training and awareness
At Effectory, understanding and respecting data privacy is fundamental. Right from the start, every new employee dives into data security as part of their onboarding. Within their first six months (and each year after that) they must pass an information security awareness assessment.
To prepare for this, each new colleague goes through an information security onboarding process with Wouter:
Within Effectory, all new employees are onboarded with monthly sessions with me. This is the place to get interactive, ask many questions, raise awareness, and create an open culture: what am I doing here, which data am I processing, is this an incident, and so on.
These training sessions are more than just a rundown of rules. They’re engaging and designed to make everyone aware of the finer points of data privacy – like the simple but crucial act of not leaving your laptop open when you step away from your desk. It’s about embedding a mindset of caution and responsibility in every team member, especially those who work directly with customer data.
#6: Dedicated team for information security & data privacy tasks
At Effectory, we have a specialized team focused solely on tasks related to information security and data privacy. This group includes employees from different departments within Effectory. Together, they are our dedicated Security and Privacy Team. Their role is to ensure that every aspect of our data handling meets the highest standards of privacy and security.
#7: Embracing emerging technologies in line with GDPR
A subtle, yet important and often overlooked aspect of information security is keeping up with current security technologies, as Wouter points out.
Effectory is constantly on the lookout for new and emerging technologies in the security field. The GDPR mandates that organizations must employ technical and organizational measures that reflect the latest advancements in security.
We pride ourselves on being early adopters of new, emerging security technologies. This is crucial for staying in line with the state-of-the-art security requirements set by GDPR and for ensuring our systems are strong against modern threats.
This forward-thinking strategy means we don’t just meet the standards set today but are prepared for tomorrow’s challenges such as the ones brought by Artificial Intelligence (AI). Our commitment to embracing the latest in security technology keeps us, and the data we protect, ahead of the curve.
Learn more about information security at Effectory
For an even more in-depth look at all the security measures employed by Effectory, we invite you to visit our security center.