GDPR
Wididi Customer Responsibilities
Wididi expects each of its customers to act as a data controller for any personal data that is entered into a Wididi configured platform. The data controller determines the purposes and means of processing personal data, while the data processor processes data on behalf of the data controller. Wididi is a data processor and processes personal data on behalf of the data controller when the controller is using the Wididi Platform.
Data controllers are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Controllers’ obligations relate to principles such as lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling data subjects’ rights with respect to their data.
Wididi Platform and GDPR
Wididi has implemented appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR.
Knowledge
Wididi employees keep up to date on security and privacy technology and legislation.
Continuous enhancements are made to the Wididi platform to keep security up to date, perform regular security review processes, update and monitor the security infrastructure and regular verification of policies.
Data handling
Our contracts clearly and simply outline privacy and data ownership commitments to customers. If needed, we will work with our customers to define specific processing terms and conditions. All data that a user enters into a Wididi platform will only be processed in accordance with the agreed terms and conditions. All Wididi employees have signed a confidentiality agreement.
Use of sub-processors
Wididi does not use data sub-processors unless explicitly requested for or mutually agreed with the customer.
Services security
Wididi hosts all solutions in secure and ISO 27001 compliant data European (most Dutch) centres. Access to the servers is restricted to authorised personnel only. Per configuration a different and extensive set of user profiles and access roles is configured to control access and use of data per user.
Availability, Integrity, and Resilience
Wididi hosts all solutions based on highly redundant hardware,providing our customers with maximum protection against system unavailability and loss of data.
Escrow agreements can be contracted to ensure software and data availability in the event of Wididi not being able to deliver its services.
Testing
Wididi conducts disaster recovery on a regular basis.
Encryption
The Wididi platform uses various levels of encryption to protect data from being viewed by unauthorised users.
Data in transit is always SSL encrypted, mostly through HTTPS connections. Encryption schemes are frequently reviewed to stay up to date with the latest security standards and quality. Outdated encryption schemes are deprecated as needed.
Access
Wididi employees have access rights based on their job function and role. Access is granted on a need-to-know basis and regularly reviewed and adjusted.
Vulnerability Management
Wididi constantly scans for platform vulnerabilities using a wide variety of tools and mis-use detection systems including regular penetration testing, brute force sign on attempts, DDOS attacks and other techniques that potentially put customer data at risk.
Platform Security
The Wididi platform contains a series of features and functions to protect personal data against unauthorised or unlawful processing. Examples are 2-factor authentication, password strength checking, IP address checking, auto-disabling of profiles after a series of invalid login attempts and monitoring of suspicious logins using a frequently updated set of rules.
Data Return & Removal
Administrators can export and delete data via the Wididi platform at any time during the term of the agreement. All data is linked to user profiles. Depending on the agreed policy data can be auto-deleted after a period of time. All data that is related to a user can be deleted by deleting the user profile.