Information security

Here is a 5-minute read, to give you a first impression of our information security arrangements. If you need more information, please get in touch with your (sales) consultant, who is able to provide you detailed documents with more specifics. Alternatively, call us, or drop us a line at our contact page.

Where is my data stored?

Effectory uses data centers in Ireland, The Netherlands, Germany, France and Belgium. We need these data centers to host our applications, handle emails, and online support. And we need multiple locations for redundancy, load balancing, business continuity, and backups. All within the European Economic Area, that is, a little bit of data is also stored in our office location in Amsterdam.

How do I know my data is secure?

Effectory has achieved ISO 27001 certification, the leading international standard for an Information Security Management System. BSI, one of the most professional, accredited auditing organizations in the world, independently inspects and certifies Effectory on the ISO 27001 standard. All of the 114 controls are audited for the scope of: conducting employee surveys, including the collecting, processing, reporting and consulting on personally identifiable data and survey results. This shows that we protect data according to the highest industry standards.

What about technical security testing?

Of course, during software development lots of security testing is being done, automatic and recurring. On top of that, we also use automated vulnerability scanning, done monthly or even more than this, by a 3rd party. And manual penetration testing at least annually by another 3rd party, but typically more often at big releases. These pen tests are white box based, this means we give insights to the hired ethical hacking company, so that they can more efficiently search for vulnerabilities. And then, there is also the Responsible Disclosure Policy.

How about people (as we all know are the weakest link in information security)?

Each new employee gets the same basic instruction, and also a meeting in person with the chief information security officer, held every month. All employees must pass a mandatory annual assessment on information security and privacy awareness. We help colleagues get up to speed again on the topics that are lagging. Specific roles, e.g. software developers and project managers, get special instructions to do their job properly. Additionally, all employees are required to handover a Dutch VOG (code of conduct), to check for criminal records. These are just some of measures we took for people’s awareness of their role in keeping your data secure.

How is information security organized?

Using a multi-disciplinary approach, the ISMS core team members are: cloud engineer, cyber security specialist, system administrator, network administrator, legal counsel, privacy officer, and to top it off, a chief information security officer. As you can see, together, we take serious care of your data and information.

Who are your sub processors?

Effectory uses:

  • Microsoft Azure, for hosting our own developed Effectory applications.
  • MailJet, for handling bulk email e.g. invitations to the questionnaire.
  • ZenDesk, for, to give a great and swift follow-up when needed.

Click on the links to find out more about the information security and privacy of these sub processors. Rest assured though, we’ve already done it for you, each year as part of our ISMS recurring tasks.

P.S. Effectory uses other 3rd party tools as well, but not to process personal data, and therefore these do not qualify as sub processors.

Anything else I should know at this moment?

Well, we are especially proud on this compliment from one of the external auditors recently: “The ISMS is not only effective, but also very mature”. How awesome to hear after all our hard work keeping your data and information secure 🙂