Pluform Privacy Policy

1.1 Introduction

This document describes the measures taken by Pluform to ensure proper levels of service, privacy and security. This Privacy Policy is based on the ICT safety guidelines for web applications of the Dutch National Cyber Security Center (NCSC). Additionally, this Privacy Policy is created in accordance with the General Data Protection Regulation and other regulations related to data privacy from the Dutch Privacy Authority (Autoriteit Persoonsgegevens, AP).

Pluform has the right to change this Privacy Policy. Changes will be published on this website.

1.2 Who can see my data?

Accessibility of data for the different roles of users. Pluform users only have access to their own data and to data that has been specifically shared within the coach-client relationship. In doing so, Pluform takes the possible professional secrecy of a coach into account. There are three different roles within Pluform with different access levels. The roles within the application are organization manager, coach and client.

  ▪ Organization managers manage the organization account in Pluform. They manage the profile information (such as name and email address) of coaches and coachees. They do not have access to data and information that has been shared within the dialogue between coach and coachee.
  ▪ Coaches only have access to their own personal data and to the personal data of their coachees that has been shared by the coachee.
  ▪ Coachees only have access to their own personal data and to the (personal) data that has been shared by the coach.

We only keep your data as long as necessary. Coachee data is kept until two years after the end of the coaching trajectory. Coach data will be kept until two years after the end of the agreement. If requested, Pluform can delete all data from an account earlier. Also, coachees can easily delete their own account within Pluform. By doing that, they delete all known personal data from Pluform as well. Employees of Pluform make sure that other privacy right requests are handled correctly and in a timely manner. For more information on privacy rights, please see the Privacy Regulations.

The privacy rights are:

  1. Right of inspection
  2. Right to rectification
  3. Right to oblivion
  4. Right to limitation of processing
  5. Right to transferability of data
  6. Right to submit a complaint

Notification e-mails in Pluform. Email is an unsafe medium. Therefore, emails that are sent from Pluform never contain confidential information. The emails you receive from Pluform serve as notifications. Only after logging in to your Pluform environment will you be able to see the actual message.

Sharing data with third parties. Data is not sold to third parties. Data is only transferred to third parties if this is necessary for execution of the agreement between Pluform and the customer or if we are forced to do so by Dutch law. All parties Pluform collaborates with keep at least the same security levels as we do. No data is transferred to “patriot act” liable parties.

User statistics. Within the safe application of Pluform (secure.pluform.com) we do not use Google Analytics and trackers. This means that we do not analyze your behavior within the actual Pluform environment (something other parties do to offer you personalized advertisements based on your personal information). Within our marketing website (www.pluform.com), we do use Google Analytics and trackers to be able to share advertisements and information with people who may be interested in Pluform. Please see our Privacy and cookie policy for more information about this.

1.3 Our login Protocol

Passwords. Users set their own password. Passwords are at least 8 characters long, including one number and one capital letter. This makes the password difficult for others to guess. If you forget your password, we will send a unique link to your email address with which you can set a new password. No passwords are sent through email. Passwords are encrypted in the database.

Two-step verification through SMS. In addition to logging in with the username and password, Pluform offers the option to add two-step verification. If two-step verification is enabled, you enter an extra code after entering your user name and password. You receive this code on your mobile phone. Your account is extra safe with two-step verification.

1.4 Technical control and hosting

Pluform has its IT infrastructure hosted by True Managed Hosting from True. True takes care of and manages the technical aspects of Pluform, such as infrastructure and datacenters. True delivers dedicated servers to us and continuously optimizes the server environment.

Certificates. We chose True because of its safety. True is ISO27001:2013 (information security), ISO9001 (risk and quality management) and NEN7510:2011 (information security in health care) certified and uses certified datacenters that are located in the Netherlands. With these certifications, True adheres to the highest standards of information security.

Datacenter location security. All datacenters that are used by True have the standards of the highest level to prevent unauthorized physical access to the servers, including biometric access controls, cameras, digital code locks and safety personnel. Only authorized employees have access to the server location.

Control. True is certified for all aspects of the daily managed hosting service. The safety and performance of the Pluform servers and applications is guarded 24/7.

1.5 How do we keep Pluform safe?

Drupal. The Pluform application is built using Drupal technology. Drupal is a framework for building safe websites and web applications. Drupal has been used for over 10 years and has an excellent safety track record.

Protection of data traffic. User information is only transported if it is locked and kept safe through SSL (Secure Sockets Layer) encryption. This means that data is not readable when someone intercepts it. Likewise, technical updates and improvement and maintenance data are only transported in encrypted form (through protected SSH connections). SSH is a cryptographic network protocol for protecting data communication.

Audits. IT systems and procedures of our partners are subjected to audits. In addition, Pluform is subjected to audits and has a Third Party Memorandum (a declaration from an independent audit party about the quality of the ICT service, quality and control of an organization).

Firewalls. To safeguard Pluform from cyber attacks, all Pluform servers have a Linux iptables-based firewall. This means that Pluform checks all incoming network traffic and blocks it. The traffic can only pass if it has been classified as a reliable source for incoming HTTP and HTTPS traffic. The firewall is instructed to block cyber attacks that have as their goal the unavailability of the application (Denial-of-service) or intentional delay of the application (throttle traffic).

Back-ups. Daily back-ups are made of the data that is put in the application. Each night, a back-up is transferred to an offsite back-up server. This means that the data that has been shared in Pluform does not get lost when a problem occurs.

1.6 Development and maintenance

Pluform is continuously being monitored and developed. When we develop the application or do a security update, we do this safely. Our maintenance and development takes place through staged development. This means that all updates and new functions are put on a test server first, where they are tested and checked extensively by authorized people. Only when they approve does the update or new function go to an acceptance and production server. In this way, we can recognize safety or critical issues in time. The actual change to the application is only made when we are confident that it will not lead to problems in security or availability of the application.

1.7 What can I do?

At Pluform, we do everything we can to keep data as safe as possible. You, as user of Pluform, can do some things as well to work as safely as possible. We have some tips for you right here:

▪ Passwords. Naturally, you want to prevent someone else from having access to your account. Therefore, keep your password safe and never share it with other people. Make sure that the password is not easy to guess. Also, we recommend that you do not log in automatically (that is, let your browser remember your password) because, if you lose your computer, smartphone or laptop, someone else may log in automatically to your profile and have access to all your information! Also, we recommend using two-step verification in your profile (see 1.3).

▪ Know your rights. Are you a coach? Inform your coachees about their privacy rights. Pluform does this already when the coachee logs in to Pluform for the first time. If you do this as well, you can be confident that your coachee knows his or her rights. Are you a coachee? Consider whether you have been informed well. If not, please contact your coach and ask questions.

▪ Do not collect unnecessary data. As a coach, you should always ask yourself whether you are collecting more data than you need for this trajectory. Minimize the amount of data that you collect, to minimize the chance of privacy issues.

Version 9, July 5 2018