2. WHO CAN SEE MY DATA?
Accessibility of data for the different roles of users. Pluform users only have access to their own data and to data that has been specifically shared within the coach-client relationship. Thereby Pluform takes the possible professional secrecy of a coach into account. There are three different roles within Pluform with different access levels. The roles within the application are organization manager, coach and client.
- Organization managers: manage the organization account in Pluform. They manage the profile information (such as name and email address) of coaches and coachees. They do not have access to data and information that has been shared within the dialogue between coach and coachee.
- Coaches only have access to their own personal data and to the personal data of their coaches that has been shared by the coachee.
- Coachees only have access to their own personal data and to the (personal) data that has been shared by the coach.
We only keep your data as long as necessary. Coachee data is kept until two years after the end of the coaching trajectory. Coach data will be kept until two years after the end of the agreement. If requested, Pluform can delete all data from an account earlier. Also, coachees can easily delete their own account within Pluform. By doing that, they delete all known personal data from Pluform as well.
Employees of Pluform make sure that other privacy right requests are handled correctly and timely.
For more information on privacy rights, please see the Privacy Regulations.
The privacy rights are:
- Right of inspection
- Right to rectification
- Right to oblivion
- Right to limitation of processing
- Right to transferability of data
- Right to submit a complaint
Notification e-mails in Pluform: Email is an unsafe medium. Therefore, all emails that are sent from Pluform never contain confidential information. The emails you receive from Pluform are used as notification. Only after logging in your Pluform environment, you will be able to see the actual message.
Sharing data with third parties: Data is not sold to third parties. Data is only transferred to third parties if this is necessary for execution of our agreement between Pluform and customer or if we are forced to do so by Dutch law. All parties Pluform collaborates with, keep at least the same security levels as we do. No data is transferred to “patriot act” liable parties.
3. OUR LOGIN PROTOCOL
Passwords: Users add their own password. Passwords are at least 8 signs long, including one number and one capital letter. This makes the password difficult to guess for others. When you forgot your password, we will send a unique link to your email address with which you can set a new password. No passwords are sent through email. Passwords are encrypted in the database.
Two-factor authentication (2FA) through SMS-codes or Authenticator: Additional to logging in with the username and password, Pluform offers the option to add two-step verification. If two-step verification is enabled, you add an extra code after entering your user name and password. You have received this code on your mobile phone. Your account is extra safe with two-step verification.
4. TECHNICAL CONTROL AND HOSTING
Hosting provider: Pluform has its IT-hosting infrastructure hosted by True Managed Hosting from True. True takes care of and manages the technical aspects of Pluform, such as infrastructure and datacenters. True delivers dedicated servers to us and continuously optimalizes the server environment.
Certificates: We chose True because of its safety. True is ISO 27001:2013 (information security), ISO 9001 (risk and quality management) and NEN 7510:2011 (information security in health care) certified and uses certified datacenters that are located in the Netherlands. With these certifications, True adheres to the highest standards of information security.
Datacenter location security: All datacenters that are used by True have the standards of the highest level to prevent unauthorized physical access to the servers, including biometric access controls, cameras, digital code locks and safety personnel. Only authorized employees have access to the server location.
Control: True is certified for all aspects of the daily managed hosting service. The safety and performance of the Pluform servers and applications is guarded 24/7.
5. HOW DO WE KEEP PLUFORM SAFE?
Ruby on Rails. The Pluform application is built using Ruby on Rails. Rails is a web application development framework written in the Ruby programming language. Rails has been used for over 15 years and has an excellent safety track record.
Protection of data traffic: User information is only transported if it is locked and kept safe through SSL (Secure Sockets Layer) encryption. This means that data is not readable when someone intercepts it. Accordingly, technical updates, improvement- and maintenance data are only transported if coded (through protected SSH connections). SSH is a cryptographic network protocol for protecting data communication.
Audits: IT systems and procedures of our partners are subjected to audits. In addition, Pluform is subjected to audits and has as part of eCoachPro an ISO 27001 certification.
Firewalls: To safeguard Pluform from cyber attacks, all Pluform servers have a Linux Iptables based Firewall. This means that Pluform checks all incoming network traffic and blocks it. The traffic can only pass if it has been classified as a reliable source for incoming HHTP- and HTTPs- traffic. The firewall is instructed to block cyber hat have as goal the unavailability of the application (Denial-of-service) or intentional delay of the application (throttle traffic).
Back-ups: Daily back-ups are made of the data that is put in the application. Each night, a back up is transferred to an offsite back-up server. This means that the data that has been shared in Pluform does not get lost when a problem occurs.
6. DEVELOPMENT AND MAINTENANCE
Pluform is continuously being monitored and developed. When we develop the application or do a security update, we do this safely. Our maintenance and development takes place through a DTAP-street (Development, Testing, Acceptance and Production). This means that all updates and new functions are put on a test server first, where they are tested and checked extensively by authorized people. Only when they approve, the update or new function goes to an acceptation – and production server. In this way, we can recognize safety or critical issues timely. The actual change to the application is only made when we are confident that it will not lead to problems in security or availability of the application.
7. WHAT CAN I DO?
At Pluform, we do everything we can to keep data as safe as possible. You, as user of Pluform, can do some things as well to work as safely as possible. We have some tips for you right here:
- Passwords: Naturally, you want to prevent that someone else has access to your account. Therefore, keep your password safe and never share it with other people. Make sure that the password is not easy to guess. Also, we recommend you not to log in automatically (that is, let your browser remember your password) because, if you lose your computer, smartphone or laptop, someone else may log in automatically to your profile and have access to all your information!
- Two-factor authentication (2FA): We recommend to use two-factor authentication in your profile (see section 3).
- Know your rights.
- Are you a coach? Inform your coachees about their privacy rights. Pluform does this already when the coachee logs in to Pluform for the first time. If you do this as well, you can be confident that your coachee knows his or her rights.
- Are you a coachee? Consider whether you have been informed well. If not, please contact your coach and ask questions.
- Do not collect unnecessary data. As a coach, you must always wonder if you do not collect more data than you need for this trajectory. Minimalize the amount of data that you collect, to minimalize the change of privacy issues.
Version 10 - 1 February 2021