Security

This highlight and sets out the minimum-security requirements that AskCody and its sub-processors will adhere to in relation to the processing of personal data.

Minimum security requirements

AskCody, as the Data Processor shall ensure by itself, and on behalf of all its Sub-processors, that AskCody, as the the Data Processor always complies with the following minimum-security requirements:

Availability

AskCody leverages the Microsoft Azure platform, and all implemented security features available on Microsoft Azure.

As such AskCody has security features in place including but not limited to firewall, DDOS protection, Antimalware protection, anomaly detection on server behavior and anti-virus.

Further, AskCody has access restrictions implemented throughout the platform in terms of authenticating both users and applications access to services which interact with data.

AskCody monitors every service and has alarm systems in place if anything out of the ordinary occurs, and continuously evaluates the measures in place based on the implemented Information Security Policy.

Integrity

Every application in AskCody's services has logging services implemented, which record all operations on the data.

Services have both audit logs and application logs, logging historical events.

Further access to manipulating data is restricted to specific user roles and hence governed by managed access in the form of both implemented systems and organizational structures, preventing unintended and/or malicious or accidental access to data.

Being a multi-tenant environment and SaaS application AskCody's data architecture ensure the integrity and isolation of Customer's data by separating data logically based on UUIDs so customer data are separated logically and secured from other customers. Each customer therefore shares the cloud platform and application, but each tenant’s data is isolated and remains invisible to other tenants.

Confidentiality

AskCody leverages different technologies in terms of securing data, depending on the nature of the data. All databases are encrypted. Data stored in the database is further encrypted using industry-standard encryption algorithms.

Extremely sensitive data such as Exchange Credentials for Basic Auth are secured by an encryption service, using Microsoft Key Vault and Hardware Secured Modules. 

AskCody has confidentiality agreements with all employees and all AskCody employees are required to use two-factor authentication and strong passwords that are unique from other services.

Furthermore, AskCody maintains automatic access and security logs in multiple locations.

Customer data access is governed by our documented security policies and limited to a small set of employees as required for support and maintenance. Access is further limited to a small whitelist of IP addresses via VPN and requires public key authentication.

Individual employee access follows a principle of least access, and access rights are reviewed quarterly.

Encryption

At rest:

All data at rest are encrypted using best practice encryption algorithms or AES 256.

Public Key: AES-256

Private Key: RSA2048

All backup data is encrypted using TLS+1.2.

In motion:

All data in motion is encrypted using TLS 1.2+ and encrypted at rest using best practice encryption algorithms (AES-256)

Transparency

AskCody has a DPA in place for all Sub-processors. This DPA requires all the Sub-processors to comply with the EU Model Clauses and GDPR. An updated list of all third party and providers is available at www.askcody.com. Customers may request that AskCody audit third-party providers / sub-processors, or provide confirmation that such an audit has occurred, or, where available, obtain or assist the customers in obtaining a third-party audit report concerning the sub-processors operations, to ensure compliance with applicable data protection laws. Customers will also be entitled, upon written request, to receive copies of the relevant terms of AskCody's agreement with Sub-processors that may process personal data

Isolation (purpose limitation)

AskCody has implemented user roles granting access to individual parts of the system. This includes employees managing the product, and employees at AskCody maintaining the product. Authorization to any given data is granted only if the user has access to said data, as such personal data can only be accessed by either a person with adequate roles (Customer Owner, Administrator etc.) or AskCody employees with special work tasks. This includes employees in Support, in order to give meaningful support and some developers for advanced support or development.

To administrate this privileged access, organizational structures are in place to govern who is granted access to what in accordance with our Information Security Policy.

Intervenability

All Personal Data in the AskCody platform is based on the integration with either Microsoft Exchange or Active Directory. Both systems are systems and platforms, that Customers fully manages themselves, therefore having the full ability to access, rectify, delete, block and manage the processing of personal data.  Full access to all data types and data subjects is therefore controlled by the Customer.

Portability

AskCody supports export of data in CSV.

Accountability

AskCody has audit logs on all applications as well as application logs detailing what the application has done. Further, access to any services, such as specific Microsoft Azure Services or AskCody administration features, has been granted based on organizational investigations. As such only the relevant and required amount of people have access to any given service.

Data retention and deletion

AskCody stores all data with redundancy on Microsoft Azure. Our databases support point-in-time backups to the minute, with 31-day retention. All data is stored digitally and as such can easily be deleted or moved.

It is AskCody’s responsibility to permanently destroy the Customer Data upon Customer’s request, with special emphasis on destroying all data in scope in all locations and provide a written certification of the destruction. AskCody shall at its own discretion determine data destruction schedules but shall wherever possible perform such destruction in accordance with Customers' requested timetable. Supplier shall have the obligation to wipe persistent media used for storing Customers Data or secure deletion of Customers Data with related techniques before it is released into re-use.

Due to AskCody being built as a generic SaaS solution on Azure, AskCody doesn’t have physical access to wipe and destroy media used for Customer data on Azure.

For customer-specific data, we will manually remove all identifying calendar data associated with your account from our database. Derivate anonymized data (i.e. "Total events booked on a platform this month") will not be removed, as it cannot be linked back to source data. User accounts associated with your organization may also be removed on request.

When subscriptions end, Customer Data will be available on the backup to the maximum of 1 month (30 days) after which time the data will be completely unobtainable. All backup data is encrypted using TLS+1.2.

Resilience of systems

All AskCody services operate on a redundant server setup on Microsoft Azure. For European customers and users, the primary server cluster is Europe NORTH and our secondary backup is Europe WEST. For customers in North and South America, the primary server cluster is East US and our secondary backup is West US.

The availability of this system is guaranteed through the Microsoft Azure Cloud.