Introduction
This document outlines the technical and organizational measures that Reveall, an Amsterdam-based tech company providing a product discovery platform for product teams, has implemented to comply with the General Data Protection Regulation (GDPR). This document is intended as an annex and complement to the Data Processing Agreement between Reveall and its customers.
Data Security
Protecting personal data is of utmost importance for Reveall, and we have implemented various technical and organizational measures to ensure that personal data is secure:
- Access Controls
Access to personal data is restricted to authorized personnel only (least privilege principle). We use a range of authentication methods, including passwords, two-factor authentication, and biometric authentication, to ensure that only authorized personnel can access personal data. Access to personal data is logged and monitored in real time, and we conduct regular audits to identify and address any potential vulnerabilities. We also review access rights regularly and adjust them in line with the least privilege principle.
- Encryption
Personal data is encrypted both in transit and at rest. We use industry-standard encryption technologies, such as Advanced Encryption Standard (AES) and Transport Layer Security (TLS), to ensure that personal data is protected from unauthorized access. Encryption keys are stored separately from the data, and strict access controls are in place to limit access to encryption keys.
Reveall's servers are hosted by Amazon Web Services (AWS) in Frankfurt, Germany. AWS is ISO 27001 certified and provides strong encryption capabilities, including server-side encryption and client-side encryption. Server-side encryption encrypts data at rest on the servers using AES-256 encryption. Client-side encryption encrypts data before it is sent to the server, ensuring that personal data is protected while in transit.
- Network Security
Reveall has implemented firewalls, intrusion detection and prevention systems, and other network security measures to prevent unauthorized access to personal data. We use state-of-the-art security technologies and continuously monitor our systems to detect and respond to security incidents.
- Backups
Personal data is regularly backed up to ensure that it can be recovered in the event of a system failure or other disaster. Backups are stored in a separate location from live data, and access controls are in place to ensure that only authorized personnel can access backup data.
- Physical Security
Reveall's data centers are physically secured, and access to the data centers is restricted to authorized personnel only. We work with reputable third-party data centers that have strong physical security measures in place, including 24/7 security personnel and video surveillance.
- Business Continuity
Reveall uses multiple availability zones to make sure that all underlying infrastructure of the application is set up redundantly with respect to hardware, power and network.
- Logging
Reveall logs all API/HTTP(S) requests to the Reveall application for 90 days.
- DDoS Protection
Our infrastructure mitigates and absorbs all Layer 4 and below (D)DoS attacks, with protection provided via Cloudflare.
- Secure Coding
Our employees are required to take measures to prevent the OWASP Top 10 vulnerabilities and to otherwise implement secure development practices. The production and staging environments of Reveall are separated to make sure that customer data is not used for testing.
- Information Security Policies
Reveall has implemented information security policies that cover topics such as reporting of security incidents, password strength, confidentiality requirements for employees, encryption of employee devices and more. All employee devices are encrypted and protected from malware through Bitdefender, in line with corporate policy.
Data Processing
Reveall processes personal data on behalf of its customers and has implemented the following technical and organizational measures to ensure that personal data is processed in compliance with GDPR:
- Data Minimization
Reveall only processes personal data that is necessary for the provision of its product discovery platform. Personal data is not processed for any other purpose. We regularly review the personal data we process to ensure that we are only processing what is necessary.
- Data Retention
The Reveall application gives customers full control over the retention of personal data through the application itself. This allows customers to retain the data that is necessary for the purposes that they are processing the personal data for and to delete other personal data that they are required to delete under the GDPR. Upon request, custom automation processes for deletion can be set up, free of charge.
- Data Subject Rights
Reveall has implemented processes to enable data subjects to exercise their rights under GDPR, including the right to access, rectify, and delete their personal data. Our customers can easily manage data subject requests through our platform.
- Subprocessors
Reveall has entered into agreements with its subprocessors that require them to comply with GDPR and to implement appropriate technical and organizational measures to protect personal data. We only work with subprocessors that meet our high standards for data protection.
- Data Protection Impact Assessment
Reveall has conducted a Data Protection Impact Assessment (DPIA) to identify and mitigate risks associated with processing personal data. We regularly review and update our DPIA to ensure that it remains relevant and up to date.
- Staff Training
All Reveall employees who handle personal data receive training on GDPR and data protection best practices. Our employees are trained to handle personal data securely and to recognize and respond to potential security incidents.
- Incident Response
Reveall has implemented an incident response plan that includes requirements for employees to report incidents, the designation of a response team, and a requirement to inform customers about information security incidents in accordance with our DPAs.
Conclusion
Reveall takes the security of personal data seriously and has implemented a range of technical and organizational measures to ensure that personal data is protected in compliance with GDPR. Our customers can be confident that their personal data is secure when using our product discovery platform. If you have any questions about our technical and organizational measures, please contact us at dpo@reveall.co.