Privacy and Security

Privacy & security

Privacy and security have organizational and technical aspects. For an organization it’s important to work on a “need-to-know” basis, users should only have access to parts of OpenStudio they need for their function. Technically, we implement security measures that are an effective mix between state of the art and being reasonable.
Implementing careful handling of personal data when setting up your workflows and using technical measures, is called privacy by design. During the development of products and services attention should already be given to privacy.

One thing to keep in mind is that your login information, especially if you have administrative privileges, is very sensitive information and shouldn’t be shared with anyone, ever. Even the best secured bank vault can be opened with the right key.

You are always the owner of your data

All data entered into OpenStudio will be yours, we only process data and make it available where needed. Your data is only used to improve OpenStudio and to make OpenStudio available to you. In no case will your data be sold and without your permission we will never contact your clients.

GDPR

Starting from the 25th of May 2018, the GDPR is being enforced. Important principles here are;

  1. Only store information that is required to run your business. Don’t save data that “might be useful… someday… maybe”.
  2. Inform your customers and employees in a clear and concise way about which data is processed for what reasons.
  3. Take fitting measures to ensure privacy and data security. This applies to all data, not just data stored in OpenStudio. For example, delete exports that are no longer needed and physically secure printed printed versions.

Legally, we are the Processor of the data and the customer of OpenStudio (you) are the Controller. We only process data by order of you. For customers within the EU, we will have to sign a processing agreement in case you use our standard hosting plan. This agreement will contain details about how privacy will be maintained and list measures to take in the unfortunate event of a data breach.

Using this processing agreement you can demonstrate a sincere effort to maintain privacy of your clients’ data.

Technical measures

“Working in the cloud” means that there is a server connected to the internet, so you can access your application anywhere you have an internet connection.

Your data is secured using at least the following measures,

  • HTTPS connections to encrypt communications for hosted applications.
  • A firewall, configured and active to allow only traffic required for system administration and the functioning of the hosted applications.
  • Use different files and databases for each application, to prevent customers from seeing data of other customers.
  • Daily off-site backups
  • Hosted in a data center in the Netherlands with various certifications for reliable and secure services.
  • A role based access control system allows fine grained control over who can do what in OpenStudio.
  • Save uploaded files using UUID names, to greatly reduce the chance of guessing filenames
  • Passwords are stored hashed
  • Check important operating system files regularly for unauthorized changes
  • Sessions are stored server side to prevent cookie tampering. 1 Cookie is used to link the user to a session, this cookie uses UUID to greatly reduce the chance of session hijacking.