All the tools listed below are monitored closely by the Privacy Officer. Each one is assigned to a special configurator role who is responsible for managing access and user accounts. All tools are also reviewed once a year by the Software Toolset & Suppliers role, who determines how much we still use and need the tool and whether incidents occurred that could impact our decision to continue working with them. We’ve signed DPAs with all tools.
Amazon Web Services
Amazon Web Services is a public cloud platform. We use it to host our database and all images on Springest. Servers are located in the EU. All data on the AWS servers is encrypted. AWS has enforced 2-factor authentication. It was reviewed last March and was found very satisfactory. No security incidents occurred in the past year.
AppSignal is made by an Amsterdam start-up we know very well. It’s a tool to monitor performance and uptime of applications. Our developers mainly use this tool for bug hunting. The servers are located in the EU. No incidents occurred in the past year. We mostly share database IDs. Very occasionally, personal data may be forwarded to this tool; it is deleted automatically within 60 days. This data can consist of all data that is on our database, depending on what tool is debugged. The tool was reviewed last March and was found satisfactory.
We use Jotform to create custom web forms on Springest. Personal data shared with Jotform is "First name, last name, email, job title, IP address". Jotform uses the HTTPS protocol so the data in transfer is encrypted. Its servers are located in the EU. Jotform deletes its backups after 30 days. The tool was reviewed last March and was found satisfactory. Data in transfer is encrypted, not at rest.
We use Sendgrid to send emails from our platform. The servers are located in the US. Standard Contractual Clauses for data transfer are part of the Data Processing Agreement between Springest and Sendgrid. The tool was reviewed last March and was found satisfactory. After a product update in 2019 we drastically minimised the amount of user data that is shared with Sendgrid. Now we only share the minimum required personal data, which is the sender and receiver of the email plus minimal personal data shared in the body of the email, which only occurs if the booker entered another contact person for booking, and/or another contact person for payment. Data in transfer is encrypted, not at rest.
Google Suite offers us many productivity tools; we mainly use it for Google Calendar, Google Drive and Gmail. Servers are located in the US. Standard Contractual Clauses for data transfer are part of the Data Processing Agreement between Springest and Google Suite. It offers 2-factor authentication. No incidents occurred in the past year. We are investigating the possibility of setting up EU hosting for Google Suite in the near future. Although the primary service offered by Google Suite is not aimed at processing user data, we monitor and treat it as a subprocessor because personal data is stored on our drive and is processed by Gmail more than occasionally.
Help Scout is our CRM system. Servers are located in the US (in HIPAA compliant, multi-tenant datastores in Amazon Web Services-controlled data centers, protected under a signed BAA with AWS). Standard Contractual Clauses for data transfer are part of the Data Processing Agreement between Help Scout and Springest. Accounts that are inactive for more than four years are deleted every quarter. Personal user data that is processed by Help Scout includes: first name, last name, email, phone number. Personal data is only processed when users contact us or when we contact users. Data in transfer is encrypted, not at rest.