IT Security - eloomi IT Security & GDPR Compliance

Embracing GDPR

eloomi is 100% compliant with EU’s Global Data Protection Regulation (GDPR).

Plus, we’re audited and certified by Deloitte with ISAE 3402/3000/ISO27001 on both hosting, IT security and change management processes.

Secure infrastructure & process

Being a Software-as-a-Service, eloomi is handling customers’ personal data. We take this act of trust immensely serious. Consequently, we maintain and continuously invest in high security and data protection standards

The eloomi infrastructure has been certified and is being audited to meet the most stringent requirements globally:

ISAE 3402 Type II Microsoft Azure hosting
ISAE 3000 eloomi Change Management and IT Policy

Every employee in eloomi knows our IT Policy, get frequent training and has confidentiality clauses in their employment contracts.

Password & SSO security

To keep the user access safe, eloomi enforces 2 factor authentification, where possible and requires strong passwords that match industry standards and requirements. Unsuccessful attempts to login will result in the user account being suspended for a specific time. If the login attempts continue to fail for a specific number of attempts the account will be suspended. Reactivation of the account then requires a manual administration procedure. In addition, user sessions, which are authenticated, expire when the user has been inactive for a specific number of minutes.

Single Sign On

Customers may use Single Sign On (SSO) which requires users to be authenticated via an identity provider. Other authentication tools or social login possibilities like Facebook, LinkedIn & Google can be used as well.

Personal DATA

eloomi handles personal data that is covered by the GDPR requirements. This data includes e.g. name, email, ID number and other unique identifiers.

No employees have access to confidential or personal data in applications and systems unless they are authorised personnel whose tasks and responsibilities require access.

Access permission including all temporary and durable access to IT tasks and job roles is the responsibility of and requires eloomi’s IT management approval.

Mandatory criteria for managing access rights and control via Access Control Lists comprise:

Overview of user roles and access profile
Process for adding, changing and revoking access rights

The access control is documented for all applications, it systems and environments giving access to sensitive information or personal data.

The right to be forgotten

Users can be confident that their personal data has been backed up in accordance with GDPR principles of privacy by design and the right to be forgotten.

The right to be forgotten is a main pillar in GDPR. This principle, which makes it possible to identify the location of personal data – either all company data or individual user data – and to delete or anonymise it, is incorporated in all systems and processes.

It is possible to choose how long it will take before deleted users are anonymised. By default, deleted users are automatically anonymised after 72 months.

Audit logging

Another major change imposed by the GDPR is the audit logging. To make sure eloomi and our customers are compliant with the regulation our systems are logging who (users, admins, operators) are e.G. Viewing and editing which data and when. Unsuccessful user login attempts are also logged.

Audit logs are stored for 5 years in a safe place with restricted access.

Stay in the know

If you need more information on privacy and data protection and how we maintain GDPR compliance, please get in touch with our data protection officer (dpo)

Experience eloomi

Let’s begin a conversation to learn how you can quickly onboard new employees and raise engagement rates