eloomi is 100% compliant with EU’s General Data Protection Regulation (GDPR).
Plus, we are audited and certified by Deloitte with ISAE 3402/3000/ISO27001 on hosting, IT security and change management processes.
Secure infrastructure & process
Being a Software-as-a-Service, eloomi handles customers’ personal data. We take this act of trust immensely seriously. Consequently, we maintain and continuously invest in high security and data protection standards.
The eloomi infrastructure has been certified and is being audited to meet the most stringent requirements globally:
- ISAE 3402 Type II Microsoft Azure hosting
- ISAE 3000 eloomi Change Management and IT Policy
Every employee in eloomi knows our IT Policy, receives frequent training and has confidentiality clauses in their employment contract.
Password & SSO security
Single Sign On
Customers may use Single Sign On (SSO) which requires users to be authenticated via an identity provider. Other authentication tools or social login possibilities like Facebook, LinkedIn & Google can be used as well.
eloomi handles personal data that is covered by the GDPR requirements. This data includes e.g. name, email, ID number and other unique identifiers.
No employees have access to confidential or personal data in applications and systems unless they are authorised personnel whose tasks and responsibilities require access.
Granting access permissions, including all temporary and permanent access tied to IT tasks and job roles, is the responsibility of eloomi’s IT management and requires its approval.
Mandatory criteria for managing access rights and control via Access Control Lists comprise:
- Overview of user roles and access profile
- Process for adding, changing and revoking access rights
Access control is documented for all applications, IT systems and environments that give access to sensitive information or personal data.
The right to be forgotten
Users can be confident that their personal data has been backed up in accordance with GDPR principles of privacy by design and the right to be forgotten.
The right to be forgotten is a main pillar in GDPR. This principle, which makes it possible to identify the location of personal data – either all company data or individual user data – and to delete or anonymise it, is incorporated in all systems and processes.
It is possible to choose how long it will take before deleted users are anonymised. By default, deleted users are automatically anonymised after 72 months.
Another major change imposed by the GDPR is audit logging. To make sure eloomi and our customers are compliant with the regulation, our systems log who (users, admins, operators) is, for example, viewing and editing which data and when. Unsuccessful user login attempts are also logged.
Audit logs are stored for 5 years in a safe place with restricted access.
IT security & infrastructure
IT security is one of our top priorities for our customers and we take pride in our security infrastructure.
Take a further look into our commitment and prioritisation of IT Security, infrastructure and compliance by viewing our audit reports and internal security policy.
Stay in the know
If you need more information on privacy and data protection and how we maintain GDPR compliance, please get in touch with our data protection officer (DPO).
Let’s begin a conversation to learn how you can quickly onboard new employees and raise engagement rates.