Embracing GDPR

eloomi is 100% compliant with the EU’s General Data Protection Regulation (GDPR).

Plus, we’re audited and certified by Deloitte (ISAE 3402/3000, ISO 27001) on our hosting, IT security and change management processes.

Secure infrastructure & process

As a Software-as-a-Service provider, eloomi handles customers’ personal data. We take this act of trust immensely seriously. Consequently, we maintain and continuously invest in high security and data protection standards.

The eloomi infrastructure has been certified and is being audited to meet the most stringent requirements globally:

  • ISAE 3402 Type II Microsoft Azure hosting
  • ISAE 3000 eloomi Change Management and IT Policy

Every employee in eloomi knows our IT Policy, receives frequent training and has confidentiality clauses in their employment contract.

Password & SSO security

To keep user access safe, eloomi requires strong passwords that match industry standards and requirements. Unsuccessful attempts to log in result in the user account being suspended for a specific time. If the login attempts continue to fail for a specific number of attempts, the account is suspended; reactivating it then requires a manual administration procedure. In addition, authenticated user sessions expire when the user has been inactive for a specific number of minutes.

Single Sign On

Customers may use Single Sign On (SSO) which requires users to be authenticated via an identity provider. Other authentication tools or social login possibilities like Facebook, LinkedIn & Google can be used as well.

Personal data

eloomi handles personal data that is covered by the GDPR requirements. This data includes e.g. name, email, ID number and other unique identifiers.

No employees have access to confidential or personal data in applications and systems unless they are authorised personnel whose tasks and responsibilities require access.

Access permission including all temporary and durable access to IT tasks and job roles is the responsibility of and requires eloomi’s IT management approval.

Mandatory criteria for managing access rights and control via Access Control Lists comprise:

  • Overview of user roles and access profile
  • Process for adding, changing and revoking access rights

Access control is documented for all applications, IT systems and environments that give access to sensitive information or personal data.

The right to be forgotten

Users can be confident that their personal data is backed up in accordance with the GDPR principles of privacy by design and the right to be forgotten.

The right to be forgotten is a main pillar of the GDPR. This principle, which makes it possible to identify the location of personal data – either all company data or individual user data – and to delete or anonymise it, is incorporated in all systems and processes.

Audit logging

Another major change imposed by the GDPR is audit logging. To make sure eloomi and our customers are compliant with the regulation, our systems log who (users, admins, operators) is, for example, viewing and editing which data, and when. Unsuccessful user login attempts are also logged.

Audit logs are stored for 5 years in a safe place with restricted access.
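The “who did what, when” record described above, as an added example that is not eloomi’s code: a parser for a constructed audit-log format, an access-history query for a single personal-data record, a detector for repeated failed logins, and a retention-deadline calculation for the five-year storage period. The log line format, the sample entries and the function names are assumptions made for the illustration.

```python
"""Audit-log parsing and review helpers (illustrative, not eloomi's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines; the key=value layout is an assumption for this example.
SAMPLE_AUDIT_LOG = """\
2024-03-01T09:12:03Z actor=jane.admin role=admin action=view resource=user/1042 outcome=success
2024-03-01T09:12:41Z actor=jane.admin role=admin action=edit resource=user/1042 outcome=success
2024-03-01T09:15:10Z actor=bob.ops role=operator action=view resource=user/2077 outcome=success
2024-03-01T10:01:00Z actor=alice role=user action=login resource=- outcome=failure
2024-03-01T10:01:07Z actor=alice role=user action=login resource=- outcome=failure
2024-03-01T10:01:15Z actor=alice role=user action=login resource=- outcome=failure
2024-03-01T10:02:00Z actor=alice role=user action=login resource=- outcome=success
2024-03-01T11:30:22Z actor=carol role=user action=login resource=- outcome=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+) outcome=(?P<outcome>\S+)$"
)


def parse_audit_log(text):
    """Parse the log strictly: an unparseable line is an error, not something to skip silently."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line {n}: {line!r}")
        events.append(m.groupdict())
    return events


def data_access_history(events, resource):
    """Every view or edit of one personal-data record: who, what, and when."""
    return [
        (e["ts"], e["actor"], e["action"])
        for e in events
        if e["resource"] == resource and e["action"] in ("view", "edit")
    ]


def failed_login_bursts(events, threshold=3):
    """Accounts with at least `threshold` failed logins in the log, for operator review."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            counts[e["actor"]] += 1
    return sorted(actor for actor, c in counts.items() if c >= threshold)


def retention_expiry(ts, years=5):
    """Date (ISO, UTC) after which an entry written at `ts` may leave the retention store."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    try:
        end = dt.replace(year=dt.year + years)
    except ValueError:              # 29 February with no counterpart in the target year
        end = dt.replace(year=dt.year + years, day=28)
    return end.date().isoformat()


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(data_access_history(evs, "user/1042"))
    print(failed_login_bursts(evs))
    print(retention_expiry(evs[0]["ts"]))
```

The strict parser is deliberate: an audit trail that silently drops malformed lines cannot answer a subject-access request or an incident investigation with confidence, so a parse failure should surface as an alert rather than a gap.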

GDPR-certified

Stay in the know

If you need more information on privacy and data protection and how we maintain GDPR compliance, please get in touch with our data protection officer (DPO).


Experience eloomi

Let’s begin a conversation to learn how you can quickly onboard new employees and raise engagement rates
