GDPR
Data protection is and remains a top priority for Connective.
Learn more about the initiatives we take to protect your personal data.
Data Protection is embedded in Connective’s DNA
It is our mission to keep your (personal) data safe and secure at all times. For years now, our customers have entrusted us with their confidential information, and it is up to us to prove we are worthy of your trust. Throughout the years we have invested in data protection on several levels within our organization. Take a look at the most important efforts we have made.
Connective’s DPO Office
In 2017 Connective’s DPO Office was born to further structure our roadmap on data protection. Technical, legal and operational stakeholders have been involved from the beginning to make sure we have a 360° approach to protecting your data. Our internal stakeholders are certified as “Data Protection Officer” by the Data Protection Institute and are continuously trained on evolutions in the privacy landscape.
Data protection management
We implemented OneTrust Privacy Management Software enabling us to identify and monitor all relevant matters on data protection throughout our company. Processing activities are logged, vendors and suppliers are assessed before engagement, incidents are monitored and much more.
Security and compliance
We are continuously improving and updating our security measures, on a technical and organizational level. If you want to know more, our TOM Statement clearly identifies what kind of security we offer.
Our efforts on this level have also resulted in the numerous certifications we hold, which are renewed on a (bi)yearly basis.
Data protection awareness
As a company we are as strong as our people. This is why awareness is key. Each employee at Connective has their own data protection training schedule, tailor-made to their roles and responsibilities within our organization. They are trained on several matters related to data protection, based on their daily activities. From our developers and support team to Marketing and HR, they all know what data protection is about.
Transparent data breach procedure
In the event of a data breach, we have strict procedures to follow in order to be fully transparent towards you as a data controller and to enable all stakeholders involved to comply with the applicable legislation. As a customer you will be notified without undue delay of the circumstances and receive timely updates on the matter.
Data processing agreement
Each client is requested to sign a Data Processing Agreement before starting to use our services. It includes more detailed agreements on your specific use case and enables both you as a data controller and Connective as data processor to comply with article 28 of the GDPR.
Solutions developed with data protection at the core
Whenever we develop new features or functionalities to enhance our solutions, we strive to find the least privacy-intrusive way of doing so. Data Protection by Design and Default is implemented within our development process, as we truly believe that processing as little data as possible, without compromising on legal validity or user experience, is key for future-proof technology. And this is not an empty promise. For example, we developed the following features:
- Data Minimization
Minimizing data retention to a strict minimum via auto-deletion scripts making it possible to delete documents as soon as they are signed
- Flexible hosting or on-premise
Offering on-premise or (private) cloud installations for clients wishing to have as much control as possible over their own data
- Data subject access requests
Streamlining data subject access requests by implementing a DSAR procedure publicly available for all users of our solutions
- Transparency
Increasing transparency towards data subjects by providing convenient ways for our clients to upload and present their privacy policy in our tool
Data Protection FAQs
When offering our services Connective is generally considered as a data processor. This is why you will be requested to sign a Data Processing Agreement.
Connective’s services are by default hosted by Microsoft Azure in co-location facilities in Europe. The data centers we rely on are located in The Netherlands (Amsterdam) and Ireland (Dublin).
Connective engages different sub-processors when offering its services. Such sub-processors are involved to make available specific functionalities or services included within our solutions. More details and identification of the sub-processors involved (including the procedure which applies when a new sub-processor is engaged by Connective) are available via our Trust Center here: https://connective.eu/nl/over-ons/trust-center/sub-processors/.
Depending on the service you use, different retention periods of personal data might apply. For a more detailed overview, we refer to our Trust Center: https://connective.eu/about/trust-center/processing-of-personal-data/.
The retention period of the uploaded documents depends on the configuration you have chosen for your Connective eSignatures environment and on how the individual users are using the solution. We advise our clients to make sure the documents uploaded for signing are deleted as soon as the document is signed (or after a specific period of time if they were not signed). This can be achieved by configuring auto-deletion or via manual functionalities within Connective eSignatures. Such configuration is aligned with the principle of data minimization and reduces the risk of processing.
Connective continuously improves the technical and organizational measures it has implemented to ensure a level of security appropriate to the risk when processing personal data. A detailed description of these measures is set out in our TOM Statement, available here, and the certifications we have obtained are listed in the compliance section of our Trust Center.
In our experience, data subjects will mostly contact the data controller directly when they wish to exercise their rights (and Connective acts in general as data processor when offering its services). However, if we do receive a request from a data subject, we will identify such data subject as soon as possible and inform the relevant data controller without undue delay. Our solutions include different functionalities which enable data controllers to follow up on the request from the data subject. Additionally, our DPO Office is at your disposal in case of any additional questions.
As our client, you will be informed without undue delay in case of a data breach. Connective has implemented a data breach procedure, which ensures a prompt follow-up should these circumstances occur.