May 12, 2020 – Tech

GDPR and How We Handle Your Data – GatewayAPI is ISAE 3000 Certified

We understand that it is of the utmost importance to know that your company’s data is being handled professionally. To give you an insight into how we make sure that our processes are up to code, our in-house GDPR-specialist, Dennis Grade, has written a detailed account of how we handle your data.   

Have you ever asked yourself whether you can truly trust another entity with your company’s data? With a new focus on protecting individuals’ rights and privacy (in regard to personal data), a lot of confusion, misinformation, and uncertainty about whether a data processor is actually protecting your data or not – and whether a data processor can be trusted – has arisen. 

So how do you make sure that your data is protected? On what basis can you trust a company with your data or the data of your clients? How can you be sure that your data processor is qualified to ensure data protection?

ISAE 3000 certification

At GatewayAPI, we are constantly improving our data protection, both in regard to securing the data that is shared with us, as well as complying with the laws and regulations on data protection, but we didn’t have an official certification to show for our efforts.

Therefore, we have worked tirelessly over the last 8 months to achieve an ISAE 3000 certification (comparable to an SOC 2 Report). An independent third party – a state-certified company auditor – has controlled and certified our security measures, our compliance, and more (for a full list of certified areas, please contact gdpr@onlinecity.dk).

The report clarifies that we have implemented security measures and that those measures work efficiently. The report is also useful to you when it comes to assessing our compliance with your instructions and the data processing agreement that we have entered into with you.

Rock-solid security measures

The list of security measures is long, as is the report and the documents that make up the basis for this report. Although we cannot explain everything in this blog post, we would still like to give you an overview of our security measures.

We have set up the following security measures:

Technical security measures:

    • Data Centres in EU (Tier 4)
    • Password-protected login
    • Antivirus and Firewall protection
    • Strong encryption at transmission and rest
    • Backup measures
    • Automated anonymisation of personal data (SMS content and receiving phone number) after 30 days
    • Hashing and salting of sensitive data
    • High quality software and hardware

Organisational measures:

  • Securing guarantees for data protection with new suppliers and sub-processors
  • Securing that data processing by suppliers outside of the EU/EEA is covered by the EU-US Privacy Shield Framework
  • Contractually binding obligations are agreed with our suppliers, sub-processors, and other affiliates via data processing agreements, standard contractual clauses, confidentiality agreements etc.
  • Regular checkups of our suppliers level of IT-security and compliance with data processing standards and/or ISAE 3000/SOC 2 Reports
  • Separation of functions in authorisation level of employees, meaning that we only give access to personal data to employees with relevant functions for work-specific purposes
  • Secure storage of data storage media
  • Systems and buildings related to data processing are secured and safe
  • Awareness training of employees
  • Regularly updated guidelines, processes, and policies that are provided to employees, which ensure compliance with relevant law and effectiveness of our security measures. For more information, on our front page under the sign up box you can find:
    • our cookie policy
    • our personal data policy
    • our revised terms & conditions
  • Confidentiality agreements are entered into with all employees
  • Personally identifiable information is used, solely on behalf of the data controller and on their direct instructions, and is never used for marketing purposes or commercial use, neither sold to any third party
  • Risk assessments to help us better understand the risks we potentially face, in order to set up security measures to decrease the level of risk

Other measures:

  • A compliance specialist in charge of GDPR-matters, ISAE 3000, etc.
  • An IT-security council in charge of maintaining and evolving the IT-security measures and potential breaches of personal data security and IT-security incidents

The list above is our current security measures. We will continue to review and improve them to ensure your Company’s data is safe with GatewayAPI.

Global SMS Gateway

We have made it simple to implement SMS services into your business by offering some of the lowest prices in the world as well as easy integration, world-class customer support, an intuitive interface and a rock-solid uptime of 99.99%. If you don’t have an account yet, you can create a FREE account in less than two minutes here: Go to GatewayAPI or contact sales@gatewayapi.com

This article is written by our compliance specialist. If you have any questions, comments or issues regarding IT-security, data protection, etc, feel free to contact him at gdpr@gatewayapi.com.