GDPR-summary

How we live up to IT-security.

Heyloyalty GDPR-summary

As a Heyloyalty customer, this GDPR-summary provides you with documentation that we, as your supplier and partner, meet the agreed requirements regarding IT-security.

This GDPR-summary is an expression of quality, security and safety, as we guarantee and document to our customers, with this documentation, that we have control over our operations, quality, security, preparedness, competencies and processes.

Scope of this description

Heyloyalty ApS is a supplier of an email and marketing automation system that helps our customers with cost-effective, tailored solutions, which, among other things, via marketing automation, machine learning and automatic triggers, can help to strengthen customers’ sales and retention of their customers and newsletter recipients via the production of personalized newsletters and SMS messages, as well as re-targeting via Facebook and Instagram.

As a supplier, Heyloyalty is responsible for establishing and maintaining appropriate procedures and controls to find and prevent errors, in order to comply with the requirements set out in this agreement. The core activity is the operation, development and maintenance of the Heyloyalty system, which together form the basis for this summary.

Description of Heyloyalty ApS

Heyloyalty ApS was founded in 2002 by CEO and Partner Nicolaj Balle Ladiges and we mainly serve small and medium-sized Danish companies. We are the supplier of our self-developed system Heyloyalty and provide development, service and support to users of the system. Our employees are competent, experienced, trustworthy and are highly committed to serving each individual customer, which creates security and safety in choosing Heyloyalty as a business partner.

Business strategy and IT-security strategy

Total supplier: Our overall goal is to be the e-commerce industry’s preferred choice within marketing automation systems. Heyloyalty’s system delivers, among other things, the following functions:

  • Dynamic, personalized emails
  • Newsletter production via individual Product Feeds – styled according to individual preferences
  • Triggers, automatic email delivery based on specific criteria
  • Abandoned cart triggers
  • Winback triggers
  • Drag & Drop editor for designing email templates
  • Retargeting on Facebook, LinkedIn and Instagram
  • Webpush messages/notifications via browser to visitors on customers’ website (with the option to pair with customers’ existing contacts)

Heyloyalty ApS works with IT-security at a business strategic level and continuously works to ensure a high level of service and quality. Through the security policy, management prioritizes that IT-security is an important part of the corporate culture. Heyloyalty has implemented relevant security measures within the following areas:

  • Organizational security
  • Technical and Physical security
  • Access control
  • Operational reliability
  • Information security in the event of emergency and re-establishment of operations
  • Communication security

Heyloyalty ApS – organization of IT-security

At Heyloyalty, part of the Arnsbo Group, there is a clear division of the organization regarding IT-security responsibility, with associated role descriptions regarding system access. The Executive Board has the main responsibility for IT-security in Heyloyalty ApS, while the system manager is responsible for day-to-day IT-security.

All employees are kept up to date with changes in the IT-security policy.

When using external partners, collaboration agreements and data processing agreements are drawn up before work begins. We have a non-hierarchical organization, with a short path from decision to action, and where employees are engaged in both developing the system and serving our customers, which helps create a deep knowledge of the Heyloyalty system and a unique relationship between us and the customers.

Risk management

Risks arising from Heyloyalty ApS’ activities are identified and limited at such a level that Heyloyalty ApS will always be able to maintain normal operations. Heyloyalty ApS has incorporated a fixed procedure for risk assessment when developing the Heyloyalty system, which includes thorough pre-release testing by an impartial developer and a system test by a supporter. This ensures that the risks associated with the system and associated services are minimized to an acceptable level.

All development takes into account the motto “Privacy by design & Privacy by default”, which all employees are trained in. Furthermore, “Process Excellent” has been introduced for customer support. The work process around IT-security is a continuous and dynamic process, which ensures that Heyloyalty ApS is always in accordance with customer requirements and needs.

Handling of IT-security

Management has the overall responsibility for IT-security, by ensuring that the overall framework and requirements for IT-security are in compliance. The IT-security policy must be reviewed and revised at least once a year. The IT-security policy applies to all employees and to all deliveries to our customers. In the event of errors or security breaches in our operation environment, the error/security failure is rectified immediately with the help of effective action, described in the emergency management/plan. The IT-security policy is, among other things, defined on the basis of the objective that the Heyloyalty system delivers stable and secure operations to customers and sets the basic policies for Heyloyalty’s infrastructure.

HR, employees and training

All employees at Heyloyalty must live up to the role assigned to them and must ensure that procedures are followed in accordance with the IT-security policy. At Heyloyalty, it is an absolute top priority that customer data and thus our business is taken care of. Role-based access control ensures that only relevant employees have access to specific customer data. Furthermore, all employees have signed a confidentiality agreement and received training in the applicable IT-security policy upon employment at Heyloyalty ApS.

The employees are regarded as Heyloyalty’s most important assets and we use, among other things, personal profile analyses in connection with onboarding, to ensure that the employees have the correct qualifications and approach to the delivery of Heyloyalty services. Via product training and weekly reviews of development tasks, Heyloyalty maintains the employees’ knowledge and security level in relation to the Heyloyalty system.

Physical security

Heyloyalty ApS’ servers are located at Team.Blue, with a disaster backup at an external location. Heyloyalty’s office is always locked outside regular working hours (weekdays 8-17), and the security alarm is always switched on when there are no employees present. The office is equipped with a fireproof, locked room in which all employees’ computers are stored outside working hours. Additionally, we focus on ensuring that all our subcontractors can be placed within the EU, in order to achieve full GDPR-compliance.

User management/access security

Users of the Heyloyalty system are only created based upon our customers’ request. Our own users are created based on authorization from the system owner. User rights are defined based on different roles and rights. Users’ passwords are personal and only the user themselves knows the password. The individual user has the option to reset their password and generate a new one. Users only have access to their own information. The Heyloyalty system has a built-in log of all creations/updates and deletions. There is also a log of unauthorized access attempts. Heyloyalty’s employees in the support and development departments have access to all customers’ information, but only access the customer’s information for support purposes by prior agreement.

Monitoring and management of IT-security incidents

Heyloyalty ApS has drawn up a formal and fixed procedure for managing emergency planning; this includes IT-systems and processes. All critical system security is supervised via OpsGenie, which is a flexible platform for incident and alarm management that integrates with various monitoring tables to improve operational reliability and flexibility.

A contingency plan has been established and everyone associated with the contingency system has installed the App that ensures immediate notification in the event of an alarm, so that if a critical error is detected, an alarm is immediately sent to the two responsible persons on duty, via text message. All security incidents are documented in an activity list. Goals have been set for the recovery time and there is a procedure for escalation, culminating in the CEO being involved. After the security incident, retrospective meetings are held for analysis and security assessment of the incident.

Backup tasks are managed by Inventio.IT, which ensures that Heyloyalty ApS’ customers’ data can be recreated quickly and accurately, so that customers avoid unnecessary downtime. Furthermore, Inventio.IT ensures that cross-backups of all data are brought into another physical server room.

Communication security

Our internet provider is Nianet, and a 200 Mbps fiber connection and a 200 Mbps Flatrate internet agreement with an SLA – Business Agreement (Service Level Agreement) have been installed. We are protected against ransomware with antivirus, spam filter and restrictions on what users are able to do in the systems. If Heyloyalty ApS’ customers should be affected by ransomware, we have ensured a quick recovery time with regular backups.

Customer’s responsibility

In relation to the individual customer’s user and access to the Heyloyalty system, Heyloyalty ApS is not responsible for the allocation of access rights, including allocation, amendment and termination. The customer is obliged to ensure necessary controls in connection with the creation of own users, handling the security of passwords in relation to the prescribed guidelines and role descriptions/accesses. The customer is responsible for their own information and the collection of contact information (the customer’s customers) and that the necessary legal basis for the data collection exists.

Dedicated Personal Data Competencies

At Heyloyalty ApS, it is not a requirement that a Data Protection Officer (DPO) must be appointed, as the processing of personal data is not our core activity. However, we have chosen to appoint a GDPA with responsibility corresponding to a DPO (GDPA stands for General Data Protection Administrator). The GDPA is carefully selected, and the person is appointed for a minimum of 2 years at a time and is a dedicated personal data administrator who strengthens our credibility and integrity, as well as knowledge in the area. The GDPA functions as a data protection advisor/personal data administrator, i.e. is a form of internal data protection ombudsman in Heyloyalty ApS.

This person is involved in all questions about data protection and advises on data protection regulations and ensures that personal data is processed in accordance with applicable regulations both internally and on behalf of our customers.

Questions?

If you have questions about the above or GDPR in general, you are, as always, very welcome to contact us.

Last updated: May 2022
