General Data Protection Regulation (GDPR)

SECURITY

Effective Date: May, 2018

The new regulation requires both the controller and the controller to be able to implement appropriate technical and organizational measures to ensure an adequate level of security in relation to the risks involved in the processing and the nature of the personal data to be protected. In addition, not only appropriate measures must be taken but accredited at any time.

Among the security measures proposed by the new regulation are:

  • The pseudonymization and encryption of personal data to prevent or irreversibly prevent the identification of those affected.
  • The ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services.
  • The ability to restore availability and access to personal data quickly in case of a physical or technical incident.
  •  A process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of treatment.

1. Encryption measures

2. Guarantees of treatment systems and services.

Nextinit is 100% hosted on Google’s infrastructure: Google Cloud Platform and how we can ensure the confidentiality, integrity, availability and permanent resilience of our systems and treatment services because they are the same as Google’s.

The Google security model is a comprehensive process built on the 15 years the company has been protecting the security of its customers in applications such as Gmail, Search and many more. In the Google Cloud Platform, our application, nextinit, and the data it hosts enjoy the benefits of this same security model. For more information on the Google security model, we recommend reading the following document:

Google is committed to fulfilling its share of responsibility in maintaining the security of the projects they host, but it is a shared responsibility. To achieve this, we offer several functions, which are detailed below.

13. Operating system and application patches

Google is responsible for maintaining the security and patches of operating system hosting environments.

14. User administration and credentials in infrastructure

The Google Cloud Platform allows us to set user permissions on the project so that team members can have access with minimal privileges.

15. User administration and credentials in the application

Nextinit allows you to define several types of users with different permissions. Users will only have access to the nextinits where they have been registered and in no way in the nextinits of other clients.

The 3 types of users of nextinit are the following:

  • Basic user with access to the public part.
  • User of the innovation group with access to the public part but with additional permissions for the management of ideas, challenges, etc.
  • Administration user that besides the previous accesses has access to the administration of his own nextinit for the configuration of the data of his nextinit, the personal data of the users of his nextinit, the ideas and challenges of his nextinit.

There is a fourth user profile, called super user who has access to a management interface of all nextinits and can, if need be, configure or reset certain parameters of any nextinit. This super administrator only belongs to nextinit and is not shared with any client or partner.

16. Maintenance of network firewall rules

Every year, Nextinit assesses the security of the Cloud Platform infrastructure as well as our software with penetration tests (Black box type test). These evaluations are commissioned from independent external companies and the results can be provided to our customers on demand.

In addition, our clients have the possibility to carry out the same tests on their own account, something that has already been done by clients such as Vodafone or BBVA, giving a positive report as a result of these tests.

17. Registration and supervision

Cloud Platform offer tools like Google Cloud Logging and Google Cloud Monitoring to make it easier for us to collect and analyze request logs, as well as monitor the availability of our infrastructure services (for example, virtual machine instances). These tools also help us create custom dashboards and configure alerts for problems.

18. Independent audits of infrastructure, services and operations

Los clientes de Google (nosotros) y los organismos reguladores esperan que se realice una verificación independiente de los controles de seguridad, privacidad y cumplimiento. Para estar a la altura de estas expectativas, Google se somete regularmente a diversas auditorías de terceros independientes. Esto significa que un auditor independiente ha examinado los controles de nuestros centros de datos, nuestra infraestructura y nuestras operaciones. En Google se realizan auditorías anuales de los siguientes estándares:

  • SSAE16 / ISAE 3402 type II:
  • ISO 27001: one of the independent security standards with greater prestige and international acceptance. Google has obtained ISO 27001 certification for the systems, applications, people, technology, processes and data centers that Google Cloud Platform uses. More details about ISO 27001.
  • ISO 27017 (cloud security): international standard of practices related to information security controls. It is based on the ISO / IEC 27002 standard and focuses especially on cloud services. More details about ISO 27017.
  • ISO 27018 (cloud privacity): international standard of practices related to the protection of personal identification data in public cloud services. More details about ISO 27018.
  • Authorization to operate FedRAMP for Google App Engine.
  • PCI DSS v3.1.

Google follows a third-party auditing approach designed to be as comprehensive as possible in order to ensure the appropriate level of information security in terms of confidentiality, integrity and availability. Customers can use these third-party audits to assess whether Google products meet their compliance and data-processing needs.

3. Backup and restoration data

On a daily basis, a global backup of all nextinit data is made as well as a backup for each client (nextinit enterprise). These files encrypted by Google are stored on Google servers to be used afterwards to restore the entire structure or just a particular nextinit.

Our security protocol forces us to test every week that the backups have been performed correctly and each month we verify with a test nextinit that can be restored without loss of information thanks to one of these individual backups.

More details about Backup and restoration data

Second layer page

1. Responsability

Who is responsible for processing your data?
Identity Nextinit S.L. – CIF: B86750197
Postal Code Plaza Santa Maria Soledad Torres Acosta 2, 5C. 28004 Madrid – Spain.
Telephone number +34 91 535 96 12
Email info@nextinit.com
Data Protection Officer:
DPD contact: info@nextinit.com

2. Purpose

For what purpose do we treat your personal data?

At Nextinit we treat the information provided by interested parties in order to enable them to be authenticated in order to access the platform (web application or mobile applications). We also use this information to send notifications (via email or push notifications in the case of mobile apps) related to the platform. These notifications are NOT of a commercial nature, but are directly related to the use of the platform (new ideas published, new investments, new challenges, notice of contents of interest for a better use of the platform, etc …).

NO commercial profiles are produced based on this information.

How long will we keep your data?

The personal data provided will be kept as long as it is not requested to be deleted by the interested party or until the user ceases to use it because the user or his company no longer uses the platform and the information is cleaned within Nextinit. These cleanings are not automated or planned by default.

3. Legitimacy

In the case of Nextinit we are in the following case:

Legitimation by consent of the interested party:

  • When the legitimation for the main purpose does not find accommodation in any of the above legal bases, the consent of the interested party must be requested for the processing of his personal data, and this will be stated in this section.
  • In the event that the principal purpose is legitimized by any of the legal bases mentioned above, but any specific purpose requires the consent of the affected, both legitimations will be recorded.
  • In the latter case, the interested party should be informed that the main purpose is not subject to the consent of the data that are not necessary for said main purpose, since otherwise the consent would not be considered as “granted freely”.
Example: What is the legitimation for the treatment of your data?
The legal basis for the processing of your data is the authentication in the platform Nextinit, the correct operation of this platform and its use according to the terms and conditions that are available in this address:

www.nextinit.com/terms-of-service .

In case of accepting the terms and conditions, the platform will not be accessible.

4. Recipients

Example: To which recipients will your data be communicated?

The data will be communicated to other companies that Nextinit S.L. whose services we use in the platform for its correct operation (storage, sending of emails, etc.). These companies outside the EU are hosted by “Privacy Shield”. Below we list these companies and detail the use they make with this data.

Google. Nextinit contracts its virtual infrastructure according to a model of “cloud computing” through Google. As such, Google does not have access to this information and can not make use of it. The personal data of users of Nextinit (email, name, surname and photo) are stored on Google servers hosted in the USA. Google is hosted on “Privacy Shield”:

Mailchimp. In some cases, emails will be sent to users before opening the nextinit platform with training announcements. So emails and user names are loaded for each of these submissions and are deleted when they are no longer useful (a few weeks after the release of nextinit). Mailchimp can not in any way make use of this information. Mailchimp is hosted on “Privacy Shield”:

Mailgun. Nextinit uses Mailgun’s mail delivery services. User data are not stored as such within Mailgun but may appear in the service logs for tracking delivered, pending or failed emails. Mailgun can not in any way make use of this information. Mailgun is hosted on “Privacy Shield”:

The personal data stored in Nextinit are NOT communicated to outside companies other than those mentioned above. In case you have to store one of these data to make use of another external service, we will notify each user via email of this change.
In case of nextinit integration with third parties, such as Workplace by Facebook, Microsoft Yammer or Salesforce Chatter, there is a flow of information regarding the personal data of the employees between these systems and nextinit. It is totally out of our responsibility and our control the use that is made within these services and we invite each user to contact his company to have more information regarding the use that is made with said data once stored in these business services.

5. Duties

What are your rights when you give us your data?

  • Any person has the right to obtain confirmation as to whether we are dealing with personal data concerning Nextinit, whether or not they are concerned.
  • Las personas interesadas tienen derecho a si acceder a sus datos personales, así como a solicitar la rectificación de los datos inexactos o, en su caso, solicitar su supresión cuando, entre otros motivos, los datos ya no sean necesarios para los fines que fueron recogidos.
  • Interested parties have the right to access their personal data, as well as to request the rectification of inaccurate data or, where appropriate, request their deletion when, among other reasons, the data are no longer necessary for the purposes that were collected.
  • In certain circumstances and for reasons related to their particular situation, those interested may oppose to oppose the processing of their data. Nextinit will cease to treat the data, except for compelling legitimate reasons, or the exercise or defense of possible claims.
  • There is no portability of personal data due to the fact that we only store name, surname, email and a photo of the user.

The limitation of use or elimination of the personal data (in particular the email) will mean a cessation of use of the platform since nextinit needs the email as unique identifier of each user.
In case you want to use these rights, the person will have to send an email with your specific request to info@nextinit.com.

6. Source

How did we get your data?

The personal data that we treat in Nextinit can come from several sources that are the following:

  • They have been delivered by the company that has contracted Nextinit services for its employees, partners, etc.
  • They have been delivered by the user when he has registered in Nextinit.
  • They have been delivered by Third Party Service via a social login (Google+, LinkedIn, Facebook, Slack or similar services) under the prior approval of the user.

The data categories that are treated are:

  • Identification data (Name and surname)
  • Electronic address
  • User Photography

No protected data is processed.