A statement for clients
This document outlines current information security and personal data protection practices at Stape Europe OÜ. The privacy and security of our clients’ data are among our priorities.
We are implementing a comprehensive data governance system which aims at:
We aim to adhere to industry best practices in the field of information security. Below is an outline of the controls in place at Stape Europe OÜ that address the core GDPR requirements (Art. 5.1, Art. 28.3, Art. 32.1) with a direct impact on the security of processing:
Art. 32.1.a) Encryption
All communication is transmitted over channels encrypted with TLS, which protects data in transit between our clients’ browsers or servers and our servers.
Art. 32.1.b) Confidentiality, integrity and availability
Confidentiality is achieved through access control restrictions. Access to user data is granted on a “need-to-know” basis, only to those team members who require it to perform their duties. Actions such as access, rectification and deletion are logged in the system to provide traceability and accountability, and all team members are required to sign a Non-Disclosure Agreement (NDA).
Integrity is protected by a network firewall that restricts which systems can reach the data. Regular backups are taken to ensure data availability.
Art. 32.1.d) Regular assessment
Stape Europe OÜ has implemented a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in place.
Art. 5.1.c) and Art. 28.3.g) Data minimisation and destruction
Data is permanently deleted at the end of its retention period or upon termination of the relationship with the client.
We also take into account the local data protection frameworks applicable to our clients’ activities, such as LGPD or CCPA, and are ready to assist them with their compliance.
As we consider ourselves a data processor, we always sign a Data Protection Agreement (DPA) with our clients to ensure that we process personal data in accordance with the client’s instructions and with appropriate data protection safeguards. The DPA applies automatically when the client accepts our Terms and Conditions. A sample DPA is available via the link.
Clients’ data stored on our servers is retained only for a limited period.
Upon termination of the relationship, we ensure that the personal data is deleted from our systems, as well as from the systems of our subcontractors and vendors.
We select only those third-party providers that offer sufficient guarantees of information protection. Our due diligence assesses the following items:
We are continuously working on improving our data protection efforts.
To help our clients comply with data protection requirements, we are ready to assist them with the following technical and organisational measures:
We aim for our privacy and security practices to be consistent and systematic. As our organisation and the external environment continue to evolve, we regularly monitor and review our practices to ensure that data is protected at all times.
If you would like to receive more information on our personal data protection practices, please contact us at privacy@eu.stape.io.