Privacy Policy

1. Introduction

This privacy policy (“Privacy Policy”) governs the relationship between SecureMind Group AB, reg. no 559201-3030, (“Platform Provider”) and you as a user (“User”) of the service SecureBug©️ when you register as a User at SecureBug (“SecureBug”).

2. User

The User is the data controller of any personal data entered into SecureBug. The User is responsible for the accuracy, completeness and correctness of any personal data or other information added in SecureBug. Platform Provider acts as data processor and has signed a Data Processing Agreement for that purpose.
Should you as User provide data concerning a third party, you shall also be responsible for such data and that consent has been given for the disclosure of such data by the third party concerned. Platform Provider hereby reserves the right when necessary or when legally required to inform the third party, whose personal data you as User have given to Platform Provider, regarding Platform Provider’s processing of that third party’s personal data.
It is also possible not to set up an account in SecureBug, but only to agree that Platform Provider sends information to such a person. In such a case, only the last subparagraph of point 4 shall apply, and the remaining provisions of the privacy policy shall apply correspondingly. The consent may be withdrawn at any time.

3. Personal Data

The personal data that Platform Provider may process includes, but is not limited to, full name, address, email address, certificates, education, work experience, photographs, assignments applied for and granted, CVs, references, rates, availability and other related information that you have entered into SecureBug©️.

4. Purpose

Platform Provider may use the information that you provide for the following purposes:
• invite you to the Bounty program, the Customer, and assignment-related services and events
• send you newsletters with info from SecureBug©️
• send you updates with new requests
• compiling statistics
• for support and service regarding your User Account
• to administrate your User account
• to enable you to use SecureBug©️
• to enable the Customer to connect with you in SecureBug©️ and send you job requests
• to send you job offers, guides, blog posts, invites to events and other information with content referring to the consultant market and SecureBug©️.

5. Your rights

The User has the right at any time and at no cost to request an extract of the User’s personal data that Platform Provider has saved concerning you. Should the User’s data be incorrect, incomplete or irrelevant, the User may request to have the information corrected or deleted. Platform Provider may not delete the User’s data when a statutory requirement exists for storage, such as accounting rules or standards, or when other legitimate reasons exist as to why the data must be saved, such as unpaid liabilities. If the User has provided information about a third party, such third party shall have the same rights.

6. Access to submitted data

The User decides who has access to the User’s data by choosing the settings on the account. Platform Provider may transmit data to third parties or partners if necessary for executing and providing our service to the User – for example for request administration or technical support. Data that is shared with a third party or third country will only be used in accordance with the purposes set forth in this Privacy Policy.
In addition, Platform Provider may provide personal data if Platform Provider is obliged to do so in accordance with prevailing legislation or a court ruling, or if such is otherwise necessary in order to assist a legal inquiry.

7. Retention and storage of personal data

The information will be stored as long as the User has an active account. The User may at any time delete the User’s account, after which the data will no longer be available.

8. Protection of personal data

SecureBug©️ has taken technical and organizational measures to protect personal data from loss, manipulation or unauthorized access. SecureBug©️ constantly adapts its security measures in accordance with progress and development in the relevant technical area.

9. Contact

SecureMind Group AB
Kungsportavenyn 23, 411 53 Gothenburg, Sweden
Tel: +46 72 2807675
Corporate registration number: 559201-3030
Email: [email protected]
For questions on how we process your personal data, please contact [email protected]

Data Processing Agreement

Between

  1. SecureMind Group AB, reg. no 559201-3030 with registered office at Kungsportavenyn 23 411 53 Gothenburg, Sweden (the Processor); and
  2. The User that has entered into the Terms and Conditions for Service Providers SecureBug©️ (the Controller);

The Processor and the Controller are referred to separately as “the Party” and together as “the Parties”.

1. Background

The terms and conditions specified below and the Privacy Policy shall apply if and when the Processor processes personal data on behalf of the Controller and its affiliates in their capacities as data controllers. Should any conflict arise between a clause in this Data Processing Agreement and a clause in the Terms and Conditions for Service Providers SecureBug©️, the provisions in this Data Processing Agreement shall take precedence wherever the provision in this Data Processing Agreement provides greater protection for the Personal Data being processed.

The data processing activities hereunder are further described in Annex 1.

2. Definitions

In this Data Processing Agreement, the following definitions shall have the meaning set forth below:

“Processing”, “Personal Data Controller”, “Personal Data”, “Personal Data Processor”, “Personal Data Incident”, and “Data Subject” shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”);

“Processing Agreement” is this Processing Agreement and any appendices and annexes to it; “Applicable Legislation” means legislation, regulations and directives in force at the time in the EU and in relevant Member States that are applicable to the Processor and the Controller; and “Applicable Personal Data Legislation” means legislation, regulations and directives in force at the time, including directives notified by relevant supervisory authorities, with respect to the protection of privacy and fundamental rights and freedoms of individuals and, in particular, their right to the protection of their Personal Data with respect to the Processing of Personal Data applicable to the Processor and the Controller, including legislation, regulations and directives within the meaning of Directive 95/46/EC and, from 25 May 2018, the GDPR;

“Third Country” is a country outside the European Union (EU) or the European Economic Area (EEA);

“SecureBug” means the services described in the Agreement;

“Agreement” means the Terms and Conditions for Service Providers SecureBug©️ entered into by the Parties for SecureBug©️.

3. Obligations of the Controller

3.1. The Controller is responsible for ensuring that the Processing of the Personal Data is carried out in accordance with Applicable Legislation and that the Data Subjects are informed about the Processing.

3.2. The Processor does not have an obligation nor the technical means to check the accuracy or completeness of the Personal Data entered into SecureBug©️. This obligation is the sole responsibility of the Controller.

4. Obligations of the Processor

4.1. The Processor shall

  • only process the Personal Data on written instructions (see Annex 1) from the Controller;
  • based on the information about the consultant, prepare and make available a report which will better present the consultant as a candidate (profiling, without making automated decisions);
  • keep the Personal Data confidential and ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • maintain a record of all Processing activities carried out on behalf of the Controller;
  • considering the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfilment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights;
  • assist the Controller in ensuring compliance with the obligations pursuant to applicable law, considering the nature of processing and the information available to the Processor as the processor;
  • at the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of SecureBug©️, and delete existing copies unless European Union or EU Member State law requires storage of the personal data;
  • make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this section and allow for, and contribute to, audits, including inspections, conducted by the Controller under applicable law or by another auditor mandated by the Controller.

4.2 The Processor shall, based on the information about the consultant and tests made by the consultant, prepare and make available a report which better presents the consultant as a candidate and matches your profile to assignments (profiling, without making automated decisions). The workstyles are derived from test results or other information that you have provided.

4.3 SecureBug©️ allows sharing of information, including personal data, in many ways. Where we have made settings available, we will honor the choices you make about who can see your Content or about restricting your Content’s visibility from job and skills search activities within the service. At this moment, the main ways to share Content are:

  a) inviting to a bounty program;
  b) following another User;
  c) accepting the searchable option.

Other ways may be added in the future.

5. Security measures

The Processor takes appropriate technical and organizational measures to ensure that the Personal Data that are processed are protected from Personal Data Incidents. The measures must ensure that at least the level of security required by Applicable Personal Data Legislation and by applicable regulations and guidelines of relevant supervisory authorities for personal data security is in place. More information on the security measures taken by the Processor can be found in the Security Appendix.

Furthermore, the Processor must, if so requested, assist the Controller with information necessary to enable the Controller, as applicable, to be able to meet its obligations to carry out an impact analysis and pre-consultation discussion meetings with relevant supervisory authorities concerning the Processing of Personal Data that are subject to the terms of this Processing Agreement. If the Controller requests the Processor to assist with an impact analysis, even though there is no obligation under Applicable Personal Data Legislation to carry out an impact analysis, the Processor shall be entitled to remuneration as set out in the price list in force at the time.

6. Personal Data Incident

Should a Personal Data Incident occur, the Processor must notify the Controller in writing of the breach without undue delay after the Processor has become aware of the Personal Data Incident.

If it is not unlikely that a Personal Data Incident poses a risk to the privacy of the Data Subjects, the Processor must, immediately after it has become aware of the Personal Data Incident, take all appropriate steps to prevent or minimize the potential negative consequences of the Personal Data Incident.

If requested by the Controller, the Processor shall provide:

  • a description of the Personal Data Incident’s nature, categories of and the number of Data Subjects affected, and categories of and the number of personal data items affected;
  • the likely consequences of the Personal Data Incident; and
  • a description of the measures that the Personal Data Processor, where appropriate, has already taken or intends to take to correct the Personal Data Incident and/or to minimize the potential negative consequences of the Personal Data Incident.

Should it not be possible for the Processor to provide the information in one go, the information may be provided in batches without any further undue delay.

7. Subcontractors

The Processor may hire subcontractors, consultants or other third parties for the Processing of Personal Data on behalf of the Controller (“Subcontractor”).

If the Processor hires a Subcontractor, the Controller consents to the Processor entering into a Processing Agreement directly with the Subcontractor. The obligations under such Processing Agreement with the Subcontractor shall be equal to and no less restrictive than those under this Processing Agreement. The Controller accepts that the Processor and the Subcontractor enter into the Subcontractor’s standard agreement for personal data processing when circumstances so require, on condition that such a standard agreement meets the requirements stipulated in Applicable Personal Data Protection Legislation.

Should the Processor hire a new Subcontractor, the Processor must notify the Controller in writing without undue delay of the following:

  • The Subcontractor’s identity (including details of the company’s name, organisation number and address);
  • the type of service performed by the Subcontractor; and
  • at which location the Subcontractor will be Processing Personal Data on behalf of the Controller.

With respect to hiring new Subcontractors, the Controller is entitled to make objections to the hiring of the Subcontractor.

The Processor is liable to the Controller for the Subcontractor’s Processing of Personal Data as it is for its own Processing. For approved subcontractors, please see Annex 2 Approved subcontractors.

8. Confidentiality

Without prejudice to the application of any obligations of confidentiality in the User Agreement, the Processor agrees to keep all Personal Data that is processed on behalf of the Controller strictly confidential. Accordingly, the Processor will not, either directly or indirectly, divulge, disclose or communicate any Personal Data to any third party without the prior written consent of the Controller, unless the Processor has an obligation under Applicable Legislation or a decision by a court or authority to provide the Personal Data, or where this is necessary in the fulfilment of the requirements of the Agreement or this Data Processing Agreement. The Processor shall notify the Controller if Personal Data is provided to a third party, unless prevented from so doing by Applicable Legislation or a decision by a court or authority.

The Processor accepts that the obligation of confidentiality shall remain in force even following the termination of the Personal Data Processing Agreement and until all Personal Data have been provided to the Controller or have been securely and irreversibly destroyed or anonymized.

The Controller agrees to keep all information that the Controller receives about the Personal Data Processor’s security measures, procedures, IT systems and any other information of a confidential nature strictly confidential and not to disclose to any third party any confidential information originating from or provided by the Processor or its Subcontractors. The Controller may only disclose such information that the Controller is required to disclose under Applicable Legislation or under the terms of the Agreement or this Processing Agreement. The Controller accepts that this obligation of confidentiality remains in force even after this Processing Agreement is terminated or otherwise ceases to be in effect.

9. Liability

The Processor shall indemnify the Controller against any and all liability, loss, claim or expenses that it incurs which has been caused by the Personal Data Processor, either intentionally or through gross negligence, processing personal data in breach of the terms of the Agreement or Applicable Personal Data Protection Legislation.

The Controller shall hold the Processor harmless from any and all liability, loss, claim or expenses that the Processor incurs as a result of the Controller Processing Personal Data in breach of the terms of the User Agreement or Applicable Personal Data Protection Legislation.

10. Rights of Data Subjects

The Processor shall, to the extent possible, assist the Controller by taking any and all technical and organizational measures that are necessary to enable the Controller to meet its obligation to respond to a request for the exercise of a Data Subject’s rights as required by Applicable Personal Data Legislation. The Processor shall be entitled to compensation for any expenses that such assistance incurs at the rates stated in the price list in force at the time.

11. Third Countries

Processing and use of Personal Data under this Agreement shall only be carried out within the EU/EEA, and specifically the storing of Personal Data shall be limited thereto. Any transfer to, or extension into, Third Countries requires prior written consent from or agreement with the Controller.

12. Additional protective measures

Processor shall maintain and promptly provide the Controller with up-to-date information regarding its data processing activities as the Controller may reasonably request to meet its obligations under legal data protection requirements.

Processor may not make any filings or publish any information regarding any Data Breach without the Controller’s prior approval unless required by mandatory law. To the extent the laws require that an individual or authority be notified of a Data Breach, Processor shall at the Controller’s request and prior approval of the content, form and timing, provide any notices to such an individual or governmental authority containing the information as mandated by the mandatory laws. Upon the Controller’s request, Processor shall at its own cost provide remediation services, customer care and other reasonable assistance to individuals impacted by the Data Breach directly or through a third party. Upon the Controller’s request, Processor shall cooperate and provide information about the nature, circumstances and causes of the event at issue. Processor will take all necessary actions to prevent further losses and otherwise limit the consequences of the event at issue. Processor shall conduct professional forensic and security review and audit in connection with such Data Breach. These data breaches, if any, shall be resolved according to the applicable data protection laws and the specific instructions that might be provided to Processor by the Controller.

Subject to what is permitted under mandatory law, if Processor receives a request or complaint from a governmental authority or body (“Authority”) regarding any Personal Data, it shall without delay notify the Controller identifying the Authority, the scope of the request and grounds presented for the request or complaint. Processor shall respond to such Authority request or complaint only with the Controller’s prior approval of the response.

13. Validity

This Processing Agreement shall become effective upon acceptance by the Parties (acceptance by the Processor is given by publication of this agreement on the website, after acceptance by the Controller, the Agreement is treated as concluded between the Parties), and shall remain effective throughout the term of the Agreement.

14. Transfers

Neither Party may transfer, in full or in part, its rights and obligations under this Agreement without the written consent of the other Party.

15. Amendments and additions

The provisions relating to amendments and additions set forth in the Agreement shall apply correspondingly to this Processing Agreement.

16. Applicable law and litigation

The provisions relating to applicable law and litigation set forth in the Agreement shall apply correspondingly to this Processing Agreement.

17. Business contact details

The personal data, including business contact details, of the Controller’s employees and other workforce whose data is provided in the course of carrying out this Processing Agreement or the Agreement shall only be processed to the limited extent required to administer the business relationship between the Controller and the Processor.

Annex 1

This annex constitutes the instruction for the Processor to process personal data on the Controller’s behalf.

Purpose of the data Processing

The Personal Data is processed for the following purposes:

  • invite you to the Bounty program, the Customer, and assignment-related services and events
  • send you newsletters with info from SecureBug©️
  • send you updates with new requests
  • compiling statistics
  • for support and service regarding your User Account
  • to administrate your User account
  • to enable you to use SecureBug©️
  • to enable the Customer to connect with you in SecureBug©️ and send you job requests
  • to send you job offers, guides, blog posts, invites to events and other information with content referring to the consultant market and SecureBug©️.

Categories of data subjects

The Processor will process data about the following data subjects:

  • Users of SecureBug©️.
  • profiles added by the Service Provider

Categories of Personal Data

The personal data can possibly concern the following categories of data:

  • Phone number
  • Name (surname and first name)
  • Email address
  • Address
  • Photo
  • Login credentials
  • CV
  • Rate
  • Assignment applications
  • Any information that a user adds in free text
  • Results of tests and analysis (Workstyles)

Processing activities

The Processor will conduct the following processing activities:

  • Collection
  • Storage
  • Structuring
  • Forwarding
  • Erasure

Storage of personal data

The personal data will be retained for as long as the User has an active account, unless a longer retention period is needed to fulfill other contractual or legal obligations regarding the individual. The personal data will be deleted once the User account is deleted.

Annex 2 Approved subcontractors

Security Appendix

1. Introduction

The Platform Provider of SecureBug©️ is committed to maintaining a high level of security for Users’ data and internal data. We have a structured process in place to enable us to achieve this, and we regularly evaluate its performance to continuously improve data security.

This Security Appendix explains how the Platform Provider works to achieve a high level of security for User data processed in the SecureBug©️ service, hereafter referred to as SecureBug©️.

The Appendix also contains a chapter on the requirements that the Platform Provider places on its user companies, and the opportunities and obligations of the user companies to help ensure that security procedures and practices are upheld.

2. Regulatory documents

The Platform Provider has its own set of regulatory documents covering system development, incident management, etc. to ensure that operational security is maintained in the operation and administration of SecureBug©️.

3. Organization

3.1. Security function

An in-house security function works in an integrated way with the business operations and provides the organization with expertise, evaluations and guidelines for data and IT security. The security function deals with a range of issues covering IT security, physical security and personnel security.

3.2. SOC (Security Operation Center)

The company has a team to manage cyber-attacks, with specialist expertise in communications security, client protection, data centers, and other infrastructures. Other specialist expertise can be drawn upon if necessary.

4. Personnel security

All personnel, both our own staff and consultants, sign a confidentiality and non-disclosure agreement before they are given access to IT systems. Employees who work with SecureBug©️ receive training in how SecureBug©️ is used and what restrictions apply. We hold regular meetings with our own staff to detect and prevent improper conduct.

5. Asset management

The personal data processed in SecureBug©️ is classified as confidential. The Platform Provider therefore works actively with the allocation of access rights via roles. Access rights are only granted to personnel to the extent necessary for them to perform their duties.

6. Access control

Only a few people in the Platform Provider’s Operations Department have full access rights to databases. The team from the Platform Provider’s Systems Development Department, which is responsible for developing SecureBug©️, has limited read access rights to the database. All logins to SecureBug©️ are made via personal accounts and are logged in the central log management system.

The Platform Provider’s SecureBug©️ support staff can connect to the user profile and thus gain access to the user company’s data. Written permission to do so must first be obtained from the user. All readings of data in SecureBug©️ are logged for each individual case. These logs can be accessed in SecureBug©️ by authorized staff at the user company.

7. Encryption

The system uses TLS (SSL) encryption with publicly signed certificates. There are documented procedures in place for managing and updating cryptographic material such as keys for certificates.

8. Physical and environmental security

All our data centers are subject to the highest physical and environmental security with access controls, alarms, fire protection, protection systems and surveillance. A power protection system is installed in case of a power outage. Only authorized personnel have physical access to the data centers. Access to the data centers is permission-based.

9. Equipment

The secure disposal of digital media requires all data on the media to be deleted and the digital media then to be destroyed. This is carried out at a secure facility by approved personnel.

10. Operational reliability

10.1. Communication

The data centers’ backbone network is connected to multiple Internet service providers. All traffic to and from the application flows through a firewall and a threat detection service that continuously monitors for malicious activity and unauthorized behavior. Only specific endpoints are exposed to the Internet, while the remaining components are deployed in private, non-routable networks.

10.2. Traceability and monitoring

Centralized log management is used for SecureBug©️ and for related network communications. Designated personnel actively work to detect high-risk activities via rules-based alarms and tools for analysis of non-conformities. Where necessary, relevant components of the logs can be made available to customer companies.

Data is protected using access rights and, where applicable, multi-factor authentication, which are controlled at all levels in SecureBug©️. Data processing, reading, editing and logins are all logged. Failed attempts to log in are also logged.

SecureBug’s time is taken from the system’s servers. Logged times are presented in the user browser’s time zone, and the format is taken from the user’s language settings.

Manipulation of the logs is not possible from inside SecureBug©️. The logs are saved without changes unless the case is removed, or the user is deleted or inactivated. The system logs any changes to and readings of event data. Both successful and unsuccessful logins are logged. Changes to access rights are also logged. Access to logs depends on the access rights of the roles.

10.3. Backups

Databases and transaction logs are routinely backed up and recovery of backups is tested regularly. The maximum data loss period (i.e. RPO) is 4 hours and the recovery time (i.e. RTO) is 8 hours. Backups of servers in both of the data centers are stored separately from the original.

10.4. Malware protection

SecureBug©️ is separated from other IT systems within the Platform Provider via firewalls. All servers in the environment are protected from malware by application whitelisting software. Clients that are used to connect to the servers have anti-virus software enabled. Both servers and clients are hardened prior to deployment. Additionally, all files sent by users are scanned by antivirus software.

10.5. Vulnerability management

A team of dedicated staff is responsible for monitoring information from suppliers about products and components concerning security deficiencies and available updates. A risk analysis is performed, after which serious security deficiencies and important updates are addressed immediately. Other issues are addressed in line with documented procedures for routine version management. All changes to software used and to constituent third-party components in SecureBug©️ are documented.

11. Communications security

The solution is protected by a firewall so that only pre-defined traffic is allowed network access to the solution.

All traffic that passes the firewall is logged. The logs are saved for a period of 12 months. All log entries are saved for the same period of time.

12. Acquisition, development and maintenance of systems

12.1. Testing and development

Development team

Systems are developed using an agile approach, based on proactive quality assurance with continuous testing and feedback of performance. The agile approach to system development includes a requirement process and testing. The development team is responsible for all activities needed to assure the quality of each product backlog item (PBI) in each sprint.

The team is also responsible for assuring the quality of SecureBug©️ and the product over the long term.

IT environments

Separate IT environments are used for production and for testing and developing SecureBug©️. To ensure the best quality of the software we deliver, we use a Continuous Integration process that automates code integration, builds the application and executes the tests.

12.2. Penetration testing

Internal and external parties conduct thorough penetration tests at least once a year to evaluate the system’s security. User companies may not conduct security audits or penetration tests on SecureBug©️ without the prior permission of the Platform Provider. Contact the Platform Provider’s support for further information.

13. Managing data security incidents

The Application Manager is responsible for the operative management of serious IT incidents. This involves communication, investigation and reporting of incidents. The Application Manager analyses the IT incidents to ensure that adequate action has been taken to manage the incident and that the experience gained from the incident can be used in the organization’s operative risk management processes.

A solutions team is appointed to solve the incident and assist the Application Manager with the investigation. In the event of a cyber-attack, SOC is enabled. The Platform Provider’s Crisis Management Team can be activated if warranted by the seriousness of the incident.

Incidents relating to personal data are managed in accordance with the Data Processing Agreement.

14. Business continuity management

SecureBug©️ is mirrored in two separate data centers in the EU area. Each data center has the capacity to maintain system availability should one of the data centers go down.

15. Compliance

SecureBug©️ is ISO 27001 (ISMS) certified. The Platform Provider’s Internal Audit operates to an annual audit plan. Internal Audit reports to the Board of Directors and the CEO. The Audit Plan is prepared through an objective and independent assessment of materiality and risk to provide an overall opinion on the adequacy of internal governance and control.