Legal

28·11·2018
Terms of Service

24·05·2018
Privacy policy

Privacy policy

Data Privacy Policy

Website www.volum3.com and Web platform Location app.volum3.com

Agreement on order processing pursuant to Art. 28 GDPR https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

1. General

Among other things, VOLUM3 processes personal data (such as name, e-mail address, etc.) that are collected from the client, processed on VOLUM3 systems and stored for the purpose and duration required. In particular, the following activities are included:

2. Data types

The following types of data are regularly the subject of processing:

VOLUM3 processes the data of the client and its users for the stated purposes and the client expressly agrees to this processing. The client may revoke his consent at any time.

Personal data: When registering, VOLUM3 saves the e-mail address and personal password for log-in to the secure area of VOLUM3. VOLUM3 also uses users’ email address to provide users with system notifications when using the services (such as notification of new task in a project) and information about VOLUM3’s system and products. VOLUM3 also stores Name, Surname, Profession and Company data - VAT number, Number of employees, address (street, house number, zip code, city, state, e-mail address), telephone number, and company name of the client for the provision of services and their billing.

Files: In the context of the use of the services of VOLUM3, the client can save plans, photos, pictures, texts, audio information, etc. on a specific project on the web servers of VOLUM3. The stored files are made accessible to every user whom the customer has activated for this project. 

Login data: If the user logs in to VOLUM3 with his e-mail address and personal password, VOLUM3 stores the login time and date. VOLUM3 uses this data to detect and correct errors, improve the service, and handle customer queries or complaints.

Google Analytics: The VOLUM3 website uses Google Analytics, a web analytics service provided by Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files that are stored on the user’s computer and that allow an analysis of the use of the website by the user. The information generated by the cookie about the use of the website (including the IP address) is transmitted to a Google server and stored there. Google will use this information for the purpose of evaluating the use of the website, compiling reports on website activity for website operators and providing other services related to website activity and internet usage. Google may also transfer this information to third parties if required by law or as far as third parties process this data on behalf of Google. Google will never associate the IP address with other data. The user can prevent the installation of cookies by setting the browser software accordingly; VOLUM3 points out, however, that in this case, the user may not be able to fully use all functions of the website. By using the website, the user agrees to the processing of the data collected about him by Google in the manner described above and for the aforementioned purpose.

Mailgun 

VOLUM3 uses Mailgun Technologies, an email service provider for email notifications. For information on MailGun data privacy visit https://www.mailgun.com/privacy-policy/

Cloudflare One

VOLUM3 uses Cloudflare One for secure, fast and reliable network services. For information on Cloudflare One data privacy visit https://www.cloudflare.com/privacypolicy/?utm_referrer=https://www.google.com/

3. Categories

The following categories of affected persons are subject to processing:

4. Duration of the agreement

The agreement ends with the completion of the data processing and the obligatory data deletion by VOLUM3.

5. Duties of VOLUM3

VOLUM3 undertakes to process data only in the context of the client’s written orders. If VOLUM3 receives an official order to publish data of the client, it must – insofar as legally permissible – inform the client immediately and refer it to the authority.

VOLUM3 declares legally binding that all persons commissioned with data processing are obligated to confidentiality prior to commencement of the activity or that they are subject to an appropriate statutory confidentiality obligation.

VOLUM3 declares legally binding that all necessary measures have been taken to ensure the security of processing under Art. 32 GDPR https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

VOLUM3 takes the technical and organizational measures so that the client can fulfil the rights of the data subject under Chapter III of the GDPR at any time (information, disclosure, correction and deletion, data portability, opposition, as well as automated decision-making in individual cases) within the statutory periods and leaves the customer all necessary information. If such a request is made to VOLUM3 and it indicates that the applicant mistakenly considers it the principal of the data application operated by it, VOLUM3 must immediately forward the request to the principal and notify the applicant.

With regard to the processing of the data provided by the customer, the client is granted the right to inspect and check at any time, even if it is also commissioned by third parties. VOLUM3 undertakes to provide the client with the information necessary to control compliance with the obligations set out in this agreement.

VOLUM3 is required after the termination of this agreement to destroy all processing results and records that contain data on behalf of the principal.

VOLUM3 must immediately notify the client if VOLUM3 believes that the client’s instructions violate the data protection provisions of the European Union or the member states.

6. Place of execution

All data processing activities are carried out exclusively within the EU or the EEA.

7. Sub-processors

VOLUM3 is adding the following subcontractors for hosting: DigitalOcean https://www.digitalocean.com/

8. Obligations of the client

When handling personal data, the client will observe the provisions of the Data Protection Act and the Telecommunications Act and will take the technical and organizational measures required by the client for data protection in the area of responsibility.

The client undertakes, and in particular his employees, to comply with the provisions of the Data Protection Act.

The client takes all reasonable measures in his area of responsibility to protect the stored data and information against unauthorized access by third parties. VOLUM3 is not responsible if third parties succeed in illegally gaining access to the data and information.

The client may invite other users (e.g., their subcontractors) to use the software for a specific project by entering their e-mail address (es). In this case, the client will obtain in advance the verifiable consent of the respective user for the use of his personal data.

 

9. Security Concept

See Document VOLUM3 Security / Privacy Standards (Addition 1. VOLUM3 Security / Privacy Standards)

 

10. Your rights/contact

You are basically entitled to the rights of information, correction, deletion, restriction, data transferability, revocation and opposition.

You can reach us at the following contact details:

VOLUM3 d.o.o.

Trg Eugena Kvaternika 3/3

10000 Zagreb

You can contact our data protection officer at [email protected]

Addition 1. VOLUM3 Security / Privacy Standards


SECURITY / PRIVACY STANDARDS

INTRODUCTION

This document should briefly outline the measures and efforts of VOLUM3 to provide modern and high standards for data security, privacy and service availability for our SaaS.

INFRASTRUCTURE/HOSTING

Digitalocean legal documents

https://www.digitalocean.com/legal/

Digitalocean security

https://www.digitalocean.com/trust/

Digitalocean privacy

https://www.digitalocean.com/legal/privacy-policy/

https://www.digitalocean.com/legal/privacy-shield/

Information on Digitalocean compliance and certifications

https://www.digitalocean.com/legal/certifications/

Configuration management

We follow the principles of immutable infrastructure and infrastructure as code.

In case of error/failure, the system can be regenerated based on its templates and source code.

We use chef and docker for our infrastructure.

High availability / Scalability

Digitalocean makes our system responsive to high load spikes and it will automatically provision more resources if that is necessary. Our customers will not experience performance impacts.

DDOS / Web vulnerability Protection

Our web application is shielded and protected with the Cloudflare (www.cloudflare.com) web proxy system.

Cloudflare DDoS protection secures websites, applications, and entire networks while ensuring the performance of legitimate traffic is not compromised.

Cloudflare has been ISO 27001 certified since 2019 and the certificate is available upon request.

ISO/IEC 27001:2013 is an industry-wide accepted information security certification that focuses on the implementation of an Information Security Management System (ISMS) and security risk management processes.

SOFTWARE DEVELOPMENT

Implementation

Our system is based on modern, robust and battle-proven open source technology.

Our web application is developed with PHP programming language in its latest stable version (7.4), including Laravel framework (8.9.0) on the backend, and React framework (16.13) on the frontend side.

All data transfer is done via HTTPS/TLS and the data is encrypted at rest. (In our relational database and in our object storage).

All images, plans and document assets are stored in the highly durable Digitalocean storage system https://www.digitalocean.com/products/block-storage/

OWASP

In our implementation, we follow the security by design principle.

https://www.owasp.org/index.ph...

PROCESSES

Employees

All our employees but especially in support and engineering are aware of data privacy/security and get training and SOPs for a responsible treatment of our customers’ data.

All employees only get the minimum necessary access to our IT systems.

Customer data is only accessible by a small selected group of support and operation engineers.

Incident management

Security and privacy incidents are collected on every point of contact and then routed to the responsible organizational unit. Our logging systems detect anomalies in system usage and sends automated alarms if necessary.

We have written procedures for disaster recovery and backup restores.

Access

Access to administrative systems is limited to certain ips and vpns and protected by 2 factor

authentication.

ISO/IEC 27001 Information Security Management Certification

We plan to get certification for development and operations until Q2 2021