Last updated: 2018-08-30
Information we collect
Account and Profile Information
Upon registration all users in PING PONG will provide us with data to enable the usage of the functionality to its full extent. Information such as organisation name, user names, email addresses, payment information, configurable fields detailing organisational belonging and similar are collected by PING PONG.
As part of using the system communication through different channels such as mail or other notification channels will occur.
Logging and backups
Account activities done within the system and when the system communicates with its users may be logged in the system and kept safe by PPAB. Logs are regularly deleted of old content. The system is for security and safety reasons backuped regularly. These backup contain all data and old content is deleted on regular basis.
Website data collection
PING PONG website, owned by PPAB, uses Google Analytics which allows it to see information on user activities including, page views, source and time spent on our website. This information is displayed as numbers and cannot be tracked back to
individuals. Users may opt-out of PPAB’s use of Google Analytics by visiting the Google Analytics opt-out page.
Our processing of your information
Your provided personal data will be used to organise users in groups, create and execute courses and training within the system as well as performing analytics of results from training. Communication as part of interacting with PING PONG will occur in form of mails or other notification procedures.
Who we share data with
PPAB will not sell, rent or trade personal information to any third party. However, PPAB may share personal information when authorized and/or required by law or as follows:
● Service Providers. We may provide access to or share your information with select third parties who perform services on our behalf. These third parties provide a variety of services to us, including without limitation billing, sales, marketing, provision of content and features, analytics, data storage, communication, security, payment processing, and legal services. PPAB will ensure that the third party maintains reasonable data management practices covering confidentiality, security and preventing unauthorized access.
● As permitted or required by law. PPAB may disclose personal information as required by applicable law or by proper legal or governmental authority. PPAB may also disclose information to its accountants, auditors and lawyers in connection with the enforcement or protection of its legal rights.
● Business transaction. PPAB may disclose personal information to a third party in connection with a sale or transfer of business or assets. However, in the event the transaction is completed, personal information will remain protected by applicable data protection laws.
The way we secure your data
Data security is of utmost importance for PPAB and we take every reasonable effort in securing and protecting your data.
Security in our Software Development and Deployment
PING PONGs SW is version controlled. Changes to PING PONG SW goes through a series of quality assurance principles to ensure highest possible quality as well as
minimal risk of data loss or data breach. Each change is performed by at least two persons. Automated tests are developed and run for each change. Regressions test are executed and not until 100% pass rate is archived change can be deployed to production system. Prior to deployment a risk analysis is performed and actions taken in case of any disturbance to ensure minimal risk on data breach. We also work with third-party security professionals to test our code for common exploits and we use network scanning tools against our production servers. On yearly basis we perform, document and act upon findings from penetration tests against our production servers.
PING PONG architecture and reliability
Asana uses Amazon Web Services along to manage user data. The database is replicated synchronously so that we can quickly recover from a database failure.
Office and data center security
PPAB office has a security design intended to prevent any compromise of its own information systems, computer networks or data files by unauthorized users. PPAB uses Amazon Web Services. Amazon employs a robust physical security program with multiple certifications, including an SSAE 16 certification. For more information on Amazon’s physical security processes, please visit AWS Security.
PPAB personnel security competence
Access handling to personal data stored in PING PONG
PPAB strive to minimize people with access to personal data stored in PING PONG, each person must have a genuine business need-to-know prior to access. Each access request is determined by Company Chief Technology Officer, CTO.
Each change to PING PONG undergoes a risk analysis with respect to personal data. Not until risks has been validated and dealt with a release is possible. Documentation of process adherence is performed within our SW delivery process. PPAB also regularly, but at a minimum on a yearly basis, undergo review of policies and risks. Weaknesses if any are documented and acted on.
PPAB will store and process the personal information in a manner consistent with industry security standards. PPAB is headquartered in Sweden and data is stored by default within European union, except mails which are handled through Sendgrid located in the United States. Mails are stored a short period of time which helps us
secure that all mails are delivered. PPAB hold a Data Processing Addendum as well as a Privacy Shield agreement with Sendgrid ensuring your data is protected.
However, if you have concerns that data is stored in Europe we have the ability to transfer data and only store data in the United States upon demand. Contact email@example.com in case of such demands.
PPAB shall immediately notify Customer of any suspected or actual loss of data or breach which result in the loss or unauthorized access, disclosure, use or acquisition of personal data. PPAB shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Customer in all reasonable efforts to mitigate the adverse effects of Data Incident and to prevent its recurrence. All incidents are documented by appointed incident manager. All personal data incidents considering EU citizens shall be reported to Data protection Agency by Data Controller, Customer, within 72 hours. PPAB is registered in Sweden and appropriate agency is Swedish Data Inspection.
General Data Protection Regulation – GDPR
Regulation (EU) 2016/679 – GDPR is an important regulation covering personal data for EU citizens and is valid for all global companies storing any personal data concerning EU citizens. The regulation will be valid as of May 18, 2018.
PING PONG has from day wóne been designed with GDPR as an important guideline and the system is designed for privacy in all reasonable aspects.
In terms of GDPR and PING PONG, PPAB is the Data Processor and Customer is Data Controller. In the capacity of Data Processor, PPAB covers following regulatory items:
● Customer are responsible for collecting consent from the users they add to PING PONG.
● Right to be informed; This document holds the information on what data is stored and how it will be processed.
● Right to access; PPAB will support Customer in presenting all personal data stored about a user.
● Right to be rectified; PPAB will support Customer in correcting any personal data not correctly stored in PING PONG.
● Right to be forgotten; PPAB will support Customer in deleting user and all personal data connected to user.
● Right to data portability; PPAB will export user data along with all personal data if so requested by Customer.
● Right to object; PING PONG, provided by PPAB, does individual adaptations to training schedule. This can be opted out on an individual basis. This will limit the functionality and may increase notifications from PING PONG.
PPAB uses AWS as operating environment for the system PING PONG. Amazon web services statement on GDPR.
This Policy was last updated on Aug 30th, 2018.