Privacy Policy – Heap360 / CC TECH

DATA PROCESSOR AND DATA CONTROLLER

CC TECH (hereinafter “we, our, us”) does not collect personal information; we only process personal information in our capacity as data processor when, following documented instructions from our customers / data controllers, we provide SaaS (Software-as-a-Service). We therefore only process personal data as a data processor in accordance with the data processor agreement we have entered into with our customers. The personal information we transmit is never ours, but rather our customers’, who determine for what purpose and how personal information is processed. It is therefore also our customers who have policies for how they use personal data. How they process and protect personal data will most often be stated on our customers’ websites.

If data subjects contact us, we will forward the inquiry to the customer responsible for the data, who will subsequently answer the inquiry.

LOCATION OF DATA

We store our customers’ data at Amazon in Frankfurt, Germany, as well as at Hetzner, Germany, and never send data out of the EU. Our customers’ data will always be covered by the protection in the Personal Data Regulation.

TECHNICAL AND ORGANIZATIONAL MEASURES

We have taken technical and organizational security measures to protect your personal information from being destroyed, lost or altered, from unauthorized disclosure, and from being accessed or disclosed to unauthorized persons. Our security measures are continuously revised in line with technical developments.

Our software and data are hosted by cloud providers within the EU, all of which comply with the GDPR, for example Amazon Web Services. All data is encrypted “at rest” and “in transit”. Access to production data and services is severely restricted, and passwords / keys are secure and stored in a private key store. All data on test and staging environments is anonymized.

When a user has been inactive for more than 2 years, we anonymize their data.

We make backups continuously throughout the day and store them for 35 days. In the event that a user has requested deletion and a backup has been restored, we maintain a list of deleted user IDs and filter their data from the recovery, ensuring that their data never touches the database again.

We have implemented a “Privacy by Design” approach to our software development, which means that when we design new features, we actively consider privacy protection. In addition, we regularly review our software to see if improvements can be made to our privacy and data security, and to ensure that we comply with applicable laws.

We strive to help our customers comply with their GDPR requirements by providing the necessary tools and information in our software and by warning when the customer takes actions that may have consequences under the GDPR.

All actions in the system related to changes to personal data are recorded. These logs are available to our customers.