Data Privacy & Security

As an EU-based SaaS company, the security of your data is a top priority for us. Below, we answer the most frequently asked questions about our protection measures. We are happy to answer further, more in-depth questions at any time.

Frequently Asked Questions

General Data Protection Info

Does Zavvy have a DPO?

For all questions regarding data protection, we work together with the experts from Dataguard - one of the leading providers in the area of DSGVO compliance.

Our data protection officer is thus:
DataCo GmbH
Dachauer Straße 65
80335 Munich
Germany
+49 89 7400 45840

www.dataguard.de

How else does Zavvy ensure that employees entrusted with processing orders are familiar with the legal provisions on data protection?

Data protection training is part of Zavvy's mandatory onboarding process.
All Zavvy employees are required to maintain confidentiality or comply with data protection and are made aware of the consequences in the event of violations.

In addition, the company conducts regular training and awareness-raising measures on the handling of personal data, the GDPR and legal innovations. 

Do we have to conclude a DPA with Zavvy?

Yes, both our customers as the controller and we as the processor are obliged to conclude a corresponding contract in accordance with Art. 28 EU-DSGVO.

The conclusion of the contract by both parties is a mandatory prerequisite for the use of our software. We will be happy to send you our template upon request.

What happens when a data breach occurs?

In the event of an unexpected data breach in which the personal data collected from the website's customers is compromised and the breach is likely to jeopardize the rights and freedoms of the customer's employees, Zavvy will follow a procedure established by the Data Protection Officer, Dataguard.

This involves promptly notifying the Customer of the contractual obligations so that the Customer can comply with its legal obligations to notify the supervisory authorities and the data subjects.

Has the application been developed in accordance with the requirements for data protection through technology design and has it been preset in a data protection-friendly manner?

As a European company, data protection and compliance with the GDPR are central components of our product strategy.

That is why we already pay attention to principles such as data economy and the use of state-of-the-art measures to ensure an appropriate level of protection when developing our features.

In addition, we offer our customers the option of creating custom report formats to meet their individual needs in terms of anonymizing individual components.

To ensure this on a permanent basis, we have also defined a process that continuously incorporates the legal requirements into the product development process and reviews the application at regular intervals.

Is the application GDPR compliant?

Zavvy fulfills the requirements of the EU General Data Protection Regulation and is data protection compliant as an organization as well as software according to EU-DSGVO.

To this end, we have checked our product from the very beginning for the essential legal requirements such as data protection through technology design and through data protection-friendly default settings (Art. 25 EU-DSGVO) or also the support of the customer in safeguarding data subject rights such as the right to erasure, the right to information or the right to data portability (Chapter 3 EU-DSGVO) and have made appropriate adjustments.

Encryption and pseudonymization

Is the transmission of customer data encrypted?

Yes - For all communication between users and our servers, HTTPS is enforced with SSL certificates that are renewed every 3 months.

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted connection between a web server and a browser.

This connection ensures that all data transferred between the web server and the browser remains confidential and unalterable. SSL is an industry standard and is used by millions of websites to protect their customers' online transactions.

Confidentiality and integrity

Where does Zavvy store user-related data?

Zavvy relies on the services of Amazon Web Services (AWS) in Frankfurt (https://aws.amazon.com/de/compliance/gdpr-center/) for hosting the software.

The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers' data.

When selecting external service providers that are necessary for the operation of the software (e.g. mail dispatch), the hosting of the data within the EU is a mandatory basic criterion.

Who can access customer data at Zavvy?

The assignment of access rights is logged and based on the "need-to-know" principle.

On the Zavvy side, only our engineering team (server side) as well as our product managers and the employees of the Customer Success or Learning Experience Team (customer system side) have access on an ad hoc basis.

This is necessary to support the initial setup of the account and the processing of service requests.

How is user authentication performed?

Access is exclusively via personalized user accounts that are uniquely assigned to a person. Login is done with a user name and a password, which must be set upon initial login according to the secure password policy implemented in the application.

Password minimum requirements are:

- At least 8 characters long
- At least 1 number or special character
- At least 1 lower case letter
- At least 1 upper case letter

Who has access to which data on the customer's side?

In principle, the access rights are designed in such a way that the requirements of Art. 24 EU-DSGVO for data protection-friendly default settings are met.

This means that newly created employees "by default" have no rights beyond editing their own profile.

However, you as a customer are able to assign rights individually based on your own authorization concept.

Earmarking

Who owns the data?

The customer is "master of the data" both in the contractual relationship and in the sense of data protection law. He is the sole authorized party with regard to the power of disposal of all data used by him (data entered, data processed, data stored, data output).

This also means, in particular, that the Customer is responsible for safeguarding the rights of data subjects (Chapter 3 EU-DSGVO).Zavvy is a processor and thus processes your data exclusively on your instructions and for the purposes regulated in the contract for commissioned processing.

This specifically means that Zavvy will not sell or share data with third parties under any circumstances.This excludes the transfer of data to subcontractors, which is regulated in the contract for order processing with our customers. Furthermore, Zavvy reserves the right to use completely anonymized data, e.g. for the purpose of testing or further development of the product.

Such anonymization is carried out exclusively within the framework of the legal provisions and takes into account the state of the art as well as the recommendations of the Article 29 Working Party and the European Data Protection Board. Anonymized data means that no conclusions can be drawn about Zavvy or companies.

This means that there is no risk for our customers. Zavvy attaches particular importance to protecting the privacy of the customer.

Together with our data protection officer Dataguard, we have therefore implemented technical and organizational measures to ensure the security of processing, which we are continuously developing. Zavvy complies with all requirements of the EU General Data Protection Regulation and is data protection compliant as an organization as well as software according to EU-DSGVO.

What happens to the data after the termination of the contract or cessation of business operations by Zavvy?

Upon termination of the business relationship, the Customer's authorized persons may request the release of the data, after which the data will be irretrievably deleted upon expiration of the contractually defined period.

In principle, in the unlikely event that Zavvy ceases business operations, there is no deviation from this, as the Customer is "master of the data" and Zavvy is merely a processor and thus cannot/will not otherwise dispose of the personal data.

Security and recoverability

Are regular backups performed?

We create daily backups of our database and store them securely in our AWS cloud infrastructure. If a restore from a backup is required, our lead engineers can access it.

How is the security of the processing verified?

We conduct regular audits of our organization and product based on the legal requirements for data protection. We use the results of these audits as an opportunity to take measures to further develop our documentation, processes, structures or functionalities as well as technical and organizational measures. 

Do you still have questions? Write to us at info@zavvy.io or arrange an individual consultation.