YOur data, our priority

Security and Privacy

At Drieam, we place security as the highest priority in the operations of our suite of products and services.

We strive to continuously provide a robust set of security measures and practices to guarantee the privacy & security of our customers’ data. Therefore, we always work in line with our Data Protection policy, meaning we carefully deal with all collected and processed data and that we comply with the applicable legislation, including the General Data Protection Regulation (GDPR) and its Implementing Act.

Privacy Policy

In our Privacy Policy, you will find information about how, whether, and why we collect and use personal information with our apps and systems.

Security Measures

At Drieam we take adequate technical and organisational measures to make sure our customers’ data is secure and protected. The key principles which we use for this purpose are Security by Design (like data minimisation) and Security by Default. Moreover, we periodically carry out internal audits in line with the IT security guidelines for web applications, defined by the Dutch National Cyber Security Centrum (NCSC).

Responsible Disclosure

Despite our dedicated measures to ensure the security and privacy within our apps and systems, it still can happen that a vulnerability occurs. Therefore, further to our actions to find possible vulnerabilities, at Drieam we are always open to notifications about weaknesses that can be found by others. A vulnerability in one of our systems can be notified directly to our security officer. We are excluding our WordPress hosting from the Responsible Disclosure program. Together with the notification, we kindly request an extensive description of the found vulnerability, so we can reproduce and resolve it. Moreover, we kindly request the reporter to not share the identified vulnerability with others; notifications will always be treated as confidential information. For each notification, elements cannot be downloaded, changed, or removed. We strive to solve any found vulnerabilities as soon as possible and to make sure they will not occur again.

Our Partners

When performing our services, our partners might have access to personal data. They are, therefore, (sub-)processors of personal data as referred to in article 4 of the General Data Protection Regulation (GDPR). At Drieam, we take several measures to ensure that this data is processed in a safe and responsible way, in line with article 28(2) of the GDPR.

When possible, we keep data in Europe and we concluded a data processing agreement (DPA) with each of our partners. In addition, we only work with partners located in the European Union, or at the United States, provided they comply with the GDPR rules and regulations when processing our data. Below you find the updated list of the partners, which might have access to the processed/ collected data by Drieam:

Sub-processor Purpose Country of processing Certification Remarks Country entity
Amazon Web Services (AWS) AWS is used to host, backup and process Drieam’s web applications and all its data. EEA / US (Qualtrics LTI hosted in US) ISO 27001, 27017, 27018 certification and SOC2 Type II attestation Ireland
Heroku [Salesforce] Cloudplatform as a service (PaaS) to build, run and operate Drieam’s web applications. Europe / US (Qualtrics LTI hosted in US) ISO 27001, 27017, 27018 certification and SOC2 Type II attestation US
Appsignal Application performance monitoring EU Application data stored in ISO 27001 certificated facilities NL
Mailgun Transaction email service to send, receive and track emails EU/US SOC2 Type II attestation Applicable to Eduframe, Portflow and Canvas hosting US
Instructure Learning Management System (LMS) EU www.instructure.com/canvas/security Only applicable when reselling Canvas LMS US
Qualtrics XM Distribution of surveys and saving and reporting of survey results EU ISO 27001 Certification https://www.qualtrics.com/security-statement/ Only applicable when reselling Qualtrics. US
Freshdesk Helpdesk software EU ISO 27001, 27017, 27018 certification and SOC2 Type I attestation Only personal data of Drieam’s direct contact persons at the customer is being processed. US
Google Workspace Used for email communication, calendar events and cloud storage of our team. US & EU Application data stored in ISO 27001 certificated facilities Only personal data of Drieam’s direct contact persons at the customer is being processed. US

SOC2 type II certification

Drieam was assessed on internal control policies and practices and has received SOC2 type II certification by meeting the stringent requirements set forth by the AICPA and CICA.

Drieam has access control procedures in place and we are fully trusted with highly confidential information such as passwords, documents and secure images.

Read more here

Contact

Feel free to contact our security officer for any question or comment related to Drieam’s (data) privacy & security: securityofficer@drieam.com

For information concerning our external Data Protection Officer (DPO), please consult our Privacy Policy.