Security and Privacy
At Drieam we place security as the highest priority in the operations of our suite of products and services. We strive to continuously provide a robust set of security measures and practices to guarantee the privacy & security of our customers’ data. Therefore, we always work in line with our Data Protection policy, meaning we carefully deal with all collected and processed data and that we comply with the applicable legislation, including the General Data Protection Regulation (GDPR) and its Implementing Act.
At Drieam we take adequate technical and organisational measures to make sure our customers’ data is secure and protected. The key principles which we use for this purpose are Security by Design (like data minimisation) and Security by Default. Moreover, we periodically carry out internal audits in line with the IT security guidelines for web applications, defined by the Dutch National Cyber Security Centrum (NCSC).
Despite our dedicated measures to ensure security and privacy within our apps and systems, it can still happen that a vulnerability occurs. Therefore, in addition to our own actions to find possible vulnerabilities, at Drieam we are always open to notifications about weaknesses found by others. A vulnerability in one of our systems can be reported directly to our security officer (email@example.com). Together with the notification, we kindly request an extensive description of the vulnerability found, so we can reproduce and resolve it. Moreover, we kindly request the reporter not to share the identified vulnerability with others; notifications will always be treated as confidential information. For each notification, elements cannot be downloaded, changed or removed. We strive to solve any vulnerabilities found as soon as possible and to make sure they will not occur again.
When performing our services, our partners might have access to personal data. They are, therefore, (sub-)processors of personal data as referred to in article 4 of the General Data Protection Regulation (GDPR). At Drieam, we take several measures to ensure that this data is processed in a safe and responsible way, in line with article 28(2) of the GDPR.
When possible, we keep data in Europe and we have concluded a data processing agreement (DPA) with each of our partners. In addition, we only work with partners located in the European Union, or in the United States, provided they are affiliated with the EU-US Privacy Shield. Below you will find the updated list of partners that might have access to the data processed/collected by Drieam:
| Subprocessor | Purpose | Country of processing | Certification | Country entity | Remarks |
|---|---|---|---|---|---|
| Amazon Web Services (AWS) | AWS is used to host, backup and process Drieam’s web applications and all its data. | Frankfurt, Germany; Dublin, Ireland | ISO 27001, 27017, 27018 certification and SOC2 Type I attestation; EU-U.S. Privacy Shield framework certified | Ireland | - |
| Heroku [Salesforce] | Cloud platform as a service (PaaS) to build, run and operate Drieam’s web applications. | Europe | ISO 27001, 27017, 27018 certification and SOC2 Type I attestation; EU-U.S. Privacy Shield framework certified | US | - |
| TransIP | Webhosting | NL | ISO 27001 certification | NL | Only applicable to Canvas hosting |
| Appsignal | Application performance monitoring | NL | Application data stored in ISO 27001 certificated facilities | NL | - |
| Bugsnag | Reporting, monitoring and resolving issues in our software | EU | EU-U.S. Privacy Shield framework certified | US | Phase out in Q2 2020, replaced by AppSignal |
| NewRelic | Digital Performance Monitoring and Management | EU | EU-U.S. Privacy Shield framework certified | US | Phase out in 2020, replaced by AppSignal |
| Mailgun | Transaction email service to send, receive and track emails | EU | EU-U.S. Privacy Shield framework certified | US | Only applicable to Eduframe and Canvas hosting |
| Userpilot | Software to support in-app onboarding | US | - | US | Offered as an opt-in feature for our customers |
| Instructure | Learning Management System (LMS) | EU | www.instructure.com/canvas/security | US | Only applicable when reselling Canvas LMS |
| Hubspot | Store leads info, establish communication channels and track progress along the buying lifecycle | EU & US | EU-U.S. Privacy Shield framework certified; Application data stored in ISO 27001 certificated facilities | US | The data that is processed is limited to Drieam’s direct contact persons at the customer/lead |
| Moneybird | Invoicing & accounting software | NL | - | NL | Only personal data of Drieam’s direct contact persons at the customer is being processed. |
| Slack | Used as internal communication system at Drieam. Although sharing personal data of our customers over it is limited, a processing agreement with Slack has been concluded. | US | EU-U.S. Privacy Shield framework certified | US | Only personal data of Drieam’s direct contact persons at the customer is being processed. |
| Freshdesk | Helpdesk software | US & EU | ISO 27001, 27017, 27018 certification and SOC2 Type I attestation; EU-U.S. Privacy Shield framework certified | US | Only personal data of Drieam’s direct contact persons at the customer is being processed. |
| Google Suite | Used for email communication, calendar events and cloud storage of our team. | US & EU | EU-U.S. Privacy Shield framework certified; Application data stored in ISO 27001 certificated facilities | US | Only personal data of Drieam’s direct contact persons at the customer is being processed. |
Feel free to contact our security officer for any question or comment related to Drieam’s (data) privacy & security: firstname.lastname@example.org
Drieam enables higher education, commercial training providers & business schools to deliver the ultimate learning experience with Canvas. We do this by leveraging the best software out there, including our own solutions. All seamlessly integrated.
Copyright © Drieam 2020