GDPR / Security

Safety

When you want to be absolutely sure

etrack1 is your guarantee of safety – your operating and backup data are located in Denmark. Hosting is based on redundancy, and communication with customers takes place according to the highest requirements for security. The classification of data in etrack1 is another element of the market’s most secure ticketing system.

Security

On etrack1 security

Data security and etrack1

Data security should be one of the key elements of any cloud-based service. Storage, transport, processing, access and monitoring are all elements of the “capsule” in which etrack1 as a solution is wrapped.

We operate the etrack1 servers at Itadel A/S on redundant servers in Copenhagen and Ballerup on split DMZs. Our customer data backup takes place every 5 minutes to a 3rd location in Denmark, and the only people with access to our customers’ data are employees at etrack1 who have a “functional” role in delivering to our customers. We don't use any other subcontractors.

The key elements of our routines before we start are always: risk assessment of new development, code review before commissioning, stress testing and testing of rollback procedures.
In this way, we ensure that we comply with all the requirements of our customers and requirements that GDPR imposes on us as data processors and you as controllers.

In other words: Your data is in the best hands with us, and we guarantee that etrack1 ensures the absolutely essential GDPR compliance.

GDPR-compliance and ISAE-3000

Responsible processing of data with etrack1

Being GDPR compliant means, among other things, that a company complies, as etrack1 does, with a number of well-defined areas of “processing security”.

Examples include:

  • Consistency between the collection of information and the purpose for which it is to be used (purpose and use)
  • Only persons who are part of the purpose of processing may have access to data
  • That when data is no longer needed, it is deleted/anonymised
  • That you, as a data controller, must ensure “appropriate organisational and technical measures” to secure data subjects.
  • That you must collect and prove that you have consent for processing
  • That such consent is given actively by the data subject prior to data processing, not implicitly (passively).

Most people know about the consequences of not complying with GDPR... but it is under our control!

Our responsibility is regulated through the in-depth data processing agreements that we design individually from customer to customer. The data processing agreements are based on the Danish Data Protection Agency’s standard and are regulated in accordance with Danish law.

Once a year in March, Deloitte reviews our procedures to ensure that we meet the requirements. We send a copy of the statement to all our customers, but you can also find it here.

TLS, DKIM and email relay

Select your preferred encryption

On the technical side, our control of security is complete in connection with picking up and delivering emails.

We support both “optional” and “forced” TLS, or you can choose to relay all emails through your existing email infrastructure.

If etrack1 is to deliver emails directly to recipients, this is based on an updated SPF record, where the etrack1 email server is approved to deliver on your behalf. This is of course with installed DKIM signatures, which means that emails will not be rejected due to lack of authenticity verification.

The security

e-boks

Extra security with e-boks

If you want to be sure to deliver to a specific recipient and at the same time want “end-to-end encryption”, you can convert regular emails to messages in e-boks with etrack1.

In etrack1, the employee simply chooses:

  • “send as e-boks message”
  • Enters a CVR or CPR number
  • Writes the message and attaches any documents
  • Clicks “send”

If the recipient responds to the email from e-boks, the reply naturally enters the thread in etrack1 from which it was sent.

Redundant hosting in Denmark

No data loss with etrack1

The infrastructure on which etrack1 sits is established at Itadel A/S, at two separate hosting centres in Copenhagen and Ballerup respectively. Backup is continuously made to a third location in Aarhus.

The network on which this redundant setup runs is separated, so etrack1 can continue to run even if one centre disappears. We guarantee that even if this happens, there will be no data loss.

The network is protected by an advanced anti-DDoS setup which ensures uptime, accessibility and practical invulnerability. Thus, we have invested heavily in our hosting facilities and regardless of price, we never compromise on protecting data and accessibility.

Our goal is for no other ticketing system vendor to be able to match us – we want to be the safest solution on the market.

Subcontractors

Who has access to your data?

The data processing agreement regulates who we, as a supplier, are allowed to work with in terms of subcontractors with access to your data.

The data processing agreement also obliges us to take extra care of your data through “technical and organisational measures”.

To minimise the risk of data breaches and make our responsibility as clear as possible, we use only one subcontractor – Itadel A/S in Denmark. All others with access to data are employees at etrack1, who are subject to strict confidentiality clauses and of course auditing and logging of access and functional separation.

AD-integration

Security with AD-integration

To control employee access to etrack1, as an etrack1 customer, you can choose to use the user and rights control that is built into etrack1. Alternatively, you can verify user access against an existing “active directory”.


If you use etrack1 user and rights control, there are built-in default settings for compliance with the level of safety, e.g.:

  • Password length and content
  • Time interval for password changes
  • IP-address limitations
  • Roles and rights management

Whichever model you choose, as a supplier, we guarantee that if you follow our instructions, data will be secure at etrack1.

Backup and restore

Data loss is pretty much theoretical.

We do a monthly full backup and “incrementals”, i.e. backups of the files which have been changed, on all other days.

In addition to this, we perform “log-file-shipping” every 5 minutes so that the maximum amount of data that can be lost in connection with a total crash is 5 minutes of activity.

Once a quarter we perform a “disaster recovery test” and determine the outcome of this, both in relation to data integrity and in relation to the time needed for re-establishment.

Documentation of these tests is also provided in our ISAE report from Deloitte.

We are continuously working on this process, and in 2021, we will change our backup routines so that, in addition to being run as they are now, they will be re-established on a hot-standby SQL server every 5 minutes so that it contains the latest data from our backup and “log-file-shipping”.

If an accident happens, our restoration of the operating environment will take place in less than 60 minutes once the new process is implemented.
