Privacy and Cookie statement


1. INTRODUCTION 
This document describes the measures taken by UNLOQ Campus to ensure proper levels of service, privacy and security. This Privacy Policy is based on the ICT safety guidelines for web applications of the Dutch National Cyber Security Center (NCSC). Additionally, this Privacy Policy is created in accordance with the General Data Protection Regulation (GDPR) and other regulations related to data privacy from the Dutch Privacy Authority (Autoriteit Persoonsgegevens, AP). UNLOQ Campus has the right to change this Privacy Policy. Changes will be published on this website.

2. WHO CAN SEE MY DATA?
Accessibility of data for the different roles of users. UNLOQ Campus users only have access to their own data and to data that has been specifically shared within the coach-client relationship. Thereby UNLOQ Campus takes the possible professional secrecy of a coach into account. There are three different roles within UNLOQ Campus with different access levels. The roles within the application are organization manager, coach and client.

  1. Organization managers: manage the organization account in UNLOQ Campus. They manage the profile information (such as name and email address) of coaches and coachees. They do not have access to data and information that has been shared within the dialogue between coach and coachee.
  2. Coaches only have access to their own personal data and to the personal data of their coachees that has been shared by the coachee.
  3. Coachees only have access to their own personal data and to the (personal) data that has been shared by the coach.

We only keep your data as long as necessary. Coachee data is kept until two years after the end of the coaching trajectory. Coach data will be kept until two years after the end of the agreement. If requested, UNLOQ Campus can delete all data from an account earlier. Also, coachees can easily delete their own account within UNLOQ Campus. By doing that, they delete all known personal data from UNLOQ Campus as well.
Employees of UNLOQ Campus make sure that other privacy right requests are handled correctly and in a timely manner.
For more information on privacy rights, please see the Privacy Regulations.
The privacy rights are:
  1. Right of inspection
  2. Right to rectification
  3. Right to oblivion
  4. Right to limitation of processing
  5. Right to transferability of data
  6. Right to submit a complaint

Notification e-mails in UNLOQ Campus: Email is an unsafe medium. Therefore, emails that are sent from UNLOQ Campus never contain confidential information. The emails you receive from UNLOQ Campus are used as notifications. Only after logging in to your UNLOQ Campus environment will you be able to see the actual message.
Sharing data with third parties: Data is not sold to third parties. Data is only transferred to third parties if this is necessary for the execution of the agreement between UNLOQ Campus and the customer, or if we are forced to do so by Dutch law. All parties UNLOQ Campus collaborates with keep at least the same security levels as we do. No data is transferred to “patriot act” liable parties.
User statistics: Within the safe application of UNLOQ Campus (campus.unloq.org) we do not use Google Analytics or other trackers. This means that we do not analyze your behavior within the actual secure UNLOQ Campus environment (something other parties do to offer you personalized advertisements based on your personal information). Within our marketing website (unloq.org), we do use Google Analytics and trackers to be able to share advertisements and information with people who may be interested in UNLOQ Campus. Please see our Privacy and cookie policy for more information about this.


3. OUR LOGIN PROTOCOL
Passwords: Users set their own password. Passwords are at least 8 characters long, including one number and one capital letter. This makes the password difficult for others to guess. If you forget your password, we will send a unique link to your email address with which you can set a new password. No passwords are sent through email. Passwords are encrypted in the database.
Two-factor authentication (2FA) through SMS codes or Authenticator: In addition to logging in with the username and password, UNLOQ Campus offers the option to add two-step verification. If two-step verification is enabled, you enter an extra code after entering your username and password. You receive this code on your mobile phone. Your account is extra safe with two-step verification.


4. TECHNICAL CONTROL AND HOSTING
Hosting provider: UNLOQ Campus has its IT-hosting infrastructure hosted by True Managed Hosting from True. True takes care of and manages the technical aspects of UNLOQ Campus, such as infrastructure and datacenters. True delivers dedicated servers to us and continuously optimizes the server environment.
Certificates: We chose True because of its safety. True is ISO 27001:2013 (information security), ISO 9001 (risk and quality management) and NEN 7510:2011 (information security in health care) certified and uses certified datacenters that are located in the Netherlands. With these certifications, True adheres to the highest standards of information security.
Datacenter location security: All datacenters that are used by True meet the highest standards for preventing unauthorized physical access to the servers, including biometric access controls, cameras, digital code locks and safety personnel. Only authorized employees have access to the server location.
Control: True is certified for all aspects of the daily managed hosting service. The safety and performance of the UNLOQ Campus servers and applications are guarded 24/7.


5. HOW DO WE KEEP UNLOQ Campus SAFE?
Ruby on Rails. The UNLOQ Campus application is built using Ruby on Rails. Rails is a web application development framework written in the Ruby programming language. Rails has been used for over 15 years and has an excellent safety track record.
Protection of data traffic: User information is only transported if it is locked and kept safe through SSL (Secure Sockets Layer) encryption. This means that data is not readable when someone intercepts it. Likewise, technical updates and improvement and maintenance data are only transported in encrypted form (through protected SSH connections). SSH is a cryptographic network protocol for protecting data communication.
Audits: IT systems and procedures of our partners are subjected to audits. In addition, UNLOQ Campus is subjected to audits and, as part of UNLOQ, holds an ISO 27001 certification.
Firewalls: To safeguard UNLOQ Campus from cyber attacks, all UNLOQ Campus servers have a Linux iptables-based firewall. This means that UNLOQ Campus checks all incoming network traffic and blocks it. The traffic can only pass if it has been classified as coming from a reliable source for incoming HTTP and HTTPS traffic. The firewall is instructed to block cyber attacks that aim to make the application unavailable (denial of service) or to intentionally delay the application (throttle traffic).
Back-ups: Daily back-ups are made of the data that is put in the application. Each night, a back-up is transferred to an offsite back-up server. This means that the data that has been shared in UNLOQ Campus does not get lost when a problem occurs.


6. DEVELOPMENT AND MAINTENANCE
UNLOQ Campus is continuously being monitored and developed. When we develop the application or do a security update, we do this safely. Our maintenance and development take place through a DTAP street (Development, Testing, Acceptance and Production). This means that all updates and new functions are put on a test server first, where they are tested and checked extensively by authorized people. Only when they approve does the update or new function go to an acceptance and production server. In this way, we can recognize safety or critical issues in time. The actual change to the application is only made when we are confident that it will not lead to problems in security or availability of the application.


7. WHAT CAN I DO? 
At UNLOQ Campus, we do everything we can to keep data as safe as possible. You, as a user of UNLOQ Campus, can do some things as well to work as safely as possible. We have some tips for you right here:
  1. Passwords: Naturally, you want to prevent someone else from having access to your account. Therefore, keep your password safe and never share it with other people. Make sure that the password is not easy to guess. Also, we recommend that you do not log in automatically (that is, let your browser remember your password) because, if you lose your computer, smartphone or laptop, someone else may log in automatically to your profile and have access to all your information!
  2. Two-factor authentication (2FA): We recommend using two-factor authentication in your profile (see section 3).
  3. Know your rights.
    - Are you a coach? Inform your coachees about their privacy rights. UNLOQ Campus does this already when the coachee logs in to UNLOQ Campus for the first time. If you do this as well, you can be confident that your coachee knows his or her rights.
    - Are you a coachee? Consider whether you have been informed well. If not, please contact your coach and ask questions.
  4. Do not collect unnecessary data. As a coach, you must always ask yourself whether you are collecting more data than you need for this trajectory. Minimize the amount of data that you collect, to minimize the chance of privacy issues.


Contact details
For any questions or requests about your privacy and our cookie policy, please contact us by e-mail through support@unloq.org.