Integrity and Security

We at Examinare care about protecting your privacy and security. GDPR, the new Personal Data Processing Act, places greater demands on transparency, and this page is therefore here to tell you what we do in the processing of personal data. A number of areas together give you the whole picture of how we look at integrity and security, both regarding Examinare programs and for you as a user and customer of Examinare. We have divided these into a number of sections that may be updated and filled in with more information in the future.

GDPR - The law on the processing of personal data.

GDPR stands for the General Data Protection Regulation and is a new data protection regulation from the EU that will become law in all EU member states from 25 May 2018. GDPR will replace the current Swedish Personal Data Act (PUL). The law is intended to protect the integrity of individuals and to modernize, harmonize and strengthen protection within the EU.

Within each EU member country there is a supervisory authority that will check this. In Sweden, this authority is called the Integrity Protection Authority (Integritetsskyddsmyndigheten), formerly the Computer Inspectorate (Datainspektionen). On their website there is more information and help that you can check to find out what you need to do: https://www.datainspektionen.se/dataskyddsreformen/ (Page is in Swedish)
You may also find an English page on GDPR here: https://www.eugdpr.org/

Processing of personal data.

The law describes how to process personal data, and there are two important concepts to understand. Personal data is any information relating to an identified or identifiable individual (also called a registered person). An identifiable physical person is a person who can be identified directly or indirectly, in particular with reference to an identifier such as a name, an identification number, a location or online identifiers, or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of the physical person. Processing of this data means that you undertake an action or combination of actions on personal data or a set of personal data, regardless of whether they are performed automatically or not. Examples of such treatment are collection, structuring, storage, processing, dissemination or deletion.

Sensitive personal data.

There is a special category of personal data that the law addresses and which you as a personal data controller need to pay extra attention to: sensitive personal data. Examples of sensitive personal data are data revealing ethnic origin, political opinions, religious or philosophical beliefs or information on health and sex life. The starting point is that it is forbidden to process this personal data, but there are a number of exceptions. In Sweden, an investigation is being carried out on these tasks and they are looking forward to developing supplementary Swedish legislation. Read more about sensitive personal information here. (It is in Swedish, but there is a translation provided by the website).

Personal Data Responsible and Personal Data Counselor.

In the processing of personal data, there are primarily two roles that you should know about, and depending on which role you have, there are different areas of responsibility. The personally responsible person (PuA) is the one who, under the law, has ultimate responsibility for the treatment and determines the purpose and means. The person responsible for personal data will ensure that the law is followed, inform the persons whose personal data is processed and ensure compliance with the privacy data. The Personal Data Adviser (PuB) processes the personal data on behalf of the Data Protection Officer and is responsible for the technical and organizational security measures.

Responsible and assistant for the tasks in Examinare Services.

All processing of personal data in the programs is your sole responsibility. Examinare is a personal information officer and takes technical and organizational security measures to make sure that your collected personal data is processed safely and in accordance with the law. Examinare Technical and Organizational Actions are described under Security.

You can find the Security information here.

Examinare as personally responsible.

All processing of personal data about you as a customer, user or participant in our training is our responsibility when you order Examinare Services, contact us or register for any of our programs. What we do, and do not do, with your personal information is described in our Privacy Policy.

You can find our Privacy Policy here.

Basic principles of GDPR.

The law is based on 7 basic principles:

  • Legality, Correctness, and Transparency
  • Purpose Limitation
  • Data Minimization
  • Correctness
  • Storage Minimization
  • Integrity and confidentiality
  • Accountability

What the basic principles mean, you can read about here: https://www.datainspektionen.se/dataskyddsreformen/dataskyddsforordningen/principer-for-behandling-av-personuppgifter/ (The link is in Swedish, but English translation is provided by the website).

In compliance with the principle of legality, regularity and transparency, you need support in the Data Protection Regulation to allow the processing of personal data. You need one of these legal bases to process personal data: an agreement, a legal obligation, basic interests, public interest, authority or balance of interests.

Unstructured material.

In PUL we have had an exception in Sweden, where we did not have to think about how personal data is processed. This exception is called "Code of abuse" (Missbruksreglen). It meant that we have been able to have personal data in so-called unstructured material, which is running text and free text such as a document, e-mail, web page or notepad in a system. The abuse rule now disappears through GDPR, which means that you need to chart which personal data is contained in all unstructured materials and need to begin handling it in the same way as structured material.

This is what you need to keep in mind when you use Examinare Services.

You as a customer have a number of things that you need to consider regarding the processing of personal data in Examinare programs, where you are personally responsible and only you determine the purpose and the means.

Overview of personal data in Examinare programs.

Examinare is a program provider and personal data counsel for the processing of personal data in the Examinare programs. As our user, you are responsible for the data and need to know what information you collect, why and how long you will retain information in the program. What personal data will be processed by you in the Examinare programs is known only by you. If it is personal or private company's data, then it is considered personal data or a company's data. Only you know what data you save and process in the Examinare programs. We did our own investigation on where and which personal data may be processed in our programs and found that the following information may be personal data.

 

| Part of program/service | Type of data | Fields | Extra information |
|---|---|---|---|
| Recipients database | Personal data | Name, Surname, Email, Cellphone number, Phone number, Gender, Year of birth, Month of birth, Day of birth, Attention address (C/o), Street address, Zip-code, City, State, Country | |
| Recipients database | Company/Personal data | Company name, Department, Company title | |
| Survey Data | Personal data | Name | Name is saved together with Contact ID to preserve statistic reliance. |

Examinare also has the ability to create custom fields; data saved in these fields is not included in the list above.

Handling between Examinare programs through Examinare API and External services.

Since the majority of Examinare's services use the Examinare API to function, we also need to inform you about how they are used. The integrations you use in your account are up to you and only you know what personal information is used in these systems.

As a rule, Examinare Survey Tool is always used as the main storage and "temporarily lent" to external systems through the Examinare API. All processes in Examinare external programs use API keys. We have made sure that no information about your recipients is saved outside Examinare Survey Tool. 

All the information is retrieved via an encrypted connection. Data retention policy for both Examinare Survey Tool and Examinare external services can be found by clicking here.

Below is a summary of the integrations that are developed and maintained by Examinare, showing what kind of information is being managed and if something is temporarily stored on these servers or for the system to work.

| Program/Service | Type of connection | Saved information | Extra information |
|---|---|---|---|
| Dropbox | One-way outgoing direction | Reports that you decide to sync. [O] | No reading of information |
| eBox Sync | One-way outgoing direction | Reports that you decide to sync. [O]; Uploaded files. [O]; Structured data for controlling surveys. [O] | eBox is hosted by Examinare according to Examinare external services. |
| Fortnox Integration | One-way outgoing direction | Customer data [E]: Email, Name, Surname, Phone number, Mobile Phone | |
| MailChimp | One-way outgoing direction | Recipient data [E]: Email, Name, Surname | |
| Prestashop | One-way outgoing direction | Customer data [E]: Email, Name, Surname, Phone number, Mobile Phone, Order ID in Prestashop | |
| Shopify | One-way outgoing direction | Customer data [E]: Email, Name, Surname, Phone number, Mobile Phone, Order ID in Shopify | |
| Twilio | One-way outgoing direction | Personal data [E]: Phone number, Mobile Phone, Call ID in Twilio | |
| Woo Commerce | One-way outgoing direction | Customer data [E]: Email, Name, Surname, Phone number, Mobile Phone, Order ID in Woo Commerce | |
| Zendesk (ALL) | One-way outgoing direction | Ticket Data [E]: Email, Name, Surname, Ticket ID in Zendesk | |
| Clinic Evaluator | One-way incoming direction | [K] API Key; Recipient Full Profile [E]; Serial number of Recipients [O]; Configuration settings [O] | Configuration settings involve Email message configuration. Recipient Full Profile = All the information you decide to save into the system. |
| Delivery Feedback Survey | One-way incoming direction | [K] API Key; Recipient Full Profile [E]; Serial number of Recipients [O]; Configuration settings [O]; Order ID [O] | Configuration settings involve Email message configuration. Recipient Full Profile = All the information you decide to save into the system. |
| Food Evaluator | One-way incoming direction | [K] API Key; Recipient Full Profile [E]; Serial number of Recipients [O]; Configuration settings [O] | Configuration settings involve Email message configuration. Recipient Full Profile = All the information you decide to save into the system. |
| KursEval | One-way incoming direction | [K] API Key; Recipient Full Profile [E]; Class Profile [O]; Serial number of Recipients [O]; Configuration settings [O] | Configuration settings involve Email message configuration. Recipient Full Profile = All the information you decide to save into the system. Class Profile includes only serial numbers of recipients and no personal information. |
| Stay Evaluator | One-way incoming direction | [K] API Key; Recipient Full Profile [E]; Serial number of Recipients [O]; Configuration settings [O] | Configuration settings involve Email message configuration. Recipient Full Profile = All the information you decide to save into the system. |
| Why Cancel | One-way incoming direction | [K] API Key; Recipient Full Profile [E]; Serial number of Recipients [O]; Configuration settings [O] | Configuration settings involve Email message configuration. Recipient Full Profile = All the information you decide to save into the system. |

  • [O] = Information saved inside external service.
  • [E] = Information from the external program is saved into Examinare survey tool account.
  • [A] = Information that is accessed when you or your co-workers are using the external service, but is not stored inside the system.
  • [K] = API Key information that is saved inside the external service, but protected with encrypted storage and only accessed on behalf of you while using the program.

One-way incoming direction means that the program will use your saved API-information to access information on your behalf only through authorized logins.

One-way outgoing direction means that Examinare Survey Tool is contacting an external service and, in some cases, this entails establishing a temporary API connection from Proxy to Examinare Survey Tool. After the individual request has been completed, this temporary API connection is removed and never reused.

 

Cookies on our websites

All Examinare's websites and owned external services sites contain so-called Cookies. Cookies allow the website to remember important information that makes your visit to the website more comfortable. Some functions rely on Cookies to function and it is important that you note what cookies to allow and what cookies you can block.

What are cookies and how do we use cookies?

A cookie is a small text file that is placed on the computer by a web server and acts as an ID card. Cookies allow the website to remember important information that makes your visit to the website more comfortable. Like most other websites, Examinare's cookies are used to enhance your internet experience as follows:

  • You have logged in to the site and will not need to log in again on the next page visit.
  • Help you to keep track of the items that you have added to your shopping cart or the service you are ordering.
  • Customize our page/services according to the user preferences you have specified.
  • Count the number of users and traffic. By understanding how the site is used, we can develop and improve it.
    (No personal information is recorded)
  • Customize our services, so that you get ads that are relevant to you. (In some cases, never inside our tools)
  • Collect and analyse behavioural data based on the use of website and services in order to enhance the user experience and also enable personalized communication and message to the user. (No personal information is recorded)

There are two types of cookies and both are used on Examinare's websites. One type, called Permanent Cookie, saves a file that is left on the visitor's computer. For example, it is used to customize a site according to the visitor's wishes, choices and interests, as well as for the statistical follow-up. 

The other type is called Session Cookie. While a visitor is on a webpage, it is temporarily stored in the memory of the visitor's computer. Session Cookies will disappear when you close your browser or will live according to your own browser settings. Examinare's websites also use third party cookies for, among other things, Google Analytics and Remarketing. The purpose is to understand how our sites are used and be able to improve them, as well as to do targeted advertising. If you do not want to receive cookies, you can change your settings for cookies in your browser, and you can also block cookies. Please note that if you block cookies, you will not be able to use all the features on Examinare's websites.

List of Cookies and websites belonging to Examinare.

Since Examinare provides customers with not only one, but multiple services, it would be a very long document if we listed them all. Therefore, to keep it a little bit shorter, we have listed the types of websites and the way Cookies and information are handled. There is also more detailed information accessible here in our Privacy Policy.

Survey Tool Sites

Survey Tool Sites include country based websites for promoting Examinare Survey Tool. The websites are country based extensions of Examinare name, for example, but not limited to: examinare.se, examinare.ru. 

Examinare Chat

To give an excellent service to existing customers and new contacts we use a chat tool that is self-hosted by us. In this chat tool we record location, but never personal information unless you enter it. To block the Examinare chat you can safely block the following cookies from domain chat.examinare.com:

  • PHPSESSID
  • lastactivity
  • usrsession

Blocking any of the cookies from Examinare chat will make it impossible for you to contact us by chat. 

Information that is recorded by the chat functionality without chatting with us:

  • Country and in some cases City from your Internet Service Provider. (Not personal information)
  • Duration of visit and what pages were visited.

The information you are entering into our chat widget:

  • Name
  • E-mail
  • Message
  • Phone number
  • Chat Log

This information is recorded in a database during the chat conversation. When the conversation ends, the information remains in the database. You can request that all information be removed by contacting us.

See more information here in our Privacy Policy.

Examinare.com

Examinare.com is used for communicating with Examinare's business services and does not use Cookies originating from Examinare website. 

The information you enter into forms on the website will be sent to email and to the ticket management system used internally inside Examinare.

Customer Zones

Examinare Customer Zones handle all data with encrypted connections. In the communication, there is only a SESSION Cookie with the name SESSIONID saved (can differ depending on proxy technology). In this cookie, there is only a serial number that helps you to be logged into the customer zone. 

Domains: myzone.examinare.com and myzone.buyfrominternet.com

No personal information is written in any Cookies.

Ordering Processes and Checkouts.

During the order process of a service from Examinare, the website is based on the above-mentioned Customer Zone, but uses Cookies to capture when your customer profile has been created to identify your login during the checkout process. 

Examinare External Services.

Examinare External Services refers to our own added products and services, for example, but not limited to:

  • Stay Evaluator
  • Clinic Evaluator
  • Why Cancel
  • Delivery Control Survey / Leveranskontroll
  • Food Evaluator

When you are visiting the websites as a visitor, there are no Cookies being sent to your browser. However, when you are signing into Examinare External Service, a Session Cookie is used to identify your browser as a logged in person.

Examinare Hosting / Buy From Internet

Examinare has a hosting service for both websites and survey related projects and these services have their own regulations regarding data storage. The website has no cookies, but the ordering page, as described in the "Customer Zones" section above, uses Cookies to capture when your customer profile has been created to identify your login during the checkout process.

Cookies Overview List.

Here is an overview of the website cookies mentioned above. All of our websites are more or less using the same structure.

More Security Information.

For more information about Security on our Servers, click here.

For more information about your privacy read our Privacy Policy here.

 

Privacy Policy

Welcome to Examinare's page about processing personal data. This page will help you make an informed decision regarding your relationship/communication with us.

Also make sure you check our page on Cookies and handling of information, found by clicking here.

Before we go into detail, we would like to highlight three important points that this document is about. The points are important to us because we know they are important to you:

  • We want to clarify the responsibility for protecting your rights and privacy.
  • We explain how we use the personal information you share with us in order to provide you with our Services and provide you with the best experience of them, the website and when you are in touch with us.
  • The document will give you an understanding of what information we collect, what we do with it and what we do not do with it.

Parties and Responsibilities for the processing of your personal data.

Examinare AB, 556773-2598, Krinova Science Park, is a program provider of web-based applications, including survey tools, customer survey knowledge systems, hereinafter referred to as "the Service". Examinare AB is a personal information officer for processing your personal data in the Service and is therefore responsible for the organizational and technical security measures described on the Examinare website. The party personally responsible for processing your information in the Service is the "Customer", which is the organization registered with Examinare and may be a company of any size or an individual. You who are users and have your own login information for the Service are referred to below as the "User". In the Service, the "Responsible Person", the sole representative of the Customer in the Service, is responsible for adding and editing users and other system administrators, assigning rights and giving instructions to Examinare regarding the processing of data, including personal data, in the Service. You as a partner, supplier or reseller of the programs are referred to as "Business Partner" below. Customers and Business Partners have persons whose contact details are registered with Examinare so that we can contact you; they are called "Contact persons".

Examinare is the data controller for the processing of the personal information you share with us when:

  • You order the Service.
  • You get login information and become a user of the Service.
  • You are using the Examinare external services.
  • You enter into an agreement with Examinare and become a business partner.
  • You are registered as a contact at Examinare for your organization.
  • You apply to get a custom quotation for a project.
  • You have a question and / or contact us.
  • You visit our website and accept cookies.

What personal data do we process about you?

What personal data is processed varies depending on the type of business you have. Corporate data can be personal data for a customer or business partner that is an individual company, or for a student using an Examinare program during education. When you order the Service, we collect contact information about you as a contact person and company information about you as a customer. All users have registered contact information, login details, and online identification with us in order to use the Service. If an agreement has been entered into with Examinare, we will process information about you as a business partner, which will be personal information, as well as contact information about you as a contact person. If you have a question or contact us regarding any other matter, the amount and type of personal information may vary depending on which communication channel is being used. The categories of personal data are usually contact information, online identifier, company information and the matter itself as unstructured material, which contains the personal data you have chosen to share with us. A detailed list of the personal data that appears in the different categories, the occasions and the legal basis on which the treatment is based is given in Appendix 1.

Information about what cookies are and how we handle cookies is described on our Cookies page (Linked here).

Why do we process your personal information?

Examinare collects this personal data about you as a user and customer in order to provide the Service, as well as to provide you with the best possible experience of both the Service and our website. It is necessary for us to identify you, administer your account, for statistical purposes and for direct marketing (which you can unsubscribe from). The personal data collected upon ordering is required to handle the order, invoice and send login details to you and/or contact you. All users' personal information is required to give you access to the Service, in order to use the Service, to create a treatment/process history for you as a customer, to identify you and to know which users and/or customers use the Service. Company information about you as a business partner is required to fulfill the contract, and contact details about you as a contact person are required to contact you. When you contact us through any of Examinare's communication channels (such as, but not limited to, chat, email, phone), your information will be used to handle the case, contact you for educational purposes, and help improve our service by saving the case on recurring questions from you or other persons with the same question.


If you visit any of Examinare's websites, you agree to cookies for the processing of your information.

Who do we share personal data with?

In the use of Examinare services (especially if you are legally registered outside of Sweden), we may share personal data with suppliers and external support staff working for Examinare both inside and outside the EU / EEA. If you only want support from the local support staff in the country where you are legally registered and/or Examinare AB, you may choose to lock your profile, with the disadvantage of receiving limited support. Suppliers and external support staff have obligations regarding the processing of personal data corresponding to those that you as a customer have agreed with us and that appear in the Personal Data Entry Agreement. Your data as a customer may be collated with a third party's registry to collect more information about you as a customer. We may need to share your personal information with other companies (Partners) in order to provide the Service and fulfill our commitments to you. We share personal information about users and customers with Partners or external support staff when you have a matter for us, if the information is needed to assist you. If you choose to enable an integration into an account in the Service, we will share the personal information required by that integrator, which will be done at your request. You are responsible for all handling of personal data with all integrations that have not been created or provided by Examinare.

How long do we save your personal information?

Examinare saves personal information about you as a customer as long as there is a customer relationship or as long as is necessary to achieve the purposes described in this policy. Upon termination of the agreement, Examinare will delete or anonymize your information within a reasonable period of notice, unless another Swedish or European law, court or authority says otherwise. Your data can be saved based on interest weighting if there are security or economic reasons. The length of time your personal information is stored by us varies depending on the purpose of its collection. Personal contact information in the form of recipients can be erased by your administrator, but in cases where there is no technical function for deletion, your administrator needs to contact us. Personal data processed for billing is saved as long as it is required for accounting purposes. Information collected when you contact us is stored as long as you are a customer of ours to fulfill our commitment. Upon completion of the customer relationship, we can store it based on interest weighting as evidence in case of problems.

You can at any time request that your client profile be locked from updating. In that event, customer login will be prohibited and all data will be restricted to systems outside of daily support routines and controlled by a special permission management function.

What rights do you have?

As a person registered with Examinare, you have several rights that you should know. You are entitled to request a registry extract of any information that is registered about you, free of charge once a year, provided you have legitimate reasons. In some cases, you also have the right to data portability of your personal data. You are entitled to have your personal information corrected if it is incorrect, incomplete or misleading and may limit the processing of personal data until it is changed.

You have the right to be forgotten, but deletion of personal data cannot be done if the data is required to fulfill the agreement, if another Swedish or European law, court or government decision states otherwise, or if the processing is based on interest-weighting. Should you find that there are no legitimate reasons or that the balance of interest is incorrect, you may object to the treatment. You also have the right to withdraw a consent, make complaints about the processing to the Data Inspectorate, oppose automated decision making and profiling, and oppose direct marketing.


 

Appendix 1

Categories of personal data.

| When | Category of details | Personal Information | Legal basis |
|---|---|---|---|
| Order of Service | Company Details | Company Name, Address, ZIP code, City, Country, Business Identification Number | Completing our contractual commitments to you. |
| | Contact Details | First name, Surname, E-mail, Phone | Completing our contractual commitments to you. |
| User of the Service (Other than contact person) | Contact Details | First name, Surname, E-mail, Phone Number | Completing our contractual commitments to you. |
| | Login Credentials | Username | Completing our contractual commitments to you. |
| | Online Identification | IP address | Completing our contractual commitments to you. |

 * Contains the personal data you have chosen to write.

| When | Category of details | Personal Information | Legal basis |
|---|---|---|---|
| Contact on Website | Contact Details | Contact details, E-mail, Phone number, CompanyID | Completing our contractual commitments towards you and balance of interests. |
| | Company Details | Business Identification Number | Completing our contractual commitments towards you and balance of interests. |
| | Case Details | Message in body text* | Completing our contractual commitments towards you and balance of interests. |
| Contact via Website chat | Contact details | Name, E-mail, CompanyID, IP address, City, Country, Phone Number | Completing our contractual commitments towards you and balance of interests. |
| | Company information (may exist) | Company Name, Business Identification Number | Completing our contractual commitments towards you and balance of interests. |
| | Case Details | Message in body text* | Completing our contractual commitments towards you and balance of interests. |

* Contains the personal data you have chosen to write.

| When | Category of details | Personal Information | Legal basis |
|---|---|---|---|
| Contact by E-mail | Contact Details | Contact details, E-mail, Phone number, CompanyID | Completing our contractual commitments towards you and balance of interests. |
| | Company Details (may exist) | Business Identification Number, Company Name | Completing our contractual commitments towards you and balance of interests. |
| | Case Details | Message in body text* | Completing our contractual commitments towards you and balance of interests. |
| Contact by Phone | Contact details | Name, E-mail, CompanyID, City, Country, Phone Number | Completing our contractual commitments towards you and balance of interests. |
| | Company information (may exist) | Company Name, Business Identification Number | Completing our contractual commitments towards you and balance of interests. |
| | Case Details | Message in body text* | Completing our contractual commitments towards you and balance of interests. |

* Contains the personal data you have chosen to write.

Data processor for the processing of personal data.

| Process | Supplier | Location |
|---|---|---|
| Contact by Chat | Examinare AB | France |
| Contact by E-mail | Zendesk | USA (Privacy Shield) |
| Contact by Phone | Twilio | USA (Privacy Shield) |
| | Telavox | Sweden |
| | MyDivert** | United Kingdom |
| | Zadarma Project** | Bulgaria |
| SMS Sending | Cellsynt AB | Sweden |
| Payment by Credit Card | Stripe.com | USA (Privacy Shield) |
| Contact with US Callcenter (Outside EU opening hours) | Specialty Answering Service | USA (Privacy Shield) |
| Contact by Phone | Localphone Ltd. | United Kingdom |

** Only used for contact numbers in Russia and Ukraine.

 

Security and Server Environments

Examinare is responsible for the technical and organizational security measures in and around Examinare programs. This means that in Examinare programs we will ensure that there is the required security, such as privilege management, ability to make registry entries and delete personal data. When there are no features in the Personal Data Management program, we have internal procedures for this. The actions taken by Examinare are described in more detail below.

Authentication and Encryption.

All data communication takes place with Secure Sockets Layer (SSL). To access the Services, login is required with username and password.

  • Examinare uses encrypted communications in the form of 256-bit SSL encryption and 2048-bit public keys from RSA. All data communications to and from the user's computers are encrypted with SSL, the most widely used Internet standard for encrypted communication. 
  • Examinare protects passwords by fully encrypting the login process, which means that no information is sent as unencrypted text. The user password is stored in a one-way encrypted format and, if lost, needs to be recovered by email.
  • There is continuous user authentication. Each call to Examinare's servers involves checking the login credentials.
  • Passwords are never stored in Sessions or Cookies.

Storage and backups.

The Examinare server environments are split into 2 zones. One zone is Examinare Survey Tool, where all survey data is stored within Sweden. The second zone is for external services, such as Examinare Customer Zone and other external services that use the Examinare API to connect to the survey data in Examinare Survey Tool with API information.

Examples of Examinare external services (referred to below as Examinare external) include, but are not limited to: Store Evaluator, Leveranskontroll, Delivery Control Survey, Stay Evaluator, Why Cancel, Examinare websites and Examinare Customer Zone.

Examinare Survey Tool.

Examinare Survey Tool infrastructure is run on servers in 24-hour data halls. The infrastructure is hosted in the south of Sweden on redundant Internet connections.

  • The data halls are equipped with fire protection and climate systems. There are several automatic smoke detecting systems. Climate control system ensures that the temperature is always low and that the humidity is optimal.
  • The data halls are equipped with a secondary power supply system and a diesel generator that ensures the power supply to the servers.
  • High-capacity connections ensure users' access to the Services.
  • Only authorized personnel have access to the data hall.
  • Examinare server environment and network are protected by firewalls. In addition, Examinare is proactive through monitoring and analysis of firewalls and system logs.
  • Examinare infrastructure is monitored every minute for access problems. If any problems occur, the appropriate support personnel are contacted.
  • Backups are taken daily, hourly (snapshots) and nightly (full backup) and stored on encrypted storage.
  • Full Backups are also stored in a geographically separated location in Sweden.

Examinare external services and Customer Zone.

Examinare external services (not storing survey data) are hosted within the EU, mainly in data centers in France.

  • The data halls are equipped with fire protection and climate systems. There are several automatic smoke detecting systems. Climate control system ensures that the temperature is always low and that the humidity is optimal.
  • The data halls are equipped with a secondary power supply system and a diesel generator that ensures the power supply to the servers.
  • High-capacity connections ensure users' access to the Services.
  • Only authorized personnel have access to the data hall.
  • Examinare external environment and network are protected by firewalls. In addition, Examinare is proactive through monitoring and analysis of firewalls and system logs.
  • Examinare external is monitored every minute for access problems. If any problems occur, the appropriate support personnel are contacted.
  • Backups are taken daily and stored on encrypted storage.
  • Full Backups are also stored in a geographically separated location within the EU.

Specific Database storage on order.

Customer-specific database storage exists in Canada, Singapore and Russia. Only Clients that order specific database storage have active data connections to locations abroad. If the individual customer has not ordered specific database storage, the data will be kept in Sweden and France.

Knowledge and information protection.

  • Only a few key people know how the security system is built.
  • All personnel are bound by a confidentiality agreement that prevents the dissemination of data, information and the person or customer's personal data. Only authorized personnel have access to the data and the privileges are governed by Examinare AB.

 

 

Incident Management

In GDPR there is a new requirement for personal data incidents, which means that incidents need to be reported to the Security Authority within 72 hours. In order to meet the new obligations under the Regulation, it is important to have adequate procedures in place to detect, report and investigate personal data incidents.

Incident
Incident Process

Examinare has an incident team that manages the necessary coordination, communication, and responsibility to assess, respond to and learn from incidents to reduce the risk of recurrence. Depending on the nature and impact of the incident, the persons needed to manage the incident are involved. The process of handling is the basis for the flow, which, with complementary procedures, clarifies who does what and how the situation is to be addressed. The process is divided into the sub-processes identification of incident, impact assessment, action process, communication and Root Cause Analysis (RCA).

When an incident is identified, the type of incident needs to be determined. The impact assessment sub-process analyses the extent to which customers and users are affected by the incident and what the consequences are. The action process assesses and prioritizes the problem in order to safeguard the action plan as well as the implementation of the action. In a personal data incident, a report is compiled that includes information about:

  • What kind of incident is it?
  • What categories of people may be affected?
  • How many people does it concern?
  • What consequences may the incident have?
  • What measures have been taken to counteract any negative consequences?

Incidents and actions are communicated to affected persons. In case of personal data incidents, notification to the Integrity Protection Authority is an activity in this subprocess. After actions have been taken and the affected persons have been informed, a Root Cause Analysis is conducted to prevent the problem from occurring again.

Examinare Personal Data Assistants Agreement

Personal Data Responsible: "Customer" and
Personal Data Adviser: Examinare AB
Organization number: 556773-2598 Establishing country: Sweden.

The "Personal Data Counsel" refers to Examinare AB for the services listed in the Examinare AB Agreements signed on order. Personal Data Responsible refers to the Customer. This agreement also includes services signed on branded sites owned by Examinare AB, but trading under a branded name/trademark owned by Examinare AB.

Examinare's contact for general questions about the agreement and Examinare's processing of personal data can be found at https://oracle.examinare.biz/books/integrity-and-security

1. Introduction

1.1 Both Parties confirm that the signatories have the power of attorney to enter into this Privacy Disclaimer ("Agreement"), which is an integral part of the Service Agreement signed between the Parties ("Service Agreement"). This Agreement governs the Processing of Personal Data in connection with any Service Agreement in force.

1.2 Examinare acts in accordance with Examinare's Privacy Statement, which is available at https://oracle.examinare.biz/books/integrity-and-security/page/privacy-policy 

2 Definitions

2.1 The definitions of Personal Data, Specific Categories of Personal Data (Sensitive Personal Data), Processing of Personal Data, Registered, Data Responsible and Personal Data Counselor are the same as used in applicable data protection legislation, including the General Data Protection Regulation (GDPR), as per this Agreement, and in Europe from 25 May 2018 and at any time applicable national supplementary legislation, together hereafter referred to as "Applicable Data Protection Act".

2.2 In this Annex, Personal Data Responsibility is referred to as the "Customer" or "Party", the Personal Data Assistant as "Examinare" or "Party" and collectively as the "Parties".

3 Coverage

3.1 The agreement governs Examinare's Processing of Personal Data on behalf of the Customer and describes how Examinare will ensure data protection through technical and organizational measures under applicable data protection legislation.

3.2 The purpose of Examinare's Processing of Personal Data on behalf of the Customer is to fulfil obligations under the applicable Service Agreement for Services provided.

3.3 This Agreement takes precedence over any conflicting provisions regarding the Processing of Personal Data in Service Contracts or in any other agreement entered into between the Parties.

4 Examinare's duties

4.1 Examinare may only process Personal Data on behalf of and in accordance with Customer's documented instructions. By entering into this Agreement, the Customer instructs Examinare to process Personal Data as follows:
(i) only in accordance with applicable law; (ii) to fulfil all obligations under Service Agreements applicable to services provided; (iii) as further specified by Customer's normal use of Examinare's Services; and (iv) as specified in this Agreement.

4.2 Examinare has no reason to believe that there is legislation that prevents Examinare from following the instructions given above. Examinare will, upon becoming aware of it, inform the Customer in the event that the Customer's instructions or treatment, in Examinare's opinion, violate applicable data protection legislation.

4.3 The categories of Registered and Personal Data covered by Treatment in this Agreement are set out in this document.

4.4 Examinare will ensure the confidentiality, integrity, and availability of Personal Data in accordance with Applicable Data Protection Act. Examinare will implement systematic, organizational and technical measures to ensure an appropriate level of security, taking into account the latest technology and implementation costs in relation to the risk involved in the Treatment, and the type of Personal Data to be protected.

4.5 Examinare will assist the Customer with appropriate technical and organizational measures as far as possible taking into consideration the Type of Treatment and the information available to Examinare in order to fulfil the Customer's obligations under applicable data protection legislation regarding requests from Registered and General Data Protection under the Data Protection Ordinance Articles 32-36.

4.6 If the Customer needs information about security measures, documentation or other information about how Examinare Handles Personal Data, and such requests involve more information than the standard information provided by Examinare in order to comply with data protection legislation as Personal Data Board, and this means more work for Examinare, Examinare may charge Customer for such additional services.

4.7 Examinare and their staff/partners/external consultants will ensure the confidentiality of Personal Data Processed under this Agreement. This condition also applies after the Agreement has expired.

4.8 Examinare will, by informing the Customer promptly and without unnecessary delay, enable the Customer to comply with the legal requirements that apply to informing relevant data protection authorities and the Registered about Personal Data Incidents.

4.9 Further, as far as is practicable and legal, Examinare will inform Customer about:
(i) requests for disclosure of personal data obtained from a Registered; and (ii) inquiries from authorities, such as the Police, on the disclosure of personal data.

4.10 Examinare may not respond directly to requests from Registered without permission from the Customer. Examinare may not divulge content relating to the Agreement to authorities such as the Police, including Personal Data, with the exception of statutory provisions, such as court decisions or similar decisions.

4.11 Examinare does not have control over whether and how the Customer chooses to make use of any third-party integration through Examinare's API, through direct data connection or the like. Responsibility for such integrations with third parties is solely the responsibility of the Customer. Examinare is not responsible for any processing of Personal Data through such third-party integration.

5 Customer Obligations

5.1 By signing this Agreement, Customer acknowledges that the Customer:

  • when using the services provided by Examinare in accordance with the applicable Service Agreement for the Services provided, will Process Personal Data in accordance with the requirements of current data protection legislation.
  • has a legal basis to process and disclose the relevant personal data to Examinare (including any sub-assistants used by Examinare).
  • is solely responsible for the accuracy, integrity, content, reliability, and legality of the Personal Data submitted to Examinare.
  • has fulfilled any mandatory requirements and obligations to notify or obtain permission from the relevant Personal Data Processing Authorities.
  • has fulfilled its obligations to provide relevant information to the Registrar for the Processing of Personal Data in accordance with applicable Personal Data Law.
  • agrees that Examinare has provided warranties regarding the implementation of technical and organizational security measures, that are sufficient to protect the integrity and personal data of the Registrar.
  • when using the services provided by Examinare under the Service Agreement, will not transmit any Sensitive Personal Data, or data relating to convictions in criminal proceedings and infringements to Examinare. In the event of such transfer, Examinare may not be held liable for improper handling of these sensitive personal data.
  • will maintain an updated record of the types and categories of Personal Data that are Treated.

6 Use of sub-boards and data transfer.

6.1 As part of the delivery of services to the Customer in accordance with the applicable Service Agreement for the services provided and this Agreement, Examinare may use subcontractors in the subcontracting role. Such subcontractors may be sister companies of Examinare AB or external subcontractors (third parties) within or outside the EU. Examinare will ensure that subcontractors agree to assume responsibility that complies with the obligations stated in this Agreement.

6.2 Major subcontractors with access to Personal Data are published on Examinare's Privacy Page https://oracle.examinare.biz/books/integrity-and-security/page/privacy-policy, which have been accepted by the Customer as subcontractors. Examinare reserves the right to keep subcontractors that work as external "employees" hidden online because of personal integrity.

6.3 The Customer may at any time request a full overview and more detailed information about the subcontractors involved in the delivery of the Service under the Service Agreement.

6.4 If subcontractors are outside of the EU, Examinare will ensure that the transfer takes place in accordance with applicable personal data law. The Customer hereby grants Examinare the competence and authority to ensure the appropriate legal bases for the transfer of personal data outside the EU on behalf of the Client, for example by signing the EU Standard Contract Clauses or transferring Personal Data in accordance with the EU / US Privacy Shield.

6.5 The Customer will be notified prior to changes to subcontractors who process Personal Data, except for subcontractors that are working solely as self-employed. If a new subcontractor apparently fails to comply with data protection legislation and the subcontractor still fails to comply with data protection legislation after Examinare has had reasonable time to ensure that the subcontractor complies with the regulations, the Customer may terminate the Agreement. Such termination may include the right to terminate the Service Agreement, in whole or in part, in accordance with the termination clauses contained in the respective Service Agreement. An important part of such assessments should be to what extent the Subcontractor's Processing of Personal Data is an essential part of the services provided under the Service Agreement. A change of subcontractor will not in itself be regarded as a breach of the Service Agreement.

6.6 By signing this Agreement, Customer agrees that Examinare uses subcontractors as described above.

7. Security

7.1 Examinare is committed to providing a high level of security in its products and services. Examinare provides the level of security through organizational, technical and physical security measures, in accordance with the information security requirements described in Article 32 of the Data Protection Ordinance.

Furthermore, Examinare AB's internal data protection framework aims to protect the confidentiality, integrity, correctness, and access to Personal Data. The following measures are of particular importance in this regard:

  • Classification of Personal Data to ensure the implementation of safety measures that correspond to risk assessment.
  • Evaluation of the use of encryption and pseudonymization as risk-reducing factors.
  • Limitation of access to Personal Data to those who need access to fulfil the obligations of this Agreement or Service Agreement applicable to the Services provided.
  • Use of systems that detect, restore, prevent and report personal data incidents.
  • Implementation of safety analyses to assess the quality of current technical and organizational measures to protect Personal Data, taking into account the requirements of current data protection legislation.

8 Audit Rights

8.1 The Customer is entitled to carry out an annual audit of Examinare compliance with the terms of the Agreement. If the law requires, Customer may request revisions more often. As Examinare AB's services are multi-user environments, the Customer authorizes Examinare's empowers and self-employed subcontractors, for safety reasons, to decide that auditing should be performed by a neutral third party auditor chosen by Examinare. Audits may result in a cost to the Customer and will, in that case, be invoiced to the customer.

8.2 If the Customer does not accept the neutral third party auditor selected by Examinare AB, the Customer may, together with Examinare AB, elect another neutral third party auditor at own expense. 

8.3 The Customer is responsible for any costs incurred in connection with the requested revisions. Examinare's assistance that exceeds the standard service provided by Examinare AB and/or Examinare's subcontractors to comply with applicable data protection laws will be charged.

9 Duration and termination

9.1 This Agreement is valid as long as Examinare Handles Personal Data on behalf of the Customer in accordance with the applicable Service Agreement.

9.2 The agreement terminates automatically, when the Service Agreement expires. Upon termination of the Agreement, Examinare will delete Personal Data Processed on behalf of the Customer, in accordance with the applicable clauses in the respective Service Agreement. Unless otherwise agreed in writing, the cost of such actions will be based on;
i) timetable for Examinare's time and ii) the complexity of the requested process.

9.3 Examinare may retain Personal Data after termination of the Agreement, to the extent required by law, with the same type of technical and organizational security measures as described in this Agreement.

10 Liability

10.1 Liability for breach of the terms of this agreement will be governed by liability clauses in the respective Service Agreement between the Parties. This also applies to possible violations committed by Examinare's subcontractors.

11 Applicable law and jurisdiction

11.1 This Agreement is subject to applicable law and the jurisdiction specified in the respective Service Agreement between the Parties.

12 Categories of Personal Data and Registered

12.1 As Examinare's services allow the Customer to treat arbitrary data within the services, it is not possible to generally report the categories of Registered and Personal Data covered by Treatment. This information is the responsibility of the Customer to register.

12.2 The Customer may not transfer any Sensitive Personal Data to Examinare. In the event of such transfer, Examinare may not be held liable for improper handling of these sensitive personal data. Sensitive Personal Data is defined in applicable Personal Data Law, i.e.:

  • Race or ethnic origin, political opinions, religious or philosophical beliefs,
  • information on health,
  • information about a person's sexual life or sexual orientation,
  • membership of a trade union,
  • Genetic data or biometric data to uniquely identify a natural person

12.3 Nor may the Customer transfer personal data relating to convictions in criminal proceedings and offenses.

13 Overview of current subcontractors

13.1 Current subcontractors (excluding self-employed subcontractors working as consultants) of Examinare who have access to the Customer's Personal Data can be found at:

https://oracle.examinare.biz/books/integrity-and-security/page/privacy-policy

14. Signature of Agreement

14.1 The Personal Data Assistants Agreement is included in all our contracts and terms of service and does not need to be signed. However, if the customer needs a signed copy of the approval to be saved according to their own internal regulations, this agreement can be signed online at no cost by requesting it inside your customer zone login. Make sure your information is updated inside the Customer Zone before asking for the signature process. Only 1 request will be made per customer zone without cost.

14.2 The customer signs the agreement first and then the document is sent to our GDPR responsible party, who will sign (within 4 working days). After signature, the document will be sent as a PDF version as proof of acceptance to both parties.

14.3 The Customer approves for Examinare to store the signature digitally inside their systems and/or making it accessible to the Customer in Examinare Customer Zone or branded Customer Zone of Branded Services in Examinare's control and may share the signed document within the organization and external subcontractors upon request.

15. DISPUTES 

15.1 Disputes between Examinare and the Customer arising from this agreement shall in the first instance be solved directly between the parties. If no resolution has been reached within three (3) months from when a party gave notice of the matter in question, the dispute shall be determined by a Swedish court. The Kristianstad district court has exclusive jurisdiction.

The decision of the Kristianstad district court cannot be appealed.

 

Customer Signature

Name:



Company Name:



E-mail:

 

Mobile:

 

Company reg. no.:

 

Signature

 

 

 

 

Examinare AB, Signature.

 

 

 

 

Daniel Kroon
CEO, Examinare AB