Privacy in SoSafe’s Awareness Building Services

1. Preamble

For us, cooperation based on trust is the core of a successful contractual relationship. And trust begins with transparency. We consider this basis of trust & transparency as essential in all interactions you may have with SoSafe, including this document. Below we outline the measures we have taken in the areas of data protection and data security to protect the personal data of your employees.

2. Data Protection and Data Security at a Glance

  • Made in Germany:
    • SoSafe is a German company with headquarters in Cologne.
    • All customer data is stored on German or European servers.
  • Privacy Principles:
    • Our Awareness Building services are developed according to the Privacy by Design principle.
    • We only collect as much personal data as we need to provide our services.
    • We process personal data exclusively for the purposes described.
    • When handling customer data, we have taken numerous technical as well as organisational measures to protect the data of our customers’ employees to the fullest extent possible.
    • We partner only with subcontractors which have been successfully vetted by our internal IT Security & Legal teams, and only when it has been determined that the subcontractor can provide services better and more reliably than we are able to.
    • Depending on the purpose of use, personal data is deleted at the request of the Customer or automatically after expiry of the purpose or end of the retention period in accordance with the DIN 66399 standard.
  • Confidentiality:
    • All our employees as well as external consultants are bound to confidentiality in accordance with data protection laws.
  • Education and training:
    • Our employees are regularly trained on data protection and data security.
  • Processes:
    • Before using a service provider to provide awareness building services, a comprehensive legal and information security review of the service provider is conducted.
  • Data Security:
    • We have implemented an information security management system and have been ISO 27001:2013 certified since December 20, 2022.
    • Customer data at our hosting provider is encrypted in transit and at rest with SoSafe managed keys.

3. Data Protection at SoSafe

As a provider of Cybersecurity Awareness Building services, the secure and trustworthy handling of our customers’ data is very important to us and an integral part of our product ethos.

3.1 Server locations for the processing of personal data

As a German company based in Cologne, we select service providers that ideally originate from the EU or EEA. Customer data is stored on German servers and/or servers located within the EU / EEA.

3.2 Data protection in our Awareness Building services

In the following, we inform you about how we have implemented data protection within our products.

3.2.1 What types of personal data do we process?

This depends on which and in which form you use our products. Below you’ll find an overview on the categories of personal data we process. You’ll find a detailed list of all personal data subject to data processing in our Data Processing Agreement:

Phishing Campaign

As part of phishing simulation email campaigns, we require the following personal data categories for the duration of the contract with you for the purposes of delivering an authentic and individualised campaign:

  • Customer employee’s contact data and default language
  • Professional email address of the customer employee
  • Customer specific structural information, e.g. departments or teams.
  • Mail log data for technical and security reasons, deleted after 12 weeks.

Optionally, customers can provide additional master data of the customer’s employees (gender and academic rank) to make a campaign even more authentic. At the request of the Customer, a differentiated playout, based on employee groups, according to additional organizational classification criteria can also take place and would require the desired order criteria.

  • If customer’s employee interacts with the phishing email, we also collect some technical data and optional feedback data, if provided.

Phishing Report Button and PhishAssist

If your organization uses the phishing report button and/or the PhishAssist, no personal data is processed. If the corresponding mail originates from the simulation, the click is included in the so-called reporting rate in the evaluation. If the mail does not originate from the simulation, it is forwarded to an email address defined by the Customer directly from the email client in use – no emails are sent to or processed by SoSafe.

Optional: Recommendations and Improvements

To make the phishing campaign more effective and customer employee-related and to provide better learning recommendations, upon Customer’s request (opt-in) we collect a unique customer employee ID (« UUID ») in addition to the reporting data. This is only used internally by us for the aforementioned purposes, but not shared with Customers.

E-learning Platform

In connection with the use of our e-learning platform we process the following personal data categories:

  • Registration data
  • Setting data
  • Usage data
  • Technical data

We also process some of the personal data for reporting purposes to the Customers, partly grouped and/or aggregated.

Server Logs, including SCORM:

When a customer’s employee interacts with our learning pages and e-learning or uses SCORM streaming, we also collect server-side logs and store it for twelve (12) weeks to maximum 6 months for technical and security reasons.

Single Sign-on

The Single Sign-On (« SSO ») procedures offered are – as far as technically possible – integrated as hyperlinks, so that data is only collected by the respective provider when used. If this is not possible, we work with an individual consent solution. Only if the respective customer employee agree to the data processing, data will be collected by the SSO solution.

3.2.2 Privacy by Design and by Default

Our products are developed according to the Privacy by Design and by Default principles (Art. 25 GDPR). In the software development cycle, our data protection experts are already involved in the design phase of new products. Our products are also configurable and are already delivered to our customers with strong privacy settings by default.

3.2.3 Our Employees

All of our employees, as well as external consultants, are obligated to data protection confidentiality. Furthermore, our employees are regularly trained on data protection and data security.

3.2.4 Our Service Providers

As a matter of principle, we only use service providers where we have come to the conclusion after thorough analysis that they can provide the services in a qualitatively better and technically safer solution than we would be able to with our resources.

If we come to the conclusion that we need a service provider for the provision of the Awareness Building services, this provider will be comprehensively reviewed in advance from a legal and information security perspective. This naturally also includes the conclusion of any necessary contracts, the implementation of security and/or protection measures and any other guarantees.

4. Data Security with SoSafe

According to Art. 32 GDPR, you as the controller and we as the processor must implement appropriate technical and organisational measures (TOMs) for the processing of personal data that take into account the state of the art, the implementation costs and the risk to the rights and freedoms of data subjects, while ensuring an adequate level of protection. As an ISO 27001 certified provider, we also align our TOMs accordingly. As part of our information security management system, we have adopted numerous security guidelines and technical protection measures in order to protect both our Customers’ and our own data in the best possible way.

The deletion of data is carried out according to preset deletion routines that are based on legal retention periods. Provided there are no legal retention obligations, we delete data as soon as it is no longer required for the original purpose. When deleting data, we follow the DIN 66399 standard.

For more information on data security at SoSafe, please see our Security & Trust Whitepaper.

5. Data Breach Notification

In the event of a personal data breach, notification obligations to the supervisory authority (Art. 33 GDPR) must be fulfilled, if applicable, and the responsible entity and the data subjects must be notified (Art. 34 GDPR). For this purpose, we have set up corresponding reporting processes and documented our reporting channels including deadlines. If our customers are affected, they are informed within 24 hours of becoming aware of the data breach.

6. Dealing with Data Subjects’ Rights

Data Subject Requests will be processed by our Data Protection Officer and his team (hereinafter « DPO ») within the one-month period. Upon receipt of the request, the DPO checks the competence of SoSafe. If the request is within the scope of our activities as a processor, the request will be forwarded immediately to the contact person at the customer and we will support the customer at his request within the scope of our possibilities.

7. Contact

Data protection and data security should always be present in product development as well as in our daily work. Therefore, we have a strong internal team:

In addition to our Data Protection Officer and our Chief Information Security Officer an experienced legal and information security team provide support in all matters relating to data protection (privacy@sosafe.de) and data security (security@sosafe.de).

8. Documents, Guidelines and Data Processing on Behalf of

The data processing agreement entered into between SoSafe and all of our customers complies with the requirements of the GDPR, includes all relevant information, and an overview of the technical and organisational measures taken. In addition, we will be happy to provide you with our certificates, transfer impact assessments, if relevant to you, and further information. Some of our guidelines and documents are classified as internal documents. We will be happy to confirm the implementation of measures taken, but we ask for your understanding that we cannot share the documents themselves.

Status: January 2023