Whilst using our services, our customers transmit orders, invoices and other business data to our applications for further processing. We understand how important business data is to our customers. This page aims to reassure you that the standardized way we design our services, and the measures we foresee, assist our customers to meet specific business and compliance needs with regard to business data.
Ownership and Confidentiality
Ownership. Our customers choose what business data they share with us based on the services they use, and own all rights in and to all their business data.
Confidentiality. We hold our customers’ confidential business data in strict confidence and limit disclosure of it only to our employees, subcontractors and advisors on a need-to-know basis, or upon our customers’ authorization. These employees, subcontractors and advisors are bound by appropriate confidentiality obligations.
Security Measures. Security of data is of utmost importance to us. We maintain appropriate technical and organizational security measures to protect our customers’ business data. We invest in teams and technology to continually improve the security. Our security measures are summarized here below and guaranteed through an annex to our sales agreements.
Site Access Control: prevent unauthorized persons from gaining access to data processing sites that process and use data.
System Access Control: prevent data processing systems from being used without authorization.
Data Access Control: ensure that persons authorized to use a data processing system have access only to the data they are authorized to access, and that data cannot be read, copied, modified, or removed without authorization during processing, use and storage.
Transfer Control: ensure that data cannot be read, copied, modified, or removed without authorization during electronic transfer, or when saving to data storage media.
Disclosure Control: ascertain and check where and to whom data can be transferred by means of data transmission facilities.
Input Control: perform checks to establish whether and by whom data has been entered, modified, or removed in data processing system.
Order Control: ensure that personal data processed on behalf of a customer is processed in strict accordance with the customer’s instructions.
Availability Control: ensure that data is protected against accidental destruction or loss.
Separation Control: ensure that data collected for different purposes can be processed separately.
Notification Control: ensure that the customer is notified promptly in the event of a material breach of any of the controls above.
Audit. We regularly audit the application of our security measures and we ask third party experts to review our security controls against international standards. These audits help us to further improve our security level and to increase our customers’ trust that their business data is handled in a secure way.
Personal data protection \ Privacy
Personal Data. Any information relating to an identified or identifiable individual, such as your name, email address and phone number, we call personal data. In our operations, personal data mostly is business contact data.
Processing Purposes. We process personal data of our employees for human resources purposes and to allow us to carry out our business operations. We process personal data of our web and event visitors, prospects and customers to inform them about our services, for contract administration, service implementation and support. Furthermore, our customers might require us to process personal data for the provision of our services, like when invoices, processed through our services, mention business contact data.
Requirements. The protection of individuals in relation to the processing of their personal data is a fundamental right. In most countries, businesses that want to process personal data must therefore respect personal data protection (privacy) requirements. In the European Union, the current data protection requirements will be further specified and reinforced through the General Data Protection Regulation (GDPR), enforceable as of 25 May 2018. We are committed to complying with the personal data protection requirements that apply to our operations.
Assurances. Our customers are accountable for compliance with personal data protection requirements that apply to their operations. When our customers buy our services to support their operations and require us to process personal data on their behalf, they expect us to assist them to comply with applicable personal data protection requirements.
Our Personal Data Processing Notice summarizes the measures we foresee to assist our customers in a compliant way. We guarantee these measures through our Personal Data Processing Appendix to our sales agreements.
- Personal Data Processing Appendix
- Personal Data Processing Notice
- Privacy Notice
- Cookie Notice
- GDPR Program White Paper
Basware use of data
Use. We collect and analyse data included in our customers’ business data and data derived from our customers’ use of our services for monitoring, improving and delivering services, for research and development, data products and supporting value added services, such as financial risk analysis, benchmarks and statistics.
Such data collection and analysis are standard market practices in the cloud services business.
Assurances. All such data we collect, is analysed in an aggregated format, meaning that the identity of the customer, its business partners or any individuals is not disclosed to any third party at any point. This data collection process does not apply to any business data fields dedicated for personal data. Moreover, all data collection processes follow our strict security and data protection policies and requirements.