Version 1.0, June 2022
We’re committed to safeguarding our product and protecting the personal data and confidential information we keep.
The purpose of this document is to provide insight into our privacy and security practices. In line with that, we refer to companies who use Arkyn ApS (“Arkyn” or “we”, “us”, “our”) in this document as “you” and “your”.
We make this document publicly available by publishing it on our website and we share it with all of our staff members (including our temporary workers and contractors).
Review of this document and of our information security framework is completed at least annually.
Arkyn is a B2B SaaS company providing a best-in-class iOS app suite and superior mobile user experience for enterprise SAP users.
For more than 15 years the founders have been working with design thinking and mobile interfaces for SAP, changing complex processes into safe, efficient, and intelligent user experiences. With this knowledge and experience Arkyn was founded to help SAP customers optimize processes and save thousands of hours.
We have a Data Protection Officer (“DPO”) to oversee our data privacy and data protection measures and lead our compliance program to ensure that it is up to date and compliant.
If you have questions about the data processing activities that we carry out on your company’s behalf, you’re most welcome to contact our DPO at firstname.lastname@example.org.
We have a dedicated security team who govern our data protection and information security, and who are responsible for securing our product. When appropriate, we also engage external resources and experts.
Our CTO takes on the role of Chief Information Security Officer and leads our security team.
We have privacy-by-design policies, development policies and other security documents that form the basis of our information security framework. These policies and documents are reviewed on an annual basis.
The policies apply to everyone with access to our codebase or data, and all are educated and trained in our information security practices.
The goal of our Information Security effort is to protect all the data we retain and process.
We align with current international regulatory and industry best-practice guidance, and we’ve designed our security program around best-of-breed guidelines for cloud security.
We comply with the GDPR and will notify you by email in accordance with the DPA, should we become aware of a data breach that affects you and requires notification. An email will be sent to the email addresses registered in our product or as contact persons for your subscription with us. Feel free to email email@example.com if you wish to receive such alerts to other email addresses.
We design our product to be highly available, fault-tolerant and fault-resilient. To achieve this, we follow industry best practices which we continuously improve on and review. Our products are hosted on industry-leading hyperscaling platforms which help us minimize incidents, downtime and recovery time of our services.
We also do continuous deployment, which means smaller and thus simpler code changes, with fewer unintended consequences, simpler and quicker fault isolation and improved testability.
As a principle, all our processors and sub-processors are Software as a Service. This gives us multiple advantages in the event of an incident or disaster, such as having our teams work from anywhere and being able to replace a (sub-)processor that is causing issues much faster.
As our customer, your use of our services is governed by the agreement in place between you and us, as well as a DPA.
Our Data Protection Agreement is described in section 5.1.
All of our staff members need to know what they can and cannot do when handling confidential information and personal data. Our staff members must observe strict confidentiality with regard to our affairs. This requirement is included in all of our employment contracts.
The obligation of confidentiality includes not only our activities, but also extends to relationships with businesses and customers. It continues to apply after termination of the employment contract.
If a staff member breaches their confidentiality obligations, intentionally or negligently, we consider it a material breach of their employment contract that can result in disciplinary action, including termination or immediate dismissal.
As part of our recruitment process for hiring new staff members, we carry out reference checks where relevant. As a default, we do not perform any criminal or credit checks, but we may choose to do so for specific roles.
All employees with access to our code repository or production data are educated and trained in how to protect and handle information. At the heart of this training is our Development Policy, which is continuously reviewed and communicated to the team.
When staff members leave us, we revoke their access to our services in a timely manner. For more information about this, please see section 7.2.
We use the terms “data controller”, “processor” and “sub-processor” below. The terms are defined in Article 28 of the EU’s General Data Protection Regulation (“GDPR”), where the data controller and the processor, and the processor and the sub-processor, are required to have a “data processing agreement” (“DPA”) in place that documents the data processing activities being carried out.
Our DPA meets the requirements outlined in the GDPR and is part of your agreement with us. When entering into a contract, you will receive a signed copy of our DPA.
We consider any data relating to an identified or identifiable person as “personal data”; examples:
Basic identity information such as name, address, email address, and ID numbers, and other data that identifies the individual.
Web data such as location, IP address, cookie data and other technologies serving similar purposes, and device identifiers.
When we build our product, Privacy by Design is part of our development process, so we ensure that we have a legitimate purpose when we process specific personal data, limit our processing of data, and retain data securely and only for as long as the purpose justifies.
For details on the personal data we keep, and why and how we and our processors and sub-processors retain and delete this data, please see Sections 5.4 and 5.5.
We use specialized companies to assist us with delivering our services to you, such as providing our data-centers. Pursuant to the GDPR, these companies are, depending on our own role, called “processors” or “sub-processors”.
Before we engage a processor or a sub-processor, we perform a thorough security and privacy risk assessment of the company’s services. As part of this process, we evaluate the company’s privacy and security practices, we carry out a risk assessment of the personal data that we would be sharing with the company, and we review the company’s DPA. We follow this process to determine whether the company is competent to process personal data in line with the legislation and meets our requirements and standards. We will only share personal data of your users with a company provided that these requirements are in place.
We monitor the performance and applicability of our processors and sub-processors on an ongoing basis. We may find it necessary to add or replace a company as a processor or sub-processor, and if we do, we will notify you through the email we have registered as the owner of your account. Feel free to email firstname.lastname@example.org if you also wish to receive such notifications at other email addresses.
When we stop using a company as a processor or sub-processor, we will remove the company from our product and infrastructure, and we will request the deletion of all personal data about you and your users retained by the company.
Data to and from our processors and sub-processors is encrypted during transit, and to safeguard the traffic between our users and our product, all web communication is 128-bit encrypted as a minimum.
Access to our processors and sub-processors is protected by secure multi-factor authentication. We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need, which we monitor continuously.
When you share personal data about your employees with us, your company acts as data controller and we act as processor.
We process this data solely on your behalf, and we use the data solely for the purpose of providing our services to you. We kindly ask you to limit the data shared to what is needed for you to use our product. Please never share sensitive and special category personal data with us.
Please refer to the DPA for more detailed information.
We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislation.
Should we receive a request from one of your employees to exercise one or more of their rights, e.g. their right to information or their right to be deleted, we will defer the request to you.
To help you respond to such requests please write to email@example.com and we will be happy to assist. We will provide downloaded data in a machine-readable format.
You can see the list of the sub-processors we use to process personal data about your users in the DPA, provided upon request.
When applicants share personal data about themselves, we act as a data controller.
We comply with Data Subject Rights (aka “the rights of the individual”) pursuant to the GDPR and similar legislation.
Should you choose to exercise one or more of your rights, e.g. your right to information or your right to be deleted, you can email your request to us at firstname.lastname@example.org, where we will process it with due respect for the timeliness required by the law. Should you contact us, your request must be about your own personal data.
When we delete your personal data, we will confirm the deletion to you by email.
Please note that once data has been deleted, it may take up to ninety (90) days before the data is deleted from all parts of our systems, including our processors, our technical logs and our backups.
You can see the list of the processors we use to process personal data in the DPA.
We host our data with our processors and sub-processors; see Sections 5.4.2 and 5.5.2. We do not host any data center facilities ourselves.
Our industry-leading infrastructure hosts provide us with best practice in many areas, such as availability, scalability, security, customer data segregation, data input controls, protection against externally and internally generated attacks, and development process.
Operating systems, databases, and applications in our data centers have been hardened to reduce vulnerabilities and maximize their security.
Access to our data center services is protected by secure multi-factor authentication.
Temporary files are retained only for as long as they are needed, then deleted by means of automation.
We host our production environment, our demo environment and our test environment in our data centers, where we keep our production environment, and the data therein, strictly separate from the demo and test environments.
We consider security concepts, assessments and techniques fundamental to the development, reliability, and overall improvement of our product and services.
The physical security of our data centers is handled by our processors and sub-processors, where our databases are encrypted at rest with AES-256, block-level storage encryption.
We operate on principles of least privilege first, which means that access is limited to those of our employees who have a genuine work-related need. We monitor and align this continuously.
The backend infrastructure of our data centers is frequently recreated via code to ensure a lean and clean infrastructure that further enhances our immutable architecture.
We run an agile, DevOps software development lifecycle (SDLC) process. We pass all software changes through a formalized code review process prior to being released into isolated environments. Upon successful testing and quality assurance, the changes are promoted into production. We opt for small but frequent releases.
We have a strict key management process and we provide controls to manage encryption keys throughout their lifecycle and to protect against unauthorized use. We do not store any keys locally or in code, but store them in a secure manner with our processors and sub-processors.
We do not rely on outsourced development – all of our development is in-house.
You are welcome to conduct your own security scans and penetration tests of our services, as long as these are of a non-malicious nature and you ask us for pre-approval. We need the pre-approval solely because your scans and tests could trigger monitoring anomalies on our side that we would like to react appropriately to. We also openly engage security researchers to challenge our services and to identify and report any vulnerabilities to us so that we can address them. Please contact email@example.com to initiate any such activity.
We build our backend infrastructure with code and follow infrastructure-as-code principles, which means that our infrastructure is frequently rebuilt to ensure that it’s always complete, lean and clean, with the benefit that we don’t need to use anti-virus or anti-malware software on the server instances of our data center.
Each repository has a list of third party libraries and code used in our product.
We continuously monitor our infrastructure and product for errors so that we can detect and address these quickly.
We have a process for management and correction of vulnerabilities (bugs, quality issues, etc.). Vulnerabilities should be reported to firstname.lastname@example.org. When we have identified the vulnerability as legitimate and requiring remediation, we log it as an issue, prioritize it according to severity, assign an owner and address it according to priority. We track the vulnerabilities and we follow up frequently until we can verify that the vulnerability has been remediated.
Google’s secure-by-design infrastructure has automated systems to ensure servers run up-to-date versions of their software stacks (including security patches), to detect and diagnose hardware and software problems, and to remove machines from service if necessary.
We send our logs to our processors and sub-processors where they are aggregated, reviewed, and analyzed.
Our logs are confidential and unavailable outside our company.
We retain our logs for a maximum of ninety (90) days, after which the logs are automatically deleted.
Examples of activities we log are:
We use automated backups to manage our database backups.
Our backup procedure includes, as a minimum, a daily full backup.
Our backups are stored in a secure, tamper-proof manner, and cannot be manipulated or changed.
We retain our backups for a maximum of ninety (90) days, after which a backup is deleted.
Before you use our product, you need to enter into a contract and sign our DPA.
Depending on your subscription with us, one or more of your employees may have been granted user access to work within our product.
Our IT team manages our internal accounts, password security, access to systems and data, and IT assets – covering both hardware and software.
All our staff members are granted an individual @arkyn.io personal user account. We don’t allow any two staff members to share or use the same personal user account.
Access permissions for individual services and user roles are granted from our role-based access control model using least privilege first principles and granted according to work-related needs.
When a staff member leaves, their user accounts are immediately disabled and, once they are no longer subject to other legal requirements, deleted. Any information security and legal responsibilities held by the staff member remain valid after they leave our employment.
All internal user accounts are protected with a password, and a password policy that aligns with the recommendations of the National Institute of Standards and Technology (NIST) has been enabled.
We use Microsoft Azure as our internal identity directory, where we have enforced multi-factor authentication. We only grant access for authorized staff members and partners for work-related needs.
We rely on the principle of “working from anywhere”, where our staff are free to work from wherever they are located.
Our office networks therefore do not provide any protection or security specific to our product, and our product considers our office networks as any Internet connected network.
To enable this, no application or file storage services are provided by our office networks, and we instead make use of our processors and sub-processors, who provide access solely on a whitelist basis to our authorized staff.
Entry into our office requires a key at all times.
We maintain a paper-free environment and documents are not printed unless necessary. We do not unnecessarily retain paper documents.
When disposed of, all paper documents containing personal data are shredded.
We have a clean desk policy and data is not stored on on-premise media.
Arkyn’s HQ is located in Copenhagen, but the company has several employees based around Europe. The company was founded in 2020 in the UK as Arkyn Studios Ltd. (company number: 12468392) with operations in Copenhagen through Arkyn ApS (company number: 41263121).
If you have any questions or concerns about our privacy or security practices, you’re welcome to send an email to our DPO at email@example.com.