Privacy and data protection
Orgvue privacy and data protection
Orgvue is compliant with all international data protection legislation, it’s commitment to which is demonstrated through the personal data processing provisions available at the full Data Processing Agreement.
Orgvue is ISO 27001, ISO 27018 and CSA STAR certified which further demonstrate the organization’s commitment to ensuring the necessary technical and organizational measures are in place to safeguard the privacy of client data.
Orgvue is delivered as Software as a Service (SaaS) and hosted on the Amazon Web Services (AWS) platform. Orgvue can be hosted from the AWS us-east-1 (North Virginia), eu-west-1 (Ireland) or ap-southeast-2 (Sydney) Regions. The choice of region and data residency is selected by our clients. Once a region is selected, all Orgvue data stays within that region, including data processed within backup cycles.
By default, the business has no access to Orgvue client data, with our clients exclusively responsible for managing access control to their Orgvue environments. Orgvue clients retain full ownership of their data, while maintaining the ability to delete and determine data retention through the user interface.
Orgvue client data is used only within Orgvue and not transferred, shared or accessed by any sub-processors. Amazon Web Services is the only third party involved in the delivery of Orgvue and has no access to Orgvue client data. Formal agreements are in place with all suppliers, providing assurance of data privacy and protection standards, while employee contracts include confidentiality provisions as standard.
Orgvue requires only minimal personal data categories to provide value and these are determined by the requirements of each client.
The integrity and confidentiality of Orgvue data is assured through the encryption of all data at rest and in transit. Orgvue client data is logically separated and uniquely encrypted using client dedicated encryption keys, ensuring appropriate technical measures are in place to safeguard client data. Encryption key management controls ensure that no party has access to master encryption keys. Orgvue client data can only be accessed through the application, with Orgvue clients responsible for managing access to their Orgvue environments.
Orgvue has appointed a Data Protection Officer, has a full suite of data protection policies and provides its employees with awareness training in data privacy principles and information security.
Data and security protection
Read this article about data and security protection by Tim Ross, General Counsel, Orgvue.