What about the privacy of my data?
The app collects personal data. Privacy is extremely important here, and we therefore take it very seriously. For a detailed overview of the measures taken, we refer you to the privacy statement.
In short:
The data is stored anonymously and labelled with a unique participant number. The e-mail address provided is used once to send personal login details. The e-mail address in combination with these login details is not stored any further and is no longer available afterwards.
The data is stored on a secure server and complies with the security standards set out by the General Data Protection Regulation (GDPR, in Dutch: Algemene Verordening Gegevensbescherming, AVG). Security is handled with great care.
Some additional information about the security of our data:
(1) Where are the data stored? And is there a data encryption protocol at the end point?
When working offline, the collected data is stored in the app; once online the data is transferred over HTTPS to the psymate.io platform and is removed from the mobile device.
(2) How are data stored once they reach the server, e.g. are they encrypted on an EU / UK based server?
At the psymate.io platform, the data is stored to encrypted disks.
(3) What security measures are on the servers to prevent unauthorized access to the data, e.g. brute force protection, administrative interfaces only accessible from particular IP addresses?
All network traffic to the psymate.io platform is monitored for suspicious activity. The administrative interfaces are protected by two-factor authentication (2FA) and all activity is logged and monitored for unauthorized access.
(4) What is your protocol for keeping / deleting data once our account expires?
If any remaining data exists on the psymate.io platform, it will be deleted.
(5) Is PsyMate run on your own infrastructure or does it use cloud servers like AWS, Google, Azure?
The psymate.io platform runs on virtual private servers hosted on a 3rd party certified private infrastructure and is distributed for high availability over 2 datacenters in The Netherlands, Europe. The psymate.io platform is not using public cloud servers or services.
(6) What sort of identifiable data does the app record? Phone numbers are probably an obvious one, but can it also read IP addresses, names, etc.?
The app exchanges the following data with the psymate.io platform only (this data is not exchanged with the 4D backend systems): device and app info (like OS and version) to allow for device-specific in-app software updates and for OS-version-specific error monitoring; IP address for session management / load balancing and for white / blacklisting once suspicious behavior is detected. In logfile analysis this data is only used in an aggregated way, so no single user / device can be identified.
(7) Is PsyMate run through Maastricht University and so therefore GDPR compliant? Are you compliant with any data security standards (e.g. ISO27001)?
The services used by psymate.io are ISO27001:2013 and NEN7510:2017 certified. Data processor agreements and subprocessor agreements are in place.
(8) Are any third parties given access to the data?
(9) Where are the data from the app kept for 15 years?
We can store the data for you during this period on our servers (located in Belgium) or you store the data yourself, after we have transferred everything to you after the study has ended. In the latter case, we destroy the data on our servers.
(10) Where are the data stored?
The data is stored on servers in Belgium and is fully covered by European directives. No data (nor backups) are stored on servers that fall outside European regulations.
(11) How is the data monitored?
The coordinating researcher will log in regularly and check the completion of the questionnaires. The aim is to do this more than once a week, so that any absentees can be contacted quickly.
(12) How is the destruction of the information provided: when and how will the data be destroyed, how will the app be deleted, etc.?
The data is stored on the user’s smartphone and transferred through the psymate.io platform and the storage servers once the phone establishes a stable internet connection. After confirmation, the data on the device is deleted. If data should remain on a device, it is not accessible to third parties. When the app is deleted, all connected data also disappears.
For information about the data on our servers, I refer to the first answer. As mentioned, our preference is for a formal transfer of the data to the researcher and it is the researcher who is then responsible for the legal retention periods and the destruction of the data. The procedures followed are the subject of the processing agreement.